MV1000 WireGuard IPv6 traffic routing

WAN is IPv4 only. WG client profile I put on the MV1000W is dual stack with a public IPv4 /32 and public IPv6 /128. From same WAN, same profile can be used on a Windows client or Anroid client and it functions as expected. When used on the MV1000W then the wg0 interface of the MV1000W shows the IPv4 address only. Clients onMV1000W LAN get normal 192.168.8.0/24 network and an IPv6 ULA. They can then only connect to the internet via IPv4, IPv6 times out. Globa IPv6 setting is set to NAT6 as in the screenshot I had there.

Your setup is the same as mine. I’m guessing your VPN provider/server is IPv4-only and is not giving your MV1000 an IPv6 address.

The provider is the ISP I am working at. We have full control. We own the IP space and it is giving me a functioning IPv6 /128. As stated the exact profile as I pasted it into the MV1000W will perform as normal if I plug it into Windows Wireguard client or import to Android.

I have VPN killswitch feature turned on. For testing I will factory reset, turn on IPv6, reimport the profile and not turn on the killswitch just to see if it will work. Might also try IPv6 only profile. Will report back.

In the WireGuard client screen of the GUI do you see an IPv6 address when you’re connected?

No. I see it in the GUI in the client settings I see IPv4/32,IPv6/128 and it has also taken my IPv6 DNS server thats in the WG profile. But in WG status part of GUI it shows connected IPv4 only and ifconfig wg0 shows IPv4 only.

If I SSH in, where is the wg0.conf located ? I did not see in /etc/
I am curious if maybe it did not import correctly because I imported when IPv6 global setting was still disabled. This may be why client config shows good in GUI but no IPv6 is applied!

Edit: Nope. The config is applied fine.

find / -name wireguard && find / -name wg0

I found /etc/config/wireguard and it has IPv4 and IPv6 separated by a comma in the Interface section. Looks correct.

There is a bug in the WireGuard client GUI where if you edit the parameters within the GUI for whatever reason it will copy the DNS server IP into the IP Address field of the WireGuard config. Check if that’s the case.

Because of this bug in the GUI whenever I need to edit the config I just delete the existing and edit the config in Notepad then paste it back into the GUI.

@alzhao You might wanna take a look at this one too and add it to the list for the developers

1 Like

I removed the profile now via GUI. Then I imported a new client config, also known-good working. Also with a public ipv4/32 and ipv6/128. I encounter the same issue. This one I imported and connected without any editing. Still only seeing IPv4 address on wg0.

The MV1000W is awesome by the way. I found it by accident and will buy more now :slight_smile: I found it when I got to a hotel that only had WiFi and I needed to connect a Netgate SG-1100. I have a crappy netgear repeater I normally use in this situation to catch public WiFi and get it into ethernet but for some reason it hates the Ruckus AP that this hotel have in production. I was about to try a different model netgear when I found the MV1000W. We have 5 people working remotely and they will all get an MV1000W now. It’s perfect for what we do.

Hmm… unfortunately there is nothing else I can think of. My WAN is setup as DHCP in the MV1000 and I have mine connected to my main Asus router (not my ISP’s modem). I have IPv6 disabled in my main router. The MV1000 gets both IPv4/6 addresses from my VPN provider and all clients connected to it can also use the VPN’s IPv4/6 addresses.

Have you tried to connect to your WG server through your phone or PC and see if you get an IPv6 address?

I bought the MV1000 because it is one of the few consumer-grade routers that support IPv6 over VPN. IPv6 addresses are less likely to be blocked by services online (for now).

Yes. The profile I imported into the MV1000W works fine on Android and Windows, now tested on Linux, too. It will be fully functionial dual stack in all cases getting 20/20 in https://ipv6-test.com/

In the MV1000W it seems to ignore the IPv6 addresses altogether.

Have you tried OpenVPN? Just to see if IPv6 tunneling works there

Yes, it works for OVPN. LAN clients get the private addresses, VPN client interface tun0 is dual-stack and connectivity is dual-stack. But I see latency very high. If I ping the OVPN server from the MV1000W it is 23ms away. If I ping anything from the LAN it reports first hop (the OVPN server) as 300-500ms way with wild fluctuations. But to be fair I am using hotel wifi and the MV1000W is getting WAN from the hotel WiFi. IMO performance measurements are futile when some public WiFi is involved.

TL;DR: I cannot get IPv6 to work with WG client. With OpenVPN it works.

I think you are running into the same bug with WG I encountered in my post here:

https://forum.gl-inet.com/t/mv1000-vpn-wireguard-ipv6-leak/16601

I think the same bug is causing your WG IPv6 to not work.

Unlikely. My WAN (hotel wifi) is IPv4 only.

It’s true that your hotel WiFi is IPv4 only.

My point is there are cases where WG fails to take the VPN’s IPv6 address. My scenario being one of them. Whereas it takes every time on OpenVPN

Just upgrade my MV1000 to 3.203 firmware. I can’t input any IPv6 address in Wireguard configuration. If I set my IP in Wireguard to IPv6, I’ll get invalid IP Address error and refuse to save the config.

Do you have two Address lines in the WG config? When you paste in the config, the MV1000 doesn’t allow you to have two address lines

It won’t let me paste, even with IPv6 only address.

This issue still exists. Even in 3.211 beta 4 firmware.

If you try paste in a Wireguard client .conf

  • That has an MTU= line, it will parse it wrong and instead of filtering it out or using the value, it puts it into the DNS server box

  • If a Wireguard .conf has IPv6 GUA it will do bad input validation and claim the address is not valid.