I want to reach IPv6 addresses on the internet through my WireGuard tunnel.
I use DietPi v8.2.2 on an Odroid C2 with PiVPN setup for WireGuard.
Here’s what I did:
/etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
editing the client settings for Client iptest:
/etc/wireguard/configs
root@xxx:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:1e:06:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.178.99/24 brd 192.168.178.255 scope global dynamic eth0
valid_lft 169584sec preferred_lft 169584sec
inet6 fe80::21e:xxx:xxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.6.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
inet6 fd06::1/64 scope global
valid_lft forever preferred_lft forever
root@bkiste:~# ip r
default via 192.168.178.1 dev eth0
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.99
Looks like there is no public IPv6 address assigned. It seems to be a local fe80 only. However, on the FritzBox you specify something like 2001. Are you sure your IPv6 network is working fine? Are you able to connect to any IPv6 address from the DietPi device itself?
I haven’t read through everything, just note that the WireGuard install option in dietpi-software sets up everything for IPv6 access OOTB, and on PiVPN this has been an open request for years.
IPv6 routes can be checked via ip -6 r. If there is no public/GUA IPv6 address assigned to the adapter, it seems the router sends no router advertisements. You say it sends those via DHCP? Note that DHCPv6 is pretty uncommon and usually not required, in favour of SLAAC auto-configuration via router advertisements. Try to configure your router to send these instead or in addition to DHCPv6. I’m currently not 100% sure, but I think for the system to request DHCPv6, you need an additional interface block in /etc/network/interfaces with “inet6” instead of “inet”.
Even if there was an IPv6 address assigned, which in your case is not evident from the output, you’d still need to NAT6 the private IPv6 of the WG to the public one the DietPi has from the provider. So the ip6tables cannot be empty, or you need to handle the SNAT/masquerade with another utility.
Yes, that is done by the DietPi WireGuard installation as well. As soon as an IPv6 address and route are assigned, I can share the related ip6tables commands.
~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
fd06::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
Is this a public IPv6?
I have changed some settings in my router (Fritz Box):
Heimnetz → Netzwerk → Netzwerkeinstellungen → IPv6-Einstellungen → DHCPv6-Server im Heimnetz
[…]Geräte im Heimnetz bekommen eine IPv6-Adresse via DHCPv6 […] is now on → Devices in the home network get an IPv6 address via DHCPv6
Translation:
FRITZ!Box is announced as DNS server via DHCPv6. Parts of the IPv6 network assigned by the ISP are passed on to downstream routers. Devices in the home network are assigned an IPv6 address via DHCPv6.
On my MacBook I can ping an IPv6 address in the network
MBP ~ % ping6 heise.de
PING6(56=40+8+8 bytes) 2001:9e8:b1aa:c00:xxxx:baf9:xxxx:xxxx --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=55 time=16.881 ms
but it doesn’t work on the Odroid C2
# ping6 heise.de
ping6: connect: Das Netzwerk ist nicht erreichbar
“The network is not reachable”
I have tried to use the setup guide for the IP address
# ip -o a | grep -E '(eth|wlan)[0-9]' | awk '{print $4}' | sed 's|/.*$||'
192.168.xxx.xx
fe80::21e:xxx:fe33:xxxx
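The check the replies apply by eye to this output (is there a global unicast address on the LAN interface, and is there an IPv6 default route?) can be scripted. The following is an added example, not part of any post in this thread; the function names are hypothetical and the sample data is constructed to mirror the output above, with the documentation prefix 2001:db8::/32 standing in for a real provider prefix.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not captured from a device.

# classify_addr ADDR[/LEN] -> loopback | link-local | ula | gua | other
classify_addr() {
    a=$(printf '%s' "${1%%/*}" | tr 'A-F' 'a-f')
    case "$a" in
        ::1)                            echo loopback ;;
        fe[89ab][0-9a-f]:*)             echo link-local ;;  # fe80::/10
        f[cd][0-9a-f][0-9a-f]:*)        echo ula ;;         # fc00::/7
        [23][0-9a-f][0-9a-f][0-9a-f]:*) echo gua ;;         # 2000::/3
        *)                              echo other ;;
    esac
}

# count_gua IFACE: reads `ip -o -6 addr` output on stdin, prints the GUA count.
count_gua() {
    n=0
    for addr in $(awk -v i="$1" '$2 == i && $3 == "inet6" { print $4 }'); do
        if [ "$(classify_addr "$addr")" = gua ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# diagnose IFACE ADDR_TEXT ROUTE_TEXT -> ok | no-gua | no-default | no-gua-no-default
diagnose() {
    gua=$(printf '%s\n' "$2" | count_gua "$1")
    if printf '%s\n' "$3" | grep -q '^default '; then def=1; else def=0; fi
    if [ "$gua" -gt 0 ] && [ "$def" -eq 1 ]; then echo ok
    elif [ "$gua" -gt 0 ]; then echo no-default
    elif [ "$def" -eq 1 ]; then echo no-gua
    else echo no-gua-no-default
    fi
}

# Constructed sample: the state shown in the thread (nothing learned via RA).
BROKEN_ADDR='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::21e:6ff:fe00:1/64 scope link
3: wg0    inet6 fd06::1/64 scope global'
BROKEN_ROUTE='::1 dev lo proto kernel metric 256 pref medium
fd06::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'
# Constructed sample: the same host once SLAAC has configured eth0.
GOOD_ADDR="$BROKEN_ADDR
2: eth0    inet6 2001:db8:1:2:21e:6ff:fe00:1/64 scope global dynamic mngtmpaddr"
GOOD_ROUTE="$BROKEN_ROUTE
default via fe80::1 dev eth0 proto ra metric 1024 pref medium"

echo "thread state: $(diagnose eth0 "$BROKEN_ADDR" "$BROKEN_ROUTE")"
echo "after SLAAC:  $(diagnose eth0 "$GOOD_ADDR" "$GOOD_ROUTE")"
```

On a live system, call `diagnose eth0 "$(ip -o -6 addr)" "$(ip -6 route)"`. Note that the ULA on wg0 (fd06::1) is never counted as a GUA, which is why the tunnel clients still need NAT6 or a routed prefix even once eth0 reports `ok`.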
There is no default route and no GUA address assigned indeed. So it seems when DHCPv6 is enabled, the Fritz!Box does not send any router advertisement for SLAAC auto-configuration anymore. Do you need DHCPv6 for a specific reason? Otherwise I suggest disabling it. It is pretty uncommon to use DHCPv6 but leave IPv6 auto-configured via SLAAC. If you require DHCPv6, and there is no way to have the Fritz!Box sending RAs regardless, then you’d need to add a specific IPv6 entry for the interface, e.g.: