Hello, I'm taking my first baby steps in IPv6 land and I'm a bit confused about routing. I'm trying to build a VPN on WireGuard, but only the IPv4 part of it is working. I suspect there's an issue in how I'm configuring the client, but I'm not sure how to debug it.
My setup is as follows. On the VPS I have a /48:

    # ifconfig vio
    vio0: flags=2a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4,LRO> mtu 1500
            lladdr fa:16:3e:6a:25:3b
            index 1 priority 0 llprio 3
            groups: egress
            media: Ethernet autoselect
            status: active
            inet6 fe80::f816:3eff:fe6a:253b%vio0 prefixlen 64 scopeid 0x1
            inet6 2a0f:85c2:7::3c1 prefixlen 64
            inet 193.57.159.213 netmask 0xfffffff0 broadcast 193.57.159.223
            inet6 2a0f:85c1:c4d::1 prefixlen 48

The /64 is assigned by the hosting; I want to use the /48 for wg. I can successfully connect via IPv6 on the VPS.

I've configured a wg device as follows:

    # ifconfig wg
    wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
            index 10 priority 0 llprio 3
            wgport ...
            wgpubkey ...
            wgpeer ...
                    wgdescr: op
                    wgendpoint ...
                    tx: 44984372, rx: 1340300
                    last handshake: 103 seconds ago
                    wgaip 2a0f:85c1:c4d:cafe::/64
                    wgaip 10.1.1.2/32
            [...]
            groups: wg
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 2a0f:85c1:c4d:beaf::1 prefixlen 48

tl;dr I'm using :beaf::1 for the wg0 interface and :cafe::1 for my client.

This is my current pf config:

    ext_if = "vio0"
    wg0_if = "wg0"
    wg0_networks = "10.1.1.1/24"

    set skip on lo

    block return    # block stateless traffic
    pass            # establish keep-state

    pass in quick proto icmp6
    pass out quick proto icmp6
    pass quick on $wg0_if
    pass out quick on $wg0_if

    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010

    # Port build user does not need network
    block return out log proto {tcp udp} user _pbuild

    pass out on egress inet from wg0:network to any nat-to (egress)
    pass out on wg0

I do have forwarding enabled too:

    # sysctl -a | fgrep .forwarding
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1

Now, on my laptop I have:

    # ifconfig wg1
    wg1: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
            index 5 priority 0 llprio 3
            wgport 34657
            wgrtable 1
            wgpubkey ...
            wgpeer ...
                    wgdescr: vellutata
                    wgpka 25 (sec)
                    wgendpoint 193.57.159.213 ...
                    tx: 13188262248, rx: 64374848
                    last handshake: 57 seconds ago
                    wgaip ::/0
                    wgaip 0.0.0.0/0
            groups: wg egress
            inet 10.1.1.2 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 2a0f:85c1:c4d:cafe::1 prefixlen 48

with the added routes:

    # route add -net default 10.1.1.1
    # route add -net -inet6 default 2a0f:85c1:c4d:beaf::1

and iwx0 running on rdomain 1.

Now, my expectation is that I should be able to connect over this VPN to other IPv6 addresses, but that's not happening. I can connect with IPv4 though. I'm guessing this is an issue in how I'm configuring the laptop, because I cannot even ping :beaf::1, while I can ping 10.1.1.1.

    # ping6 -c 3 2a0f:85c1:c4d:beaf::1
    PING 2a0f:85c1:c4d:beaf::1 (2a0f:85c1:c4d:beaf::1): 56 data bytes

    --- 2a0f:85c1:c4d:beaf::1 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

FWIW, I also have forwarding enabled on my laptop, for NATing some VMs.

Any ideas/pointers on what to look into?

Thanks!

Omar Polo
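As an added diagnostic (not part of the post above, and not OpenBSD or WireGuard code), the Python script below rebuilds the connected IPv6 routes implied by the interface addresses quoted in the post, flags any prefix that two interfaces on the same host both claim as on-link, and shows which interface a given destination would be matched to; it also checks a destination against a peer's wgaip list. The address table is constructed from the post, and the equal-length tie-break in egress_interface (first-configured route wins) is an assumption, not verified kernel behaviour.

```python
import ipaddress

# Constructed from the ifconfig output in the post: (host, interface, address/prefixlen).
# Listed in the order the addresses appear, which we treat as "configured first".
ADDRS = [
    ("vps", "vio0", "2a0f:85c2:7::3c1/64"),
    ("vps", "vio0", "2a0f:85c1:c4d::1/48"),
    ("vps", "wg0", "2a0f:85c1:c4d:beaf::1/48"),
    ("laptop", "wg1", "2a0f:85c1:c4d:cafe::1/48"),
]


def connected_routes(host):
    """[(interface, network)] in configured order: every address adds an on-link route."""
    return [(ifn, ipaddress.ip_interface(a).network) for h, ifn, a in ADDRS if h == host]


def overlapping_prefixes(host):
    """Pairs of connected routes on *different* interfaces whose prefixes overlap.
    Packets for the overlapping range can only follow one of the two routes."""
    routes = connected_routes(host)
    hits = []
    for i, (if_a, net_a) in enumerate(routes):
        for if_b, net_b in routes[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                hits.append((if_a, str(net_a), if_b, str(net_b)))
    return hits


def egress_interface(host, dst):
    """Longest-prefix match over the host's connected routes. On equal prefix length the
    first-configured route wins (assumption: a later duplicate does not replace it)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifn, net in connected_routes(host):
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifn, net)
    return best[0] if best else None


def allowed_by_peer(allowed_ips, dst):
    """True when dst falls inside the peer's wgaip list (WireGuard's cryptokey routing)."""
    dst = ipaddress.ip_address(dst)
    return any(dst in ipaddress.ip_network(a) for a in allowed_ips)


if __name__ == "__main__":
    print("overlaps on vps:", overlapping_prefixes("vps"))
    print("vps sends to cafe::1 via:", egress_interface("vps", "2a0f:85c1:c4d:cafe::1"))
```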