Wireguard connected over ipv6 - internet traffic only working for ipv4

I have a strange issue I can’t seem to resolve. I have configured Wireguard on RouterOS for both ipv6 and ipv4.

I have configured Wireguard on iOS to connect using an ipv6 endpoint address to RouterOS, using allowed IPs ::/0 and address fd00::2/64. All seems to work fine; I can browse the internet over the wireguard connection.

However, I noticed that for some reason when going via the wireguard peer all traffic to the internet is ipv4. Trying to force going to ipv6 addresses, or using a test site such as https://test-ipv6.com, shows I don't have an external ipv6 address, whereas if I use a PC directly connected to the same router ipv6 works perfectly.

What could be preventing ipv6 traffic from being routed over the Wireguard interface? I have given the wireguard interface a ULA of fd00::1/64.

Thanks

With the peers only having ULA addresses, you'll also need to do some SRCNAT-ing on the router before forwarding the traffic with ULA as source addresses to the internet, did you configure that?

Also, please note that once you have fixed that issue, your remote WG peers will probably still prefer IPv4 if the resources to be accessed have both IPv4 and IPv6 addresses, because IPv4 has higher precedence than ULA.

It's also not the best practice to use a very trivial ULA prefix (fd00:: like you currently do). Instead you should pick something more random. You can go to this site https://www.unique-local-ipv6.com/ and copy the /48 prefix it shows to you and use that instead of just fd00::.

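The configuration the reply above describes, written out as an added RouterOS v7 example (it is not from either poster). The interface name wg0, the listen port, the peer's key placeholder and the interface list name WAN are assumptions; the fd00::/64 prefix is the one from the question and should be replaced with a randomly generated ULA /48 slice as the reply recommends.

```routeros
# Added example, not from the thread: WireGuard on RouterOS v7 with a ULA on the
# tunnel interface and IPv6 source NAT for the peer subnet.
# Assumed names: wg0, interface list "WAN"; <PEER-PUBLIC-KEY> is a placeholder.
/interface/wireguard add name=wg0 listen-port=13231
/interface/wireguard/peers add interface=wg0 \
    public-key="<PEER-PUBLIC-KEY>" allowed-address=fd00::2/128

# Router side of the tunnel (the question uses fd00::1/64; prefer a random fdxx:... /48 slice)
/ipv6/address add address=fd00::1/64 interface=wg0 advertise=no

# Without this rule the peer's packets leave the WAN with an unroutable ULA source
# address and no reply ever comes back, which is the symptom in the question.
/ipv6/firewall/nat add chain=srcnat src-address=fd00::/64 \
    out-interface-list=WAN action=masquerade comment="NAT WireGuard ULA to WAN"

# Check: the rule's packet counter should rise while the phone browses over the tunnel
/ipv6/firewall/nat print stats
```

Masquerade is used rather than src-nat with a fixed to-address so the rule keeps working if the WAN address changes; the rule is scoped to the tunnel prefix only, so LAN hosts that already hold GUA addresses from the ISP prefix are not translated.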

Thanks, I forgot to create the src NAT for the ULA subnet. I also took your advice of using a random ULA prefix.

I get an ipv6 prefix from my ISP which I use for my VLANs. Should I also get my wireguard interface to track the WAN, or is using a ULA better?

It depends on whether the GUA prefix from the ISP is static. If it's static then you can do that and it's better because the GUA prefix will have higher priority than IPv4 and the devices will prefer to use the GUA addresses for dual stack services.

But if that prefix is dynamic (changes periodically or with router reboot / PPPoE redial, if you use PPPoE) then it's not worth the hassle. The reason is that on most client devices the WG app has no way to dynamically update the assigned addresses: every time the ISP prefix changes you have to go to your devices, open the WG app, and manually change the IPv6 address in the Address = line of the [Interface] section. And then there is the problem that the ISP prefix might change while you are away.

And on RouterOS, you'll also need a script that goes through the peer entries and changes the prefix in the allowed-address fields of the peers.

If the ISP prefix is dynamic, then ULA is clearly better. In case you need the priority over IPv6, you can consider doing this (this is what I am currently doing on my WG networks):

  • Go to Hurricane Electric https://tunnelbroker.net/ make a free account and you can get a couple of free /64 and /48 GUA prefixes. You don't need to use those prefixes for the tunnel broker service. You just consider those prefixes to be "reserved" for you, and can be sure that they don't clash with real IPv6 from other services on the internet.
  • You'll use these prefixes only internally, as replacement for the ULA prefixes. They are static, but are also GUA, so you don't have the lower than IPv4 priority problem.
  • You will never use those prefixes outside of your network (because the internet will route them to HE and not to you). Which means like with ULA prefixes, you'll need NAT before sending packets with those source addresses into the internet.

You can split the /48 prefix and have plenty of internal prefixes to use wherever static GUA addresses are needed inside your LAN. I usually have a SRCNAT netmap rule on my FWs that automatically swaps the HE prefix with the ISP GUA prefix on out-interface-list=WAN.

You might need to, from time to time, use the HE real tunnel and transfer something or otherwise they might remove the "unused" prefixes from your account.
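The netmap rule mentioned in the post above, as an added RouterOS v7 example rather than the poster's own configuration. Both prefixes are documentation placeholders from 2001:db8::/32: 2001:db8:aaaa::/48 stands for the /48 reserved via the tunnel broker and used internally, 2001:db8:bbbb::/48 for the /48 delegated by the ISP; the interface list name WAN and the assumption that to-address accepts a prefix for netmap are mine.

```routeros
# Added example, not from the thread: 1:1 prefix translation on the WAN so that hosts
# addressed from an internal static GUA /48 appear on the internet with the ISP's /48.
# Placeholders (RFC 3849 documentation space), substitute your own:
#   2001:db8:aaaa::/48  internal prefix (reserved at the tunnel broker, never routed to you)
#   2001:db8:bbbb::/48  prefix delegated by the ISP
# Assumed: interface list "WAN"; netmap to-address given as a prefix of equal length.
/ipv6/firewall/nat add chain=srcnat action=netmap \
    src-address=2001:db8:aaaa::/48 to-address=2001:db8:bbbb::/48 \
    out-interface-list=WAN comment="netmap internal GUA -> ISP GUA"

# The translated source must match the ISP prefix exactly in length, otherwise the
# host part is not preserved; verify with a LAN host and an external address check.
/ipv6/firewall/nat print stats
```

Because the mapping is 1:1, return traffic to 2001:db8:bbbb:X::Y is translated back to 2001:db8:aaaa:X::Y without connection tracking state, which is what makes this cheaper than masquerade for a whole LAN; if the ISP prefix is dynamic, to-address is the single field that has to follow it.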