On 2025-07-27, Omar Polo <o...@omarpolo.com> wrote:
> Hello,
>
> I'm moving my first baby steps in ipv6 land and I'm a bit confused about
> routing. I'm trying to build a vpn on wireguard, but only the ipv4 part
> of it is working. I suspect there's an issue in how I'm configuring
> the client, but I'm not sure how to debug.
>
> My setup is as follows. On the vps I have a /48:
>
> # ifconfig vio
> vio0: flags=2a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4,LRO> mtu 1500
>         lladdr fa:16:3e:6a:25:3b
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect
>         status: active
>         inet6 fe80::f816:3eff:fe6a:253b%vio0 prefixlen 64 scopeid 0x1
>         inet6 2a0f:85c2:7::3c1 prefixlen 64
>         inet 193.57.159.213 netmask 0xfffffff0 broadcast 193.57.159.223
>         inet6 2a0f:85c1:c4d::1 prefixlen 48
>
> the /64 is assigned by the hosting, I want to use the /48 for wg.
> I can successfully connect via ipv6 on the vps.

Normally the /48 would be routed to the address you have in the /64,
because doing neighbour discovery for a /48 of addresses would be insane.
So you would not want it configured on the normal upstream interface.

> I've configured a wg device as follows:
>
> # ifconfig wg
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
>         index 10 priority 0 llprio 3
>         wgport ...
>         wgpubkey ...
>         wgpeer ...
>                 wgdescr: op
>                 wgendpoint ...
>                 tx: 44984372, rx: 1340300
>                 last handshake: 103 seconds ago
>                 wgaip 2a0f:85c1:c4d:cafe::/64
>                 wgaip 10.1.1.2/32
>         [...]
>         groups: wg
>         inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
>         inet6 2a0f:85c1:c4d:beaf::1 prefixlen 48

Firstly, this conflicts with the /48 on vio0. Removing the vio0 /48 address
might help.

A /48 is a lot to use just for wg; I would probably just use a /56 or a /64
from it and keep the rest for anything else you want to do. If doing that,
add a blackhole static route covering the /48 to stop addresses in the /48
but outside the used prefix from looping back to the default route. The
more specific route to the /64 or /56 will take priority.

> tl;dr I'm using :beaf::1 for the wg0 interface and :cafe::1 for my client.
>
> this is my current pf config:
>
> ext_if = "vio0"
> wg0_if = "wg0"
> wg0_networks = "10.1.1.1/24"
>
> set skip on lo
>
> block return	# block stateless traffic
> pass		# establish keep-state
> pass in quick proto icmp6
> pass out quick proto icmp6
>
> pass quick on $wg0_if
> pass out quick on $wg0_if
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> # Port build user does not need network
> block return out log proto {tcp udp} user _pbuild
>
> pass out on egress inet from wg0:network to any nat-to (egress)
> pass out on wg0
>
>
> I do have forwarding enabled too:
>
> # sysctl -a | fgrep .forwarding
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1

I was going to check that if you hadn't said.

> now, on my laptop I have:
>
> # ifconfig wg1
> wg1: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
>         index 5 priority 0 llprio 3
>         wgport 34657
>         wgrtable 1
>         wgpubkey ...
>         wgpeer ...
>                 wgdescr: vellutata
>                 wgpka 25 (sec)
>                 wgendpoint 193.57.159.213 ...
>                 tx: 13188262248, rx: 64374848
>                 last handshake: 57 seconds ago
>                 wgaip ::/0
>                 wgaip 0.0.0.0/0
>         groups: wg egress
>         inet 10.1.1.2 netmask 0xffffff00 broadcast 10.1.1.255
>         inet6 2a0f:85c1:c4d:cafe::1 prefixlen 48
>
> with the added routes:
>
> # route add -net default 10.1.1.1
> # route add -net -inet6 default 2a0f:85c1:c4d:beaf::1
>
> and iwx0 running on rdomain 1.
>
> Now, my expectation is that I should be able to connect over this vpn to
> other ipv6 addresses, but that's not happening. I can connect with ipv4
> tho. I'm guessing this is an issue in how I'm configuring the laptop,
> because I cannot even ping the :beaf::1, while I can with the 10.1.1.1.
>
>
> # ping6 -c 3 2a0f:85c1:c4d:beaf::1
> PING 2a0f:85c1:c4d:beaf::1 (2a0f:85c1:c4d:beaf::1): 56 data bytes
>
> --- 2a0f:85c1:c4d:beaf::1 ping statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
>
> fwiw I also have forwarding enabled on my laptop too, for natting some
> vms.

(Also, you need to avoid the strong host model in some cases with fiddly
networks, and that's the only way to do it.)
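The two points in the reply above, the overlapping /48 on vio0 and wg0, and the blackhole route that makes a /64 carved out of the /48 win by longest-prefix match, can be checked offline with the standard library. The following is an added example written for this thread, not code from the original mail or from OpenBSD; it models the route lookup in Python rather than reading the kernel's table, uses the prefixes quoted in the thread, and the `route(8)` invocation in the comment is an assumed command shape to be confirmed against the manual on the box.

```python
import ipaddress

# Prefixes taken from the thread. The hosting provider puts the VPS in a /64
# (2a0f:85c2:7::/64) and delegates 2a0f:85c1:c4d::/48 to it. The reply suggests
# carving a /64 out of the /48 for wg0 and black-holing the remainder.
DELEGATED_48 = ipaddress.ip_network("2a0f:85c1:c4d::/48")
WG0_64 = ipaddress.ip_network("2a0f:85c1:c4d:beaf::/64")     # VPS end of the tunnel
CLIENT_64 = ipaddress.ip_network("2a0f:85c1:c4d:cafe::/64")  # wgaip for the laptop


def interface_overlaps(prefixes):
    """Return pairs of interfaces whose on-link prefixes overlap.

    `prefixes` maps an interface name to the prefix configured on it, as the
    ifconfig output in the thread shows. Two interfaces claiming the same /48
    is the conflict the reply points at.
    """
    names = sorted(prefixes)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = ipaddress.ip_network(prefixes[a])
            net_b = ipaddress.ip_network(prefixes[b])
            if net_a.overlaps(net_b):
                found.append((a, b))
    return found


def suggested_table():
    """Constructed model of the VPS IPv6 table after the suggested change.

    Each entry is (prefix, next-hop description, is_blackhole). The blackhole
    entry stands for what a command of the shape
        route add -inet6 -blackhole 2a0f:85c1:c4d::/48 ::1
    would install (assumed syntax; check route(8) on the actual system).
    """
    return [
        (ipaddress.ip_network("::/0"), "default via upstream on vio0", False),
        (DELEGATED_48, "blackhole", True),
        (WG0_64, "wg0 (connected)", False),
        (CLIENT_64, "wg0 (wgaip peer route)", False),
    ]


def lookup(table, dst):
    """Longest-prefix match: when several routes cover dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, blackhole in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, blackhole)
    return best


if __name__ == "__main__":
    # The conflict as configured in the thread: the /48 on vio0 and again on wg0.
    print(interface_overlaps({"vio0": "2a0f:85c1:c4d::/48",
                              "wg0": "2a0f:85c1:c4d::/48"}))
    table = suggested_table()
    for dst in ("2a0f:85c1:c4d:cafe::1",   # laptop: inside the wgaip /64
                "2a0f:85c1:c4d:dead::1",   # unused part of the /48: blackholed
                "2001:db8::1"):            # anything else: default route
        net, via, bh = lookup(table, dst)
        print(f"{dst:24} -> {net}  {via}{'  (dropped)' if bh else ''}")
```

The third lookup is the case the reply is guarding against: without the /48 blackhole, a packet to an unused address in the delegation would match only `::/0` and be sent back upstream, which then routes the /48 straight back to the VPS.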