
I'm new to IPv6. This is my home network:

                                   +------------------------------------------+                                   
                                   |                                          |                                   
                                   |                  Router                  |                                   
                                   |                                          |                                   
                                   |                                          |                                   
                                   |                                          |                                   
                                   |                                          |                                   
                                   |             fe80::fe7c:2ff:fed5:a236     |                                   
                                   +------------------------------------------+                                   
                                                         |                                                        
                                                         |                                                        
                                                         |                                                        
                                                         |                                                        
                                                         |                                                        
                      +----------------------------------|-----------------------------------+                    
                      |                                                                      |                    
                      |                                                                      |                    
                      |                                                                      |                    
                      |                                                                      |                    
                      |                                                                      |                    
+------------------------------------------+                          +------------------------------------------+
|                   wlan0                  |                          |                    eth0                  |
|         fe80::8e70:5aff:fe62:7180/64     |                          |          fe80::3686:d00c:4a2b:1052/64    |
|                                          |                          |                                          |
|                                          |                          |                                          |
|                  Laptop                  |                          |                  VPN Gateway             |
|                                          |                          |                                          |
|                                          |                          |                                          |
+------------------------------------------+                          +------------------------------------------+

My ISP doesn't give me an IPv6 address, but I run VPN software on the VPN Gateway. I've created these iptables rules on the VPN Gateway:

iptables -t nat -A POSTROUTING -o wg_vpn  -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o wg_vpn -j ACCEPT

ip6tables -t nat -A POSTROUTING -o wg_vpn  -j MASQUERADE
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -o wg_vpn -j ACCEPT

I know how to add an IPv4 rule on my laptop (ip route add default via vpn_gateway_ip dev wlan0), but it seems this doesn't work for IPv6? So how can I write the IPv6 rule?

I've already run ip -6 route add default via fe80::3686:d00c:4a2b:1052 dev wlan0, but ping -6 www.google.com will return From _gateway (fe80::3686:d00c:4a2b:1052%wlan0) icmp_seq=1 Destination unreachable: Beyond scope of source address.

ping fe80::3686:d00c:4a2b:1052 also has no response, but ping -I wlan0 fe80::3686:d00c:4a2b:1052 will return correct response.

I don't want the IPv6 address from the ISP; I want all my network traffic to go through the VPN.

  • All your addresses are link-local addresses. Do you really want to use these? Why not use Unique Local Addresses (ULA)?
    – Daniel B
    Commented Apr 22, 2022 at 11:47
  • "I don't want the IPv6 address from ISP" – nobody said you need to use those. The VPN server is your new ISP in this case. Commented Apr 22, 2022 at 11:54

2 Answers


The switch you are looking for is -6:

mtak@gen1:~$ sudo ip -6 route add default via 2001:470:xxxx::1
mtak@gen1:~$ ip -6 route list
2001:470:xxxx::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via 2001:470:xxxx::1 dev eth0  metric 1024

Why are you messing around with NAT for IPv6? The whole point of IPv6 is that NAT is not required anymore. If you have IPv6 available on your VPN gateway, just route it plain and simple.


It is the same as in IPv4:

ip route add default via fe80::3686:d00c:4a2b:1052 dev wlan0

You might want to be more specific about it being an IPv6 route – either use ip -6, or specify ::/0 instead of "default". (That is, ip r add ::/0 via or ip -6 r add default via).

However, what is different from IPv4 is that your only LAN addresses right now are link-local. They're not merely "private" – the fe80::/64 prefix is strictly scoped to the same link, and packets sent from such IP addresses are not to be forwarded by routers even if there's a NAT/masquerade rule present.

(Link-local addresses can, however, be used as the 'gateway' for routes because a gateway address has to be from the same link anyway – in both IPv6 and IPv4 equally. So via fe80... is fine.)

If you want your LAN to have IPv6 access through the VPN, you'll need to assign your devices global-scope addresses (in addition to the link-local ones). Preferably, this would be a "public" /64 range routed through your VPN server, in which case you wouldn't need any form of NAT in ip6tables – your devices would just directly use their global addresses.

But if you really don't have a public /64 to spare (or if you're using a commercial VPN service which expects a single device only), then the fd00::/8 "Unique local address" range is your other option. That's the direct IPv6 equivalent to IPv4's RFC1918 private addresses – you're supposed to pick a random /48 from it (like fd84:1b4e:6281::/48 for example), from which you then assign /64's to your subnets (like fd84:1b4e:6281:0::/64 for the local LAN). These addresses are forwardable (in the same way as 192.168.x), so ip6tables NAT will work like you'd expect.

You can assign IPv6 addresses either manually (using ip addr add ... dev wlan0) or announce the prefix automatically (using radvd running on the VPN gateway, which will also announce the ::/0 default route at the same time).

  • I've already run ip -6 route add default via fe80::3686:d00c:4a2b:1052 dev wlan0, but ping -6 www.google.com will return From _gateway (fe80::3686:d00c:4a2b:1052%wlan0) icmp_seq=1 Destination unreachable: Beyond scope of source address. ping fe80::3686:d00c:4a2b:1052 also has no response, but ping -I wlan0 fe80::3686:d00c:4a2b:1052 will return correct response.
    – jackyyy
    Commented Apr 22, 2022 at 11:43
  • The rest of my post (starting with 3rd paragraph) answers this. The way you add the route is not the problem. It's the source address that is the problem. Commented Apr 22, 2022 at 11:44
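As an added example (not from the answer or its author), the ULA plan the second answer describes, as a POSIX shell script: it derives a random fd00::/8 /48, carves subnet 0 out as a /64, and prints the commands for both hosts. The interface names eth0, wlan0 and wg_vpn come from the question; the ::1/::2 host IDs, the sysctl forwarding line and narrowing the NAT rules to the ULA subnet are assumptions.

```shell
#!/bin/sh
# Added example, not part of the answer above: build a ULA plan for the
# network in the question. Assumes eth0 on the gateway, wlan0 on the
# laptop, wg_vpn as the tunnel, ::1 for the gateway and ::2 for the
# laptop. It only prints commands; nothing is applied.

# 40-bit global ID as 10 hex chars. RFC 4193 suggests hashing time and a
# MAC; reading urandom is the usual shortcut and is what is done here.
random_global_id() {
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n'
}

# fd + global ID -> /48, e.g. 841b4e6281 -> fd84:1b4e:6281::/48
ula_prefix48() {
    gid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ ${#gid} -eq 10 ] || { echo "global ID must be 10 hex chars" >&2; return 1; }
    case "$gid" in *[!0-9a-f]*) echo "global ID must be hex" >&2; return 1 ;; esac
    printf 'fd%s:%s:%s::/48\n' "${gid%????????}" \
        "$(printf '%s' "$gid" | cut -c3-6)" "${gid#??????}"
}

# /48 + 16-bit subnet ID -> /64, e.g. fd84:1b4e:6281::/48 0 -> fd84:1b4e:6281:0::/64
ula_subnet64() {
    printf '%s:%s::/64\n' "${1%::/48}" "$2"
}

# Print the commands for both hosts. MASQUERADE and FORWARD are narrowed to
# the ULA subnet so link-local (fe80::) sources never match them.
ula_plan() {
    sub=$(ula_subnet64 "$1" "$2")
    net=${sub%::/64}
    cat <<EOF
# --- VPN Gateway ---
ip -6 addr add ${net}::1/64 dev eth0
sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -t nat -A POSTROUTING -s ${sub} -o wg_vpn -j MASQUERADE
ip6tables -A FORWARD -i eth0 -o wg_vpn -s ${sub} -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# --- Laptop ---
ip -6 addr add ${net}::2/64 dev wlan0
ip -6 route add default via ${net}::1 dev wlan0
EOF
}

ula_plan "$(ula_prefix48 "$(random_global_id)")" 0
```

Once the laptop sources from its ULA instead of fe80::, the "Beyond scope of source address" error the question reports no longer applies, so check ping -6 to the gateway's ULA first and only then the public destination.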
