Today I upgraded my router to LEDE 17.01 and played a bit with IPv6 and Wireguard VPN tunnels. My Internet connection at home (connected via cable to the Comcast network) has decent IPv6 support, which I also wanted to enjoy when on the road, using non-IPv6 networks. The first step is to set up a Wireguard tunnel, which I already did some months ago (Dan Lüdtke, author of the LEDE/OpenWrt web interface plugin for Wireguard, has a good post on that). In my setup the Wireguard IPv4 network uses a network from the private range (192.168.2.0/24) to route IPv6 traffic. For IPv6 my goal was to assign a public subnet, so I can access the IPv6 network directly through the tunnel without any NAT. In the IPv6 world, NAT is not commonly used and is considered deprecated anyway. Note that this how-to does not route the IPv4 traffic to the internet through the VPN tunnel, only IPv6 traffic.
First, a large enough IPv6 prefix needs to be available on the router in order to assign two independent IPv6 networks to my local LAN and the Wireguard VPN. One has to realize that in the IPv6 world, subnets are by definition between /49 and /64. One cannot create a /72 subnet or similar, since the last 64 bits are the host portion, reserved exclusively for host addresses. By default, LEDE requests a 64-bit IPv6 prefix from the provider, but this can be changed in the WAN6 network interface settings:
My new provider offers IPv6 connectivity; however, after connecting my OpenWrt-based WNDR4300 (using Chaos Calmer 15.05-rc3) things unfortunately did not “just work”… This post summarizes some hints on how to debug IPv6 on OpenWrt.
First, make sure that the upstream (WAN) interface is configured according to the documentation in the OpenWrt Wiki. Using LuCI, you have to create a new interface (WAN6), which should c
If your ISP provides IPv6 support, it should “just work” at this point. However, what to do if not?
DNSSEC does not require any special support on the router, since the validation is typically done by the client itself. However, caching the DNSSEC records makes validation faster for clients, and a router in a trusted network can provide DNS replies which carry the ad flag (authenticated data).
Chaos Calmer comes with dnsmasq without DNSSEC validation support by default (DNSSEC is not enabled at compile time). However, one can use the dnsmasq-full package, which provides the DNSSEC features. Without DNSSEC compiled in or enabled, dnsmasq forwards the DNSSEC records properly, but it does not validate them, and therefore the DNS replies do not contain the ad flag:
# dig debian.org. SOA +dnssec
; <<>> DiG 9.9.6-P1 <<>> debian.org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 11
^^^^^^^^^^^^^^^ (no ad flag, dnsmasq did not authenticate the DNS response)
A week later my account had enough credits to request the subnet. I got a /48 network, or in other words, I have a network with 80 bits which I can use! These are more addresses than the whole IPv4 address space has! 😎
When you have the approval for the subnet, SixXS has already done a lot of work for you: they send you the actual address, and they make sure that this subnet is routed to your router address. So you only need to assign the addresses to your devices.
Lately I wanted to try using IPv6. The first part I needed was an IPv6-capable router. Since I was always interested in running Linux on my router, I picked one which is ready to run OpenWRT. The Netgear WNDR3700 seems to match my needs: pretty common in the OpenWRT community, 16 MiB flash (4 MiB is the absolute minimum, 8 MiB should be fine for IPv6 use; more flash, more space to play with :-)). But take care: lately Netgear made a new revision, v3, which is not compatible with OpenWRT, or at least not yet.
My provider says he is still working on implementing IPv6; he doesn’t know when it’s ready, but it should be in the next months… That’s way too long 🙂 So I decided to use one of these tunneling solutions. Wikipedia has a list of tunnel brokers; I chose SixXS. After signup you have to wait some hours until your account request is processed. After the approval you get a username, a password and 25 credits. These credits are needed to get a tunnel and your own subnet; each of them costs 15 credits, which makes 30 for both. The first thing you do is request a tunnel. Some hours later, you should get a tunnel approval with your Tunnel Id. You can earn 5 credits by operating the tunnel for a week. So after you have a tunnel, one has to wait another week to request a subnet. For me it took about two hours to get the account and another two hours to get the tunnel, so they are pretty fast!