IPv6 Routing Rules Not Working to Redirect Local Devices Via Wireguard VPN Clients

wildland_hondo

New Around Here
I have the following configuration / setup on my router:
  1. Set up 1x OpenVPN client via the Merlin user interface
  2. Set up 5x WireGuard VPN clients via the Merlin user interface
  3. Router set up as an exit node for Tailscale (via tailmon)
  4. Use VPN Director to route Tailscale IPv4s into VPN tunnels with failover
  5. Manually add Tailscale IPv6 to the ip -6 routing table to route IPv6 traffic over VPN (works for wg, not for ovpn)
But when I try to do the same for local IP addresses, it works for IPv4 addresses but not for IPv6.

I have tried the following:

Serial | Action | IPv4 Result | IPv6 Result
------ | ------ | ----------- | -----------
1 | Manually add IPv4 and IPv6 (GUA) addresses to routing tables | Routed | Failed
2 | Add IPv4 via GUI and IPv6 (GUA) manually to routing tables | Routed | Failed
3 | Added IPv6 (LL) to routing tables | N/A | Failed
4 | Created client MAC ipsets and marked traffic with fwmark 0x30/0xf0 and used this rule: ip(6)tables -t mangle -A PREROUTING -m set --match-set client_macs src -j MARK --set-mark 0x30/0xf0 along with ip rules to redirect marked traffic to VPN interfaces | Routed | Failed
5 | Tried to do the same as serial 4 but with two ipsets (one for IPv4 and one for IPv6) to route traffic to VPN interfaces | Routed | Failed

Could someone tell me what I am doing wrong and why Tailscale IPv6 gets routed but that of my local devices does not?

Please note that I am not proficient in Linux networking and used forums and AI help to do what I did.

Grateful for all your help. Thanks.



PS: Is there any plan to switch VPN director to use MAC addresses rather than IP addresses and for it to support dual stack VPNs?
 
Could someone tell me what I am doing wrong and why Tailscale IPv6 gets routed but that of my local devices does not?
How have you tried to add the routes, just in the main route table or also in the policy route table? Have you added IPv6 policy rules?
The IPv6 firewall is stateful and drops everything not explicitly allowed, so have you added IPv6 firewall rules?
 
How have you tried to add the routes, just in the main route table or also in the policy route table? Have you added IPv6 policy rules?
The IPv6 firewall is stateful and drops everything not explicitly allowed, so have you added IPv6 firewall rules?
To redirect Tailscale IPv6 traffic, I basically looked at the IPv4 routing table, changed the IPs and added them using these rules:
ip -6 rule add from aaaa:bbbb:cccc::dddd/48 lookup wgc1 priority 11210
ip -6 rule add from aaaa:bbbb:cccc::dddd/48 prohibit pref 12219

This works perfectly fine for Tailscale traffic.

Inferring from this and some google-fu, I made an ipset using:
ipset create client_macs hash:mac hashsize 1024 maxelem 65536
and added the hash of the local client to this set.

Then marked for IPv4 using:
iptables -t mangle -A PREROUTING -m set --match-set client_macs src -j MARK --set-mark 0x30/0xf0

for IPv6:
ip6tables -t mangle -A PREROUTING -m set --match-set client_macs src -j MARK --set-mark 0x30/0xf0

I assumed the routing tables made by VPN Director would keep working fine, because they worked for the Tailscale IPv6 routes.

Then added rules in this format:
ip rule add from all fwmark 0x30/0xf0 lookup wgc1 pref 11211
ip -6 rule add from all fwmark 0x30/0xf0 lookup wgc1 pref 11211

This also led to IPv4 traffic being successfully routed but IPv6 traffic simply disappeared.

ip6tables -t mangle -L PREROUTING -vn did show packets being captured by this rule, but it wasn't working how I wanted it to. Oh, and all traffic simply died on the router after some time. I think it ran out of memory; swap is on a USB drive, so it probably became unresponsive and had to be restarted.
 
So, your issue is to use MAC-address-based routing from LAN to wgc1 only?
This works perfectly fine for Tailscale traffic.
Just for a quick test, if you had added a rule for the LAN client, i.e. its global address, would it work then? I would assume it should, but I have never tested it. It would prove that there are no other issues at play, like firewall stuff.

This also led to IPv4 traffic being successfully routed but IPv6 traffic simply disappeared.
If you only mean LAN to wgc1, it should be possible to get it to work. There are some things to notice, for example, the policy route table (i.e. table wgc1) is not as complete as the main route table, and I don't know how IPv6 routing would work if all device communication is set to use a route table which only has routes to wgc1 and not even back to your own LAN. Not sure if you would need to limit the address scope to global addresses or something.
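An added example (not from the thread) that audits the policy-routing state described in the two posts above: it parses the text output of ip -6 rule show and ip -6 route show table wgc1, checks that a fwmark rule for 0x30/0xf0 selects table wgc1 ahead of any prohibit rule, checks whether that table has a route back to the LAN prefix besides the tunnel default, and also models how --set-mark value/mask and fwmark value/mask compare only the masked bits. The sample outputs, the LAN prefix 2001:db8:1::/64 and the table name wgc1 are constructed assumptions; on the router you would feed it the real command output.

```python
import re

# Constructed sample shaped like `ip -6 rule show` on the router, using the
# pref numbers and mark from the thread (the /48 prefix is a placeholder).
SAMPLE_RULES = """\
0:\tfrom all lookup local
11210:\tfrom aaaa:bbbb:cccc::/48 lookup wgc1
11211:\tfrom all fwmark 0x30/0xf0 lookup wgc1
12219:\tfrom aaaa:bbbb:cccc::/48 prohibit
32766:\tfrom all lookup main
"""
# Constructed sample of `ip -6 route show table wgc1`: only a tunnel default,
# nothing back to the LAN, which is the gap the last reply raises.
SAMPLE_TABLE = "default dev wgc1 metric 1024 pref medium\n"
LAN_PREFIX = "2001:db8:1::/64"  # assumed LAN GUA prefix (documentation range)

def parse_mark(spec):
    """'0x30/0xf0' -> (0x30, 0xf0); a bare value implies the full 32-bit mask."""
    value, _, mask = spec.partition("/")
    return int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF

def set_mark(old_mark, spec):
    """Effect of `-j MARK --set-mark value/mask`: clear masked bits, OR value in."""
    value, mask = parse_mark(spec)
    return (old_mark & ~mask) | (value & mask)

def mark_matches(pkt_mark, spec):
    """Effect of `ip rule ... fwmark value/mask`: compare only the masked bits."""
    value, mask = parse_mark(spec)
    return (pkt_mark & mask) == (value & mask)

def parse_rules(text):
    """(pref, selector, action) tuples from `ip -6 rule show` output."""
    pat = re.compile(r"(\d+):\s+(.*?)\s*(lookup \S+|prohibit|unreachable|blackhole)$")
    return [(int(m[1]), m[2], m[3]) for m in map(pat.match, text.splitlines()) if m]

def fwmark_rule_ok(rules, spec="0x30/0xf0", table="wgc1"):
    """A rule for this mark selects `table` and sorts before any prohibit rule."""
    marked = [p for p, sel, act in rules if f"fwmark {spec}" in sel and act == f"lookup {table}"]
    prohibits = [p for p, _, act in rules if act == "prohibit"]
    return bool(marked) and (not prohibits or min(marked) < min(prohibits))

def table_has_lan_route(table_text, lan_prefix=LAN_PREFIX):
    """The policy table carries a route for the LAN prefix, not only a default."""
    return any(ln.split()[0] == lan_prefix for ln in table_text.splitlines() if ln.strip())

def audit(rules_text, table_text):
    rules = parse_rules(rules_text)
    return {"fwmark_rule_ok": fwmark_rule_ok(rules),
            "table_has_lan_route": table_has_lan_route(table_text)}

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_RULES, SAMPLE_TABLE).items():
        print(f"{check}: {'ok' if ok else 'MISSING'}")
```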
 
