Ipv6 vpn gateway

Hey all,

My new VPN provider, Mullvad, supports IPv6. I have experience routing ipv4 hosts through the gateway, by creating a firewall rule for that specific host.

Now I am wondering how to do this with IPv6. What rule do I have to create to route all traffic from one of my hosts trough the V6 gateway of Mullvad?

Thanks in advance!

I suppose this is quite tricky. Hosts usually have multiple IPv6 addresses which change over time due to Privacy Extensions. These temporary addresses are used for outgoing connections in order to make it harder to track individual users / machines. In IPv4, NAT has a similar effect. Privacy Extensions can be disabled on most desktop operating systems. That’s normally not recommended, but in the case of routing traffic through a VPN, the machine’s address gets masqueraded either way.

Once Privacy Extensions are disabled, a machine will use the same (preferably static) IPv6 address for all outgoing connections. The rule in pfSense is just like with IPv4, except of course that you set the “Address Family” to “IPv6”, enter an IPv6 source address with /128 and choose the correct IPv6 gateway in the advanced options.

I have the same setup working albeit for a different VPN provider. Assuming you have set up Mullvad Wireguard on your PFSense already with both IPv6 and IPv4 gateways, here is what you need to do:

  1. You need to set an IPv6 static IP address (non-routable) for your LAN interface.
  2. Turn on DHCPv6 server in PFSense and have it allocating local, non-routable IPv6 addresses to your clients. Set the RA Router Mode to ‘Managed’. I also have my router priority set to ‘High’.
  3. Set up an outbound IPv6 NAT rule for your local IPv6 network to allow them to go out of the Wireguard interface.
  4. Set up IPv6 firewall rules in your LAN interface to have your local IPv6 network send traffic to the Mullvad IPv6 gateway.

I am happy to share screenshots too if that helps.

Thank you both for the response!

@paolo that is what I was worrying about too, the changing addresses. I’ll have to figure out how to disable the privacy addresses of my iocage jails. They also have a ULA address for internal networking, but that doesn’t matter I guess?

@day008 looks like a good tutorial! I would love to see some screenshots!

Here you go:

1.You need to set an IPv6 static IP address (non-routable) for your LAN interface.

  1. Turn on DHCPv6 server in PFSense and have it allocating local, non-routable IPv6 addresses to your clients. Set the RA Router Mode to ‘Managed’. I also have my router priority set to ‘High’.

image

  1. Set up an outbound IPv6 NAT rule for your local IPv6 network to allow them to go out of the Wireguard interface.

4.Set up IPv6 firewall rules in your LAN interface to have your local IPv6 network send traffic to the Mullvad IPv6 gateway.

Looks like a clear manual! Thanks!

The only problem I have is that my interfaces are trackinterfaces and I also have ULA’s via VIP’s.

Is it also possible without NAT? Because in that case I could block the GUA’s for my host and use the ULA’s to use the gateway.