IPv6 VPN gateway

Hey all,

My new VPN provider, Mullvad, supports IPv6. I have experience routing IPv4 hosts through the gateway, by creating a firewall rule for that specific host.

Now I am wondering how to do this with IPv6. What rule do I have to create to route all traffic from one of my hosts through the V6 gateway of Mullvad?

Thanks in advance!

I suppose this is quite tricky. Hosts usually have multiple IPv6 addresses which change over time due to Privacy Extensions. These temporary addresses are used for outgoing connections in order to make it harder to track individual users / machines. In IPv4, NAT has a similar effect. Privacy Extensions can be disabled on most desktop operating systems. That’s normally not recommended, but in the case of routing traffic through a VPN, the machine’s address gets masqueraded either way.

Once Privacy Extensions are disabled, a machine will use the same (preferably static) IPv6 address for all outgoing connections. The rule in pfSense is just like with IPv4, except of course that you set the “Address Family” to “IPv6”, enter an IPv6 source address with /128 and choose the correct IPv6 gateway in the advanced options.

I have the same setup working, albeit for a different VPN provider. Assuming you have set up Mullvad WireGuard on your pfSense already with both IPv6 and IPv4 gateways, here is what you need to do:

  1. You need to set an IPv6 static IP address (non-routable) for your LAN interface.
  2. Turn on DHCPv6 server in pfSense and have it allocating local, non-routable IPv6 addresses to your clients. Set the RA Router Mode to ‘Managed’. I also have my router priority set to ‘High’.
  3. Set up an outbound IPv6 NAT rule for your local IPv6 network to allow them to go out of the Wireguard interface.
  4. Set up IPv6 firewall rules in your LAN interface to have your local IPv6 network send traffic to the Mullvad IPv6 gateway.

I am happy to share screenshots too if that helps.

Thank you both for the response!

@paolo that is what I was worrying about too, the changing addresses. I’ll have to figure out how to disable the privacy addresses of my iocage jails. They also have a ULA address for internal networking, but that doesn’t matter I guess?

@day008 looks like a good tutorial! I would love to see some screenshots!

Here you go:

  1. You need to set an IPv6 static IP address (non-routable) for your LAN interface.
  2. Turn on DHCPv6 server in pfSense and have it allocating local, non-routable IPv6 addresses to your clients. Set the RA Router Mode to ‘Managed’. I also have my router priority set to ‘High’.
  3. Set up an outbound IPv6 NAT rule for your local IPv6 network to allow them to go out of the WireGuard interface.
  4. Set up IPv6 firewall rules in your LAN interface to have your local IPv6 network send traffic to the Mullvad IPv6 gateway.
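For readers who want to see what the four GUI steps above (and paolo's single-host /128 variant) amount to underneath, here is an added pf ruleset fragment of the kind pfSense generates; it is not from this thread or from pfSense itself. Interface names, the ULA prefixes, the tunnel next-hop and the site GUA prefix are all assumed placeholders. It also goes one step further than the post and shows the IPv6 counterpart of the "block all private subnets" rule for a guest network.

```pf
# Added example, not pfSense's generated rules. All addresses and interface
# names below are placeholders; replace them with your own.
lan_if   = "igb1"                      # LAN interface
guest_if = "igb2"                      # guest network interface
wg_if    = "wg0"                       # Mullvad WireGuard interface
lan_v6   = "fd00:1234:5678:1::/64"     # steps 1-2: ULA prefix handed out by DHCPv6
guest_v6 = "fd00:1234:5678:2::/64"     # ULA prefix of the guest network
vpn_host = "fd00:1234:5678:1::50/128"  # one host, as in the /128 rule (Privacy Extensions off)
wg_gw6   = "fe80::1"                   # IPv6 next hop on the tunnel (placeholder)
site_gua = "2001:db8:abcd::/48"        # your own delegated GUA prefix (placeholder)

# Step 3: outbound NAT so ULA sources leave the tunnel with wg0's own address.
# Without this the non-routable source would be dropped on the far side.
nat on $wg_if inet6 from $lan_v6 to any -> ($wg_if)

# Step 4: policy-route LAN IPv6 traffic into the tunnel instead of the WAN.
# Replace $lan_v6 with $vpn_host to send only one machine through the VPN.
pass in quick on $lan_if inet6 from $lan_v6 to any \
    route-to ($wg_if $wg_gw6) keep state

# Guest isolation, the IPv6 equivalent of blocking RFC1918 ranges:
# allow DNS to the firewall's own guest address, then deny everything to any
# ULA (fc00::/7 covers every ULA, not just yours) and to your own GUA prefix,
# then let the rest out through the VPN. Link-local (fe80::/10) is not
# blocked, so RA, NDP and DHCPv6 keep working on the guest segment.
pass in quick on $guest_if inet6 proto { tcp, udp } \
    from $guest_v6 to ($guest_if) port 53 keep state
block in quick on $guest_if inet6 from $guest_v6 to { fc00::/7, $site_gua }
pass in quick on $guest_if inet6 from $guest_v6 to any \
    route-to ($wg_if $wg_gw6) keep state
```

Because pfSense rewrites pf.conf from the GUI, use this only to check what your GUI rules produce (e.g. with `pfctl -sr` and `pfctl -sn`), not as a file to hand-edit.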

Looks like a clear manual! Thanks!

The only problem I have is that my interfaces are track interfaces and I also have ULAs via VIPs.

Is it also possible without NAT? Because in that case I could block the GUAs for my host and use the ULAs to use the gateway.

Hey all,

A little bump.

I made a separate subnet with the manual above, to create a guest network.
With IPv4 it was easy to block access to my other networks by blocking all private IPv4 subnets.
How do I do this with IPv6? I have GUAs and ULAs on my other subnets that I don’t want to be accessible by the users of my guest network.

Thanks in advance!