OpenWRT + Route64 w/WireGuard

This is not an endorsement of any of the above, but Route64 is a free IPv6 brokerage (among other things) and OpenWRT a very advanced, if sometimes fiddly, open source router firmware stack. WireGuard is a VPN system (to clarify, because the term “VPN” has been hijacked, a method to connect computers to a virtual network, not an anonymizing proxy) and you can use it to tunnel your IPv6 connection to another ISP.

You can read about all three here:

https://www.route64.org
https://openwrt.org
https://wireguard.org

Anyway... combine the three and you get a set of IPv6 prefixes for your network that are publicly routable. If you don't have IPv6 from your ISP, or it's crippled, this is an option. HOWEVER, there's a but, there's always a but... you do need an unchanging IP from your ISP at the time of writing. This is probably for security reasons but it means you can't use a failover connection and it'll be dubious over CGNAT. There are solutions to that too, involving a VPS, but we'll address that later.

At first glance it's not obvious how to set up OpenWRT with Route64 using Wireguard as the transportation mechanism. There are multiple solutions online which are not quite right, just enough to break things, and several on OpenWRT's own site require creating shell scripts, which means the functionality is hidden from the web interface. Let's break it down.

1. Set up a tunnel at Route64

This bit's fairly straightforward. Once you're registered, go to https://manager.route64.org/ and from the left pick IPv6 Tunnel Broker –> Add new tunnel broker.

Interface: This actually refers to where the tunnel provider is; the list of which city/country maps to which acronym is shown below the configurations. Pick whatever seems likely to be nearest to you.

Tunnel Type: Pick “Wireguard”

Remote Endpoint: Put your current fully routable IPv4 address here. (Some also take IPv6 addresses, and for some people behind CGNAT but with a suboptimal IPv6 service that might work.) You can, currently, only add one IP.

You can ignore the GRE key prompt. Just hit Create New Tunnel Broker Service and you'll get the information you need. Keep that tab open.

2. Set up the Wireguard connection on your public facing OpenWRT router

2.1 Install Wireguard

Wireguard is fully supported by OpenWRT with an official implementation but it's not included in the base install. But it's available on the OpenWRT repository so installing what you need is easy.

Log in to your OpenWRT router. Go to System –> Software. Hit the “Refresh Lists” button. Then search for “wireguard”. You will want to install:

Once installed, you may need to reboot your router. I did, as Luci didn't show the new protocol until I did.

2.2 Set up the transport interface (Wireguard VPN)

You'll be setting up two interfaces, a transport one for carrying data, and an IPv6 layer for carrying the main prefix data. So start by going to Network –> Interfaces, stay in the Interfaces tab, create a new Interface, and select “Wireguard VPN” as the protocol. Call it what you want; I suggest something like “vpnr64” – that's what I'll call it here.

Sidenote: Always give OpenWRT interfaces lowercase names. Misleadingly it converts them to uppercase in Luci, but you'll run into problems with case sensitivity if you don't.

Hit “Create” and before setting anything else up, on the General Settings tab select “Import Configuration”. It'll now give you a text box for importing information from Route64, so pop back to the latter's tab (told you to keep it open), and get the config (if you're at the list of tunnels, on the right hand side there's a “...” button next to the prefix information; hit that, and select Show Config, which at the time of writing is the only menu option there).

The config is shown on a page under the heading “Tunnel configuration for Linux”, and should look a bit like this:

[Interface]
PrivateKey = gkkljgrkjnraKJjkedjkf8idssd8dsds88=
Address = 2222:3333:4444:5555::2/64

[Peer]
PublicKey = fsaknmaf898afoafjiafsAJKNfjnasj=
AllowedIPs = ::/1, 8000::/1
Endpoint = 111.222.33.44:12345
PersistentKeepAlive = 30

Copy this, paste it into the OpenWRT Import Configuration box, and hit “Import Settings”.

Now save, and exit. At this point OpenWRT should try to bring up the connection and within a minute you should see that it's up and that it has an IPv6 address. If you want you can ssh into your box and ping the gateway listed on the Route64 page, like this:

ping -I vpnr64 2222:3333:4444:5555::1

(Substitute the gateway for 2222:3333:4444:5555::1)

2.3 Set up the IPv6 WAN interface

While Wireguard supports IPv6 packets, it either doesn't contain a method to send configuration information about IPv6 prefixes, or it does but the OpenWRT implementation doesn't support it, so we have to implement this ourselves as an interface that uses the Wireguard interface as its transport. There is, reportedly, a way of running DHCPv6 PD over Wireguard (which would mean you would always get the latest configuration from the Tunnelbroker), but alas Route64 doesn't do that, so we're going to instead hard code things.

So within OpenWRT, create a new Interface (same tab as earlier), call it “wanr64” (or whatever you want, but these instructions will refer to it as wanr64 – reminder, all names should be given in lower case), and select “Static Address” as the protocol.

So this is where it gets a little messy. First, from your VPN configuration, you'll see there's an address line, which in my example was 2222:3333:4444:5555::2/64

The part of the address before the :: is the routing prefix, but NOT the network prefix. It's just an internal prefix that's being used to help with routing packets.

Under IPv6 address, add ROUTINGPREFIX::3, eg I'd have entered 2222:3333:4444:5555::3

Under IPv6 gateway, put in ROUTINGPREFIX::1, eg I'd have entered 2222:3333:4444:5555::1

Under IPv6 routed prefix do NOT put in ROUTINGPREFIX. Instead go back to Route64, click on List IP Subnets, and copy the entire address under Subnet for this network. It'll look something like 6666:7777:8888:9900::/56 – copy it from start to finish including the /56 part.

In the “Advanced” tab make sure “Use default gateway” is checked, as is “Delegate IPv6 prefixes”, everything else except Force Link, which can be left alone as you prefer, should be blank.

Under Firewall settings, you'll either want to add a new IPv6 firewall or use the existing 'wan' firewall setting. (I personally prefer putting all the IPv6 stuff in its own thing as OpenWRT's defaults seem to cripple IPv6 a little, but it's up to you. If you do add an IPv6 firewall zone, remember to configure the Firewall such that the lan and IPv6 zone have full access to one another.)

Leave the DHCP server as unconfigured.

2.4 Set up routes and (optionally) the firewall

Because the interface that configures the IPv6 prefix is static, it doesn't automatically add routes for IPv6 packets. So you'll need to do that. Head to Network –> Routing, and then to the “Static IPv6 Routes” tab, and click “Add”.

Select “vpnr64” as the interface, unicast as the packet type, ::/0 as the target (yes, it's the same as the suggested entry, but the suggested entry isn't the default), and leave the Gateway field blank. And now save the results.

For the firewall, if you didn't place wanr64 under the existing 'wan' firewall, you'll need to allow traffic between “lan” and the zone you created. Go to Network –> Firewall, look for the line with the new zone you created (which currently goes... nowhere) and hit Edit. In the form that comes up, have “Accept” be the routing policy for at least the Input and Output fields, leave the check boxes blank, and select “lan” for both “Allow forward to destination zones” and “Allow forward from source zones”. Save, then Save & Apply.
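The routed /56 is publicly routable, so the zone settings above are what decide which router services and LAN hosts can be reached through the tunnel. The script below is an added example, not part of the original guide: it reads the text printed by "uci show firewall" and reports whether a zone accepts input to the router or may forward into lan. The zone name r64 and the sample text are constructed.

```shell
# Added example (not from the original guide). The zone name 'r64' and the
# sample `uci show firewall` text are constructed for illustration.

# audit_zone ZONE [LAN]: read `uci show firewall` text on stdin, print one
# line per finding, return 0 if nothing is exposed and 1 otherwise.
audit_zone() {
    awk -v zone="$1" -v lan="${2:-lan}" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        val = substr($0, eq + 1); gsub(q, "", val)   # drop uci quoting
        n = split(substr($0, 1, eq - 1), part, ".")
        if (n == 2) type[part[2]] = val              # section header line
        if (n == 3) opt[part[2], part[3]] = val      # option of a section
    }
    END {
        for (s in type) {
            if (type[s] == "zone" && opt[s, "name"] == zone) {
                seen = 1
                if (toupper(opt[s, "input"]) == "ACCEPT") {
                    print "input-accept: router services reachable from " zone; bad = 1
                }
            }
            if (type[s] == "forwarding" && opt[s, "src"] == zone && opt[s, "dest"] == lan) {
                print "forward-to-lan: " zone " may open connections to " lan; bad = 1
            }
        }
        if (!seen) { print "no-such-zone: " zone; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a separate IPv6 zone set up as section 2.4 describes.
sample_as_described() {
    cat <<'EOF'
firewall.@zone[2]=zone
firewall.@zone[2].name='r64'
firewall.@zone[2].network='wanr64'
firewall.@zone[2].input='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='r64'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='r64'
firewall.@forwarding[2].dest='lan'
EOF
}

sample_as_described | audit_zone r64 || true
```

On the router itself, pipe the live configuration in with: uci show firewall | audit_zone YOURZONE. OpenWRT's stock 'wan' zone rejects input and has no forwarding into lan, so it produces no findings.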

3. Now it should “Just work™”

You can verify the configuration is working by checking for an IP address with the new prefix on your computer's network interface, and typing something like “ping -6 www.microsoft.com”

Credits

I got many of the ideas from Craig Miller's guide on tunneling IPv6 through WireGuard on OpenWRT. The main difference between what he did and what I'm saying above is he was able to control both ends of the tunnel (he's talking about sharing your IPv6 block with others), and as such was able to run DHCPv6 PD over the WireGuard link. Alas that's not possible with Route64.