NetBSD-Users archive


Re: Setting up IPv6 wg tunnel



z411 <z411%omaera.org@localhost> writes:

> The NetBSD machine itself has working IPv6 connectivity.

You have left out your addressing design.  IPv6 is not a place where
people use NAT much.   It seems obvious you should have a /64 assigned
to your VPS and use that on the VPN, but it seems you only have one address.

You didn't explain if you ran ifconfig on wg0 on the client once up, and
what you see.

You didn't show pinging of the server-side fd00 address from the client
(or just say that it works, don't need to see it).

> $ext_if = ifaddrs(wm0)
> $vpn_if = ifaddrs(wg1)
>
> map wm0 dynamic 10.2.0.0/24 -> $ext_if
> map wm0 dynamic fd00:2::/64 -> $ext_if # I also tried typing the address
>
> group "vpn" on $vpn_if {
>         pass stateful in final all
>         pass stateful out final all
> }

This seems funny, to have stateful in for all.

You don't seem to have stateful out on wm0.  As I understand npf, that
is where the NAT state is carried.

npfctl list and npfctl show may help, and read the man page and look at
anything else that can be looked at.

Also there is tcpdump, to see packets arriving and departing on every
interface you can look at.

Proper NAT requires that ICMP from the WAN side be transformed into the
tunnel.   Not just for echo reply, but for MTU discovery.

This is just a list of things to check.   I have never tried to do NAT
with v6.

