OpenWrt Wireguard IPv6 NPT
# Register /etc/nftables.d/npt6-wg0.sh as the firewall include "npt6_wg0",
# then commit the change and restart the firewall.

# Remove any earlier definition so the section is rebuilt from scratch;
# -q keeps uci quiet when the section does not exist yet.
uci -q delete 'firewall.npt6_wg0'

uci set 'firewall.npt6_wg0=include'
uci set 'firewall.npt6_wg0.enabled=1'
# NOTE(review): the file at this path is a shell script that the firewall
# service presumably runs with its own (root) privileges - confirm it is
# owned by root and not writable by any other user.
# NOTE(review): firewall4 is understood to skip script includes that are not
# marked with the fw4_compatible option - confirm in the firewall log that
# this include is actually executed.
uci set 'firewall.npt6_wg0.path=/etc/nftables.d/npt6-wg0.sh'

uci commit firewall
service firewall restart
#!/bin/sh
# Firewall include script: load the NPT helper library and install the
# prefix-translation rules for the wg0 interface.

. /lib/functions/npt6.sh

npt6_setup 'wg0'
| #!/bin/sh | |
| . /lib/functions/network.sh | |
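# Print the first prefix assigned to an interface that begins with "fd",
# or an empty line when no assignment matches.
# Arguments: $1 - interface name handed to network_get_prefix_assignments6
# Outputs:   the matching prefix (or an empty line) on stdout
ipv6_priv_prefix() {
	local interface="$1"
	local prefix=""
	# cur_prefix is declared local so the loop variable does not leak into
	# the caller's (or the sourcing script's) global scope.
	local prefix_list cur_prefix

	network_get_prefix_assignments6 prefix_list "$interface"

	# Unquoted on purpose: the list is split on whitespace, one prefix per word.
	for cur_prefix in $prefix_list; do
		# A shell pattern replaces the per-item echo|awk pipeline; it
		# selects the same items (those starting with "fd").
		case "$cur_prefix" in
			fd*)
				prefix="$cur_prefix"
				break
				;;
		esac
	done

	echo "$prefix"
}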
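# Print the first prefix assigned to an interface that begins with "2" or
# "3", or an empty line when no assignment matches.
# Arguments: $1 - interface name handed to network_get_prefix_assignments6
# Outputs:   the matching prefix (or an empty line) on stdout
ipv6_pub_prefix() {
	local interface="$1"
	local prefix=""
	# cur_prefix is declared local so the loop variable does not leak into
	# the caller's (or the sourcing script's) global scope.
	local prefix_list cur_prefix

	network_get_prefix_assignments6 prefix_list "$interface"

	# Unquoted on purpose: the list is split on whitespace, one prefix per word.
	for cur_prefix in $prefix_list; do
		# A shell pattern replaces the per-item echo|awk pipeline; it
		# selects the same items (those starting with "2" or "3").
		case "$cur_prefix" in
			[23]*)
				prefix="$cur_prefix"
				break
				;;
		esac
	done

	echo "$prefix"
}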
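# Install a pair of prefix-translation rules in the fw4 table for one
# interface: WAN-inbound destinations in the interface's public prefix are
# rewritten to its private prefix (dstnat), and WAN-outbound sources in the
# private prefix are rewritten to the public prefix (srcnat).
# Arguments: $1 - interface whose prefix assignments are translated
# Outputs:   diagnostics on stderr when a required value is missing
# Returns:   0 when both rules were added, non-zero otherwise
#
# The dstnat rule only rewrites addresses; it does not filter anything.
# NOTE(review): which inbound connections actually reach hosts behind the
# interface is presumably decided by the fw4 forward rules for its zone -
# confirm that policy admits only the intended traffic.
# NOTE(review): the prefixes are read once, when this function runs; if the
# public prefix changes later the rules keep the old mapping until the
# function runs again (presumably on the next firewall restart) - confirm.
npt6_setup() {
	local NPT_DEV="$1"
	local NFT_COMMENT="NFT_NPT6_${NPT_DEV}"
	# Declared local so the lookups below do not leave WAN_IF / WAN_DEV
	# behind as globals in the calling script.
	local WAN_IF WAN_DEV PUB_PFX PRIV_PFX

	if [ -z "$NPT_DEV" ]; then
		echo "npt6_setup: missing interface argument" >&2
		return 1
	fi

	network_flush_cache
	network_find_wan6 WAN_IF
	network_get_device WAN_DEV "${WAN_IF}"

	PUB_PFX="$(ipv6_pub_prefix "${NPT_DEV}")"
	PRIV_PFX="$(ipv6_priv_prefix "${NPT_DEV}")"

	# Without all three values nft would be handed an incomplete rule;
	# stop before touching the ruleset instead.
	if [ -z "$WAN_DEV" ] || [ -z "$PUB_PFX" ] || [ -z "$PRIV_PFX" ]; then
		echo "npt6_setup: ${NPT_DEV}: WAN device or prefix not available" >&2
		return 1
	fi

	# The prefixes are spliced into nft rule text, so accept only the
	# characters an IPv6 prefix can contain.
	case "${PUB_PFX}${PRIV_PFX}" in
		*[!0-9a-fA-F:/]*)
			echo "npt6_setup: ${NPT_DEV}: unexpected characters in prefix" >&2
			return 1
			;;
	esac

	# Stop after a failed dstnat rule rather than adding the srcnat half
	# of the pair on its own.
	nft add rule inet fw4 dstnat \
		iifname "${WAN_DEV}" dnat ip6 prefix to ip6 \
		daddr map { "${PUB_PFX}" : "${PRIV_PFX}" } \
		comment "${NFT_COMMENT}" || return 1

	nft add rule inet fw4 srcnat \
		oifname "${WAN_DEV}" snat ip6 prefix to ip6 \
		saddr map { "${PRIV_PFX}" : "${PUB_PFX}" } \
		comment "${NFT_COMMENT}"
}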