18.06.4 - Wireguard Client

Hi there, I configured a WireGuard server with this:

and with my clients it works great. Now I want to set up my WRT3200ACM with 18.06.4 as a WireGuard client to route all traffic to my server, so at home I don't need my clients to run WireGuard.

I followed these instructions (without the Mullvad stuff):

I got it working, but only with IPv4.

I have no idea what is missing:

config interface 'wg0'
        option proto 'wireguard'
        option private_key '****************************'
        option listen_port '5604'
        list addresses '10.66.66.7/24'
        list addresses 'fd42:42:42::7/64'

config wireguard_wg0
        option public_key '*********************************'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'
        option endpoint_port '5544'
        option persistent_keepalive '25'
        option endpoint_host '******************'

ip a on OpenWrt shows that wg0 got an IPv4 but no IPv6 address.

Thank you

Correct. Most providers only offer one IPv4 and IPv6 address. IPv4 generally uses masquerade (NAT), hence it's working.

I can't surf or ping IPv6 addresses through the tunnel.

On a working client with a WireGuard tunnel on it I get this:

7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.66.66.2/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd42:42:42::2/64 scope global 
       valid_lft forever preferred_lft forever

On the router I only get a wg0 with an IPv4 address. I think there is something wrong with setting a WireGuard interface up on 18.06.4.

Were you issued Global IPv6 addresses?

This IP is local.

Also see:

Okay, so today I tried the WireGuard experiment again and set everything up new on my router.

I have got a server on the internet (a VPS at netcup); this machine has an IPv4/IPv6 dual-stack Ethernet connection. That has worked for some months now.

Some weeks ago I installed and configured the WireGuard server side on that machine, and the client side on my notebook and my desktop.

This all works nicely, without any problems; when I run a check on ipleak.net I get the correct IPv4 and IPv6 fallback addresses displayed. I can ping the IPv4/IPv6 address of my server, 10.66.66.1 / fd42:42:42::1, from the clients.

I configured that all with this howto:

Now I want my OpenWrt router at home to be a WireGuard client to this server, to tunnel all traffic through it, like my clients already do.

My problem is now that I only get it working with IPv4 and not with IPv6.
I have got a Unitymedia dual-stack internet connection.

There are some different documents on configuring WireGuard on the router. I am not sure which one is right.

Do I need only a WireGuard interface and the firewall zone to get it to work (with that I only get IPv4), or do I need more, or is there something missing?

I used this configuration example for my router:

but with the IPs from that:

Thank you.

You can either enable NAT6 or change the VPN provider.


Hello everyone. I have the same issue with WireGuard IPv6 support. But I've got my own VPS with a WireGuard server and can configure it as I want.
So can someone tell me step by step how to enable IPv6 support on OpenWrt as a WireGuard client through vpn-policy-routing (I use it to selectively push some apps to the VPN)? The VPN is not set as the main route.
My ISP doesn't support IPv6, and without wan6 I don't even have a DHCPv6 lease. My network setup is:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd42:42:42::/60'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth1.1'
	option macaddr '(hidden)'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '127.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '(hidden)'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option listen_port '51820'
	option proto 'wireguard'
	option private_key '(hidden)'
	list addresses '10.50.0.2/24'
	list addresses 'fd42:42:42::2/48'

config wireguard_wg0
	option endpoint_host '(hidden)'
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option public_key '(hidden)'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'


Well, one big step forward: I made the default IPv6 route go through the WireGuard VPN interface and it works!
My /etc/config/network looks like this:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid 'eui64'

config device 'lan_dev'
	option name 'eth1.1'
	option macaddr '8c:59:73:f9:d5:0e'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '127.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '8c:59:73:f9:d5:0f'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option listen_port '51820'
	option proto 'wireguard'
	option private_key '(hidden)'
	list addresses '10.0.0.2/16'
	list addresses 'fd42:42:42::2/48'

config wireguard_wg0
	option endpoint_host '(hidden)'
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option public_key '(hidden)'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'

config interface 'wg06'
	option ifname '@wg0'
	option proto 'static'
	option ip6prefix 'fd42:42:42::2/48'

config route6
	option interface 'wg0'
	option target 'fd42:42:42::2/128'

config route6
	option interface 'wg0'
	option gateway 'fd42:42:42::2'
	option target '::/0'



I actually did a quick setup of IPv6 a few moments ago based on your configs; and it worked.

  • Pick a prefix
  • Add an IP from that prefix to the OpenWrt (e.g. /64) and on the peer (as a /128)
  • Assign IP on peer app/software (using the prefix, e.g. /64)
  • Add the IPv6 route to OpenWrt

Happy me :relaxed:
One unsolved issue: how do I make DNS queries prefer IPv6?

Only add IPv6 DNS servers in your peer's config (recall your router also has an IPv6 address :wink:).

Nope, not so easy:

root@OpenWrt:~# drill txt qnamemintest.internet.nl @fd42:42:42::1
Error: error sending query: Could not send or receive, because of network error

  • Whoa...where's your public IPv6 address?
  • Did you assign one to the mobile/remote device?
  • And did you assign your DNS server IP on your mobile/remote device?
  • Why is this test being done on the router?

I thought your IP was ::2, not ::1.

fd42:42:42::1 is my DNS resolver. It stands at the top of the tunnel.
And yes, fd42:42:42::2 works... but not for clients.

???

That confused me, I mistook this peer for a phone, not the VPN server. So ensure you're running some DNS resolver listening at ::1 and that its firewall is open for requests.

It should, it's your router.

I can query it through the tunnel (from the mobile client) but not from a client of OpenWrt.

But if I advertise it as the DNS resolver via DHCPv6 in the LAN for clients, it won't work.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option noresolv '1'
	option allservers '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option cachesize '10000'
	option dnsforwardmax '300'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option nonwildcard '0'
	option nonegcache '1'
	option port '53'
	list server '10.0.0.1#53'
	list server '/pool.ntp.org/84.200.69.80'
	list server 'fd42:42:42::1#53'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option 'option:dns-server,192.168.1.1'
	option ra_management '1'
	option ra_default '1'
	list dns 'fd42:42:42::2'

What to change?

  • On LAN, Link Local DNS would be announced anyway
  • You must use ULA IPv6 addressing across links - not link local (I notice a prefix is not configured globally)
  • Not sure why DNS is listed in so many places, are you sure it's not nested queries and no DNS listed?
  • Are there routes for these ULAs?

That didn't help.

Not sure

I made it just like IPv4.

No, you didn't make a route to the subnet, just to the single /128 IP. Make this route /48.

Also, target ::0 is likely wrong, that is a network number, not an IP.

IPv6 connectivity is broken with /48.