I am behind CGNAT; however, my ISP provides IPv6, and via that I can reach my home devices (by placing the correct firewall rules in OpenWrt).
I have a WireGuard server running on a Raspberry Pi at home, and the Pi's IPv6 address is mapped to a DNS name.
The firewall rules for the WireGuard VPN are placed inside OpenWrt.
I can confirm that I can connect to the VPN with the above DNS name from outside my home network (with an IPv6 address), and it is very stable.
The issue I am trying to solve is making this VPN connection when I am outside home on an IPv4-only network.
What I tried is installing nginx on a dual-stack cloud VPS and setting up a stream to forward all traffic to the DNS name of my Pi.
Then, from an IPv4-only network, I tried accessing the VPN through the above dual-stack cloud VPS nginx. It works, but the connection feels intermittent, and I see some timeouts in the nginx logs. Is this the correct way to do IPv4-to-IPv6 translation for a VPN?
The nginx log shows the below randomly when trying the VPN through the reverse proxy:
nginx is HTTP/TCP and WireGuard is UDP, so I don't see how that could work at all. Something like Jool can translate v4 to v6. It seems the simplest way might be to set up the VPS with two WireGuard interfaces, one for the road warrior on v4 and one for the house on v6, then forward the inside-the-tunnel traffic between them.
Why are you trying to use nginx to proxy WireGuard connections? Set up a WireGuard tunnel between the VPS and your LAN. Then connect remote peers to the VPS.
So,
a WireGuard server runs on the VPS.
My Raspberry Pi (which is on the LAN) is set up as a WireGuard client and connects the VPN to the VPS,
or
is it my OpenWrt router that should be the WireGuard client and establish the VPN to the VPS?
Then, once I ask my clients to connect to the VPN on the VPS, can they access my LAN resources with 192.168.0.xx IP addresses?
Why not let everyone meet at the Internet-connected VM, and route your ULA through the VPN?
Point your DNS records however you like or set up an HTTP reverse proxy as it pleases you, but there is no need to unnecessarily tunnel traffic and add useless latency.
You can use nginx or HAProxy to easily serve content from the LAN to the Internet, too.
Sorry, I am not able to fully understand what you explained.
My need is simple:
when I am outside home, I would like to access my home network (access the router, SSH to my servers, etc.).
I can reach my home via IPv6 only.
When I am outside home, I might be on a network with IPv4 only or dual stack.
Damn it. My fear is true. Nobody told the kids that WireGuard, in the DEFAULT way, does not fiddle with routing or iptables rules. It just creates a tunnel. All this easy-wg-blabla shit is really bad in the sense that it teaches kids badly.
With WireGuard, you of course need to "allow" certain IP addresses or networks to enter and leave the encryption tunnel. But whether packets are actually routed via an encryption device is mostly based on routing.
What I want to say:
The mobile client uses:
    peer: the VM
    allowed_ip: 0.0.0.0/0 and ::/0
    auto route bla bla yes yes!
    nameserver: your:local:dns:server:at:home
The VM gets:
    one interface:
        listen port
        listen IP if you like
        allow the vpn ip of the mobile client
    another interface:
        listen port
        listen ip
        allow the home router's vpn ip
        allow ip: ULA
The router at home:
    peer: VM
    route allowed IP: the vpn ip range
Roughly like this.
TL;DR: your VM has two wg interfaces; that way you can route traffic. (Of course with forwarding enabled on the VM, and yes, a firewall can help too....)
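Written out as wg-quick configuration files, the two-interface layout sketched in this reply (and the earlier "tunnel between the VPS and your LAN" suggestion) comes down to the four files below. This is an added example, not configuration posted in the thread or generated by PiVPN; the VPS addresses (TEST-NET 203.0.113.10 and 2001:db8:1::10), the tunnel ranges 10.8.0.0/24 and 10.9.0.0/30, the home LAN 192.168.0.0/24 with its DNS on 192.168.0.1, the ports and every `<...>` key placeholder are assumptions to be replaced with your own values.

```ini
# ---- mobile client (IPv4-only or dual-stack network): /etc/wireguard/wg0.conf ----
[Interface]
PrivateKey = <mobile private key>
Address = 10.8.0.2/24
# Home DNS server, reachable only through the tunnel (assumed address)
DNS = 192.168.0.1

[Peer]
# VPS "road warrior" interface, reached over plain IPv4
PublicKey = <VPS wg0 public key>
Endpoint = 203.0.113.10:51820
# Split tunnel: only the home LAN and the two tunnel ranges go through the VPN.
# The reply above uses 0.0.0.0/0, ::/0 instead; that additionally needs a
# MASQUERADE rule on the VPS for the non-home traffic it would then carry.
AllowedIPs = 192.168.0.0/24, 10.8.0.0/24, 10.9.0.0/30
PersistentKeepalive = 25

# ---- VPS, interface 1: /etc/wireguard/wg0.conf (mobile clients arrive here on v4) ----
[Interface]
PrivateKey = <VPS wg0 private key>
Address = 10.8.0.1/24
ListenPort = 51820
# "Just creates a tunnel" means no forwarding: enable it and allow wg0 <-> wg1.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg1 -j ACCEPT; iptables -A FORWARD -i wg1 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg1 -j ACCEPT; iptables -D FORWARD -i wg1 -o wg0 -j ACCEPT

[Peer]
# One [Peer] block per mobile client. AllowedIPs is the cryptokey-routing check:
# only packets with this source address are accepted from this key.
PublicKey = <mobile public key>
AllowedIPs = 10.8.0.2/32

# ---- VPS, interface 2: /etc/wireguard/wg1.conf (the home end connects here over v6) ----
[Interface]
PrivateKey = <VPS wg1 private key>
Address = 10.9.0.1/30
ListenPort = 51821

[Peer]
# Home router (or the Pi). wg-quick adds a route for each AllowedIPs prefix,
# so 192.168.0.0/24 is routed into wg1 with no manual "ip route".
PublicKey = <home public key>
AllowedIPs = 10.9.0.2/32, 192.168.0.0/24

# ---- home end (the Pi, or the OpenWrt router via its UCI equivalent): /etc/wireguard/wg0.conf ----
[Interface]
PrivateKey = <home private key>
Address = 10.9.0.2/30
# No ListenPort needed: this side dials out to the VPS over IPv6.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT

[Peer]
PublicKey = <VPS wg1 public key>
Endpoint = [2001:db8:1::10]:51821
# Must include the mobile range ("route allowed IP: the vpn ip range" above),
# otherwise LAN replies to 10.8.0.x are dropped before they enter the tunnel.
AllowedIPs = 10.9.0.0/30, 10.8.0.0/24
PersistentKeepalive = 25
```

If the home end is the Pi rather than the router, LAN hosts send their replies to 10.8.0.x to their default gateway, not to the Pi, so either add a static route for 10.8.0.0/24 and 10.9.0.0/30 via the Pi on the OpenWrt router or let the Pi masquerade the tunnel traffic. `wg show` on the VPS should then report a recent handshake and rising transfer counters on both wg0 and wg1, and a traceroute from the phone to a LAN host should pass 10.8.0.1 and 10.9.0.2 on the way.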
Let me try this step by step.
Since I use PiVPN to install and create client configs for WireGuard, I never looked inside the config file it generates. Now I did, and I can slowly relate to the things you posted.
To also give you a fundamental hint that is obvious once it's pointed out to you.
WireGuard is a Layer-3 protocol. It runs over UDP/IP and UDP/IPv6, and inside the tunnel only Layer-3 traffic is possible. And not even all of it, but I will come to that later...
Layer-3? Which means IP. Internet Protocol. And Internet Protocol Version 6.
Each in a limited fashion, i.e. there is no ARP and no NDP, because it's Layer-3. You already know what to reach over there at the other end of the tunnel. If not, you set a route.
WireGuard, and IPsec for instance, also have a mechanism inside to only "allow" certain source and destination addresses.
OK, why do I say not all IP and IPv6 traffic? Because WireGuard doesn't give a shit about multicast and will not support it.
Which is OK. Because using dedicated point-to-point tunnels may seem like config overhead at first, but it gives you a shit load of cleaner and saner network design options regarding routing and firewalling.
Ah, and the most obvious one.
Depending on your OS, you can treat configured WireGuard interfaces like any other configured network interface... Just saying. Again, no need for wg-easy or whatever the modern street crack is called.
NAT64 is to give access to the v4 Internet through a v6-only connection. This is the opposite of your problem of reaching the house on v6 from a location that is v4 only.
Some ISPs are using it so they don't have to run dual stack on customers' lines; the link to each customer is v6 only. Since WireGuard readily supports dual stack inside a single tunnel, it does not seem necessary here.