OpenWRT router running Wireguard server with public IPv6; access to IPv4 LAN

Hello, I need some help:

I set up a small computer with two NICs running OpenWRT as my main router. Everything is configured fine so far - I guess:

Public Internet --> OpenWRT eth0

  • public IPv6 address, public IPv6 prefix
  • CGNAT IPv4 address

LAN --> OpenWRT eth1

  • handing internal IPv4 addresses to different VLANs
  • delegating public IPv6 prefix into different VLANs

I want to run a Wireguard server on my router to give external clients access to my LAN (i.e. one of the VLANs).
I configured it with an IPv4 address and to listen on the default port (51820). I then forwarded that port from my router to the Wireguard IPv4 address.

So far I followed different tutorials but the problem seems to be that I cannot get a handshake between my phone (client app, iOS) and my router (Wireguard server). My phone is connecting to the external public IPv6 address of my router.

I guess that is what I am doing wrong?! But I cannot find out the right configuration...

Is IPv4 on wireguard correct in my use case? Is some kind of NAT from IPv6 to IPv4 missing?
Do I have to give the Wireguard server and peers IPv6 addresses only? Do they need to get a prefix delegated? If so, how?! Do they get ULA addresses?!

Any input and help would be appreciated!

Regards,
anbe

As you don't have a public IPv4 address then you either need to run the WireGuard tunnel over IPv6 (it can carry IPv4 inside) or set up a remote host somewhere (e.g. a VPS) that does have a public IPv4 address and use that as a 'hub'.


Outside the tunnel will be all v6 in this case. Inside the tunnel can carry v4 or v6 or both at the same time. For simply accessing a home LAN you can use v4 in the conventional way. Most but not all ISPs that support v6 will pass through incoming connections all the way to your router. There is no need to "forward ports" with v6 since there is no NAT.

Run tcpdump on the Wireguard listen port to see if any requests from the phone are received. The phone must be running on a separate Internet connection such as through its phone company. It will not work to test while the phone is connected to your home WiFi.

Could you be more specific on the "tunnelling"?

Does the Wireguard-Interface need an IPv4 or IPv6 (public? local?) address? Who does the tunnelling of IPv4 traffic inside the IPv6 tunnel? OpenWRT? Is a package needed?

I have a VPS (several, really) with public IPv4 addresses. But I thought - as I have a public IPv6 address on my WAN port - I could do without them by directly connecting the client to my router via IPv6.

The WireGuard tunnel itself runs over IPv6 so the peer endpoints will be IPv6. What you put inside the tunnel is separate, so if you want IPv4 then give the interfaces IPv4 addresses.

Does your mobile provider use ipv6 on their network?

Of course my phone is on a separate connection - not my WiFi.

What you are saying does not sound like it applies to my case: My router itself (WAN-port) gets a public IP assigned. Prefixes are delegated to LAN-devices. The wireguard interface does not get a prefix/IPv6 address. So the connection from outside to port 51820 should terminate at my router - never reaching the wireguard interface???

The Wireguard IP for encrypted (outer) packets is the public IPv6 held by the wan interface on your router where Wireguard is listening. This would be configured into the phone, or entered into a DDNS server so that your router can be found by name.

As is the case for v4, the firewall needs a rule to allow UDP input from wan on the listen_port. This can be constrained to v6 only with the family option. If you don't specify the family, both V4 and V6 connections to Wireguard will be accepted, though V4 is not useful since it is not publicly reachable.


When a properly encrypted (keys match) Wireguard packet arrives at the public listen port, the Wireguard kernel process will decrypt it and pass the inner IPv4 packet to the internal wg interface, where it can be forwarded to the lan.

Another attempt:

  • Wireguard Interface, IPv4 address
  • Firewall rule to accept input on WAN interface on that port

result:
Phone says that the handshake is not happening. Interface shows "RX 0 Bytes, TX 0 Bytes"

Is there a basic guide that should apply to my scenario? I have the feeling that I need to eliminate points of failure...

Does your mobile have an ipv6 address?

Yes, IPv6 connectivity is there.

Right, time to see some configs then. Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Also, let's see the WG config from the phone.

See https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

As already suggested, check with tcpdump if you have any traffic on 51820/UDP.

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "router",
        "system": "Intel(R) N100",
        "model": "AWOW Technology Co., Ltd. AK10",
        "board_name": "awow-technology-co-ltd-ak10",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd41:XXXX:XXXX::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'none'
        option ip6assign '60'
        list ip6class 'wan6'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option hostname '*'
        option delegate '0'

config device
        option name 'eth0'

config device
        option name 'eth1'
        option macaddr 'CC:XX:D0:XX:0D:XX'
        option mtu '1472'
        option mtu6 '1472'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ip6assign '58'
        option ip6weight '1'
        list ip6class 'wan6'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option name 'br-lan.3'

config interface 'Gastnetzwerk'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan.1'

config interface 'Heimnetzwerk'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'
        option ip6assign '64'
        list ip6class 'wan6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'

config interface 'HeimnetzVPN'
        option proto 'wireguard'
        option private_key '...'
        list addresses '192.168.250.1/24'
        option listen_port '51280'

config wireguard_HeimnetzVPN
        option description 'Peer1'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        list allowed_ips '192.168.250.2/32'
        option route_allowed_ips '1'

cat /etc/config/wireless

  • does not apply, wireless is not done by OpenWRT

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list notinterface 'wan'
        list notinterface 'wan6'
        option rebind_localhost '1'

config dhcp 'lan'
        option interface 'lan'
        option start '79'
        option limit '41'
        option leasetime '3h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Gastnetzwerk'
        option interface 'Gastnetzwerk'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'Heimnetzwerk'
        option interface 'Heimnetzwerk'
        option start '79'
        option limit '41'
        option leasetime '3h'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        option dhcpv6 'hybrid'
        option ndp 'hybrid'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Heim2WAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Heimnetzwerk'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'Heimnetz'
        list network 'Heimnetzwerk'
        list network 'HeimnetzVPN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'Heim2WAN'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Heim2WAN'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Heim2WAN'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS-DHCP Gastnetzwerk'
        option src 'Gastnetzwerk'
        option src_port '53 67 68'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'Gast2WAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Gastnetzwerk'

config zone
        option name 'Gastnetzwerk'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Gastnetzwerk'

config forwarding
        option src 'Gast2WAN'
        option dest 'wan'

config rule
        option name 'Wireguard port'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option dest_port '51820'
        option target 'ACCEPT'

Phone-Config:

Delete option src_port

That helped - partly. Furthermore: Saw my own mistake: Switched "51280" to "51820" here. Corrected. Handshake happening now.

BUT: I have no LAN access to IPv4 addresses.

Is that correct?

Networks should only be in one firewall zone. If you have two networks in the same zone and want to allow traffic to pass between them then forward needs to be accept.

Trying to get a grasp on that as we speak... watching the videos by OneMarcFifty.

Will try to do that more intelligently... thought I needed individual "zones" to allow traffic between WAN and several VLANs and so on.

To sum up the way to my solution so far:

This setting in the firewall was necessary to allow traffic on the port from WAN to my router:

config rule
        option name 'Wireguard port'
        list proto 'udp'
        option src 'wan'
        option dest_port '51280'
        option target 'ACCEPT'

As well as this setting in the firewall to allow connectivity to the devices on my LAN:

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'Heimnetz'
        list network 'Heimnetzwerk'
        list network 'HeimnetzVPN'

Now my phone connects via the public IPv6 to the Wireguard server on my router and is able to access IPv4 LAN devices. Pretty sure that I still got a misconfiguration in my firewall (too many zones?!) so that web-access via VPN is not possible.
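As an added example (not from this thread, not OpenWrt's code), the four mistakes the thread surfaced can be checked mechanically from the two config dumps: a WAN rule whose dest_port does not match the WireGuard listen_port (51280 vs 51820), a src_port on that rule, a network listed in two firewall zones, and a shared zone whose forward policy is REJECT. The script parses the config/option/list subset of UCI syntax and runs over constructed, abridged "before" and "after" versions of the configs posted above; the finding codes and the typo heuristic (same digits in another order) are assumptions of this example.

```python
"""Check an OpenWrt WireGuard setup for the mistakes found in this thread: a wan
rule on a typo'd port, a src_port restriction, a network in two zones, a shared
zone with forward REJECT. Added example, not OpenWrt's or the poster's code; it
parses only the config/option/list subset of UCI; embedded configs are constructed."""
import shlex
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Section:
    type: str
    name: str
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)

    def values(self, key):
        # UCI accepts "option proto 'udp'" or "list proto 'udp'"; merge both, split "53 67 68".
        return list(self.lists.get(key, [])) + self.options.get(key, "").split()


def parse_uci(text):
    sections, cur = [], None
    for raw in text.splitlines():
        p = shlex.split(raw, comments=True)
        if p and p[0] == "config":
            cur = Section(p[1], p[2] if len(p) > 2 else "")
            sections.append(cur)
        elif p and p[0] == "option" and cur is not None:
            cur.options[p[1]] = p[2] if len(p) > 2 else ""
        elif p and p[0] == "list" and cur is not None:
            cur.lists.setdefault(p[1], []).append(p[2] if len(p) > 2 else "")
    return sections


def check_wireguard(network_text, firewall_text):
    """Return (code, message) findings; an empty list means nothing to fix."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    zones = [s for s in fw if s.type == "zone"]
    owners = defaultdict(list)  # fw4 puts each network in exactly one zone
    for z in zones:
        for n in z.values("network"):
            owners[n].append(z.options.get("name", "?"))
    findings = [("multi-zone", f"network '{n}' is in zones {zs}; keep it in one")
                for n, zs in owners.items() if len(zs) > 1]
    # INPUT rules (no dest) from wan that accept UDP: candidates for the listen port.
    wan_udp = [r for r in fw if r.type == "rule" and r.options.get("src") == "wan"
               and "dest" not in r.options and r.options.get("target", "").upper() == "ACCEPT"
               and "udp" in r.values("proto")]
    for wg in [s for s in net if s.type == "interface" and s.options.get("proto") == "wireguard"]:
        port = wg.options.get("listen_port", "")
        rules = [r for r in wan_udp if port in r.values("dest_port")]
        if not rules:  # no exact match: same digits in another order is a typo (51280 vs 51820)
            rules = [r for r in wan_udp
                     if any(q != port and sorted(q) == sorted(port) for q in r.values("dest_port"))]
            findings.append(("port-typo", f"{wg.name}: listens on {port}, wan rule accepts {rules[0].values('dest_port')}")
                            if rules else ("no-input-rule", f"{wg.name}: no wan rule accepts UDP {port!r}"))
        for r in rules:
            rn = r.options.get("name", "?")
            if r.values("src_port"):  # clients use ephemeral source ports; src_port drops them
                findings.append(("src-port", f"rule '{rn}': remove src_port {r.values('src_port')}"))
            if "family" not in r.options:  # only IPv6 is reachable here (CGNAT on v4)
                findings.append(("no-family", f"rule '{rn}': add family 'ipv6'"))
        for z in zones:  # members of one zone only reach each other if the zone forwards
            m = z.values("network")
            if wg.name in m and len(m) > 1 and z.options.get("forward", "REJECT").upper() != "ACCEPT":
                findings.append(("zone-forward-reject", f"zone '{z.options.get('name')}' holds {m}, forward is not ACCEPT"))
    return findings


# Constructed inputs, abridged from the thread: the "before" state with all four mistakes.
NETWORK_BEFORE = """
config interface 'HeimnetzVPN'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '192.168.250.1/24'
        option listen_port '51280'
"""
FIREWALL_BEFORE = """
config zone
        option name 'Heim2WAN'
        option forward 'ACCEPT'
        list network 'Heimnetzwerk'
config zone
        option name 'Heimnetz'
        option forward 'REJECT'
        list network 'Heimnetzwerk'
        list network 'HeimnetzVPN'
config rule
        option name 'Wireguard port'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option dest_port '51820'
        option target 'ACCEPT'
"""
# "After": ports agree, Heim2WAN zone dropped, Heimnetz forwards, src_port replaced by family.
NETWORK_AFTER = NETWORK_BEFORE.replace("51280", "51820")
FIREWALL_AFTER = ("config zone" + FIREWALL_BEFORE.split("config zone")[2]
                  .replace("forward 'REJECT'", "forward 'ACCEPT'")
                  .replace("option src_port '51820'", "option family 'ipv6'"))

if __name__ == "__main__":
    print([c for c, _ in check_wireguard(NETWORK_BEFORE, FIREWALL_BEFORE)], check_wireguard(NETWORK_AFTER, FIREWALL_AFTER))
```

Run it against the real files with `check_wireguard(open('/etc/config/network').read(), open('/etc/config/firewall').read())`; an empty list means the rule, port and zone layout are consistent, and a remaining "no-input-rule" after that points back at the firewall rather than at the phone config.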