Wireguard Client over IPV6 endpoint

Hello guys,

sorry for my bad english.
I'm still very new to OpenWrt.
My ISP provides me with a DS-Lite connection, which is why I rely on IPV6.
I would like to connect an OpenWrt router as a Wireguard client to a Wireguard server and an IPV6 endpoint should be used. (I already use this configuration successfully on an Android smartphone).
OpenWrt successfully connects. Ping works. I can also connect to devices from the server network via ssh.
But I cannot reach services on other ports (WebUi, stream from an Enigma2 box and so on ..).

Does anyone have a solution for this problem?

Greetings Florian

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \

Also post the WG server configuration if available.

1 Like

Hi,

What I would like to add:
I still have a Vserver with Debian. Socat runs on this and is configured as follows:
socat UDP4-LISTEN:1234,fork,su=nobody UDP6:**********.myfritz.net:1234

Works perfectly with my Android smartphone and have access via IPV4.

In the current configuration, the IPV4 of the Vserver is also a test as the endpoint
However, the same error with OpenWrt as with the IPV6 endpoint.

Now here is the output:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
>
{
        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "GL-MT300N-V2",
        "board_name": "gl-mt300n-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:c4b3:a750::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '**********'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'ASUS_MANGO'
        option proto 'wireguard'
        list addresses '100.64.0.3'
        option private_key '******'

config wireguard_ASUS_MANGO
        option public_key '*******'
        option endpoint_port '1234'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '100.64.0.0/24'
        option route_allowed_ips '1'
        option endpoint_host '****'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/10300000.wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key '******'
        option encryption 'psk2'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 ASUS_MANGO'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul                                                                                                                     t qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP gr                                                                                                                     oup default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state                                                                                                                      UP group default qlen 1000
    inet 192.168.178.73/24 brd 192.168.178.255 scope global eth0.2
       valid_lft forever preferred_lft forever
20: ASUS_MANGO: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNK                                                                                                                     NOWN group default qlen 1000
    inet 100.64.0.3/32 brd 255.255.255.255 scope global ASUS_MANGO
       valid_lft forever preferred_lft forever

default via 192.168.178.1 dev eth0.2 proto static src 192.168.178.73
100.64.0.0/24 dev ASUS_MANGO proto static scope link
192.168.1.0/24 dev ASUS_MANGO proto static scope link
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.178.0/24 dev eth0.2 proto kernel scope link src 192.168.178.73
****** via 192.168.178.1 dev eth0.2 proto static
local 100.64.0.3 dev ASUS_MANGO table local proto kernel scope host src 100.64.0                                                                                                                     .3
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0                                                                                                                     .1
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168                                                                                                                     .8.1
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1                                                                                                                     
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.1                                                                                                                     68.8.1
broadcast 192.168.178.0 dev eth0.2 table local proto kernel scope link src 192.1                                                                                                                     68.178.73
local 192.168.178.73 dev eth0.2 table local proto kernel scope host src 192.168.                                                                                                                     178.73
broadcast 192.168.178.255 dev eth0.2 table local proto kernel scope link src 192                                                                                                                     .168.178.73
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::9683:c4ff:fe02:db7b/64 scope link
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 ****:****:***:****::1/62 scope global dynamic noprefixroute
       valid_lft 7156sec preferred_lft 3556sec
    inet6 fd5a:c4b3:a750::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe02:db7b/64 scope link
       valid_lft forever preferred_lft forever
17: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 ****:****:***:****:****:****:****:****/128 scope global dynamic nopref                                                                                                                     ixroute
       valid_lft 7156sec preferred_lft 3556sec
    inet6 fe80::9683:c4ff:fe02:db7b/64 scope link
       valid_lft forever preferred_lft forever
19: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::9683:c4ff:fe02:db7b/64 scope link
       valid_lft forever preferred_lft forever
default from ****:****:***:****:****:****:****:**** via fe80::f2b0:14ff:fe28:982                                                                                                                      dev eth0.2 proto static metric 512 pref medium
default from ****:****:****:****::/62 via fe80::f2b0:14ff:fe28:982 dev eth0.2 pro                                                                                                                     to static metric 512 pref medium
****:****:***:****::/56 from ****:****:***:****:****:****:****:**** via fe80::f2                                                                                                                     b0:14ff:fe28:982 dev eth0.2 proto static metric 512 pref medium
****:****:***:****::/56 from ****:****:***:****::/62 via fe80::f2b0:14ff:fe28:98                                                                                                                     2 dev eth0.2 proto static metric 512 pref medium
****:****:***:****::/64 dev eth0.2 proto static metric 256 pref medium
****:****:***:****::/64 dev br-lan proto static metric 1024 pref medium
unreachable ****:****:***:****::/62 dev lo proto static metric 2147483647 error                                                                                                                      4294967148 pref medium
fd5a:c4b3:a750::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd5a:c4b3:a750::/48 dev lo proto static metric 2147483647 error 4294                                                                                                                     967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local ****:****:***:****:****:****:****:**** dev eth0.2 table local proto kernel                                                                                                                      metric 0 pref medium
anycast ****:****:***:****:: dev br-lan table local proto kernel metric 0 pref m                                                                                                                     edium
local ****:****:***:****::1 dev br-lan table local proto kernel metric 0 pref me                                                                                                                     dium
anycast fd5a:c4b3:a750:: dev br-lan table local proto kernel metric 0 pref mediu                                                                                                                     m
local fd5a:c4b3:a750::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fe02:db7b dev eth0 table local proto kernel metric 0 pref                                                                                                                      medium
local fe80::9683:c4ff:fe02:db7b dev eth0.2 table local proto kernel metric 0 pre                                                                                                                     f medium
local fe80::9683:c4ff:fe02:db7b dev br-lan table local proto kernel metric 0 pre                                                                                                                     f medium
local fe80::9683:c4ff:fe02:db7b dev wlan0 table local proto kernel metric 0 pref                                                                                                                      medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev ASUS_MANGO table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from ****:****:***:****::1/62 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000015:     from all iif br-lan failed_policy
4200000017:     from all iif eth0.2 failed_policy
4200000017:     from all iif eth0.2 failed_policy
4200000020:     from all iif ASUS_MANGO failed_policy

Move the ASUS_MANGO interface from wan firewall zone to lan.

1 Like

I just tried that. Unfortunately without success.
Ping works.
But everything else doesn't work. A connection to devices in the server network also no longer works.

You already have routes in OpenWrt for 100.64.0.0/24 and 192.168.1.0/24 via the tunnel.
By moving the ASUS_MANGO interface in lan zone, traffic between lan and the wireguard will be allowed.
Is the ASUS_MANGO added in iptables?
iptables-save -c | grep -i ASUS_MANGO
Could you explain what is the flow you are trying to use? (src + dst ip:port)

1 Like

My network is structured as follows:

Fritzbox from my ISP (192.168.178.0)

Behind: Asus AC-86U (192.168.1.0), Wireguard Server (100.64.0.0)
The OpenWrt router should be used for mobile devices and should reach all devices from the 192.168.1.0 network.

iptables-save -c | grep -i ASUS_MANGO brings the following output:


root@OpenWrt:~# iptables-save -c | grep -i ASUS_MANGO
[0:0] -A PREROUTING -i ASUS_MANGO -m comment --comment "!fw3" -j zone_wan_prerou                                      ting
[135:7020] -A POSTROUTING -o ASUS_MANGO -m comment --comment "!fw3" -j zone_wan_                                      postrouting
[135:7020] -A FORWARD -o ASUS_MANGO -p tcp -m tcp --tcp-flags SYN,RST SYN -m com                                      ment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A INPUT -i ASUS_MANGO -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -i ASUS_MANGO -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A OUTPUT -o ASUS_MANGO -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A zone_wan_dest_ACCEPT -o ASUS_MANGO -m conntrack --ctstate INVALID -m co                                      mment --comment "!fw3: Prevent NAT leakage" -j DROP
[135:7020] -A zone_wan_dest_ACCEPT -o ASUS_MANGO -m comment --comment "!fw3" -j                                       ACCEPT
[0:0] -A zone_wan_dest_REJECT -o ASUS_MANGO -m comment --comment "!fw3" -j rejec                                      t
[0:0] -A zone_wan_src_REJECT -i ASUS_MANGO -m comment --comment "!fw3" -j reject

And here is the output when the interface is added to the lan zone:

root@OpenWrt:~# iptables-save -c | grep -i ASUS_MANGO
[0:0] -A PREROUTING -i ASUS_MANGO -m comment --comment "!fw3" -j zone_lan_prerouting
[1:52] -A POSTROUTING -o ASUS_MANGO -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A INPUT -i ASUS_MANGO -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A FORWARD -i ASUS_MANGO -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A OUTPUT -o ASUS_MANGO -m comment --comment "!fw3" -j zone_lan_output
[3:156] -A zone_lan_dest_ACCEPT -o ASUS_MANGO -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i ASUS_MANGO -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

The OpenWrt router is also just for testing behind the Fritz box. If I now enter the local address as the endpoint that the asus gets from the fritzbox as a wan address, the connection works. Therefore I want to rule out an incorrect Wireguard configuration. I suspect the problem is related to ipv6.

You didn't specify that:

I didn't understand what you mean here. From which source IP to which destination IP and what protocol/port is the problem?

I don't really understand what is meant. Traffic should go to asus_publicipv6: 1234 UDP or, if IPV6 is not available, to Vserver_IPV4, which converts the traffic to ipv6 and forwards it to asus_publicipv6: 1234

I wanted to say that if I enter the local address at endpoint (192.168.178.22, this is the wan ip from asus) everything works and I can access all services in the 192.168.1.0 network.

I want to reach Pyload (192.168.1.1:8000), an enigma2 stream and the webui on port 80 (192.168.1.203:8001, 192.168.1.203:80) and an ip cam (192.168.1.200:850)

All of this does not work via public_ipv6 or Vserver_ipv4. Only ssh works with the above devices.

From your first post:

Which is the server network? What IP addresses does it have? And to which devices does it connect?

I don't know what these IP addresses are and it is becoming quite complicated.
You have two endpoints, the OpenWrt router (let's call it RouterA) with networks 192.168.178.0/24 and 192.168.8.0/24, and some internet server (RouterB) which has 192.168.1.0/24.
Traffic from 192.168.8.0/24 -> 192.168.1.0/24 goes through the tunnel without NAT. Does RouterB allow traffic from 192.168.8.0/24 through the tunnel? Does it have a route to send packets back?
If this is not the flow that has issues, explain which one is it.

Router A (only provides a connection to the internet, nothing more)
192.168.178.0/24

Router B (is connected to router A via wan 192.168.178.22)
192.168.1.0/24
The Wireguard server runs on router B (100.64.0.1)

Router C
192.168.8.0/24
router C should be used as a mobile device and connect to router B via wireguard and should reach all devices from the 192.168.1.0/24 network

For testing I connected router C to router A and specified 192.168.178.22:1234 as the endpoint. Everything works perfectly.

However, if I take router B's public IPV6 as the endpoint, I can no longer access WebUi and other services.

ping from router C to router B -> works
ping from router B to router C -> works
ssh from router C to router B -> works
Webui from router B via router C -> not working
That is what I don't understand.....

Wireguard Server:

interface: wg0
  public key: ************
  private key: (hidden)
  listening port: 1234

peer: *******************
  endpoint: [2a03:****:**:***:****:****:****:****]:39252
  allowed ips: 100.64.0.3/32, 192.168.8.0/24
  latest handshake: 1 minute, 57 seconds ago
  transfer: 199.91 KiB received, 407.26 KiB sent

peer: ***************
  allowed ips: 100.64.0.2/32

peer: *****************
  allowed ips: 100.64.0.4/32

Router C Wireguard Client:

interface: ASUS_MANGO
  public key: **********
  private key: (hidden)
  listening port: 37716

peer: ****************************
  endpoint: *************:1234
  allowed ips: 192.168.1.0/24, 100.64.0.0/24
  latest handshake: 1 minute, 59 seconds ago
  transfer: 748.03 KiB received, 520.75 KiB sent

Edit:
This problem does not seem to have been there for the first time:


However, the solution has not been said, or there is none.

Which is the source IP and destination IP and port?

Verify with tcpdump that packets are coming in and out of the correct interfaces.

1 Like

I was able to solve the problem after a long time.
The problem was with the MTU being too high. I left the setting on default 1420.
After I set the value to 1300, it works fine.

Nevertheless, many thanks for your efforts.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.