My OpenWrt has WireGuard protocol enabled. This problem occurs when I use a Windows 10 or iOS client to connect to my OpenWrt server.
Under a 5G environment, my iPhone will obtain a global IPv4 and an IPv6 address at the same time. The endpoint type is not limited to my OpenWrt, so my iPhone can use IPv4 or IPv6 to create a VPN connection.
If I choose IPv6 to create the tunnel, it will be perfect. However, if I choose IPv4, the IP address of my iPhone shown on OpenWrt is my OpenWrt's IPv4 global address, and the iPhone's communication port shown on OpenWrt changes intermittently. I have never seen this before, and I think it is weird.
I have to mention that this is a new router. I just copied the old WireGuard configurations to this new router—the old configuration worked in the past for a very long time.
I think you're saying that you want your private LANs to be reachable through WireGuard, but the iPhone to use its local 5G connection for everything else; that is, any public website, both V4 and V6, should stay outside the tunnel and reach the Internet directly through the phone company. This is called a "split tunnel" and it is strictly a question of configuring the phone WireGuard client and the phone's routing system. It doesn't have anything to do with the OpenWrt end of the tunnel.
Yes, I want to access my private LAN from the 5G environment. In the definition of the iPhone's WireGuard settings, Allowed_IPs only contains my LAN network segment, such as 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, etc.
Compared with full tunnel, I believe your keyword "split-tunnel" can describe my situation more precisely. But these settings are related to the OpenWrt's profile and iPhone's profile at the same time.
You can delete the port on the client; it will then use a random port to its liking.
It is normal that the server shows the IP address from which the connection takes place, as you only allow IPv4 traffic (list allowed_ips = '10.100.80.4/32'); it might not do it if you use IPv6?
Yes, you are right. I added ListenPort = 7980 just for testing. I know it is not the right configuration because my iPhone may not obtain a global address. If the iPhone is behind NAT, then ListenPort will be translated to another port by its NAT router.
From my knowledge of WireGuard, the peer's endpoint is the combination of IP address and port. It should not be OpenWrt's IP address.
In IPv6, the truth is the same as my assumption. However, in IPv4 circumstances, the peer endpoint's IP address is OpenWrt's WAN IP, and the port is changed intermittently. I don't believe it is normal.