Wireguard issue connecting on Linux client (forcing IPv6 resolution)

Hi all, my first question here, so I hope I'll provide the expected details :smiley: !

My WireGuard setup works perfectly on Android and Windows, but on my Arch machine it stubbornly resolves my endpoint to IPv6 and refuses to connect. Same config file, same server, different behavior. I've tried a bunch of things but nothing sticks, so I'm hoping someone here has dealt with this before or has any idea how to help.

System:

Problem: WireGuard resolves my dynamic DNS endpoint to IPv6, but the connection only works over IPv4.

After running wg-quick up with my normal config:

❯ sudo wg show
interface: flipflop_opwrt
  public key: ********************
  private key: (hidden)
  listening port: 56821
  fwmark: 0xca6c
peer: *****************
  endpoint: [2001:*:*:*::*]:51823
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds

If I replace my domain name with my current public IPv4, it works as expected and I get a handshake:

sudo wg show
interface: flipflop_opwrt
  public key: *******************
  private key: (hidden)
  listening port: 54401
  fwmark: 0xca6c
peer: *********************
  endpoint: *.*.*.*:51823
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 1.54 KiB received, 22.30 KiB sent
  persistent keepalive: every 25 seconds

What works:

  • Connection works on Android (auto-resolves to IPv4)
  • Connection works on Windows (auto-resolves to IPv4)
  • Connection works on Arch if I hardcode my IPv4 address instead of the domain name

What I've tried:

  • Deployed the config via wg-roadwarrior, which apparently should have handled the IPv6 configuration properly.
  • Some PreUp / PostDown commands which didn't work.
  • Some rules on my laptop to avoid resolving my hostname in IPv6.

What I want to achieve:

  • I would prefer to toggle the VPN from GNOME Quick Settings
  • I'd like to avoid permanently fixing my public IPv4 address in my config, as I'm on dynamic DNS
  • I don't want to disable IPv6 globally

Looking for either solution:

  1. Force domain resolution to IPv4 only for this connection
  2. Fix my configuration to make IPv6 work properly

Server config (OpenWrt router):

root@OpenWrt:~# uci show network | grep wg
network.wg_admin=interface
network.wg_admin.proto='wireguard'
network.wg_admin.private_key='********************'
network.wg_admin.listen_port='51823'
network.wg_admin.addresses='192.168.20.1/24'
network.wireguard_wg_admin_flipflop=wireguard_wg_admin
network.wireguard_wg_admin_flipflop.description='flipflop'
network.wireguard_wg_admin_flipflop.public_key='******************'
network.wireguard_wg_admin_flipflop.persistent_keepalive='25'
network.wireguard_wg_admin_flipflop.allowed_ips='192.168.20.2/32'
root@OpenWrt:~# wg show wg_admin
interface: wg_admin
  public key: *********************
  private key: (hidden)
  listening port: 51823
peer: *************************
  endpoint: *.*.*.*:54401
  allowed ips: 192.168.20.2/32
  latest handshake: 25 minutes, 56 seconds ago
  transfer: 4.59 MiB received, 48.39 MiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# uci show firewall | grep -A5 wg
firewall.@zone[3].name='wg_admin'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='DROP'
firewall.@zone[3].network='wg_admin'
firewall.@zone[3].masq='1'
firewall.@zone[3].masq6='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='wg_admin'
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='wg_admin'
firewall.@rule[16]=rule
firewall.@rule[16].name='Allow-WG-wg_admin'
firewall.@rule[16].src='wan'
firewall.@rule[16].proto='udp'
firewall.@rule[16].dest_port='51823'
firewall.@rule[16].target='ACCEPT'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wg_admin'
firewall.@forwarding[4].dest='wan'

Current client config:

[Interface]
PrivateKey = *****************
Address = 192.168.20.2/32
DNS = 192.168.20.1
[Peer]
PublicKey = *************
Endpoint = ******.***.com:51823
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
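
For option 1 (IPv4-only resolution for this one peer), here is an added example script, not code from the original post and not part of wireguard-tools. The background it relies on: wg(8) resolves a hostname with getaddrinfo() and takes the first result whatever its family, and glibc's default address ordering puts the AAAA first when the host has global IPv6 connectivity, which is why the endpoint in `wg show` came out as `[2001:...]:51823`. The script asks the resolver for A records only and prints `ip:port`; the two wg-quick hook lines in its docstring show how to wire it in (hostname, key and paths are placeholders), with the `Endpoint` line removed from `[Peer]` so wg-quick never resolves the name itself. The sample resolver output at the bottom is constructed for offline testing.

```python
#!/usr/bin/env python3
"""Resolve a WireGuard peer hostname to IPv4 only, for use from wg-quick hooks.

Added example; not code from the original post or from wireguard-tools.
Usage in the client config (hostname, key and paths are placeholders), with
the Endpoint line removed from [Peer]:

    [Interface]
    ...
    PreUp  = /usr/local/bin/wg-endpoint-v4.py ddns.example.com 51823 > /run/wg-%i.endpoint
    PostUp = wg set %i peer <PEER_PUBLIC_KEY> endpoint "$(cat /run/wg-%i.endpoint)"

The lookup is done in PreUp because wg-quick rewrites /etc/resolv.conf to the
tunnel's DNS (192.168.20.1 in the config above) before PostUp runs, and that
resolver is only reachable once the tunnel has a handshake.
"""
import socket
import sys


def first_result(results):
    """Mimic what wg(8) does with a hostname: take the first getaddrinfo()
    result regardless of family. With an AAAA listed first, that is IPv6."""
    for family, _socktype, _proto, _canonname, sockaddr in results:
        if family in (socket.AF_INET, socket.AF_INET6):
            return family, sockaddr[0]
    raise LookupError("no usable address")


def pick_ipv4(results):
    """Return the first IPv4 address in a getaddrinfo() result list."""
    for family, _socktype, _proto, _canonname, sockaddr in results:
        if family == socket.AF_INET:
            return sockaddr[0]
    raise LookupError("hostname has no A record")


def resolve_ipv4(host, port, resolver=socket.getaddrinfo):
    """Return 'a.b.c.d:port' for host, using A records only.

    AF_INET already restricts the resolver to A records; pick_ipv4() is applied
    anyway so that an injected resolver returning mixed results is handled.
    """
    results = resolver(host, port, socket.AF_INET, socket.SOCK_DGRAM)
    return f"{pick_ipv4(results)}:{port}"


# Constructed getaddrinfo() output (documentation addresses), with the AAAA
# listed first: the ordering that makes wg pick IPv6.
SAMPLE_RESULTS = [
    (socket.AF_INET6, socket.SOCK_DGRAM, 17, "", ("2001:db8::de6", 51823, 0, 0)),
    (socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("203.0.113.7", 51823)),
]


def sample_resolver(host, port, family=0, socktype=0, *_):
    """Offline stand-in for socket.getaddrinfo() that honours the family filter."""
    return [r for r in SAMPLE_RESULTS if family in (0, r[0])]


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: wg-endpoint-v4.py HOST PORT")
    print(resolve_ipv4(argv[1], int(argv[2])))


if __name__ == "__main__":
    main(sys.argv)
```

The same PreUp line can be written without Python as `getent ahostsv4 ddns.example.com | awk 'NR==1{print $1":51823"}'`. Two caveats: this only fixes wg-quick, since NetworkManager's importer does not carry PreUp/PostUp hooks into the profile it creates (so the GNOME toggle would still resolve the name itself), and with `PersistentKeepalive` the interface will try to handshake as soon as the endpoint is set, so the PostUp must run before anything depends on the tunnel.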

  • So your Arch machine is at a location with broken IPv6?
  • Or you didn't know your DDNS domain has a AAAA record?
  • Or you think the OpenWrt has broken IPv6?
  • Is this the OpenWrt, and
  • Is the Arch machine connected to it? (It doesn't seem so from your description)

:spiral_notepad: (I'm not understanding how OpenWrt is related to the issue.)


My answers below:

  • So your Arch machine is at a location with broken IPv6?
    • In order to test the VPN connection, I use the tethering on my Android phone, connected via USB. My carrier does support IPv6.
    • The thing is that I have no idea how to set up my WireGuard configuration in OpenWrt so it can support IPv6 addressing. So currently it doesn't matter if the "client" network from which I'll connect does support IPv6, as my WireGuard configuration is probably broken anyway for IPv6 (and the solutions I tested to make it work... didn't, for now). I used for example: https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior
    • My DDNS domain does have an AAAA record, and other services (behind a reverse proxy) are accessible using IPv6 as well, but as mentioned above, the problem doesn't lie here.

Regarding your last comment, this is true depending on which solution I finally implement:

  1. I fix my OpenWrt WireGuard configuration so it works properly in an IPv6 scenario --> OpenWrt related
  2. I only fix the addressing in either wg-quick / NetworkManager, which resolves my DDNS name to IPv6 instead of IPv4 --> not OpenWrt related

Excellent, because it doesn't matter if you haven't configured IPv6 inside the tunnel.

First test:

nslookup <ddns_domain> 8.8.8.8

  • Verify this AAAA IP matches the address on interface WAN6

(If not):
DDNS:

  • Does the agent/updater run on the OpenWrt?
  • If so, provide the IPv6 config you created, redacting password, domain, etc.
  • If not, explain its setup

Result of the nslookup: both values are slightly different; it looks like the following:

  • On my WAN6, I have 2 IPv6 addresses (I modified the values for the example, but same logic):
    • IPv6 : 2001:aaa:aaaa:bbb1::1/64
    • IPv6-PD : 2001:aaa:aaaa:bbb0::/60
  • From the nslookup command, I get:
    • IPv6 : 2001:aaa:aaaa:bbb0::de6 (so it seems to be the IP of my NAS)

Regarding the question on agent / updater:

  • I believe you mean the updater for my DDNS address. In that case, I use Dynu DNS, and the updater runs in Docker on my NAS (https://github.com/Go2Engle/dynuiuc). It updates the address every 3 minutes, but I don't have the details on how those get properly updated. It probably pushes my NAS IPv6, and it does seem to work as intended to access my services from my NAS.
  • It makes me wonder... In IPv4, the public IP address will be the entry point to my "whole" local network, but in IPv6, it probably directly links to my NAS address. So I might just need a dedicated DDNS for the WireGuard network, which would point to the OpenWrt IPv6 address?

You might need my current IPv6 configuration on the OpenWrt router as well, so here it is:

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fdfb:***:***::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.59.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.delegate='0'
network.wan=interface
network.wan.proto='dhcp'
network.wan.hostname='*'
network.wan.vendorid='BYGTELIAD'
network.wan.device='wan.100'
network.wan.delegate='0'
network.wan.peerdns='0'
network.wan.macaddr='*:*:*:*:*:*'
network.wan.keepalive='8 5'
network.wan.metric='1024'
network.wan6=interface
network.wan6.device='wan.100'
network.wan6.reqaddress='try'
network.wan6.macaddr='*:*:*:*:*:*'
network.wan6.proto='dhcpv6'
network.wan6.reqprefix='auto'
network.wan6.ip6assign='64'
network.wan6.ip6class='wan6'
network.wan6.peerdns='0'
network.wan6.sourcefilter='0'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='wan'
network.@device[1].vid='100'
network.@device[1].name='wan.100'
network.@device[1].macaddr='*:*:*:*:*:*'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='192.168.16.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6addr='fdaa::1/64'
network.guest.ip6prefix='fdaa::/64'
network.wg_admin=interface
network.wg_admin.proto='wireguard'
network.wg_admin.private_key='*'
network.wg_admin.listen_port='51823'
network.wg_admin.addresses='192.168.20.1/24'
network.wireguard_wg_admin_flipflop=wireguard_wg_admin
network.wireguard_wg_admin_flipflop.description='flipflop'
network.wireguard_wg_admin_flipflop.public_key='*'
network.wireguard_wg_admin_flipflop.persistent_keepalive='25'
network.wireguard_wg_admin_flipflop.allowed_ips='192.168.20.2/32'
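
The check proposed above (compare the AAAA answer with the WAN6 address) as an added example, not code from the thread or from OpenWrt. It uses the anonymised values quoted in this post and the standard-library `ipaddress` module, and goes slightly beyond the one-line comparison: it also distinguishes "same WAN /64 but another host" from "inside the delegated prefix, i.e. a LAN host behind the router", and flags ULA/link-local answers that could never be reached from outside. For the post's values the verdict is `delegated-lan`: the record points at the NAS, so an IPv6 WireGuard datagram is delivered to the NAS and never reaches the router's UDP 51823 listener, hence no handshake.

```python
#!/usr/bin/env python3
"""Where does the DDNS AAAA record point, relative to the OpenWrt router?

Added example; not code from the thread or from OpenWrt. The three inputs are
the anonymised values from the post above: the WAN6 address and the delegated
prefix (IPv6-PD) as shown on the router, and the AAAA answer from
`nslookup <ddns_domain> 8.8.8.8`.
"""
import ipaddress

# Values quoted in the post above (already altered by the poster).
WAN6_ADDRESS = "2001:aaa:aaaa:bbb1::1/64"
PD_PREFIX = "2001:aaa:aaaa:bbb0::/60"
AAAA_FROM_NSLOOKUP = "2001:aaa:aaaa:bbb0::de6"


def classify_aaaa(aaaa, wan6_address, pd_prefix):
    """Classify an AAAA answer against the router's addressing.

    router         the router's own WAN6 address: WireGuard on UDP 51823 is reachable
    wan-subnet     same /64 as the WAN6 address, but a different host than this router
    delegated-lan  inside the IPv6-PD prefix: a host behind the router, e.g. the NAS
    foreign        unrelated to this router (stale record, other site, ULA, ...)

    The WAN /64 is tested before the delegated prefix because, as the values
    in the post show, the WAN /64 (bbb1::/64) can itself lie inside the PD
    (bbb0::/60).
    """
    target = ipaddress.IPv6Address(aaaa)
    wan6 = ipaddress.IPv6Interface(wan6_address)
    pd = ipaddress.IPv6Network(pd_prefix, strict=False)
    if target == wan6.ip:
        return "router"
    if target in wan6.network:
        return "wan-subnet"
    if target in pd:
        return "delegated-lan"
    return "foreign"


def diagnose(aaaa, wan6_address, pd_prefix):
    """Return the verdict plus what the AAAA should be for a WireGuard endpoint."""
    target = ipaddress.IPv6Address(aaaa)
    verdict = classify_aaaa(aaaa, wan6_address, pd_prefix)
    return {
        "aaaa": str(target),
        "verdict": verdict,
        "global": target.is_global,  # ULA / link-local can never work from outside
        "expected_aaaa": str(ipaddress.IPv6Interface(wan6_address).ip),
        "ok": verdict == "router" and target.is_global,
    }


if __name__ == "__main__":
    result = diagnose(AAAA_FROM_NSLOOKUP, WAN6_ADDRESS, PD_PREFIX)
    for key, value in result.items():
        print(f"{key:14} {value}")
    if not result["ok"]:
        print(f"-> point a DDNS name for WireGuard at {result['expected_aaaa']}, "
              "or use an A-only name for the endpoint")
```

Since the WAN6 address is obtained by DHCPv6 and can change, the updater for a WireGuard-specific name has to see the router's own address rather than the NAS's, which is what the "does the updater run on the OpenWrt" question was getting at; an updater on the NAS will keep publishing the NAS address.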

OK, I tried setting up a new dedicated DDNS (domain name) with the same IPv4 but this time the IPv6 of the OpenWrt router, and it directly worked as intended.

Silly me, this never crossed my mind... Thanks LLEACHII for pointing me in the right direction!
