Wireguard no connection via IPv6

Hello,
I'm unable to establish a wireguard connection and can't figure out where the problem is.
My final scenario is a pure IPv6 point-to-point connection between the NanoPis, with IPv4 in both local networks.
When I hopefully get my fiber-line next month I don't need the Fritzboxes any more. But the connection requires IPv6 ...

IPv4 <-> NanoPi R2S <-> Fritzbox <-> Internet <-> Fritzbox <-> NanoPi R2S <-> IPv4

To make things easier to test, I replaced one side with an IONOS server.

IONOS Server -> Internet -> Fritzbox -> NanoPi R2S

The IONOS server is used as wg client. IPv6 is working.
I can ping the NanoPi via myipv6.dynv6.net. The DNS name is resolved to the correct IPv6 address.

The NanoPi is configured as IPv6 exposed host in the FritzBox.

But no wireguard connection.
How to find out what is going on?

IONOS wg1.conf

[Interface]
Address = 172.16.200.3/32
ListenPort = 22022
PrivateKey = <Private-Key-Client>

[Peer]
PublicKey = <Public-Key-Server>
AllowedIPs = 172.16.200.0/24
Endpoint = myipv6.dynv6.net:22222

IONOS "wg show"

interface: wg1
  public key: <Public-Key-Client>
  private key: (hidden)
  listening port: 22022

peer: <Public-Key-Server>
  endpoint: myipv6.dynv6.net:22222
  allowed ips: 172.16.200.0/24

IONOS "netstat"

root@youthful-feistel:/home/fow0ryl# netstat -tulnp |grep :22
udp        0      0 0.0.0.0:22022           0.0.0.0:*                           -                   
udp6       0      0 :::22022                :::*

NanoPi "network definitions"

root@R2S:/etc/config# uci show network |grep wg
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.public_key='<Public-Key-Server>'
network.wg0.private_key='<Private-Key-Server>'
network.wg0.listen_port='22222'
network.wg0.addresses='172.16.200.1/24' 'fdf1:e8a1:8d3f:9::1/64'
network.@wireguard_wg0[1]=wireguard_wg0
network.@wireguard_wg0[1].description='IONOS VPS'
network.@wireguard_wg0[1].route_allowed_ips='1'
network.@wireguard_wg0[1].private_key='<Private-Key-Client>'
network.@wireguard_wg0[1].public_key='<Public-Key-Client>'
network.@wireguard_wg0[1].allowed_ips='172.16.200.3/30' 'fdf1:e8a1:8d3f:9::3/128'

NanoPi "netstat"

root@R2S:/etc/config# netstat -tulnp |grep 222
udp        0      0 0.0.0.0:22222           0.0.0.0:*   -
udp        0      0 :::22222                :::*                -

NanoPi "firewall"

root@R2S:/etc/config# uci show firewall |grep \\[6\\]
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-Wireguard-Input'
firewall.@rule[6].proto='udp'
firewall.@rule[6].src='wan'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].dest_port='22222'

This is wrong, use 172.16.200.3/32. Also the ULA IPv6 is not defined in the IONOS config.
Make sure IONOS allows 22022 on its firewall.
You'll probably want to add a few more allowed IPs on IONOS, because as it is you'll be only able to access the NanoPi.

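The two configuration problems named in the reply above can be checked mechanically with Python's `ipaddress` module. This is an added example, not part of the original thread; the addresses are copied from the configs posted above, and the function and constant names are hypothetical.

```python
import ipaddress

# Values copied from the configs in this thread.
SERVER_ADDRESSES = ["172.16.200.1/24", "fdf1:e8a1:8d3f:9::1/64"]    # NanoPi wg0
PEER_ALLOWED_IPS = ["172.16.200.3/30", "fdf1:e8a1:8d3f:9::3/128"]   # NanoPi peer entry
CLIENT_ADDRESSES = ["172.16.200.3/32"]                              # IONOS wg1.conf


def audit_allowed_ips(own_addresses, peer_allowed_ips):
    """Flag allowed_ips entries that are wider than intended.

    own_addresses: tunnel addresses of the local WireGuard interface.
    peer_allowed_ips: allowed_ips entries configured for one peer.
    """
    own = [ipaddress.ip_interface(a).ip for a in own_addresses]
    findings = []
    for entry in peer_allowed_ips:
        iface = ipaddress.ip_interface(entry)
        net = iface.network  # the prefix with host bits cleared
        if iface.ip != net.network_address:
            findings.append(f"{entry}: host bits set, covers {net}")
        for addr in own:
            if addr.version == net.version and addr in net:
                findings.append(f"{entry}: range {net} includes local address {addr}")
    return findings


def unassigned_on_peer(peer_addresses, allowed_ips):
    """Return allowed_ips entries that no address on the peer's interface falls into."""
    peer = [ipaddress.ip_interface(a).ip for a in peer_addresses]
    missing = []
    for entry in allowed_ips:
        net = ipaddress.ip_interface(entry).network
        if not any(a.version == net.version and a in net for a in peer):
            missing.append(entry)
    return missing


if __name__ == "__main__":
    for line in audit_allowed_ips(SERVER_ADDRESSES, PEER_ALLOWED_IPS):
        print("server side:", line)
    for entry in unassigned_on_peer(CLIENT_ADDRESSES, PEER_ALLOWED_IPS):
        print("client has no address in:", entry)
```

With the posted values, the /30 entry is reported as spanning 172.16.200.0/30, which includes the NanoPi's own tunnel address 172.16.200.1, and the ULA /128 is reported as having no matching address on the IONOS side.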

It can be so easy ...
Of course I added my local network to "allowed ip's" too.
Everything seems to work perfectly, so far.

iperf3 gives me about 40Mbit/s. That's nearly the native DSL line speed. Amazing.

My next step will be to test the remote site (Our son lives about 10km away from us). But I did not expect a big problem.

@trendy
kudos and more kudos to you


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
