WireGuard over IPv6

Hi everyone!
I started playing with my router with OpenWrt v23.0 and WireGuard.
Unfortunately I use Deutsche Telekom, so I don't have a static IPv4. For this reason I started with IPv6. I tried to combine the IPv4 setup with IPv6, but it seems that it is not as easy as I thought.
This is what I made:
Interfaces:

config wireguard_wg0
        option description 'ipv6'
        option public_key 'mUMtl7CVCotFk6vXBGb++H+Zdlxxxxxxxx='
        option private_key 'KNW8i4BarLZP19jaQAqAXEE7xxxxxxxxxx='
        option route_allowed_ips '1'
        option endpoint_port '55255'
        option persistent_keepalive '25'
        list allowed_ips 'fd78:977c:d34a::2/64'
        list allowed_ips '::/0'

config interface 'wg6'
        option proto 'wireguard'
        option private_key 'WC6HCsaWUQ5R2cQiFwAIzkg3l/yxxxxxxxxxxx='
        option listen_port '51820'
        list addresses 'fd00:1234:5678::1/64'
        option defaultroute '0'
        option ip6assign '64'

Firewall:

config redirect
        option dest 'wg'
        option target 'DNAT'
        option name 'wg0'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option family 'ipv6'

config rule
        option name 'wgv6test'
        option family 'ipv6'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '51820'
        option src_port '51820'
        option dest 'wg'

config rule
        option name 'Allow-SSH-v6'
        option src 'wan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'WG_Port '
        option family 'ipv6'
        list proto 'udp'
        option src 'wan'
        option src_port '55255'
        option dest 'lan'
        option dest_port '55255'
        option target 'ACCEPT'

config forwarding
        option src 'wg'
        option dest 'wan'

I already started thinking that I have a problem with IPv6, but SSH works.

Also, I made a DDNS name for the router on IPv6 with duckdns.
Over this name I can reach the router with SSH, but WireGuard, no.
My phone sends packets, but the log said: No handshake after 5 seconds

  • If your OpenWrt is the "client" - use /128
  • Just FYI, this isn't a Public IPv6 address
  • It seems you have a lot of forwarding rules for port 51820, but they seem unnecessary - the "client" doesn't need a listen port nor firewall rules

Lastly, you will need to verify that port 55255 is open on the remote WG device.

Thanks for the answer

  1. I want to use the OpenWrt router as server
  2. I think that this IP is used as the internal IP address for clients
  3. Which one should I delete?
  4. Normally I would use port 51820, but how can I check it? (55255 is the port which I used at first; I forgot to delete it.)

To be clear, you have already successfully configured the remote WG peer, correct?

Then the OpenWrt should be /64 and the endpoint would use /128. You would configure your desired port and create an Input Firewall Rule instead.

You remove the port from the "client" device, it's not needed.

So:

That Peer:

I already tried with AWS Debian on IPv6 and it worked. Then I tried with OpenWrt, but did not have such a successful result.

This is a kind of orthogonal suggestion, but while I was still at DTAG with their dynamic IPv6 prefixes, I resorted to using a (static /48) Hurricane Electric 6in4 tunnel for wireguard. Worked quite well for me back then.

1 Like

Unfortunately I have not so much experience and I don't completely understand what you mean)

https://ipv6.he.net/

As I understand, this company provides static IPv6 and routing from IPv4 to IPv6? That can help in the future, but I already set up DDNS for the router, so thank you for the advice.

Remove this

Remove src_port and dest 'wg'

You are configuring a peer for interface wg0 but the interface is wg6 ??

For the interface you can use a list address of: fd00:1234:5678::1/64
with a peer with allowed IP of fd00:1234:5678::2/128

For the peer you then use a peer list address in the peers configuration of fd00:1234:5678::2/64

1 Like
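
As an added example (written for this thread, not code from the OpenWrt project or any poster), a small Python linter that checks a UCI network and firewall snippet for the mistakes raised in the reply above: a wireguard_<name> peer section whose interface does not exist, a single-peer allowed_ips that is not /128, no WAN input rule for the server's listen_port, and rules matching src_port. The two sample configs are constructed to mirror the first attempt in this thread, with keys omitted.

```python
import ipaddress, shlex

def parse_uci(text):  # UCI text -> list of dicts with keys type, name, opts, lists
    secs = []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            secs.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}, "lists": {}})
        elif tok[0] == "option":
            secs[-1]["opts"][tok[1]] = tok[2]
        elif tok[0] == "list":
            secs[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return secs

def lint_wireguard(network_text, firewall_text):
    """Return findings for an OpenWrt router acting as the WireGuard server."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {s["name"]: s for s in net if s["type"] == "interface" and s["opts"].get("proto") == "wireguard"}
    for s in (s for s in net if s["type"].startswith("wireguard_")):
        if s["type"][10:] not in ifaces:  # peer sections are named wireguard_<interface>
            out.append(f"peer section {s['type']} names an interface that does not exist")
        for cidr in s["lists"].get("allowed_ips", []):
            try:
                ipaddress.ip_network(cidr)  # strict mode rejects host bits outside the prefix
            except ValueError:
                out.append(f"allowed_ips {cidr} has host bits set; one peer address needs /128 (or /32)")
    for name, s in ifaces.items():  # OpenWrt: a rule with src but no dest is an INPUT rule
        port = s["opts"].get("listen_port")
        if port and not any(r["type"] == "rule" and r["opts"].get("src") == "wan" and "dest" not in r["opts"]
                            and r["opts"].get("dest_port") == port and r["opts"].get("target") == "ACCEPT"
                            and "udp" in r["lists"].get("proto", [r["opts"].get("proto")]) for r in fw):
            out.append(f"no wan INPUT rule (src wan, no dest) accepting udp dport {port} for {name}")
    for r in fw:
        if r["type"] in ("rule", "redirect") and "src_port" in r["opts"]:
            out.append(f"{r['type']} {r['opts'].get('name', '').strip()} matches src_port, which peers choose at random; drop it")
    return out

# Constructed sample mirroring the thread's first attempt (keys omitted; not a real config).
NETWORK = """config interface 'wg6'
        option proto 'wireguard'
        option listen_port '51820'
config wireguard_wg0
        list allowed_ips 'fd78:977c:d34a::2/64'"""
FIREWALL = """config rule
        option name 'wgv6test'
        option src 'wan'
        option dest 'wg'
        option src_port '51820'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'"""
```

Calling lint_wireguard(NETWORK, FIREWALL) reports all four problems; with the peer section renamed to wireguard_wg6, the address changed to /128, and a plain src 'wan' input rule without src_port it returns an empty list.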
config interface 'wg6'
        option proto 'wireguard'
        option private_key 'WC6HCsaWUQ5R2cQiFwAIzkg3l/yjMxxxxxxxx='
        option listen_port '51820'
        option defaultroute '0'
        list addresses '2a00:6020:a580:a10::1/64'

config wireguard_wg6
        option description 'Imported peer configuration'
        option public_key 'zShqygPIodvDok6eUFHC55z3e3XR9lW/xxxxxxx='
        list allowed_ips '192.168.100.0/24'
        list allowed_ips 'fd00:1234:5678::2/128'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

My mistake. wg0 was my first try. I forgot to delete it.

wg6 is the server with port 51820. I changed the firewall as you showed.

Now it works. Thanks a lot.

You know, is it possible in this setup to reach a device which is in the local network but doesn't have an IPv6 address? Some of my IoT devices can't work with IPv6, only IPv4.

1 Like

Yes, you can allow IPv4 addresses and route them thru the tunnel as well.

You should now have an established Layer 3 tunnel, you can add IPs to the config as desired.

1 Like

Can you say how?)

1 Like

Sure:

  1. Add the IPs/subnets to Allowed IPs.
  2. Enable routing or create a static route config for the CIDR range

You [should] now have 2 routers/devices with a Layer 3 tunnel, just add/route additional subnets as desired thru the interface.

  1. You mean here?
  2. I don't completely understand where it is. Can you make some examples?

1 Like
  1. Yes.
  2. E.g. if you want to route 192.0.0.0/24 - just add it to the list of Allowed IPs

There should also be an allow routed IPs checkbox.

  1. Save and apply

That's it (assuming you actually have an existing subnet already to route).

Hm, now when I start WireGuard on my phone I see packets, but the network doesn't work smoothly. YouTube makes updates, but no video, Google Chrome didn't open sites and I can't reach local devices.

Try lowering the MTU on the WG interface, both on client and server.
Default is 1420; lower to 1280 or even lower.
Recently I saw someone who claims he had to lower it to 400.

So, I set the MTU to 400; YouTube started working faster, but I still have a problem with the browser. I cannot open any site on the phone.

Handshake time: 2 minutes. Is it enough?