WireGuard over IPv6

Hromodeus · May 16, 2024, 7:59am

Hi everyone!
I start playing with my router with Openwrt v23.0 and WireGuard.
Unfortunately I use Deutsche Telekom, so O don't have static IPv4. For this reason I start with IPv6. I try to combine IPv4 setup with IPv6, but it seems, that it not so easy, as I think.
That, what I made:
interfaces:

config wireguard_wg0
        option description 'ipv6'
        option public_key 'mUMtl7CVCotFk6vXBGb++H+Zdlxxxxxxxx='
        option private_key 'KNW8i4BarLZP19jaQAqAXEE7xxxxxxxxxx='
        option route_allowed_ips '1'
        option endpoint_port '55255'
        option persistent_keepalive '25'
        list allowed_ips 'fd78:977c:d34a::2/64'
        list allowed_ips '::/0'

config interface 'wg6'
        option proto 'wireguard'
        option private_key 'WC6HCsaWUQ5R2cQiFwAIzkg3l/yxxxxxxxxxxx='
        option listen_port '51820'
        list addresses 'fd00:1234:5678::1/64'
        option defaultroute '0'
        option ip6assign '64'

Firewall:

config redirect
        option dest 'wg'
        option target 'DNAT'
        option name 'wg0'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option family 'ipv6'

config rule
        option name 'wgv6test'
        option family 'ipv6'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '51820'
        option src_port '51820'
        option dest 'wg'

config rule
        option name 'Allow-SSH-v6'
        option src 'wan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'WG_Port '
        option family 'ipv6'
        list proto 'udp'
        option src 'wan'
        option src_port '55255'
        option dest 'lan'
        option dest_port '55255'
        option target 'ACCEPT'

config forwarding
        option src 'wg'
        option dest 'wan'

I already start thinking, that I have problem with IPv6, but SSH work.

Also, I make a DDNS name for router on IPv6 with duckdns.
Over this name, I can reache router with SSH, but WireGuard - no.
My Telefon send packet, but log said: No handshake after 5 seconds

lleachii · May 16, 2024, 8:51am

If your OpenWrt is the "client" - use /128
Just FYI, this isn't a Public IPv6 address
It seems you have a lot of forwarding rules for port 51820, but they seem unnecessary - the "client" doesn't need a listen port nor firewall rules

Lastly, you will need to verify that port 55255 is open on the remote WG device.

Hromodeus · May 16, 2024, 8:57am

Thanks for answer

I what to use Openwrt router as Server
I think, that this ip use as internal ip address for clients
Wich one I should delete?
In normal I would use port 51820, but how I can check it (55255 that port, witch I use at First, I forgot to delete it)

lleachii · May 16, 2024, 9:00am

To be clear, you have already successfully configured the remote WG peer, correct?

Then the OpenWrt should be /64 and the endpoint would use /128. You would configure your desired port and create an Input Firewall Rule instead.

You remove the port from the "client" device, it's not needed.

Hromodeus · May 16, 2024, 9:08am

So:

That Peer:

I already try with aws debian on ipv6 and it worked. Then I try with openwrt, but have not so successful result

slh · May 16, 2024, 9:12am

This is a kind of orthogonal suggestion, but while I was still at DTAG with their dynamic IPv6 prefixes, I resorted to using a (static /48) Hurricane Electric 6in4 tunnel for wireguard. Worked quite well for me back then.

Hromodeus · May 16, 2024, 9:16am

unfortunately I have not so much experience and I don't completely understand what You meen)

slh · May 16, 2024, 9:16am

https://ipv6.he.net/

Hromodeus · May 16, 2024, 9:28am

As I understand, this firma provides static ipv6 and routinng from ipv4 to ipv6? thats can help in future, but I already setup DDNS for router, so thank you for advice

egc · May 16, 2024, 9:31am

Remove this

Hromodeus:

config redirect
        option dest 'wg'
        option target 'DNAT'
        option name 'wg0'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option family 'ipv6'

Remove src_port and dest 'wg'

Hromodeus:

config rule
        option name 'wgv6test'
        option family 'ipv6'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '51820'
        option src_port '51820'    <<<< remove
        option dest 'wg'     <<<< remove

Hromodeus:

config wireguard_wg0
        option description 'ipv6'
        option public_key 'mUMtl7CVCotFk6vXBGb++H+Zdlxxxxxxxx='
        option private_key 'KNW8i4BarLZP19jaQAqAXEE7xxxxxxxxxx='
        option route_allowed_ips '1'
        option endpoint_port '55255'
        option persistent_keepalive '25'
        list allowed_ips 'fd00:1234:5678::2/128'
        list allowed_ips '::/0'     <<<<< remove 

config interface 'wg6'      <<< change to wg0
        option proto 'wireguard'
        option private_key 'WC6HCsaWUQ5R2cQiFwAIzkg3l/yxxxxxxxxxxx='
        option listen_port '51820'
        list addresses 'fd00:1234:5678::1/64'
        option defaultroute '0'   
        option ip6assign '64'    <<< remove

You are configuring a peer for interface wg0 but the interface is wg6 ??

For the interface you can use a list address of: fd00:1234:5678::1/64
with a peer with allowed IP of fd00:1234:5678::2/128

For the peer you then use a peer list address in the peers configuration of fd00:1234:5678::2/64

Hromodeus · May 16, 2024, 9:44am

config interface 'wg6'
        option proto 'wireguard'
        option private_key 'WC6HCsaWUQ5R2cQiFwAIzkg3l/yjMxxxxxxxx='
        option listen_port '51820'
        option defaultroute '0'
        list addresses '2a00:6020:a580:a10::1/64'

config wireguard_wg6
        option description 'Imported peer configuration'
        option public_key 'zShqygPIodvDok6eUFHC55z3e3XR9lW/xxxxxxx='
        list allowed_ips '192.168.100.0/24'
        list allowed_ips 'fd00:1234:5678::2/128'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

My fail. wg0 that was my 1 try. I forgot to delete it.

wg6 is server with port 51820. Firewall I change as you show

Hromodeus · May 16, 2024, 10:01am

Now work. Thanks a lot.

You now, is it possible in this setup, reache device, wich in local network, but don't have ipv6 adress? some of my IoT device can't work with ipv6, only ipv4

lleachii · May 16, 2024, 10:13am

Yes, you can allow IPv4 addresses and route them thru the tunnel as well.

You should now have an established Layer 3 tunnel, you can add IPs to the config as desired.

Hromodeus · May 16, 2024, 10:13am

Can You say, how?)

lleachii · May 16, 2024, 10:15am

Sure:

Add the IPs/subnets to Allowed IPs.
Enable routing or create a static route config for the CIDR range

You [should] now have 2 routers/devices with a Layer 3 tunnel, just add/route additional subnets as desired thru the interface.

Hromodeus · May 16, 2024, 10:19am

You meen here?

image921×585 27.7 KB
Not completely understand were it is. Can you make some examples?

lleachii · May 16, 2024, 10:23am

Yes.
E.g. if you want to route 192.0.0.0/24 - just add it to the list of Allowed IPs

There should also be an allow routed IPs checkbox.

Save and apply

That's it (assuming you actually have an existing subnet already to route).

Hromodeus · May 16, 2024, 10:30am

Hm, now, when I start Wireguard on my phone I see packets, but network works not smooth. Youtube make update, but no video, google chrome didn't open site and I can't reach local devices

egc · May 16, 2024, 10:44am

Try with lowering MTU on the WG interface both on client and server.
Default is 1420 lower to 1280 or even lower.
Recently I saw someone who claims he had to lower to 400

Hromodeus · May 16, 2024, 12:53pm

so, I plase MTU to 400, Youtube start work faster, but I steel have problem with browser. I can not open any site on phone

Handshake time: 2 minutes. Is it enough?