kefwrt
February 10, 2022, 6:49am
1
Hello everyone,
Coming for help about a WireGuard server that was working like a charm on the 19.x firmware, and since the update to 20.x, I just can't make it work anymore.
One strange thing is that when I try to connect to WireGuard on the router, I can see the connection, but it gives the peer an IPv6 address I don't use in any way. It changes the domain endpoint from sub.domain.com, not to my WAN IP.
I've tried to uncheck and delete every possible IPv6 thing, without success; the connection is still giving a v6 format.
Thank you in advance, best.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
and also please post your other peer's config.
kefwrt
February 10, 2022, 6:57am
3
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'
	option vendorid ''
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option name 'wan'
	option macaddr ''
	option ipv6 '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ODH4vPvG(...)YhALb0E='
	list addresses '10.200.200.1/24'
	option delegate '0'
	option listen_port '51234'

config wireguard_wg0
	option description 'kWG'
	option public_key 'inrvYaz1UMpsNY(...)dUlh7D9vdvISxzDmk='
	list allowed_ips '10.200.200.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host '192.168.1.1'

config device
	option name 'wg0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'wlan1'
	option ipv6 '0'
And the other peer config?
Remove this line. It is sort of self-referencing, since the LAN is using that address. It does not belong here.
kefwrt
February 10, 2022, 7:09am
6
Here is the peer side of the configuration on iOS, disconnected.
Remove the ::/0 from your iOS peer config. That is the IPv6 way of specifying that all traffic should go through the tunnel.
kefwrt
February 10, 2022, 7:11am
9
Done it, still the same, and now not even a small packet is going through. I really don't understand why it is always giving this IP; everything is in v4 on my router.
Even when I put in the v4 IP of my provider, it still gives a v6.
Are you using a dynamic DNS service for your endpoint host address on the iOS system?
kefwrt
February 10, 2022, 7:14am
11
Yes, a subdomain, wg.domain.com.
Your domain almost certainly is the issue; it probably has an IPv6 address associated with it. You may need to manually clear that from the entry, but you first need to check the configuration of your DDNS client that is performing the address check and updating the DDNS service with your current address.
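The two configuration mistakes discussed in this thread, a peer endpoint_host that points back at the router's own LAN address and an IPv6 catch-all (::/0) in allowed_ips on a box that has IPv6 switched off, are easy to spot mechanically. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI syntax with a minimal reader, lints every wireguard_* peer section, and offers a helper that resolves the endpoint name to show whether it carries AAAA records (which is the symptom described above, the client preferring the v6 address). The sample config is a constructed, redacted copy of the one posted earlier, with a ::/0 entry added to exercise the second check; the function names are this example's own.

```python
"""Lint an OpenWrt UCI network config for two WireGuard pitfalls:
  1. endpoint_host on a peer that is one of the router's own addresses
  2. an IPv6 allowed_ips entry on an interface whose device has ipv6 '0'
Also resolves an endpoint hostname to show which address families it has.
Added example, not part of the original thread or of OpenWrt itself."""
import ipaddress
import shlex
import socket

# Constructed sample modelled on the config posted in this thread (keys redacted,
# ::/0 added to the peer so that the IPv6 check has something to find).
SAMPLE_NETWORK = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED='
	list addresses '10.200.200.1/24'
	option listen_port '51234'

config wireguard_wg0
	option description 'kWG'
	option public_key 'REDACTED='
	list allowed_ips '10.200.200.2/32'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_host '192.168.1.1'

config device
	option name 'wg0'
	option ipv6 '0'
"""


def parse_uci(text):
    """Minimal UCI reader: returns a list of sections, each a dict with
    'type', 'name' (None for anonymous sections) and 'options'.
    'list' entries are collected into Python lists; 'option' is a scalar."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles the single-quoted UCI values
        if parts[0] == 'config':
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif parts[0] == 'option' and sections:
            sections[-1]['options'][parts[1]] = parts[2]
        elif parts[0] == 'list' and sections:
            sections[-1]['options'].setdefault(parts[1], []).append(parts[2])
    return sections


def lint_wireguard(sections):
    """Return a list of human-readable findings for every wireguard_<iface> peer."""
    findings = []
    # Addresses the router itself owns: static ipaddr plus WireGuard addresses.
    own = set()
    for s in sections:
        if s['type'] == 'interface':
            if 'ipaddr' in s['options']:
                own.add(s['options']['ipaddr'])
            for addr in s['options'].get('addresses', []):
                own.add(addr.split('/')[0])
    # Devices explicitly configured with IPv6 disabled.
    ipv6_off = {s['options'].get('name') for s in sections
                if s['type'] == 'device' and s['options'].get('ipv6') == '0'}
    for s in sections:
        if not s['type'].startswith('wireguard_'):
            continue
        iface = s['type'][len('wireguard_'):]
        peer = s['options'].get('description') or s['options'].get('public_key', '?')
        host = s['options'].get('endpoint_host')
        if host in own:
            findings.append(f"{iface}/{peer}: endpoint_host {host} is the router's "
                            "own address (self-referencing; drop it on the server side)")
        for net in s['options'].get('allowed_ips', []):
            if ipaddress.ip_network(net, strict=False).version == 6 and iface in ipv6_off:
                findings.append(f"{iface}/{peer}: allowed_ips {net} is IPv6 but "
                                f"device {iface} has ipv6 '0'")
    return findings


def endpoint_address_families(host):
    """Resolve an endpoint name and group its addresses by record type.
    A name with AAAA records lets a client pick IPv6 even when the server only
    listens on IPv4. Returns {} when the name does not resolve (or offline)."""
    out = {}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(host, None):
            key = 'AAAA' if family == socket.AF_INET6 else 'A'
            if sockaddr[0] not in out.setdefault(key, []):
                out[key].append(sockaddr[0])
    except socket.gaierror:
        pass
    return out


if __name__ == '__main__':
    for finding in lint_wireguard(parse_uci(SAMPLE_NETWORK)):
        print('WARN', finding)
    # Example of the DNS check (needs network): replace with your DDNS name.
    print(endpoint_address_families('wg.example.invalid'))
```

Run it against a real router with `ssh root@router cat /etc/config/network | python3 lint.py` after changing the entry point to read stdin; a clean config yields no findings, and an endpoint name whose result contains an 'AAAA' key is the situation the thread describes.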
kefwrt
February 10, 2022, 7:19am
13
That's weird, because my DDNS doesn't manage IPv6 and neither does my DNS domain; the DDNS is updated now with the right IP of my provider, an IPv4. And even when I put my v4 IP directly into the endpoint, it still gives me an IPv6, so it's not the DDNS.
It might be your cellular provider, then.
Try this: use wifi on the same network as the OpenWrt router and set the endpoint address as 192.168.1.1 -- this will point directly to your router from within your LAN. There should be no IPv6 at all. See what happens.
kefwrt
February 10, 2022, 7:27am
15
Yes, when I stay connected to the WiFi and change to the router IP, nothing changes when I activate the peer, and when I put back the subdomain, it finds the right IP fine. But 6 hours ago, the WireGuard connection was working really fine on the 19.x firmware, even with my cellular provider, for 2 years non-stop.
Did you keep settings from 19.07 > 21.02?
Let's also look at your firewall file and your ddns config.
kefwrt
February 10, 2022, 7:32am
19
Something really basic:
config service 'WireGuard'
	option use_ipv6 '0'
	option lookup_host 'wg.xxxx.xx'
	option enabled '1'
	option update_url 'https://infomaniak.com/nic/update?hostname=[DOMAIN]&myip=[IP]&username=[USERNAME]&password=[PASSWORD]'
	option domain 'wg.xxxx.xx'
	option username 'kround'
	option password 'xxxxxxx'
	option use_https '1'
	option cacert 'IGNORE'
	option ip_source 'network'
	option ip_network 'wan'
	option interface 'wan'
	option use_syslog '2'
	option check_unit 'minutes'
	option force_unit 'minutes'
	option retry_unit 'seconds'
kefwrt
February 10, 2022, 7:34am
21
Actually, here is the whole firewall config:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_ip '192.168.1.1'
	option src_dport '51234'
	option dest_port '51234'
	option dest 'lan'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg0'

config rule
	option name 'wireguard'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option dest_port '51234'
	option target 'ACCEPT'