Wireguard Session Manager - Discussion (2nd) thread


Glad you figured it out!

It just occurred to me that if you plan on keeping Unbound outgoing-interface to a br0 alias 192.168.3.1 and a rule for this ip to go out a wireguard client, you need to add to wg custom config:
Code:
iptables -t nat -I POSTROUTING -s 192.168.3.1/32 -o wg11 -j MASQUERADE
Otherwise these packets will likely be dropped at the receiving end. You will find this in the YazFi part of my guide (as that's the only place I encounter other subnets).

I think the method of br0 alias for this purpose proposed by @eibgrad is really clever and neat and takes care of not needing the ToLocalUseMain rule. However, not really sure if bottom end brings less complexity or more compared to using the actual br0 address, could be dependent on how well you are in control over the routing rules/tables perhaps.
For now I had removed all of this (I was trying to work out what wasn't working) and have not yet put it back. I intend to do so but have some more questions first

So far I have a server (wg21) running and can connect with my phone - I set it up using the QR method. However it is only connecting over IPv4 and looking at the conf file I see
Code:
[Interface]
Address = 10.50.1.2/32
DNS = 1.1.1.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nnnnnnnnnn.asuscomm.com:[port]
PersistentKeepalive = 25
PreSharedKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
PublicKey = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=

So although the server is set up for IPv6 (and it is enabled on the router) the exported code for the phone seems to be only configured for IPv4. I could see your examples for adding this to a local client and where there is no IPv6 running, but did not follow what steps are needed for adding this to phone conf.

Do I need to add a specific IPv6 address (or range) to the basic WireGuard setup and if so does it matter what / can it be any arbitrary link-local IPv6 address?
How do I add the IPv6 connectivity to the phone.conf ?

and once this is solved and I have a Wireguard VPN client running successfully and want to re-employ @eibgrad's method, do I also need to add a link-local IPv6 address at each stage of the process (equivalent to 192.168.3.1)
 
I have a server (wg21) running and can connect with my phone - I set it up using the QR method. However it is only connecting over IPv4
How do I add the IPv6 connectivity to the phone.conf ?
Not sure what model phone you are using, but for the Android client, as of Oct 2021, is this 'by-design' choice still relevant?
i.e. it wouldn't matter even if dual-stack Endpoint was configured, IPv4 is always preferred?

(P.S. Not able to test IPv6 although wireguard_manager may (if instructed) try to create an IPv6 tunnel?)

e.g. create IPv6 'server' Peer....
Code:
e  = Exit Script [?]

E:Option ==> peer new ipv6=

    *** Ensure Upstream router Port Foward entry for port:11503 ***

    Press y to Create (IPv6) 'server' Peer (wg23) fc00:50:3::1/64:11503 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg23 on RT-AX58U (v386.5_beta1)
    Press y to Start (IPv6) 'server' Peer (wg23) or press [Enter] to SKIP.
y
...and add/bind a Road-Warrior device (IPv6 only) to the IPv6 'server' Peer
Code:
e  = Exit Script [?]

E:Option ==> create myphone wg23

    Creating Wireguard Private/Public key pair for device 'myphone'
    device 'myphone' Peer Public     key=8p50DrhePTl2dOT8BufqN1po9d3QOIhM4+/ziNyHCzQ=
    device 'myphone' Peer Pre-shared key=brKpPCI2XnNNOn3C1VWtD6Nb29VEMBooOrITr/SU3oI=
    Using Public key for 'server' Peer 'wg23
    Warning: No DDNS is configured!
    Press y to use the current WAN IP or enter DDNS name or press [Enter] to SKIP.
y

    WireGuard config for device Peer 'myphone' (fc00:50:3::2/128) created (Allowed IP's 0.0.0.0/0, ::/0 # ALL Traffic)

    Press y to ADD device Peer 'myphone' to 'server' Peer (wg23) or press [Enter] to SKIP.
'myphone.conf'

Code:
# myphone
[Interface]
PrivateKey = yNzC2abN4WsPmbvCxV7h2XSUdqsL8jqZ+5gnz/QqyEE=
Address = fc00:50:3::2/128
DNS = 10.88.8.1,

# RT-AX58U IPv6 'server' (wg23)
[Peer]
PublicKey = zulTfZcV04qpF/pwm0xSIpx7UcDL/pptCtf87kTgJiI=
AllowedIPs = 0.0.0.0/0, ::/0     # ALL Traffic
# DDNS xxx.xxx.xxx.xxx
Endpoint = xxx.xxx.xxx.xxx:11503
PresharedKey = brKpPC1/XnNNOn3CIVWtd6Nb29VEMBooOr1TrQSU3oI=
PersistentKeepalive = 25
# myphone End
 
I could see your examples for adding this to a local client and where there is no IPV6 running, but did not follow what steps are needed for adding this to phone conf.
That is because I'm on ipv4 only and behind a cgnat so I cannot set up a server. And before I read @Martineau's answer I would have said nobody tried it yet. Happy to be wrong. But I guess you were looking for a dual-stack server peer with dual-stack client peer config. Don't know how much is implemented in wgm along this line.

Do I need to add a specific IPv6 address (or range) to the basic WireGuard setup and if so does it matter what / can it be any arbitrary link-local IPv6 address?
Nope, Wireguard is peer2peer so there wouldn't be any link-local. It only works for pre-assigned static addresses. It would have to be assigned when the server/device is created. So if you have static ipv6 then it could (possibly) be used, especially if you have more than /64 assigned.

If you have dynamic ipv6 then you would need to generate a private ula and use ipv6 nat which breaks rfc compliance but still very useful.

How do I add the IPv6 connectivity to the phone.conf ?
I think you need to specify if you are talking about the vpn tunnel itself or connectivity through the tunnel. The vpn tunnel itself will be determined by whether endpoint is looked up as ipv4, ipv6 or both and if both it will be client default choice (usually ipv4).
If you mean connectivity through the tunnel, I think for the time being if you want a dual-stack server peer you will have to add it yourself (or @Martineau ?) And maybe even ipv6 firewall rules and ip -6 routes.

and once this is solved and I have a Wireguard VPN client running successfully and want to re-employ @eibgrad's method, do I also need to add a link-local IPv6 address at each stage of the process (equivalent to 192.168.3.1)
Link-local doesn't work like that. You actually don't need ipv6 dns, especially if you are using Unbound. But if you want, after all you need to go through to get this working, this would be the easy part. All interfaces could have several ips so you could just add a fixed ula address to the br0 interface and use this for IPv6 dns.

If you want to give it a go and configure this manually, I could try to assist you and hopefully we can contribute something to the community.

If you have a static ipv6 wan we could look into giving wg server a portion of your existing pool to make a proper un-nat:ed ipv6 connection over the server rfc-compliant...
 
The phone is a Samsung Galaxy 20 5G and I am using the standard WireGuard App for Android. I have followed the above, but cannot connect. What I do not know is whether the issue is due to the RTNETLINK message received during setup, or because asuscomm DDNS is IPv4 only, so an IPv6 connection will always fail to find the router.

Code:
E:Option ==> peer new ipv6=

        Press y to Create (IPv6) 'server' Peer (wg22) fc00:50:2::1/64:11502 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg22 on RT-AX88U (v386.4_0)
        Press y to Start (IPv6) 'server' Peer (wg22) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer start (wg22)

        wireguard-server2: Initialising Wireguard VPN (IPv6) [WAN IPv6] 'Server' Peer (wg22) on WAN IPv4:11502 (# RT-AX88U (IPv6) Server 2)

RTNETLINK answers: File exists
iptables v1.4.15: invalid mask `64' specified
Try `iptables -h' or 'iptables --help' for more information.
        wireguard-server2: Initialisation complete.
The same RTNETLINK message appears after adding the device and 'Restarting Wireguard 'server' Peer (wg22)'

In case it is relevant, looking at the routing table in the GUI I see the following entries for wg21 and wg22
Code:
Destination Gateway Genmaksk       Flags Metric Ref Use Iface
10.50.1.0       *    255.255.255.0    U      0         0    0    wg21
10.50.1.2       *    255.255.255.255  UH     0         0    0    wg21

IPv6
Destination   Flags Metric Ref Use Dev Iface
default        U    1024    0    0        wg21
default        U    1024    0    0        wg22
fc00:50:2::2   U    1024    0    0        wg22
fc00:50:2::/64 U    256     0    0        wg22
ff00::/8       U    256     0    0        wg22
What I had hoped, though this may not be possible, is that the phone.conf would support IPv4 and IPv6 and as such would be able to find the router on IPv4 and connect on IPv6.
 
I suspect the key here is that I have a dynamic ipv6 (it is sticky, so it only changes on re-boots, but still dynamic). If I generate a ULA (as in your installation guide) does this mean I need to remove DHCP-PD (the setup is already stateless) and where/how do I set up IPv6 NAT?

In terms of connectivity I am looking for dual stack through the tunnel, I really don't care whether the tunnel is created using IPv4 or IPv6, rather that once it is setup both work.
 
If I generate a ULA (as in your installation guide) does this mean I need to remove DHCP-PD (the setup is already stateless) and where/how do I setup IPv6 NAT
Nope. You should still run your Lan as you are. The ULA would be for the server and its clients only. Then you would have to NAT yourself out on wan or br0 using Masquerade, pretty similar as ipv4.

Setting up nat is just about adding the right firewall rules and preferably in /jffs/addons/wireguard/Scripts/wg21-up.sh (and remove them in wg21-down.sh)
 
@archiel

I'm thinking something like this if you wish to give it a try:
1. Get ipv6 ULA, assumed fc00:10:50::/48, create a subnet for wg server: fc00:10:50:1::/64
2. Divide wg21 server ip: fc00:10:50:1::1
3. Divide wg21 device 1 peer ip: fc00:10:50:1::2
4. Setup wg21 as ipv4 server, create a device (device.conf) verify it is working.
5. Update /opt/etc/wireguard.d/device.conf with ipv6 info (leave ipv4 as is)
Code:
Address = 10.50.1.2/24, fc00:10:50:1::2/64
DNS = 10.50.1.1, fc00:10:50:1::1
6. Update /opt/etc/wireguard.d/wg21.conf with AllowedIPs and #PreUp:
Code:
# myphone device
[Peer]
PublicKey = <leave as it is>
AllowedIPs = 10.50.1.2/32,fc00:10:50:1::2/128
PresharedKey = <leave as it is>
#PreUp = ip -6 address add dev wg21 fc00:10:50:1::1/64
# myphone End

7. Update userconfig files:
/jffs/addons/wireguard/Scripts/wg21-up.sh
Code:
#!/bin/sh

#Remove redundant rules:
iptables -D FORWARD -o wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
ip6tables -D FORWARD -o wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"

#Add missing rule (?):
iptables -I FORWARD -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"

#Masquerade ipv6 packets from clients to WAN
ip6tables -t nat -I POSTROUTING -s fc00:10:50:1::/64 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

#Masquerade ipv6 packets from clients to br0 (is this needed/wanted)?
#ip6tables -t nat -I POSTROUTING -s fc00:10:50:1::/64 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

/jffs/addons/wireguard/Scripts/wg21-down.sh
Code:
#!/bin/sh

#Remove added wg21 rules:
iptables -D FORWARD -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"

#Masquerade ipv6 packets from clients to WAN
ip6tables -t nat -D POSTROUTING -s fc00:10:50:1::/64 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

#Masquerade ipv6 packets from clients to br0 (is this needed/wanted)?
#ip6tables -t nat -D POSTROUTING -s fc00:10:50:1::/64 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

8. Make userconfig file executable
9. Restart wg21 server, check for error messages
10. Display the new qrcode in wgm and import to your device
11. Use Ping Tools for Android to diagnose ipv6 connection.

Edit:
Changed a lot of stuff after I'd installed a server and tested from within my lan.
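Worked example, added here and not part of ZebMcKayhan's post or of wireguard_manager: a small Python helper that carries steps 1 to 7 above through from a ULA prefix. The function names, parameters and sample inputs are assumptions, and the WAN interface is assumed to be eth0 as in the scripts above. It derives the /64, the server and device addresses, the device.conf and wg21.conf lines and the two ip6tables MASQUERADE rules, and refuses a subnet index that does not fit inside the ULA (a /64 ULA has exactly one /64, index 0).

```python
import ipaddress

# Added example, not code from the thread or from wireguard_manager.
COMMENT = "-m comment --comment \"WireGuard 'server'\""


def pick_subnet(ula_prefix, subnet_index):
    """Return /64 number `subnet_index` inside the ULA, or None if it does not fit."""
    ula = ipaddress.IPv6Network(ula_prefix)      # strict: host bits of the prefix must be zero
    if ula.prefixlen > 64:
        return None                              # this helper hands out whole /64s
    # The index is shifted up to bit 64, i.e. into the 4th hextet for a /48:
    # fc00:10:50::/48 with index 1 -> fc00:10:50:1::/64
    subnet = ipaddress.IPv6Network((int(ula.network_address) + (subnet_index << 64), 64))
    return subnet if subnet.subnet_of(ula) else None


def subnet_fits(ula_prefix, subnet_index):
    """True when that /64 exists inside the ULA (a /64 ULA only has index 0)."""
    return pick_subnet(ula_prefix, subnet_index) is not None


def plan_wg_ipv6(ula_prefix, subnet_index, server_v4, device_v4, wan_if="eth0"):
    """Derive addresses, conf lines and NAT rules for one 'server' Peer and one device.

    ula_prefix   -- the ULA you generated, e.g. "fc00:10:50::/48" (a bare /64 works too)
    subnet_index -- which /64 inside the ULA the server Peer gets (1 -> fc00:10:50:1::/64)
    server_v4    -- server Peer IPv4 address with its mask, e.g. "10.50.1.1/24"
    device_v4    -- the device's IPv4 address, e.g. "10.50.1.2"
    """
    subnet = pick_subnet(ula_prefix, subnet_index)
    if subnet is None:
        raise ValueError(f"no /64 with index {subnet_index} inside {ula_prefix}")
    server6, device6 = subnet[1], subnet[2]      # ::1 for the server, ::2 for device 1

    server4 = ipaddress.IPv4Interface(server_v4)
    device4 = ipaddress.IPv4Address(device_v4)
    if device4 not in server4.network:
        raise ValueError(f"{device4} is not inside the server subnet {server4.network}")

    # Same rule text for both scripts; only the -I (up) / -D (down) action differs
    nat = f"ip6tables -t nat {{}} POSTROUTING -s {subnet} -o {wan_if} -j MASQUERADE {COMMENT}"
    return {
        "subnet6": str(subnet),
        "server6": str(server6),
        "device6": str(device6),
        # step 5: device.conf [Interface] keeps its IPv4 line and gains the IPv6 address and DNS
        "device_interface": (f"Address = {device4}/{server4.network.prefixlen}, {device6}/64\n"
                             f"DNS = {server4.ip}, {server6}"),
        # step 6: wg21.conf [Peer] for the device; cryptokey routing wants host routes here
        "server_allowed_ips": f"AllowedIPs = {device4}/32,{device6}/128",
        # step 7: the rule wg21-up.sh inserts and wg21-down.sh deletes
        "nat_up": nat.format("-I"),
        "nat_down": nat.format("-D"),
    }


if __name__ == "__main__":
    # Constructed sample input: the ULA and addresses used in the steps above
    plan = plan_wg_ipv6("fc00:10:50::/48", 1, "10.50.1.1/24", "10.50.1.2")
    for key, value in plan.items():
        print(f"{key}:\n{value}\n")
```

Only the WAN-facing MASQUERADE rule is rendered; whether the br0 rule is wanted is the open question in the scripts above, so the helper leaves it out.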
 
@Martineau
Tried to set up a server peer to test the above. I'm currently on 4.15b9 (386.4)

I'm still running dual stack wan so I wanted to experiment with it given my recommendations above. Figure I could test it from within my lan.

But when I try to create my server:
Code:
E:Option ==> peer new

        Press y to Create (IPv6) 'server' Peer (wg21) 10.50.1.1/24:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg21 on RT-AC86U (v386.4_0)
        Press y to Start (IPv6) 'server' Peer (wg21) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer start (wg21)

        wireguard-server1: Initialising Wireguard VPN (IPv6) [fdff:a37f:fa75:1::1] 'Server' Peer (wg21) on n.n.n.n:11501 (# RT-AC86U (IPv6) Server 1)

ERR: bdmf_attrelem_add_as_buf#4250: ucast: status:No resources. attribute:ipv4_host_address_table  index:0
awk: cmd. line:1: Unexpected end of string
        wireguard-server1: Initialisation complete.

And when looking at the interface it never got the ipv6 address but it gets an ipv4 (what to expect?)
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg21
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.50.1.1  P-t-P:10.50.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Looks like it's trying to assign br0 address to wg21 which will conflict? Or is it indeed setting up an ipv4 server, the text suggests otherwise?

Trying again:
Code:
E:Option ==> peer new ipv6=fc00::10:50:1:1

        Press y to Create (IPv6) 'server' Peer (wg21) fc00::10:50:1:1:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg21 on RT-AC86U (v386.4_0)
        Press y to Start (IPv6) 'server' Peer (wg21) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer start (wg21)

        wireguard-server1: Initialising Wireguard VPN (IPv6) [fdff:a37f:fa75:1::1] 'Server' Peer (wg21) on n.n.n.n:11501 (# RT-AC86U (IPv6) Server 1)

RTNETLINK answers: File exists
iptables v1.4.21: host/network `fc00::10:50:1:1' not found
Try `iptables -h' or 'iptables --help' for more information.
        wireguard-server1: Initialisation complete.


admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg21
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fc00::10:50:1:1/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Seems to work, an error message from iptables given ipv6 address (typo?)

Trying ipv4 again:
Code:
E:Option ==> peer new ip=10.50.1.1/24

        Press y to Create (IPv6) 'server' Peer (wg21) 10.50.1.1/24:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg21 on RT-AC86U (v386.4_0)
        Press y to Start (IPv6) 'server' Peer (wg21) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer start (wg21)

        wireguard-server1: Initialising Wireguard VPN (IPv6) [fdff:a37f:fa75:1::1] 'Server' Peer (wg21) on n.n.n.n:11501 (# RT-AC86U (IPv6) Server 1)

ERR: bdmf_attrelem_add_as_buf#4250: ucast: status:No resources. attribute:ipv4_host_address_table  index:0
        wireguard-server1: Initialisation complete.

admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg21
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.50.1.1  P-t-P:10.50.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Seems to set up wg21 interface but never seen this weird error message before.
Do you get this? Or know what it is?

//Zeb
 
If anyone is interested, I've set up an ipv4 server peer and device and updated this post and can confirm that it successfully gives you a dual stack connection in to your network and to wan. You will need to be on firmware 386.4 or later for it to work.

I will probably tinker a bit more with it, mainly passtru and ipv6 lan access and write something about it in my tutorial.

//Zeb
 
FYI

I have uploaded wireguard_manager Beta v4.15bA

  • Creation of a 'server' Peer can now be IPv4 (default or forced via 'NOIPV6') or Dual-stack (IPv4+IPv6) or IPv6 ONLY.

peer help
peer new [peer_name [options]] - Create new server Peer e.g. peer new wg27 ip=10.50.99.1/24 port=12345
peer new [peer_name] {ipv6} - Create new IPv4+IPv6 server Peer e.g. peer new ipv6
peer new [peer_name] {ipv6 noipv4} - Create new IPv6 Only server Peer e.g. peer new ipv6 noipv4

  • Creation of a Road-Warrior 'client' Peer will honour the 'server' Peer it is bound to - i.e. 'client' Peer Address = IPv4 (default) or IPv4+IPv6 or IPv6 Only
 
Woo-hoo! Will test it later this weekend, much appreciated!

By the way, was just reading up in the code, is there any way to custom set ipv4 AND ipv6 when creating the peer?

Ie:
Code:
Peer new ip=192.168.100.1/24 ipv6=fc00:192:168:100::1/64

Or
Peer new ip=192.168.100.1/24,fc00:192:168:100::1/64
 
By the way, was just reading up in the code, is there any way to custom set ipv4 AND ipv6 when creating the peer?

Ie:
Code:
peer new ip=192.168.100.1/24 ipv6=fc00:192:168:100::1/64
:oops:

Uploaded patched wireguard_manager Beta v4.15bB to GitHub dev branch

 
Just gave it a spin and am really thrilled that the router seems to accept <64 ipv6 subnets!!! Really good news for all with fixed ipv6 /64 prefix!!
Code:
E:Option ==> peer new ip=192.168.100.1/24 ipv6=fc00:192:196:100::1/120

        Press y to Create (IPv4/IPv6) 'server' Peer (wg21) 192.168.100.1/24,fc00:192:196:100::1/120:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv4/IPv6) 'server' Peer wg21 on RT-AC86U (v386.4_0)
        Press y to Start (IPv4/IPv6) 'server' Peer (wg21) or press [Enter] to SKIP.
y

admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg21
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.100.1  P-t-P:192.168.100.1  Mask:255.255.255.0
          inet6 addr: fc00:192:196:100::1/120 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:2 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 route
fc00:192:196:100::/120 dev wg21 proto kernel metric 256 pref medium

This would mean all with fixed ipv6 could run un-nat:ed ipv6 server as rfc compliant as could be!

It's probably gonna be a complicated tutorial based on all ipv4/ipv6 use cases, but I'll do my best.
 
@ZebMcKayhan

I have read the above and your installation notes and need further help.
I have also updated wgm to v4.15bB

Looking at this step by step
I have generated a ULA (e.g. fd36:7ef1:2add:eb25::/64) which you have said that I should now add as a subnet. Looking at my current IPv6 configuration I have one local subnet

Code:
WAN IPv6 Address        WAN IPv6 Gateway    LAN IPv6    LAN IPv6 Link-Local             LAN IPv6 Prefix 
2a02:c3ef:f0c3:1000::1  ::                  WAN/56      fe80::nnnn:nnnn:feae:1/64       WAN/56

1. Do I add the ULA subnet in addition to the existing link-local subnet and if so, how and where?

The next two steps you refer to dividing wg21, so with my ULA
2. Divide wg21 server ip: fd36:7ef1:2add:eb25:1
3. Divide wg21 device 1 peer ip: fd36:7ef1:2add:eb25:2

2. Are these notional steps or do I actually enter something here and if so, what and how?

The next steps 4 to 6 involve the creating of the new wg21. Are these still necessary or can I now just use the single step option created by @Martineau in v4.15bB

In regard to creating the up/down scripts you have added and the #'d out final lines e.g.
Code:
#Masquarade ipv6 packets from clients to br0 (is this needed/wanted)?
#ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:eb25::/64 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"
At this stage I am just getting the android client on my phone setup, I will only add local clients (e.g. NordVPN and/or Mullvad) once this is working.

4. Do I need to enable this now, or just once I am using local clients?

Thanks, Archiel
 
1. Do I add the ULA subnet in addition to the existing link-local subnet and if so, how and where?

The next two steps you refer to dividing wg21, so with my ULA
2. Divide wg21 server ip: fd36:7ef1:2add:eb25:1
3. Divide wg21 device 1 peer ip: fd36:7ef1:2add:eb25:2
You don't need to add them anywhere but in wgm. But you have divided wrong, you got a /64 so it is already a single subnet, it should be:
Wg21: fd36:7ef1:2add:eb25::1/64

The devices will follow automatically.

Create your server as I did above, but use this ipv6 instead.
Code:
peer new ip=192.168.100.1/24 ipv6=fd36:7ef1:2add:eb25::1/64
Skip steps 4,5,6

The only rule you need to add in userconfig is the -o eth0 MASQUERADE
Code:
#!/bin/sh
#Masquerade ipv6 packets from clients to WAN
ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:eb25::1/64 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"
#Masquerade ipv6 packets from clients to br0 (is this needed/wanted)?
#ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:eb25::1/64 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

You will probably want to change dns in the device.conf file you created to point to the router which will be:
Code:
DNS = 192.168.100.1, fd36:7ef1:2add:eb25::1

I think a good start would be to get ipv4 and ipv6 working out your lan and wan and that you have control over dns used. I will look into the passtru feature eventually to steer them over to vpn.

Or you wait a couple of days until I've written about this in my tutorial.

I see you get a /56 prefix on your wan, are you sure it is dynamic? NPT6 would be better than masquerading then but don't think there is any in firmware or entware.
 
I have also updated wgm to v4.15bB
I strongly suggest you re-apply wireguard_manager Beta v4.15bB

Auxiliary script wg_server was only updated 4 hours ago... so you may not have the recommended/up to date package

 
Thanks, that all seems much simpler. Presumably I create the userconfig in wg21-up and reverse it in wg21-down.

In regard to the IPv6 it is 'sticky dynamic'. My ISP is Sky and they say
Whilst Sky do not offer strictly static DHCPv6 Prefixes, they should not change unless the DHCPv6 client changes its DUID, IAID, or intentionally sends a Release message to the DHCPv6 server. We will also hold a DHCPv6 PD lease for up to 7 days without activity.
I will give it a go tomorrow as I have used up my 'just rebooting the router' allotment for tonight.
 
Found a bug,

If I create a server peer with
Code:
peer new ip=192.168.100.1/24 ipv6=fdff:a37f:fa75:100::1/120

Still when creating a device, the device.conf ip is:
Code:
Address = 192.168.100.2/32,fdff:a37f:fa75::2/128

And wg21.conf:
Code:
AllowedIPs = 192.168.100.2/32,fdff:a37f:fa75::2/128

So the :100: gets cut off (like a /48) which makes it not work with other rules.

If I correct device.conf:
Code:
Address = 192.168.100.2/32,fdff:a37f:fa75:100::2/128

And wg21.conf:
Code:
AllowedIPs = 192.168.100.2/32,fdff:a37f:fa75:100::2/128

Everything works.
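Added example (not Zeb's code and not wireguard_manager's) for spotting the truncated-prefix problem described above: a Python check that parses the IPv6 entries of the device.conf Address line and of the device's AllowedIPs line in wg21.conf, and confirms that each one lies inside the server Peer's IPv6 subnet and that the two files agree. The sample conf fragments are constructed from the values quoted in the post; the function names are assumptions.

```python
import ipaddress
import re

# Added example, not code from the thread or from wireguard_manager.


def ipv6_entries(conf_text, key):
    """Return the IPv6 interfaces listed on every '<key> = a, b, ...' line of a WireGuard conf."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # wgm writes trailing '# ALL Traffic' comments
        match = re.match(rf"{key}\s*=\s*(.+)$", line)
        if not match:
            continue
        for item in match.group(1).split(","):
            item = item.strip()
            if not item:                         # tolerate a dangling comma
                continue
            iface = ipaddress.ip_interface(item)
            if iface.version == 6:
                entries.append(iface)
    return entries


def check_device_addressing(server_v6, device_conf, server_peer_conf):
    """List the addressing problems between a device.conf and its [Peer] block in wg21.conf.

    server_v6 is the server Peer's own IPv6 address with prefix (the ipv6= you gave wgm).
    An empty list means every IPv6 address is inside that subnet and both files agree.
    """
    server_net = ipaddress.IPv6Interface(server_v6).network
    problems = []

    device_addrs = ipv6_entries(device_conf, "Address")
    allowed = ipv6_entries(server_peer_conf, "AllowedIPs")
    if not device_addrs:
        problems.append("device.conf has no IPv6 Address")

    for iface in device_addrs:
        if iface.ip not in server_net:
            problems.append(f"device Address {iface.ip} is outside the server subnet {server_net}")
    for iface in allowed:
        if iface.ip not in server_net:
            problems.append(f"server AllowedIPs {iface} is outside the server subnet {server_net}")
        elif iface.network.prefixlen != 128:
            problems.append(f"server AllowedIPs {iface} should be a /128 host route for one device")

    if {a.ip for a in device_addrs} != {a.ip for a in allowed}:
        problems.append("device.conf Address and wg21.conf AllowedIPs list different IPv6 addresses")
    return problems


# Constructed from the values in the bug report above
SERVER_V6 = "fdff:a37f:fa75:100::1/120"
BUGGY_DEVICE = "[Interface]\nAddress = 192.168.100.2/32,fdff:a37f:fa75::2/128\n"
BUGGY_PEER = "# myphone device\n[Peer]\nAllowedIPs = 192.168.100.2/32,fdff:a37f:fa75::2/128\n"
FIXED_DEVICE = "[Interface]\nAddress = 192.168.100.2/32,fdff:a37f:fa75:100::2/128\n"
FIXED_PEER = "# myphone device\n[Peer]\nAllowedIPs = 192.168.100.2/32,fdff:a37f:fa75:100::2/128\n"

if __name__ == "__main__":
    for label, dev, peer in (("as generated", BUGGY_DEVICE, BUGGY_PEER),
                             ("corrected", FIXED_DEVICE, FIXED_PEER)):
        found = check_device_addressing(SERVER_V6, dev, peer)
        print(f"{label}: {found or 'ok'}")
```

The check only looks at the two lines that matter for cryptokey routing; a device whose Address is outside the server subnet will not match the server's AllowedIPs for that peer, which is why the rules in the userconfig scripts stop applying.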
 
Hi all. I would like to replace existing openvpn with wireguard site2site configuration. I do have one router (ASUS AC86U) as main hub currently. Then is another FritzBox with Wireguard already installed and working, and LTE GlInet with Wireguard. Configuration I would like to achieve is to have all of them connected to ASUS, from each I would like be able see far networks. I have connected Fritzbox and GLinet to ASUS, and I see network behind ASUS, however I don't see network behind Fritzbox when trying from GLinet.... Any hints please? I suspect routing, but not sure....
 
I think you need to tell us a bit more about your system:
1) what are the different LAN subnets on the different sites?
2) how did you set up Wireguard? using Wireguard Manager Site-2-Site on the Asus router? what about the other nodes? did you use wg-quick?
3) how do the .conf files look for each site (remove keys and public IPs)

//Zeb
 
