Wireguard Connecting via IPv6

archiel

Very Senior Member
Hi @ZebMcKayhan, I was wondering if you could assist in some troubleshooting.

A couple of years back you helped me in setting up an IPv4/IPv6 setup on WireGuard. While all seemed to be well, my ISP has just moved me onto CGNAT and when I try to connect using my mobile phone, the handshaking stage fails.

From WGM
Code:
E:Option ==> 3
interface: wg21 Port:11501      10.50.1.1/24                    VPN Tunnel Network      # RT-AX88U (IPv4/IPv6) Server 1
peer: xxxxxxx=      10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128             # pho21 "Device"

and where wg21-up.sh
Code:
#!/bin/sh
###############################################################################
# Example for Wg21 ipv6 = aa00:aaaa:bbbb:cccc:100::1/120
# Change to your needs but keep formatting
Wg21Prefix=aa36:7ef1:2add:aa88:: #Wg21 ULA prefix with aa instead of fd
Wg21Suffix=100::1  #Wg21 Device suffix (last 64 bits)
Wg21PrefixLength=120   #Wg21 Prefix Length (120 recommended)
WanInterface=eth0
# Changing below lines should not be needed:
WanIp6Prefix=$(nvram get ipv6_prefix)     #WanIp6Prefix=2001:1111:2222:3333::
Wg21_PrefIp=${Wg21Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}      #aa00:aaaa:bbbb:cccc:100::1/120
WanWg21_PrefIp=${WanIp6Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}   #2001:1111:2222:3333:100::1/120
##Execute firewall commands: with entware iptables
#ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j NETMAP --to ${WanIp6Prefix}/64
#ip6tables -t nat -I PREROUTING -i ${WanInterface} -d ${WanWg21_PrefIp} -j NETMAP --to ${Wg21Prefix}/64
##Or if no NETMAP (without entware iptables)
ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j MASQUERADE -m comment --comment "WireGuard 'server'"
#ipv6 alias (moved from wan-event for Split WG) - REM OUT if Router only
ip -6 address add dev eth5 aa36:7ef1:2add:aa88:100::9/128
###############################################################################

Kind regards, Archie
 
when I try to connect using my mobile phone, the handshaking stage fails.
If the handshake fails then the tunnel does not work at a lower level. How are you setting the endpoint in your client? Are you using IPv6 as it is? br0 IPv6 or WAN IPv6? Or are you using DDNS, and if so, how do you know it's trying to use IPv6?

IIRC I did set up WGM for a direct connection using IPv6 and I don't remember that I needed to do anything special, the handshakes just work... oh, there was something about the IPv6 address needing to be in [ ] when written manually as an endpoint, I believe.
 
I am sorry but I don't know what you mean by 'setting the endpoint'. The config for the mobile (connecting to wg21 on the router) is
Code:
E:Option ==> peer pho21

Device  Auto  IP                                           DNS                                   Allowed IPs      Annotate          Conntrack
pho21   X     10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128  10.50.1.1,aa36:7ef1:2add:aa88:100::1  0.0.0.0/0, ::/0  # pho21 "Device"  1765210797

In regard to connecting over DDNS (which is what I do), the Asus DDNS is set up for IPv4 and IPv6 and testing over https://iplookup.asus.com/nslookup.php always returns both WAN addresses as shown on ifconfig eth0
Code:
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:149.22.202.108  Bcast:149.22.202.127  Mask:255.255.255.128
          inet6 addr: 2a02:6b60:0:be::2db/128 Scope:Global
 
I am sorry but I don't know what you mean by 'setting the endpoint'. The config for the mobile (connecting to wg21 on the router) is
No, I meant on the client device. As you can't make the handshake, your device is likely not reaching the router. The local WG IP hasn't come into play yet.

In regard to connecting over DDNS (which is what I do), the Asus DDNS is set up for IPv4 and IPv6 and testing over https://iplookup.asus.com/nslookup.php always returns both WAN addresses as shown on ifconfig eth0
That's no CGNAT address, so what has changed? I did see your other posts and it looks like you're back on public IPv4?
 
Sorry, yes, I have had CGNAT removed, so now I am just curious as to why the connection fails if IPv4 is CGNAT'd (or not otherwise available).

The conf file for pho21 is
Code:
 pho21
[Interface]
PrivateKey = xxxxxxxxxxx=
Address = 10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128
DNS = 10.50.1.1,aa36:7ef1:2add:aa88:100::1

# RT-AX88U (IPv4/IPv6) 'server' (wg21)
[Peer]
PublicKey = xxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0     # ALL Traffic
# DDNS dancingb.asuscomm.com
Endpoint = dancingb.asuscomm.com:11501
PresharedKey = xxxxxxxxxxx=
PersistentKeepalive = 25
# pho21 End
 
Sorry, yes, I have had CGNAT removed, so now I am just curious as to why the connection fails if IPv4 is CGNAT'd (or not otherwise available).
It would be up to the client trying to connect whether it should use IPv4 or IPv6.
If it's trying to use IPv4 and it does not work, I'm not too sure it will try with IPv6, as WireGuard doesn't have any active connection tracking.

I have created a DDNS entry with only IPv6 in it and no IPv4 to force IPv6 usage.
 
With the WAN IPv4 having a public IP, the WireGuard connection works fine, hence my confusion as to why it failed completely when the IPv4 DDNS address was not available on the router due to CGNAT. I had hoped that it would connect over IPv6; it didn't.

Would it be worth trying to create a new phone connection in WGM with no IPv4 and then adding the new client to the phone?
 
I had hoped that it would connect over IPv6; it didn't.
Depending on what client you have and which app you are using, perhaps there is a setting there somewhere?


Would it be worth trying to create a new phone connection in WGM with no IPv4 and then adding the new client to the phone?
No, as this is not related to the peer's IPv4/IPv6 addresses; it's about the UDP tunnel. The tunnel is always over IPv4 OR IPv6, never both. It's always the client that chooses whether the tunnel is over IPv4 or IPv6, depending on how that device prioritizes. Even if the tunnel is one or the other, it may give both IPv4 and IPv6 connectivity inside the tunnel, but that only works if the tunnel works.

As a quick test, try to replace the endpoint in the config with your router's [IPv6] address and import it on a client. It should work with either the eth0 IPv6 or the br0 IPv6.
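The two points made in the replies above, that the client alone picks IPv4 or IPv6 for the UDP tunnel based on what the Endpoint resolves to, and that an IPv6 literal in an Endpoint has to be written in [ ], can be exercised offline with the small script below. It is an added example written for this thread; it is not WGM code and not from any of the posts. It rewrites the pho21 client config (copied from the thread with every key replaced by a placeholder) so the Endpoint is the router's WAN IPv6 literal, rejects an unbracketed IPv6 endpoint, and models the resolver with constructed A/AAAA answers built from the WAN addresses shown in the ifconfig output, so no live DNS is involved. The "AAAA only" answer set stands for the IPv6-only DDNS name described in the reply above.

```python
"""Force a WireGuard client's UDP tunnel onto IPv6 by rewriting its Endpoint.

Added example for this thread; it is not WGM code and not from the original
posts. The config text is the pho21 peer config posted above with every key
replaced by an obvious placeholder, and the "resolver answers" are constructed
from the WAN addresses shown in the ifconfig output, so it runs offline.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: pho21 client config from the thread, keys are placeholders.
PHO21_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128
DNS = 10.50.1.1,aa36:7ef1:2add:aa88:100::1

# RT-AX88U (IPv4/IPv6) 'server' (wg21)
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0     # ALL Traffic
# DDNS dancingb.asuscomm.com
Endpoint = dancingb.asuscomm.com:11501
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
PersistentKeepalive = 25
"""

# Constructed stand-ins for what a resolver would return for the DDNS name.
# The addresses are the WAN addresses posted in the thread, not live lookups.
DDNS_A_AND_AAAA = {"A": ["149.22.202.108"], "AAAA": ["2a02:6b60:0:be::2db"]}
DDNS_AAAA_ONLY = {"A": [], "AAAA": ["2a02:6b60:0:be::2db"]}

# Matches the value part of an "Endpoint = ..." line, leaving any comment alone.
ENDPOINT_RE = re.compile(r"^(\s*Endpoint\s*=\s*)(.+?)(\s*(#.*)?)$", re.MULTILINE)


def format_endpoint(host: str, port: int) -> str:
    """Build an Endpoint value; IPv6 literals must be wrapped in [ ] for wg."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return f"{host}:{port}"          # hostname: the resolver picks the family
    if addr.version == 6:
        return f"[{addr.compressed}]:{port}"
    return f"{addr.compressed}:{port}"


def parse_endpoint(value: str) -> tuple[str, int]:
    """Split an Endpoint value into (host, port), rejecting unbracketed IPv6."""
    value = value.strip()
    if value.startswith("["):
        host, bracket, rest = value[1:].partition("]")
        if not bracket or not rest.startswith(":"):
            raise ValueError(f"malformed IPv6 endpoint: {value!r}")
        ipaddress.IPv6Address(host)      # raises ValueError if not an IPv6 literal
        return host, int(rest[1:])
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"endpoint missing port: {value!r}")
    if ":" in host:
        # Bare "2a02::1:11501" is ambiguous; this is why wg requires [ ].
        raise ValueError(f"IPv6 endpoint must be bracketed: {value!r}")
    return host, int(port)


def set_endpoint(conf: str, host: str, port: int | None = None) -> str:
    """Return conf with the [Peer] Endpoint replaced; keeps the old port by default."""
    m = ENDPOINT_RE.search(conf)
    if m is None:
        raise ValueError("config has no Endpoint line")
    _old_host, old_port = parse_endpoint(m.group(2))
    new_value = format_endpoint(host, old_port if port is None else port)
    return conf[: m.start(2)] + new_value + conf[m.end(2):]


def tunnel_families(endpoint_host: str, answers: dict[str, list[str]]) -> set[int]:
    """Address families the UDP tunnel could run over for this Endpoint.

    A literal pins the family outright. A hostname offers whatever the resolver
    returns (`answers` stands in for it); the client still uses one family per
    peer, so an A+AAAA name leaves the choice to the device's own preference.
    """
    try:
        return {ipaddress.ip_address(endpoint_host).version}
    except ValueError:
        pass
    families = set()
    if answers.get("A"):
        families.add(4)
    if answers.get("AAAA"):
        families.add(6)
    return families


if __name__ == "__main__":
    print(set_endpoint(PHO21_CONF, "2a02:6b60:0:be::2db"))
    print("DDNS with A+AAAA:", tunnel_families("dancingb.asuscomm.com", DDNS_A_AND_AAAA))
    print("DDNS with AAAA only:", tunnel_families("dancingb.asuscomm.com", DDNS_AAAA_ONLY))
```

Running it prints the pho21 config with `Endpoint = [2a02:6b60:0:be::2db]:11501`, which is the config to import on the phone for the quick test suggested above. The `tunnel_families` output shows why a dual-stack DDNS name does not by itself guarantee an IPv6 tunnel: with both A and AAAA present the device decides, whereas an AAAA-only name or a bracketed literal leaves it no choice.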
 
