OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: kasper93 on July 09, 2021, 08:30:19 pm

Title: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: kasper93 on July 09, 2021, 08:30:19 pm
Hi,

I have a fairly simple setup, but cannot make WireGuard work over IPv6.

Interfaces:
WAN: My ISP provided IPv4
WANv6: HE IPv6 Tunnel Broker
WG: WireGuard

Now when I use an IPv4 endpoint on the client peer, it works flawlessly. But when I use IPv6, it doesn't work. Handshake packets come through from the client, as I see the peer's IPv6 address on OPNsense and I see both TX/RX traffic. But on the client peer I see only TX and never get any packet back. It looks like the WG server responses are lost.

Any idea how to diagnose/resolve this?

Thanks,
Kacper

Title: Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: newsense on July 10, 2021, 06:35:00 pm
Might need to adjust the MTU there; did you set any value for it? Give it a shot with 1480.

https://forums.he.net/index.php?topic=67.0

Title: Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: 300cpilot on July 10, 2021, 08:37:47 pm
My experience with HE required a 1280 MTU. This was through a SonicWall though; just know that it took a while to figure out which value worked. The value you use has to divide by 8 evenly for it to work (1280/8=160, no remainder). I am going to be setting up HE this week on this OPNsense firewall to replace the SonicWall. So I am in here searching for others that have blazed the trail already.

Title: Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: newsense on July 10, 2021, 09:03:46 pm
I've seen 1280 being discussed on much older threads so I'd try it as an option if 1480 won't cut it.

Title: Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: Napsterbater on July 11, 2021, 04:59:12 pm
By default, I believe GIF interfaces on OPNsense are 1280 MTU, but you can go to your Tunnel interface and set the MTU of that assigned interface to 1480 (if you have a WAN MTU of 1500, otherwise WAN MTU - 20 = Tunnel MTU).

Then you can go to the HE Tunnel Broker site and confirm the MTU for that tunnel is set to 1480 there as well, though I think it is by default.

Then, if you had to set the MTU of the tunnel interface to less than 1480, (Tunnel Interface MTU) - 60 = (WireGuard MTU). Note this must be set on both WireGuard clients/server.

Title: Re: WireGuard doesn't work over HE IPv6 Tunnel Broker
Post by: kasper93 on July 19, 2021, 12:46:14 am
Thanks guys for the suggestions, but it turns out my ISP on mobile is the culprit. Actually it was working perfectly some time ago, but with pfSense; I made a switch to OPNsense and it stopped working, so I assumed this was the problem. But it turns out that at the same time my mobile ISP changed something on their end. I didn't have time to diagnose it further, but basically it looks like the traffic is filtered...