OPNsense Forum

English Forums => Virtual private networks => Topic started by: Monviech on December 08, 2021, 03:04:25 pm

Title: wireguard IPv6 - handshake times out
Post by: Monviech on December 08, 2021, 03:04:25 pm
Hello,

I'm trying to configure Wireguard for IPv6 with GUAs on the OPNsense but the handshake times out.

Devices:

wireguard client (android 11) <-> Telekom LTE <-> Telekom VDSL DualStack <-> Zyxel VMG3006-D70A modem <-> hn0 PPPoE OPNsense 21.7.5-amd64 <-> wireguard wg1 interface

Network:

2a02:3037:419:XXXX:7816:c474:1899:61a7/64 wireguard Client <-> 2003:a:1704:XXXX::/56 hn0 PPPoE Telekom ipv6 subnet <-> 2003:a:1704:XXXX:215:5dff:fe00:c956/64 Opnsense Wireguard wg1 interface

ipv6 only opnsense wireguard configuration:

[Interface]
Address = 2003:a:1704:XXXX:215:5dff:fe00:c956/64
ListenPort = 51860
PrivateKey = XXXXXXXX=

[Peer]
PublicKey = w7ZjzusY7Z+rR9yrJeJf2HQ8pWZme5cg9XXXXXXXXXX=
AllowedIPs = 2003:a:1704:XXXX:215:5dff:fe00:dddd/128
Endpoint = [2a02:3037:419:XXXX:7816:c474:1899:61a7]:44224

ipv6 only Android 11 wireguard configuration:

[Interface]
Address = 2003:a:1704:XXXX:215:5dff:fe00:dddd/128
ListenPort =
PrivateKey = XXXXXXXX=

[Peer]
PublicKey = 9fEJ8rvOXx0JwyCGlXXcwcnWNvS25VELRXXXXXXXXXX=
AllowedIPs = ::/0
Endpoint = [2003:a:1704:XXXX:215:5dff:fe00:c956]:51860

Troubleshooting:

The handshake packet sent by the android 11 device hits the pppoe interface of the opnsense, and the opnsense sends a response packet:

root@opn01:~ # tcpdump -i hn0 pppoes and port 51860 -vv
tcpdump: listening on hn0, link-type EN10MB (Ethernet), capture size 262144 bytes

15:00:02.510775 PPPoE  [ses 0x23ca] IP6 (flowlabel 0x45245, hlim 53, next-header UDP (17) payload length: 156) 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224 > 2003:a:1704:XXXX:215:5dff:fe00:c956.51860: [udp sum ok] UDP, length 148

15:00:02.511393 PPPoE  [ses 0x23ca] IP6 (hlim 64, next-header UDP (17) payload length: 100) 2003:a:177f:XXXX:215:5dff:fe00:c949.51860 > 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224: [udp sum ok] UDP, length 92

There is traffic generated in the wireguard peer, and the endpoint socket (android 11) is assigned dynamically:

root@opn01:~ # wg
peer: w7ZjzusY7Z+rR9yrJeJf2HQ8pWZme5cg9XXXXXXXXXX=
  endpoint: [2a02:3037:419:XXXX:7816:c474:1899:61a7]:44224
  allowed ips: 2003:a:1704:XXXX:215:5dff:fe00:dddd/128
  transfer: 7.95 KiB received, 4.94 KiB sent

Problem:

There is no incoming traffic on the android device. The android device just sends the handshake over and over because there is no response packet arriving. The OPNsense sends the response packet though, as seen in the tcpdump.

Could anybody give me a hint? Thank you.

EDIT1:

I just found out, if I change the config of the peer in the opnsense like this, the handshake works:

[Peer]
PublicKey = w7ZjzusY7Z+rR9yrJeJf2HQ8pWZme5cg9XXXXXXXXXX=
AllowedIPs = 2003:a:1704:XXXX:215:5dff:fe00:dddd/128, 2a02:3037:419:XXXX:7816:c474:1899:61a7/128
Endpoint = [2a02:3037:419:XXXX:7816:c474:1899:61a7]:44224

But that's not ideal, because in the LTE network the android device gets a new IP address randomly. Is there any guideline for this? In the opnsense wireguard tutorial they all use link local ipv6.

EDIT2:

I have now tried a dual stack approach to it with those configurations:

And it just works, without having to configure the real ipv6 address of the android 11 device as allowed IPs in the opnsense peer config as in EDIT1.

dual stack opnsense wireguard configuration:

[Interface]
Address = 10.0.0.1/24, 2003:a:1704:XXXX:215:5dff:fe00:c956/64
ListenPort = 51860
PrivateKey = XXXXXXXX=

[Peer]
PublicKey = w7ZjzusY7Z+rR9yrJeJf2HQ8pWZme5cg9XXXXXXXXXX=
AllowedIPs = 10.0.0.2/32, 2003:a:1704:XXXX:215:5dff:fe00:dddd/128
Endpoint = [2a02:3037:419:XXXX:7816:c474:1899:61a7]:44224

dual stack Android 11 wireguard configuration:

[Interface]
Address = 10.0.0.2/32, 2003:a:1704:XXXX:215:5dff:fe00:dddd/128
ListenPort =
PrivateKey = XXXXXXXX=

[Peer]
PublicKey = 9fEJ8rvOXx0JwyCGlXXcwcnWNvS25VELRXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [2003:a:1704:XXXX:215:5dff:fe00:c956]:51860

Is the first behavior with ipv6 only configuration actually a bug in the wireguard implementation?
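One check a practitioner would run over a capture like the one in the post is to pair each WireGuard handshake initiation with its response and confirm that the response leaves from exactly the socket the initiator addressed; a stateful filter on the path (carrier NAT, a firewall state table) only passes replies coming back from the socket that was contacted. The script below is an added example, not code from the post or from the OPNsense or WireGuard projects. It parses tcpdump's IPv6 UDP lines, classifies WireGuard messages by their fixed on-the-wire sizes (148 bytes initiation, 92 bytes response, 64 bytes cookie reply), and reports any initiation whose response came from a different address or port. The two sample captures are constructed: the first is modelled on the lines in the post (with the XXXX placeholders kept), the second is a healthy exchange for comparison.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# WireGuard message sizes as UDP payload length (fixed by the protocol).
WG_MSG_SIZES = {148: "handshake-initiation", 92: "handshake-response", 64: "cookie-reply"}

# Constructed sample capture modelled on the tcpdump lines in the post.
SAMPLE_CAPTURE = """\
tcpdump: listening on hn0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:00:02.510775 PPPoE  [ses 0x23ca] IP6 (flowlabel 0x45245, hlim 53, next-header UDP (17) payload length: 156) 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224 > 2003:a:1704:XXXX:215:5dff:fe00:c956.51860: [udp sum ok] UDP, length 148
15:00:02.511393 PPPoE  [ses 0x23ca] IP6 (hlim 64, next-header UDP (17) payload length: 100) 2003:a:177f:XXXX:215:5dff:fe00:c949.51860 > 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224: [udp sum ok] UDP, length 92
"""

# Constructed healthy exchange: the response leaves from the socket the initiator addressed.
HEALTHY_CAPTURE = """\
15:10:00.000100 PPPoE  [ses 0x23ca] IP6 (hlim 53, next-header UDP (17) payload length: 156) 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224 > 2003:a:1704:XXXX:215:5dff:fe00:c956.51860: [udp sum ok] UDP, length 148
15:10:00.000700 PPPoE  [ses 0x23ca] IP6 (hlim 64, next-header UDP (17) payload length: 100) 2003:a:1704:XXXX:215:5dff:fe00:c956.51860 > 2a02:3037:419:XXXX:7816:c474:1899:61a7.44224: [udp sum ok] UDP, length 92
"""

# tcpdump -vv line: timestamp ... <src>.<sport> > <dst>.<dport>: ... UDP, length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): .*UDP, length (?P<len>\d+)$"
)


@dataclass
class WgPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    kind: str


def parse_capture(text: str) -> list[WgPacket]:
    """Turn tcpdump UDP lines into WgPacket records; non-matching lines (banner) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = WG_MSG_SIZES.get(int(m["len"]), "transport-data")
        packets.append(WgPacket(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), kind))
    return packets


def check_handshake_symmetry(packets: list[WgPacket]) -> list[str]:
    """For every initiation, find the next response addressed back to the initiator and
    compare the response's source socket with the socket the initiation was sent to."""
    findings = []
    for i, p in enumerate(packets):
        if p.kind != "handshake-initiation":
            continue
        reply = next(
            (q for q in packets[i + 1:]
             if q.kind == "handshake-response" and q.dst == p.src and q.dport == p.sport),
            None,
        )
        if reply is None:
            findings.append(f"{p.ts}: no handshake response seen for initiation from [{p.src}]:{p.sport}")
        elif (reply.src, reply.sport) != (p.dst, p.dport):
            findings.append(
                f"{p.ts}: initiation sent to [{p.dst}]:{p.dport} but response came from "
                f"[{reply.src}]:{reply.sport}"
            )
    return findings


if __name__ == "__main__":
    for name, cap in (("sample", SAMPLE_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        problems = check_handshake_symmetry(parse_capture(cap))
        print(f"{name}: {'OK' if not problems else chr(10).join(problems)}")
```

Feed it a real `tcpdump -vv` capture (`python3 wgcheck.py < capture.txt` after replacing the constructed samples with `sys.stdin.read()`) and compare the reported response source against the `Address` and `ListenPort` in the `[Interface]` section and the `Endpoint` in the client's `[Peer]` section; all three should name the same socket.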