OPNsense Forum

English Forums => Virtual private networks => Topic started by: N0_Klu3 on February 28, 2022, 09:39:51 am

Title: Unable to get WG to work and IPv6 Showing instead
Post by: N0_Klu3 on February 28, 2022, 09:39:51 am
Hi all,

So I tried to follow the Road Warrior guide.
Got it all created and all.
I do have Dual WAN first thing to note, but I just used the 1 WAN connection.
As such I used this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html
Note I had to setup DNS via DHCP for each interface

I have my WG client setup on my iPhone, it has the IPv4 external IP of that WAN connection.
So Endpoint: 212.69.45.xx:51820

I click connect, I can see transfer: 1.16 KiB received, 736 B sent increasing.
But if I look back at my client (iPhone), instead of the IPv4 endpoint address you see above, it's now showing an IPv6 address.
And I do not get a handshake.
Once it connects it goes from IPv4 WAN to IPv6 WAN even though I do not have IPv6 set up on my OPNsense router.
And I cannot get it to handshake for the life of me.
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: Greelan on February 28, 2022, 01:24:26 pm
I suspect your phone network provider uses only IPv6, and therefore translates from that to the IPv4 address. My provider does the same, so I see an IPv6 IP in my phone WG config as well.

The issue shouldn't be that, it is likely a WG configuration issue. Suggest you post your WG configs on OPNsense and your phone and the related firewall rules to verify (mask out public IPs and private keys ofc)
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: Patrick M. Hausen on February 28, 2022, 01:36:10 pm
If the phone is on an IPv6 only cellular network and the gateway is connected via IPv4, it is mandatory that the phone connects via a DNS name and not a literal IP address for NAT64 to work.

Let's pretend your gateway is at 1.2.3.4 with no IPv6 network and your phone has got only IPv6. You set up a DNS name of my.gateway.com pointing to 1.2.3.4.

Your phone asks the recursive nameserver of the cellular network for my.gateway.com with type AAAA.

The DNS server of your cellular provider sees that no AAAA record is available but an A record is with value 1.2.3.4.

It then translates that IPv4 address of 1.2.3.4 to the IPv6 address 64:ff9b::1.2.3.4 and sends that fake AAAA record back to your phone.

HTH
Patrick
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: N0_Klu3 on February 28, 2022, 02:26:33 pm
If the phone is on an IPv6 only cellular network and the gateway is connected via IPv4, it is mandatory that the phone connects via a DNS name and not a literal IP address for NAT64 to work.

Let's pretend your gateway is at 1.2.3.4 with no IPv6 network and your phone has got only IPv6. You set up a DNS name of my.gateway.com pointing to 1.2.3.4.

Your phone asks the recursive nameserver of the cellular network for my.gateway.com with type AAAA.

The DNS server of your cellular provider sees that no AAAA record is available but an A record is with value 1.2.3.4.

It then translates that IPv4 address of 1.2.3.4 to the IPv6 address 64:ff9b::1.2.3.4 and sends that fake AAAA record back to your phone.

HTH
Patrick

Ok dang... So I need to use a domain name and set it to forward to the IPv4 address of my WAN right?
Is there a guide anywhere to accomplish this?

Fortunately I have a spare domain
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: Patrick M. Hausen on February 28, 2022, 04:36:52 pm
Ok dang... So I need to use a domain name and set it to forward to the IPv4 address of my WAN right?
Yes. Domain name --> A record with IPv4 address --> NAT64 at the cellular provider will do its magic.

Is there a guide anywhere to accomplish this?
Fortunately I have a spare domain
This depends on how your spare domain is connected and if your contract for that domain includes authoritative DNS services and possibly a management panel to create your own entries.

But you really need to contact whomever your domain is registered with.

Kind regards,
Patrick
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: Greelan on February 28, 2022, 10:26:28 pm
The requirement for DNS is only an issue if the network provider is using DNS64+NAT64. If using 464XLAT, like my provider, then literal IPv4 IPs work fine (as evidenced by my WG working on my phone right now :) )
Title: Re: Unable to get WG to work and IPv6 Showing instead
Post by: N0_Klu3 on March 05, 2022, 07:12:52 pm
Ok dang... So I need to use a domain name and set it to forward to the IPv4 address of my WAN right?
Yes. Domain name --> A record with IPv4 address --> NAT64 at the cellular provider will do its magic.

Is there a guide anywhere to accomplish this?
Fortunately I have a spare domain
This depends on how your spare domain is connected and if your contract for that domain includes authoritative DNS services and possibly a management panel to create your own entries.

But you really need to contact whomever your domain is registered with.

Kind regards,
Patrick

So I added an A record to a subdomain to my external WAN address.

Added my wg.domain.com:51820 to my config.
But my cell is still converting it to IPv6.

Did I miss a step somewhere?