Is it possible to use an IPv6 address for the endpoint address in Wireguard?

Started by agl, October 16, 2023, 11:21:37 PM

Hello, I am a newbie as far as OPNsense or Wireguard is concerned.

I have looked quite far in this forum: I have only ever seen IPv4 addresses as the endpoint address for Wireguard. Is it possible to also use an IPv6 address for the endpoint address in Wireguard?

I did my configuration according to the https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I selected "IPv4 + IPv6" everywhere it was specified, but it doesn't work. It only works with the IPv4 endpoint address.

Can the Wireguard server handle IPv6 traffic on the endpoint at all? Or is this a problem of OPNsense?

I have the same problem with OpenVPN! Also here only an IPv4 address works as endpoint address.

Best regards
Andreas

I have been using WireGuard in OPNsense with IPv6 as the endpoint address for a long time.

You have to check what your WAN IPv6 address on the WAN interface is:
Interfaces: Overview
Expand "WAN"

Look at IPv6 address (Something like 2001:db8:1234:1231:aaaa:aaaa:aaaa:123/64)

WireGuard listens on ANY interface on the port you specify, so the endpoint for this IP address should be [2001:db8:1234:1231:aaaa:aaaa:aaaa:123]:51820 on your client.

Then just create a firewall rule that allows incoming connections on your WAN interface from source any to destination WAN address on destination port 51820 and it should work.

If you have a dynamic IPv6 prefix you have to use a dynamic hostname on your client instead. But your WireGuard client will always prefer IPv4 if you have a hostname with A and AAAA records.
Hardware:
DEC740

Quote from: Monviech on October 17, 2023, 08:41:08 AM
If you have a dynamic IPv6 prefix you have to use a dynamic hostname on your client instead. But your WireGuard client will always prefer IPv4 if you have a hostname with A and AAAA records.

Interesting. Is this just a WG quirk or something specific to the setup? I wonder what happens with a domain with just an AAAA record.

@CJ AAAA-only works fine, that's what I mostly use. IPv4 being preferred over IPv6 is a quirk of some of the WireGuard clients, notably the official Android and Windows implementations.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
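Added example (not code from the thread, OPNsense or the WireGuard project) tying together Monviech's bracketed IPv6 endpoint and Maurice's AAAA-only workaround: a small script that rewrites the Endpoint line of a client config to an IPv6 literal so the client cannot fall back to the A record. The hostnames, the config file and the DNS answers are constructed stand-ins (a dict instead of a live lookup) so it runs offline; the function names are assumptions made for illustration.

```python
"""Pin a WireGuard peer Endpoint to an IPv6 literal (constructed example).

Clients that prefer A over AAAA when a hostname has both will connect over
IPv4. Resolving the name yourself, choosing the AAAA record and writing the
bracketed literal into the config removes that choice from the client.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed stand-in for DNS answers: name -> list of (rrtype, address).
FAKE_DNS = {
    "vpn.example.net": [("A", "198.51.100.7"),
                        ("AAAA", "2001:db8:1234:1231:aaaa:aaaa:aaaa:123")],
    "vpn6.example.net": [("AAAA", "2001:db8:1234:1231:aaaa:aaaa:aaaa:123")],
    "vpn4.example.net": [("A", "198.51.100.7")],
}


def format_endpoint(host: str, port: int) -> str:
    """Return host:port; IPv6 literals must be bracketed in a wg config."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return f"{host}:{port}"            # hostname: no brackets
    if addr.version == 6:
        return f"[{addr.compressed}]:{port}"
    return f"{addr.compressed}:{port}"


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6literal]:port' into (host, port)."""
    m = re.fullmatch(r"\[([^\]]+)\]:(\d+)|([^:\[\]]+):(\d+)", endpoint.strip())
    if not m:
        raise ValueError(f"bad endpoint: {endpoint!r}")
    host = m.group(1) or m.group(3)
    port = int(m.group(2) or m.group(4))
    return host, port


def resolve(host: str, prefer_v6: bool, dns=FAKE_DNS) -> Optional[str]:
    """Pick one address for host from the stand-in DNS table.

    prefer_v6=True is what we want; prefer_v6=False mimics a client that
    takes the A record whenever both A and AAAA exist. An AAAA-only name
    yields IPv6 either way, which is why that workaround is robust.
    """
    try:
        ipaddress.ip_address(host)
        return host                        # already a literal, nothing to do
    except ValueError:
        pass
    order = ("AAAA", "A") if prefer_v6 else ("A", "AAAA")
    records = dns.get(host, [])
    for want in order:
        for rrtype, addr in records:
            if rrtype == want:
                return addr
    return None


def pin_endpoint(conf: str, prefer_v6: bool = True, dns=FAKE_DNS) -> str:
    """Rewrite every 'Endpoint = ...' line of a wg config to an IP literal."""
    out = []
    for line in conf.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "endpoint":
            host, port = split_endpoint(val)
            addr = resolve(host, prefer_v6, dns)
            if addr is None:
                raise LookupError(f"no usable record for {host}")
            line = f"Endpoint = {format_endpoint(addr, port)}"
        out.append(line)
    return "\n".join(out)


# Constructed client config; keys are placeholders.
CLIENT_CONF = """[Interface]
PrivateKey = <client private key>
Address = 10.10.10.2/32, fd00:10::2/128

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    print(pin_endpoint(CLIENT_CONF))
```

Running it prints the config with `Endpoint = [2001:db8:1234:1231:aaaa:aaaa:aaaa:123]:51820`; calling `pin_endpoint(CLIENT_CONF, prefer_v6=False)` shows the IPv4 endpoint such a client would have picked on its own. With a dynamic prefix this only helps if it is re-run when the prefix changes, which is the case Monviech's dynamic-hostname advice covers.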

I noticed WireGuard does this:

https://github.com/opnsense/src/blob/08aa869336f6a7c19d5bbcaa61269a3f21ca1993/sys/dev/wg/if_wg.c#L2790L2791

I'm not a fan, but it's safe to say the authors are aware of the IPv6 pitfalls, having run into them for sure, leading to such defaults. :>


Cheers,
Franco


#ifdef INET6
/* Do not auto-configure a link-local address on the wg interface. */
ND_IFINFO(ifp)->flags &= ~ND6_IFF_AUTO_LINKLOCAL;
/* Skip Duplicate Address Detection for IPv6 addresses on this interface. */
ND_IFINFO(ifp)->flags |= ND6_IFF_NO_DAD;
#endif


This applies to the wg interface though (IPv6 inside the tunnel), correct? Shouldn't have any impact on establishing a WireGuard connection over IPv6 (outside the tunnel).

Cheers
Maurice

These are per-device settings, and NO_DAD in turn influences all IPv6 addresses being set on the device. It's not a big deal with static addressing, but it's funny nonetheless, because someone must have had issues with tentative-state addresses at some point in time.


Cheers,
Franco