Inbound wireguard over ipv6?

Started by devilkin, July 16, 2025, 03:49:33 PM

Hi,

I'm trying to get WireGuard working over IPv6, i.e. to start a tunnel to my public IPv6 address. For some obscure reason this won't connect.
Over IPv4 it works without issues.

The WireGuard process is listening on port 16667, on both IPv4 and IPv6:

netstat -an | grep 16667
udp6       0      0 *.16667                *.*                   
udp4       0      0 *.16667                *.*           

There are pf rules in place:
pfctl -s rules | grep 16667
pass in log quick on igb0 reply-to (igb0 my_wan_ip) inet proto udp from <test_alias> to (self) port = 16667 keep state label "bb98ab23aa9424dfc474d537ac13aec4"
pass in log quick on igb0 reply-to (igb0 fe80::342c:zzzz:yyyy:xxxx) inet6 proto udp from <test_alias> to (self) port = 16667 keep state label "bb98ab23aa9424dfc474d537ac13aec4"

The alias contains both the IPv4 and the IPv6 address of the other side.

What am I missing? Strangely enough, not even tcpdump -i igb0 port 16667 and udp and ip6 shows any incoming traffic.

Outgoing (both from the OPNsense machine itself and from clients on the LAN) works fine.