Topic: WireGuard doesn't work over HE IPv6 Tunnel Broker (Read 2978 times)
kasper93
« on: July 09, 2021, 08:30:19 pm »
Hi,
I have a fairly simple setup, but cannot make WireGuard work over IPv6.
Interfaces:
WAN: My ISP provided IPv4
WANv6: HE IPv6 Tunnel Broker
WG: WireGuard
Now when I use an IPv4 endpoint on the client peer it works flawlessly. But when I use IPv6 it doesn't work. Handshake packets come through from the client, as I see the peer IPv6 address on OPNsense and I see both TX/RX traffic. But on the client peer I see only TX, never got any packet back. Looks like the WG server responses are lost.
Any idea how to diagnose/resolve this?
Thanks,
Kacper
newsense
« Reply #1 on: July 10, 2021, 06:35:00 pm »
Might need to adjust the MTU there. Did you set any value for it? Give it a shot with 1480.
https://forums.he.net/index.php?topic=67.0
300cpilot
« Reply #2 on: July 10, 2021, 08:37:47 pm »
My experience with HE required a 1280 MTU. This was through a SonicWall though; just know that it took a while to figure out which value worked. The value you use has to divide by 8 evenly for it to work (1280/8=160, no remainder). I am going to be setting up HE this week on this OPNsense firewall to replace the SonicWall. So I am in here searching for others that have blazed the trail already.
newsense
« Reply #3 on: July 10, 2021, 09:03:46 pm »
I've seen 1280 being discussed on much older threads so I'd try it as an option if 1480 won't cut it.
Napsterbater
« Reply #4 on: July 11, 2021, 04:59:12 pm »
By default I believe GIF interfaces on OPNsense are 1280 MTU, but you can go to your Tunnel interface and set the MTU of that assigned interface to 1480 (if you have a WAN MTU of 1500, otherwise WAN MTU - 20 = Tunnel MTU).
Then you can go to the HE Tunnel Broker site and confirm the MTU for that tunnel is set to 1480 there as well, though I think it is by default.
Then if you had to set the MTU of the tunnel interface to less than 1480, then (Tunnel Interface MTU) - 60 = (WireGuard MTU). Note this must be set on both WireGuard clients/server.
« Last Edit: July 11, 2021, 05:06:04 pm by Napsterbater »
kasper93
« Reply #5 on: July 19, 2021, 12:46:14 am »
Thanks guys for the suggestions, but it turns out my ISP on mobile is the culprit. Actually it was working perfectly some time ago, but with pfSense. I made a switch to OPNsense and it stopped working, so I assumed this was the problem. But it turns out that at the same time my mobile ISP changed something on their end. I didn't have time to diagnose it further, but basically it looks like the traffic is filtered...