wireguard vpn ipv6 no handshake

Started by snippem, February 13, 2025, 02:22:47 PM

I have IPV4 wireguard working.
For IPV6 I have a working reference to the /128 address of the router via dynamic DNS.
I have created an ipv6 firewall rule that points to port 51821 of the firewall and on which the wireguard interface also runs.
To date, only a rule has been added to the interface that allows all IPv6 traffic. However, I see in the peer's logs that the handshake is not being achieved. Are there any steps needed to get a working IPv6 WireGuard handshake?

Update from my side. There were some errors in my configuration. The whole handshake thing now works for IPv4 and IPv6. Now the following problem arises: IPv4 internet works as it should, only no internet on IPv6. And now I really have no idea what I'm doing wrong. Here is my configuration. I hope maybe someone sees what I'm doing wrong?
I only have a standard rule in the firewall that allows IPv6 traffic.

another update from my side,

After a while of research I discovered that assigning a ULA as I did does not work. I have now taken a GUA address, using part of my /56 to use a GUA /64 network for WireGuard (and I think this applies to any VPN type). And what I now find out is that IPv6 is a real pain in the ass. For a consumer this is far too complicated compared to IPv4.
Since I have a dual stack connection, it is not that much of a problem, but more for me to gradually familiarize myself with IPv6. My conclusion for all the problems I have encountered with VPN and IPv6 is:
Do you want to set up a WireGuard VPN with world wide web access? Use a GUA address, where, depending on your provider, you create a network within, for example, the /56 part of your internet address. With OPNsense you do not assign this internet address via SLAAC or DHCPv6, but manually. For a local IPv6 VPN you use ULA addresses, as they do not have access to the world wide web.
With GUA you do encounter the fact that the addresses can be dynamic depending on the provider and could therefore change, resulting in a non-working connection.
Furthermore, for a WAN reference with DHCP you use a hostname to IP. In short, you request a hostname from a provider. Yes, create an AAAA record for your WAN IPv6 address and have this updated by dynamic DNS.
For now my conclusion is that if I want a secure connection with internet connectivity I need a WireGuard connection with a GUA, and for a local connection one with a ULA address. Which always means two WireGuard connections. Or can I also cram them into one WireGuard profile so that I have both?
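The GUA-versus-ULA point in the post above is easy to get wrong by hand, so here is an added helper (example code written for this page, not from the thread or from OPNsense/WireGuard) that classifies a tunnel prefix by scope, carves a /64 tunnel network out of a provider-delegated /56, flags a ULA tunnel network when internet access is wanted, and renders a dual-stack client config. The /56 uses the 2001:db8::/32 documentation prefix, the IPv4 tunnel range, the dynamic-DNS hostname `vpn.example.net` and the key strings are constructed placeholders; port 51821 is the one named in the thread.

```python
import ipaddress
from itertools import islice

# Address scopes from RFC 4291 (GUA 2000::/3, link-local fe80::/10)
# and RFC 4193 (ULA fc00::/7). ULA space is never routed on the internet,
# which is why a ULA tunnel network gives a working handshake but no IPv6 reach.
SCOPES = {
    "GUA": ipaddress.ip_network("2000::/3"),
    "ULA": ipaddress.ip_network("fc00::/7"),
    "link-local": ipaddress.ip_network("fe80::/10"),
}


def ipv6_scope(prefix: str) -> str:
    """Classify an IPv6 address or network as GUA, ULA, link-local or other."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, scope in SCOPES.items():
        if net.subnet_of(scope):
            return name
    return "other"


def carve_tunnel_net(delegated_prefix: str, index: int, new_prefix: int = 64) -> ipaddress.IPv6Network:
    """Take the index-th /new_prefix out of the provider-delegated prefix (e.g. a /56)."""
    parent = ipaddress.ip_network(delegated_prefix, strict=True)
    count = 2 ** (new_prefix - parent.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} outside the {count} /{new_prefix} subnets of {parent}")
    return next(islice(parent.subnets(new_prefix=new_prefix), index, None))


def check_tunnel_net(tunnel_net: str, internet_access: bool) -> list:
    """Return findings that explain 'handshake works but no IPv6 internet'."""
    findings = []
    scope = ipv6_scope(tunnel_net)
    if internet_access and scope != "GUA":
        findings.append(f"{tunnel_net} is {scope}: internet-bound IPv6 traffic needs a GUA tunnel network")
    return findings


def render_client_config(v4_net: str, v6_net: ipaddress.IPv6Network, host: int,
                         endpoint_host: str, port: int, full_tunnel: bool) -> str:
    """Render a dual-stack WireGuard client config; keys are placeholders, not real keys."""
    v4 = ipaddress.ip_network(v4_net)
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else f"{v4}, {v6_net}"
    return "\n".join([
        "[Interface]",
        "PrivateKey = <CLIENT_PRIVATE_KEY>",        # placeholder
        f"Address = {v4[host]}/{v4.prefixlen}, {v6_net[host]}/{v6_net.prefixlen}",
        "",
        "[Peer]",
        "PublicKey = <SERVER_PUBLIC_KEY>",           # placeholder
        f"Endpoint = {endpoint_host}:{port}",        # dynamic-DNS name carrying an AAAA record
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # Constructed delegated /56 (documentation prefix); second /64 becomes the tunnel network.
    tunnel_v6 = carve_tunnel_net("2001:db8:abcd:100::/56", 1)
    for finding in check_tunnel_net("fd00:1234::/64", internet_access=True):
        print("ULA attempt:", finding)
    print("GUA attempt:", check_tunnel_net(str(tunnel_v6), internet_access=True) or "ok")
    print(render_client_config("10.10.10.0/24", tunnel_v6, 2, "vpn.example.net", 51821, True))
```

Run it as-is to see the ULA case flagged and the GUA case pass; swap in your own delegated prefix and hostname to generate a client profile. The `AllowedIPs = 0.0.0.0/0, ::/0` line is what makes the client route all IPv6 through the tunnel, which only helps if the tunnel network itself is globally routable.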