Netgate Discussion Forum

    How do I manage firewall rules for WireGuard

    15 Posts 4 Posters 2.2k Views
      yobyot @paoloposo

      @paoloposo

      Thanks.

      My question is about what to put in the DNS parameter of the WG settings. For IPv4, it’s obvious: it’s the address of the gateway.

      But ::1 is the local peer’s interface (and doesn’t work) and I don’t understand how to determine the IPv6 address that represents pfSense’s IPv6 DNS (actually, unbound’s) address on the remote pfSense peer.

        Bob.Dig @yobyot (last edited by Bob.Dig)

        @yobyot said in How do I manage firewall rules for WireGuard:

        My question is about what to put in the DNS parameter of the WG settings. For IPv4, it’s obvious: it’s the address of the gateway.

        It is the same for both, the address of pfSense in that tunnel...

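The setting Bob.Dig describes, as an added configuration example that is not part of the thread: a road-warrior peer config whose DNS entries are pfSense's own tunnel addresses for both address families. The tunnel addresses (RFC 1918 plus a ULA prefix), keys and endpoint hostname are constructed placeholders; it assumes the DNS Resolver listens on the WireGuard interface and that a rule on that interface permits port 53 from the tunnel network.

```ini
# Added example, not taken from the thread or from pfSense documentation.
# All addresses are constructed. The tunnel uses 10.7.0.0/24 and the ULA
# fd7a:7a::/64, so nothing here depends on the ISP-delegated /56 and nothing
# needs rewriting when that prefix changes.
#
# Assumed pfSense side (VPN > WireGuard > Tunnels): 10.7.0.1/24 and
# fd7a:7a::1/64 on the tunnel interface, the DNS Resolver (unbound)
# listening on that interface, and a firewall rule on the WireGuard
# interface allowing UDP/TCP 53 from 10.7.0.0/24 and fd7a:7a::/64.

[Interface]
PrivateKey = <client private key>
Address = 10.7.0.2/32, fd7a:7a::2/128
# Not ::1 (that is the client's own loopback). For both families the
# resolver is reached at pfSense's address inside the tunnel.
DNS = 10.7.0.1, fd7a:7a::1

[Peer]
PublicKey = <pfSense public key>
# The endpoint can be pfSense's public IPv4 or IPv6 address; the tunnel
# addresses above are the same either way.
Endpoint = vpn.example.net:51820
# Full tunnel for both families. For split tunnel, list only the tunnel
# network and the LAN prefixes the peer should reach.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

With this in place, a lookup from the client (for example `dig AAAA example.com @fd7a:7a::1`) should be answered over the tunnel; if it times out, check the WireGuard interface rule and the Resolver's interface binding before suspecting the peer config.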
          JKnott @yobyot

          @yobyot said in How do I manage firewall rules for WireGuard:

          I thought about posting this in the WireGuard topic but I think it's more appropriate here.

          First off, I use OpenVPN and not WireGuard. However VPNs, once connected, all behave the same. That is you have an IP connection between 2 points and normal routing is used. So, separate your issues into two. Is it a VPN connection problem? Or routing? I see some mention of using ULA, which is fine, but is the remote device given a ULA address or global? If you don't have a global address, you won't be able to get beyond your own network. What size prefix are you getting from your ISP? I get a /56. If you have anything larger than a /64, then you can assign one of your own /64s to the VPN tunnel network. With OpenVPN, the endpoint addresses are automagically assigned.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            yobyot @JKnott

            @JKnott

            Thanks.

            But I’m done hacking at the IPv6 connection and endpoint.

            WG is just too premature, esp. compared to OpenVPN which works like a charm.

            I’ve noticed:

            • The current macOS peer client works differently with the exact same peer configuration than the current iOS peer (except for the keys, of course). And it’s buggy (doesn’t actually quit when exited; has to be terminated).

            • Netgate needs to document a prototype IPv6 config.

            • I have a /56 from FiOS but since that can change, hard-coding addresses is impossible for DNS and there’s no apparent way to specify an IPv6 DNS on the LAN network that a tunnel has access to.

            The bottom line: WG really is experimental.

            I do have an iOS peer working great — it even connects dynamically when leaving a WiFi network.

            And the iOS config actually works using my public IPv6 endpoint (tunneling only IPv4) on T-Mobile’s cellular network.

            So, I (kinda) get it. But the macOS client (on either TMO’s or AT&T’s mobile network; I have a mobile hotspot for the latter) doesn’t work at all, with either IPv4 or IPv6 endpoints and any peer configuration.

              paoloposo @yobyot

              @yobyot I agree on the lack of documentation. Not necessarily on Netgate's part, but on Wireguard in general. For example, I can't find a clear specification of the Wireguard config file parameters and frequently have to resort to other people's examples.

              Everything works great for me though and I honestly cannot say that Wireguard in any sense feels experimental. I use it on pfSense, Linux, Windows and Android in remote access and site-to-site scenarios with IPv4 and IPv6.

                JKnott @yobyot

                @yobyot said in How do I manage firewall rules for WireGuard:

                I have a /56 from FiOS but since that can change, hard-coding addresses is impossible for DNS and there’s no apparent way to specify an IPv6 DNS on the LAN network that a tunnel has access to.

                Does it actually change? While I get my prefix with DHCPv6-PD, it's pretty much static and hasn't changed in years.


                  yobyot @JKnott

                  @JKnott

                  Yup, it can -- and does -- change.

                  I've had a bunch of /56s given to me as I have (slowly) been implementing IPv6 on 2.7 with FiOS.

                  Anyway, hardcoding the prefix in an IPv6 DNS entry would be a bad idea, even if you thought it wouldn't change.

                  My real frustration with PD is that I can never find the DNS IPv6 address on pfSense. It's there -- sometimes a regular nslookup will show its being used -- but how it got its address is a mystery to me. And I don't see it in the UI anywhere.

                    JKnott @yobyot

                    @yobyot said in How do I manage firewall rules for WireGuard:

                    Yup, it can -- and does -- change.

                    Do you have "Do not allow PD/Address release" selected?


                      yobyot @JKnott

                      @JKnott

                      Yup. All that does is signal VZ that you don’t want it to change. But they don’t guarantee that they won’t release the prefix for you for whatever reason they choose. It’s no more durable than a dynamic IPv4 address is.

                        JKnott @yobyot

                        @yobyot

                        My IPv4 address is so "durable" it's virtually static. Also, the host name, provided by my ISP, is based on the modem and router MAC addresses, so it never changes, unless I change hardware.

