Switching to OpenVPN and WireGuard IPv6 IP address (remote tunnel and endpoint)
-
My ISP dishes out a /56 prefix which I have used to provide /64 addresses for my network subnets.
I have got OpenVPN and Wireguard to work with IPv6. However, I want to take it to the next level and try to connect via IPv6 instead of the IPv4 WAN address.
Assume these are my IP addresses for reference:
WAN IPv4: 233.252.0.70
OpenVPN gateway (not sure where to find it in pfSense - assuming it's generated behind the scenes, because I can ping it externally): 2001:db8:100:aa02::1
Wireguard gateway (static IPv6): 2001:db8:100:aa03::1
For my OpenVPN this is the config line:
remote 233.252.0.70 2335 udp
For Wireguard, this is the config line
Endpoint = 233.252.0.70:4335
When I try to swap out the IPv4 address with the respective IPv6 gateway addresses, both OpenVPN and Wireguard do not connect. What do I need to do to use an IPv6 remote tunnel/endpoint address?
-
I don't know about WireGuard, as I have never used it. However, for OpenVPN, I had to set the server protocol to "UDP IPv4 and IPv6 on all interfaces (multihome)". Then, on the client, I just specified a host name that my external DNS server can provide both A & AAAA records for.
-
@JKnott Yes, I do have Multihome active.
Have I got the remote server address correct though?
2001:db8:100:aa02::1 and 2001:db8:100:aa03::1
I will look at the DNS option.
-
Why 2 addresses? Normally, you'd use the WAN address for pfSense. There should be just one each for IPv4 and IPv6. If you don't get a public IPv6 address, you should be able to use the one on the LAN side of pfSense. Of course, no matter which way you go, you have to allow the VPN through the firewall.
Yeah, you need to use external DNS, if you want to use a host name. An alternative is to just create 2 different configs, for IPv4 and IPv6.
-
@JKnott The WAN address is fe80::xxx - that wouldn't be routable? Wouldn't I need separate addresses to reach the gateway for the Wireguard and OpenVPN interfaces respectively?
-
If you don't have a global address on the WAN interface, you should be able to use LAN address. While a link local address is fine for routing, you can't use it to reach your network from elsewhere.
-
@JKnott I didn't think the LAN address would work - will give it a shot and see how it works out.
-
Both the WAN and LAN addresses are on the same box. Just a few days ago, I was testing my OpenVPN while on my LAN. Worked fine. Connecting from elsewhere, to the LAN, is the same thing, just in the opposite direction. Just make sure your firewall will pass UDP port 1194.
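Added example, not from this thread and not part of pfSense, OpenVPN or WireGuard: a small Python helper that takes the two client config lines quoted in the question and rewrites them to an IPv6 literal, rejecting link-local and unique-local addresses for the reason given above (a fe80:: address is valid on one link only and cannot be reached from elsewhere). The function names and regexes are my own. The two facts it relies on are that OpenVPN accepts a bare IPv6 literal in `remote`, with `udp6`/`tcp6` pinning the address family, and that WireGuard requires an IPv6 literal in `Endpoint` to be bracketed as `[addr]:port`, since a bare literal's colons are ambiguous with the port separator.

```python
"""Rewrite the OpenVPN 'remote' and WireGuard 'Endpoint' lines from the thread
to an IPv6 literal, refusing addresses a remote client could never reach.
Hypothetical helper: not part of pfSense, OpenVPN or WireGuard."""
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")      # valid on one link only
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")     # RFC 4193, not Internet-routed
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # the routable IPv6 block


def check_reachable_v6(addr: str) -> ipaddress.IPv6Address:
    """Return the parsed address if it is global unicast, else raise ValueError.

    The thread's 2001:db8::/32 sample addresses are the documentation prefix,
    which Python's IPv6Address.is_global reports as False, so the check is done
    against the 2000::/3 block directly instead of relying on is_global.
    """
    ip = ipaddress.IPv6Address(addr)  # raises ValueError on a malformed literal
    if ip in LINK_LOCAL:
        raise ValueError(f"{addr} is link-local (fe80::/10) and is never routed")
    if ip in UNIQUE_LOCAL:
        raise ValueError(f"{addr} is unique-local (fc00::/7) and is not Internet-routed")
    if ip not in GLOBAL_UNICAST:
        raise ValueError(f"{addr} is outside global unicast 2000::/3")
    return ip


def is_reachable_v6(addr: str) -> bool:
    """Boolean wrapper around check_reachable_v6 for quick filtering."""
    try:
        check_reachable_v6(addr)
        return True
    except ValueError:
        return False


# 'remote <host> <port> [proto]' as in the OpenVPN client config quoted above
OVPN_REMOTE = re.compile(r"^remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")
# 'Endpoint = <host>:<port>' as in the WireGuard [Peer] section quoted above
WG_ENDPOINT = re.compile(r"^Endpoint\s*=\s*(.+?)\s*:\s*(\d+)\s*$")


def openvpn_remote_v6(line: str, addr: str) -> str:
    """Swap the host in an OpenVPN 'remote' line for an IPv6 literal.

    OpenVPN takes a bare IPv6 literal (no brackets); 'udp6' / 'tcp6' pins the
    address family so the client does not fall back to IPv4.
    """
    m = OVPN_REMOTE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenVPN remote line: {line!r}")
    ip = check_reachable_v6(addr)
    _old_host, port, proto = m.groups()
    proto = proto or "udp"
    if proto in ("udp", "tcp"):
        proto += "6"
    return f"remote {ip} {port} {proto}"


def wireguard_endpoint_v6(line: str, addr: str) -> str:
    """Swap the host in a WireGuard 'Endpoint' line for an IPv6 literal.

    WireGuard parses Endpoint as host:port, so an IPv6 literal must be
    bracketed ([addr]:port) or the colons inside the address are ambiguous.
    """
    m = WG_ENDPOINT.match(line.strip())
    if not m:
        raise ValueError(f"not a WireGuard Endpoint line: {line!r}")
    ip = check_reachable_v6(addr)
    _old_host, port = m.groups()
    return f"Endpoint = [{ip}]:{port}"


if __name__ == "__main__":
    # Constructed inputs: the two config lines and the addresses from the question.
    print(openvpn_remote_v6("remote 233.252.0.70 2335 udp", "2001:db8:100:aa02::1"))
    print(wireguard_endpoint_v6("Endpoint = 233.252.0.70 :4335", "2001:db8:100:aa03::1"))
    # A link-local WAN address like the fe80:: one mentioned above is rejected:
    print(is_reachable_v6("fe80::1"))
```

The rewrite only changes the host and address family; the port stays whatever the server listens on, and the server-side firewall still has to pass that UDP port on the interface that holds the IPv6 address, as noted in the replies above.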