Netgate Discussion Forum
    Wireguard with IPv6

    General pfSense Questions
    • F
      FreeYourMind @FreeYourMind
      last edited by

      Do you guys have any other ideas?
      I honestly don't know how to troubleshoot my issue.

      Like I described earlier, the WireGuard connection to one of the available (globally unique) IPv6 addresses on my Netgate router works fine, and I can also ping the tun interface of WireGuard once the connection is established. I can also ping other (physical) interfaces on the Netgate from the remote peer, but I cannot connect to any service; it doesn't matter if it's DNS or accessing the web interface.
      The firewall rules are all set up properly, I double-checked, but it just doesn't work.

      • T
        The Party of Hell No @FreeYourMind
        last edited by

        @FreeYourMind

        On my WireGuardVPN server (for road warrior remote access), to access the WEB GUI I have a firewall rule in the WireGuardVPN server rules page directing/routing access to the WEBGUI. The source I have is an Alias of all the WireGuard client static IPs; however, to be less restrictive, use the WireGuard VPN server address or subnets, and the destination should be This Firewall (self) and the port you are using for the WEB GUI.

        I also believe you will have to do the same to gain remote access to other computers, NAS etc.

        Hope I am providing help, never sure.

        • Bob.DigB
          Bob.Dig LAYER 8 @FreeYourMind
          last edited by

          @FreeYourMind said in Wireguard with IPv6:

          The firewall rules are all set up properly, I double-checked, but it just doesn't work.

          Maybe you should show them here.

          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Yup, probably going to need some screenshots to review at this point.

            • F
              FreeYourMind @stephenw10
              last edited by

              @stephenw10

              Sure. :)

              Rule to allow access from anywhere to one IPv6 address on the UDP port WG is listening on:
              WAN_Rules.jpg

              Allow everything on the tunnel interface, so connected clients are not restricted at all (for testing purposes only).
              TUN_Interface.jpg

              Let me know if you need some additional information.
              Thank you.

              • Bob.DigB
                Bob.Dig LAYER 8 @FreeYourMind
                last edited by Bob.Dig

                @FreeYourMind said in Wireguard with IPv6:

                Let me know if you need some additional information.

                Usually one would use the WAN-address-Alias or, if you don't have one, the LAN-address-Alias for example (your first screenshot) and not a real address.

                According to your problem description, the problem must be in the interface called WireGuard, show that. Or you need to set MTU and MSS to 1420 on your assigned interface.

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Yup, the WireGuard interface group will apply first, before any assigned interface, so if you have any rules there they will take precedence.

                  • F
                    FreeYourMind @Bob.Dig
                    last edited by

                    @Bob-Dig

                    Yes, I have just set it up for testing purposes. Once the problem is solved I will absolutely use an alias for the actual IPv6.
                    As far as I know (and correct me if I am wrong) the rules under the interface WireGuard only apply to
                    "unassigned wireguard tunnel interfaces".
                    In my case I did assign an interface and named it TEST_VPN, hence I showed you the firewall rules for TEST_VPN.
                    There are no rules for the WireGuard interface at the moment.

                    I tried to change the MTU / MSS to 1420 like you said (under Interfaces -> TEST_VPN), but unfortunately it still did not work after that.

                    • F
                      FreeYourMind @stephenw10
                      last edited by

                      @stephenw10

                      That's actually good to know, I wasn't aware of that. In my case there are no rules under the WireGuard interface at the moment.

                      • F
                        FreeYourMind @FreeYourMind
                        last edited by FreeYourMind

                        Sorry for bringing this up again, but I wasn't able to find a solution so far.
                        There is one thing, though, that seems interesting, which I didn't mention earlier.

                        I am still not able to connect to the pfSense web UI from a WireGuard peer.
                        Other than that, there is a NAS in the network the WG peer has access to. Like I described earlier, I can ping the NAS just fine, but I am not able to access its web interface. Interestingly enough, I can SSH into the NAS from said WireGuard peer, but I cannot find out why I am not able to connect to its web interface. There is still nothing that pops out in the firewall logs, and I am a bit out of ideas, tbh.

                        OK, quick edit from me:
                        I was finally able to find the solution. You were already suggesting to lower the MTU to 1420 bytes. I tried that, but it didn't work initially.
                        Now I tried it again, but this time I lowered it to 1380 bytes, and that did the trick for me. So the MTU suggestion was right after all.
                        Thank you very much for your help. :)

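The MTU arithmetic behind the two suggestions above (1420 first, then the 1380 that finally worked) is easy to reason through once the encapsulation overhead is written down. The following is an added worked example for this thread, not code from the forum posts, from pfSense or from the WireGuard project. The header sizes are the standard ones; the path MTU of 1460 bytes is an assumed value chosen because it reproduces the symptoms reported in the thread (small ping and SSH packets pass, full-size web responses silently disappear, 1420 still fails, 1380 works), the real path value was never measured here.

```python
"""Why a WireGuard tunnel over IPv6 defaults to MTU 1420, and why a
smaller path MTU forces the tunnel (and the TCP MSS) lower still.

Added example for the Netgate thread "Wireguard with IPv6"; the 1460-byte
path MTU below is an assumption, not a value measured in the thread.
"""

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20
# WireGuard transport data message: 4 (type + reserved) + 4 (receiver
# index) + 8 (nonce counter) + 16 (Poly1305 tag) around the inner packet.
WG_HEADER = 32


def wg_overhead(outer_family: int = 6) -> int:
    """Bytes added to every inner packet by the outer IP + UDP + WireGuard headers."""
    ip = IPV6_HEADER if outer_family == 6 else IPV4_HEADER
    return ip + UDP_HEADER + WG_HEADER


def tunnel_mtu(path_mtu: int, outer_family: int = 6) -> int:
    """Largest inner packet that fits in one outer datagram on the given path."""
    return path_mtu - wg_overhead(outer_family)


def tcp_mss(interface_mtu: int, inner_family: int = 6) -> int:
    """Largest TCP payload for an interface MTU (no IP or TCP options)."""
    ip = IPV6_HEADER if inner_family == 6 else IPV4_HEADER
    return interface_mtu - ip - TCP_HEADER


def fits(inner_len: int, path_mtu: int, outer_family: int = 6) -> bool:
    """True if an inner packet survives encapsulation without exceeding the path MTU.

    WireGuard sets DF on the outer UDP datagram, so an oversized packet is not
    fragmented but dropped somewhere on the path, often without any ICMP
    feedback reaching the sender (a PMTU black hole).
    """
    return inner_len + wg_overhead(outer_family) <= path_mtu


# Constructed sample inner packets. None means "a full-size segment, i.e.
# exactly the tunnel interface MTU", which is what a web server sends when
# it returns a TLS certificate or a page body.
SAMPLE_INNER_PACKETS = {
    "icmpv6 echo (56-byte payload)": IPV6_HEADER + 8 + 56,    # 104 bytes
    "ssh interactive segment": IPV6_HEADER + TCP_HEADER + 48,  # 108 bytes
    "https full-size segment": None,
}


def classify_traffic(interface_mtu: int, path_mtu: int, outer_family: int = 6) -> dict:
    """Map each sample packet type to whether it gets through the tunnel."""
    verdict = {}
    for name, size in SAMPLE_INNER_PACKETS.items():
        inner = interface_mtu if size is None else size
        verdict[name] = fits(inner, path_mtu, outer_family)
    return verdict


if __name__ == "__main__":
    print("default tunnel MTU on a clean 1500-byte IPv6 path:", tunnel_mtu(1500))
    for if_mtu in (1420, 1380):
        print(f"\ninterface MTU {if_mtu}, assumed path MTU 1460:")
        for name, ok in classify_traffic(if_mtu, 1460).items():
            print(f"  {name:32} {'passes' if ok else 'DROPPED'}")
        print(f"  matching TCP MSS for IPv6 inside the tunnel: {tcp_mss(if_mtu)}")
```

The output for interface MTU 1420 shows exactly the thread's pattern: ICMP and SSH pass, the full-size HTTPS segment is dropped, which is why nothing appears in the firewall log (the drop happens on the path, not at pf). Lowering the interface MTU to 1380 keeps every encapsulated packet under the assumed 1460-byte path limit; the MSS value pfSense should clamp to is then 1320 for IPv6 inside the tunnel. Measuring the actual path MTU (for example by sending DF-marked probes of decreasing size through the tunnel) tells you how far down you really need to go rather than guessing.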
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Ah, nice catch!

                          • F
                            FreeYourMind @stephenw10
                            last edited by

                            @stephenw10

                            Thank you, Stephen.

                            Allow me to come back to this topic one more time, because I had a discussion with someone on another forum (about the same topic) and he insisted that my WAN interface is incorrectly configured, because in his opinion I should definitely get a GUA IPv6 assigned to my WAN interface. I told him my ISP doesn't assign a GUA to my WAN interface directly but only delegates a prefix to it, and that this is (even if maybe not that common) a completely viable setup. Am I wrong here? I am starting to doubt myself a little bit based on what he said, and you guys probably also have a lot of experience with IPv6 and how ISPs deal with it.

                            Thank you.

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by stephenw10

                              Nope, you are not wrong. My ISP only provides a prefix, so I have no routable IPv6 address on the WAN directly. That's BT, the largest ISP here in the UK.

                              • F
                                FreeYourMind @stephenw10
                                last edited by

                                @stephenw10 said in Wireguard with IPv6:

                                Nope, you are not wrong. My ISP only provides a prefix, so I have no routable IPv6 address on the WAN directly. That's BT, the largest ISP here in the UK.

                                Thank you, Stephen. Helps a lot. :)

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.