Netgate Discussion Forum

Wireguard with IPv6

General pfSense Questions
35 Posts, 5 Posters, 1.7k Views
FreeYourMind (last edited by FreeYourMind)

Hello,

My ISP uses CGNAT, which makes it impossible for me to connect to the assigned IPv4 directly.
I get an IPv6 prefix assigned and use that to get globally unique IPv6 addresses on my interfaces other than WAN.
(WAN just has a link-local IPv6.)

This works fine so far, but now I would like to be able to run Wireguard on my Netgate 4100 and connect to it directly via IPv6.
Unfortunately, though, I am stuck at the point where I am trying to get my wg interface (tun_0) an IPv6 address.
Track Interface doesn't seem to work, and as soon as I try, all other interfaces that use Track Interface (WAN) won't get an IPv6 anymore either.

I found this older article that discusses the same issue:
https://forum.netgate.com/topic/184397/ipv6-prefix-delegation-and-wireguard?_=1729130473454

What would be the best approach to get an IPv6 assigned to my wireguard interface, other than using Track WAN?

Thank you in advance for your help. :)

stephenw10 (Netgate Administrator)

What are you using the WireGuard tunnel for? Do you actually need globally routable addresses on tunnel clients? You don't need that to connect using IPv6 outside the tunnel.

Steve

JKnott @stephenw10

@stephenw10

I think his issue is getting the tunnel to connect to pfSense from elsewhere. CGNAT blocks that. There is no problem with IPv6 in the tunnel, routable or not.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

stephenw10 (Netgate Administrator)

Well, he's trying to use a delegated prefix on the assigned wireguard interface. But that's not the external address wireguard itself listens on.

Now he could be trying to do that so connecting clients get a routable address. Or there could be some confusion here. 😉

FreeYourMind @stephenw10

@stephenw10

Thank you all for your replies.
Here we probably have the first misunderstanding on my end.

What JKnott is saying is basically right. I want to connect to wireguard on my pfsense router from the outside.
Due to the fact that the WAN IPv4 is CGNAT'ed, I thought I needed a globally unique IPv6 on the wireguard tunnel interface that I can connect to from remote clients.

If I understood your post correctly, that doesn't seem to be the case. But how will I then be able to connect from the outside to wireguard?
I guess I am a bit confused about that.

I obviously could use a small cloud server instance, set up wireguard on that server and use it as a jump host or "host in the middle", if that makes sense, but I thought I would take this as an opportunity to set it up over IPv6 instead.

Thank you in advance for your help.

stephenw10 (Netgate Administrator)

The wireguard service itself listens on the WAN interface, which already has a public IPv6 address. (Or any interface that has an IPv6 address.)

The address on the assigned wireguard interface is used to communicate inside the VPN between the connected devices, so it doesn't need to have an IPv6 address at all.

JKnott @FreeYourMind

@FreeYourMind said in Wireguard with IPv6:

What JKnott is saying is basically right. I want to connect to wireguard on my pfsense router from the outside.
Due to the fact that the WAN IPv4 is CGNAT'ed, I thought I needed a globally unique IPv6 on the wireguard tunnel interface that I can connect to from remote clients.

While I have no experience with Wireguard, OpenVPN can work with either an IPv4 or an IPv6 tunnel interface. Of course, the tunnel should also carry both. If you're connecting from an IPv6 address, the VPN should work. But, as you've noticed, if you're on IPv4, you can't get there from here. 😉

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

FreeYourMind @stephenw10

@stephenw10

I don't get any public IPv6 on WAN. My ISP only assigns a prefix but not an actual IPv6 address to my WAN interface.
Therefore my WAN interface only has a link-local IPv6 address.
But if I understand you correctly, Wireguard binds itself to any IPv4 / IPv6 address of any interface, is that correct?

If that is the case, I could just use one of the IPv6 addresses that are currently used on any of the other interfaces. (I have several addresses assigned already via Track Interface -> WAN.)

stephenw10 (Netgate Administrator) @FreeYourMind

@FreeYourMind said in Wireguard with IPv6:

My ISP only assigns a prefix but not an actual IPv6 address to my WAN interface.

Ok, no problem, Wireguard can listen on any public IPv6 address on the firewall as long as rules allow traffic to reach it.

Yes, just use one of the addresses you have already.

Still no need to use IPv6 on the Wireguard interface itself. Unless you specifically want to do that. 😉

JKnott @FreeYourMind (last edited by JKnott)

@FreeYourMind said in Wireguard with IPv6:

I don't get any public IPv6 on WAN. My ISP only assigns a prefix but not an actual IPv6 address to my WAN interface.

You can use the LAN IPv6 address. It doesn't matter which interface you use, so long as it's on the pfSense box. Since you have an assigned prefix, any traffic for your system will be routed through your WAN interface.

BTW, this would have worked with IPv4 too. However, since you would have to have a public address on the WAN interface, you would normally use it.

People have to unlearn a lot of bad habits and ideas that came from having to use NAT on IPv4.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

stephenw10 (Netgate Administrator) @JKnott

@JKnott said in Wireguard with IPv6:

People have to unlearn a lot of bad habits and ideas that came from having to use NAT on IPv4.

Yup, hard to unlearn that after all this time!

FreeYourMind @stephenw10

@stephenw10

Thank you very much, that helped me a lot. :)

@JKnott
Thank you JKnott. :)

FreeYourMind @FreeYourMind (last edited by FreeYourMind)

Alright, I made progress, but it's still not working as I want it to.
I am sure there is something I misunderstand or am not doing properly.

Here is what I did so far:
I created a wireguard tunnel on my netgate router, gave it an interface IPv4 address and chose a port.
Let's say 192.168.4.4/24 on port 52490.

After that I added a client as a peer, from which I want to access the netgate router remotely.
I added the public key from my remote windows client and set allowed IPs for said peer on my netgate to 192.168.4.0/24.

I also created a firewall rule on WAN that lets me connect to the IPv6 address of one of my other interfaces that, as we discussed earlier, gets a globally unique IPv6 assigned via Track Interface -> WAN.
In addition to that I created an "allow all" rule on the wireguard interface, so that wireguard clients are not restricted at all.
(Just for testing purposes.)

On the client I created a wireguard config with the aforementioned IPv6 address as the endpoint on port 52490.
For simplicity, I route all traffic through the wireguard tunnel by setting allowed IPs on the client side to 0.0.0.0/0.

Here is the thing:

When I connect from my windows machine to the netgate router over wireguard, I can see that the connection is established and working.
I can ping the tun_wgX interface on my netgate (192.168.4.4) from my client and get a correct response.
I can also ping other interfaces on the netgate router.
But I cannot connect to the pfsense web interface that should be available on 192.168.4.4:443 (https).
The connection attempt doesn't get any log responses, and it just times out after a while.

JKnott @FreeYourMind

@FreeYourMind said in Wireguard with IPv6:

But I cannot connect to the pfsense web interface that should be available on 192.168.4.4:443 (https).

I could be wrong (yeah, I know it's hard to believe 😉), but I suspect the computer used to access the interface has to be on the LAN, though it may be possible to configure it for elsewhere.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

FreeYourMind @JKnott

@JKnott

In my experience the web interface binds itself to any interface available, and you just regulate access via firewall rules.
I have a similar setup working, where the UI is in fact accessible over the IP address that is assigned to the tun_0 of wireguard.

I also cannot access any other services (DNS on 192.168.4.4 doesn't work either), but I can ping it properly without any issues.
I also opened up the firewall rules to make sure that this isn't the issue.

stephenw10 (Netgate Administrator)

Hmm, interesting. I would expect that to work.

There can sometimes be some odd routing behaviour on the VPN interface itself, though it's been a while since I've seen it.

Can you access the webgui on any other address? If you're passing all traffic over the VPN, it should respond on any address.

FreeYourMind @stephenw10

@stephenw10

That's the thing: I can try any IPv4 on any other interface and there is no response whatsoever.
There is also no entry in the system logs that would indicate the firewall rejects the request.

I tried it on a Netgate 4100 and a Netgate 1100. The only thing is that both Netgates already have one wireguard connection active that has been running for quite some time now. I don't know if that might be the issue.

Bob.Dig (LAYER 8) @FreeYourMind

@FreeYourMind said in Wireguard with IPv6:

I created a wireguard tunnel on my netgate router, gave it an interface IPv4 address and chose a port.
Let's say 192.168.4.4/24 on port 52490.

What? Why would you do that?

FreeYourMind @Bob.Dig

@Bob-Dig

I guess I didn't describe that correctly.
What I did is, I created a new tunnel with 192.168.4.4 as the interface address for tun1 and 192.168.4.0/24 as the network for tunnel clients.
As I learned earlier from stephen and JKnott, this address is not really the address wireguard listens on; instead, wireguard listens on all addresses assigned to any interface, be it IPv6 or IPv4 (by default), and it's up to the user to grant access via firewall rules.

Bob.Dig (LAYER 8) @FreeYourMind (last edited by Bob.Dig)

@FreeYourMind said in Wireguard with IPv6:

As I learned earlier from stephen and JKnott, this address is not really the address wireguard listens on; instead, wireguard listens on all addresses assigned to any interface, be it IPv6 or IPv4 (by default), and it's up to the user to grant access via firewall rules.

It cannot listen on that, because this is the address space of your tunnel. To create that tunnel, WireGuard needs to listen on your WAN IP, for example on port 5120 or whatever. WireGuard is listening on all interfaces, every WAN and every LAN interface you've got. But there is no point in listening on the tunnel interface itself...

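As an added example (not code from this thread, from pfSense or from WireGuard), here is a small Python checker that encodes what the thread settled on: the client's Endpoint has to be a globally reachable address that lives on the firewall (a link-local WAN address or a CGNAT IPv4 will never work), it must not be the tunnel's own 192.168.4.x space, and the client's tunnel address has to fall inside the server peer's AllowedIPs, otherwise cryptokey routing drops the packets and the client just sees a timeout. The sample configs are constructed; 2001:db8::1 is an assumed stand-in for the tracked IPv6 address on one of the firewall's internal interfaces, and keys are omitted because the checker only looks at addresses and ports.

```python
import ipaddress

# Ranges no remote peer on the public Internet can reach as an Endpoint: RFC 1918,
# CGNAT (RFC 6598), loopback, IPv6 link-local (all the OP's WAN has) and ULA.
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

def parse_wg(text):
    """Minimal wg-quick style parser -> (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            peers.append(cur := {})
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    return iface, peers

def check_pair(server_cfg, client_cfg):
    """Return the problems found in a pfSense-side / client-side config pair."""
    s_if, s_peers = parse_wg(server_cfg)
    c_if, c_peers = parse_wg(client_cfg)
    tunnel = ipaddress.ip_interface(s_if["address"]).network
    client_ip = ipaddress.ip_interface(c_if["address"]).ip
    problems = []
    for peer in c_peers:
        host, _, port = peer["endpoint"].rpartition(":")  # '[v6]:port' or 'v4:port'
        ep = ipaddress.ip_address(host.strip("[]"))
        if any(ep in net for net in UNREACHABLE):
            problems.append(f"endpoint {ep} is not reachable from the Internet")
        if ep in tunnel:  # the tunnel address space is not what WireGuard listens on
            problems.append(f"endpoint {ep} is the tunnel's own address space")
        if int(port) != int(s_if["listenport"]):
            problems.append(f"endpoint port {port} != ListenPort {s_if['listenport']}")
    # Cryptokey routing: the server drops packets from a source not listed in AllowedIPs.
    allowed = [ipaddress.ip_network(a.strip()) for p in s_peers for a in p["allowedips"].split(",")]
    if not any(client_ip in n for n in allowed):
        problems.append(f"client address {client_ip} is outside the server peer's AllowedIPs")
    return problems

# Constructed samples using the thread's tunnel 192.168.4.4/24 and port 52490; keys omitted.
SERVER = """[Interface]
Address = 192.168.4.4/24
ListenPort = 52490
[Peer]
AllowedIPs = 192.168.4.0/24
"""
# 2001:db8::1 (documentation prefix, assumed) stands in for the tracked IPv6 on an internal interface.
CLIENT_GOOD = """[Interface]
Address = 192.168.4.10/24
[Peer]
Endpoint = [2001:db8::1]:52490
AllowedIPs = 0.0.0.0/0
"""
CLIENT_BAD = CLIENT_GOOD.replace("[2001:db8::1]:52490", "192.168.4.4:52490")
```

The checker only validates addresses and ports; the WAN firewall rule permitting UDP 52490 to that IPv6 address still has to exist on pfSense.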
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.