How to assign public IPs to peers. #32

Open
NickEckardt opened this issue Jan 6, 2020 · 3 comments
Labels
help wanted (Extra attention is needed) · question (Further information is requested)

Comments

@NickEckardt

I am trying to use WireGuard to assign public IPv6 addresses to my peers, so that I can SSH into them from anywhere. I currently have a setup working on a VPS which works with both IPv4 and IPv6, but it seems to NAT outbound traffic, so I cannot SSH into a specific peer.

My current config is as follows:
Server:

[interface]
#Address = 10.66.66.1/24,2607:x:y:z:1::57/88
ListenPort = 1194
PrivateKey = (hidden)
#PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
#PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = (hidden)
AllowedIPs = 10.66.66.3/32,2607:x:y:z:1::57/100

Client:

[Interface]
PrivateKey = (hidden)
Address = 10.66.66.3/24,2607:x:y:z:1::57/100

[Peer]
PublicKey = (hidden)
Endpoint = 51.a.b.c:1194
AllowedIPs = 0.0.0.0/0,::/0

I've been stuck on this all weekend and not sure how to proceed. Let me know if there is a better place to ask this question. So far the most helpful thing I found was these docs 👍

Thanks!

@pirate
Owner

pirate commented Jan 9, 2020

What's the final ideal path you're trying to achieve?

SSH Client connects over the internet ->
  public IPv6 addr on VPS ->
      VPS's routing table ->
         wireguard outbound from VPS -> 
             IPv4 wireguard addr on destination server

or something else?

Unfortunately I don't know anything about IPv6 <-> IPv4 translation yet, so I don't know if I can be of any help. But maybe try posting the mtr/ping6 output showing the failing hops in a traceroute?

@pirate added the help wanted and question labels Jan 9, 2020
@NickEckardt
Author

The ideal path is pretty much what you mentioned:

Web browser connects over IPv6 ->
  public IPv6 addr on VPS ->
      VPS's routing table ->
         wireguard outbound from VPS -> 
             IPv6 wireguard addr on destination server

The destination server only connects to the internet and WireGuard via IPv4, but wg0 would have IPv6 addresses, so it should work.

I don't think IPv4 to IPv6 translation is a problem I need to worry about; WireGuard handles that.

Here's my relevant ifconfig output of wg0 on the destination server:

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.66.66.3  netmask 255.255.255.0  destination 10.66.66.3
        inet6 2607:a:b:c:1::57  prefixlen 100  scopeid 0x0<global>
        RX packets 112  bytes 32336 (32.3 KB)

Note: 2607:a:b:c:1::57 is a valid public IPv6 within the range of my VPS. My VPS has the range: 2607:a:b:c::55 prefixlen 64.

From the destination server, I can connect to the IPv6 internet, the problem is it connects via my VPS's public IP. test-ipv6.com works, but my IP shows up as 2607:a:b:c::55.

SSHing into the destination server works from any other peer on wireguard, and the VPS. It does not work from the outside world. It appears wireguard is setting up a local network (like 192.168.1.1/24) but using global IPs, but never exposing them to the outside world.

mtr -w -6 google.com:

HOST: misaka                     Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2607:a:b:c::55       0.0%    10   24.7  25.7  24.3  35.4   3.4
  2.|-- 2607:a:b:c::1        0.0%    10   24.9  25.0  24.6  25.7   0.4
  3.|-- fd00::ffe                   0.0%    10   24.8  25.1  24.6  25.6   0.3
  4.|-- 2607:a:0:1:2::17f        0.0%    10   25.2  25.3  24.8  25.8   0.3
  5.|-- 2607:a:0:1:2::26         0.0%    10   25.0  25.1  24.6  25.4   0.2
  6.|-- 2607:a:0:1:2::4          0.0%    10   25.8  25.3  24.8  25.9   0.3
  7.|-- 2001:41d0:0:50::2:12c       0.0%    10   25.5  25.8  25.5  26.0   0.2
  8.|-- 2001:41d0:0:50::6:84a       0.0%    10   25.7  25.5  25.2  25.9   0.2
  9.|-- be100-100.bhs-g1-nc5.qc.ca 30.0%    10   29.2  26.8  26.1  29.2   1.1
 10.|-- ash-1-a9.va.us              0.0%    10   38.5  38.8  38.4  39.2   0.2
 11.|-- google.as15169.va.us        0.0%    10  111.2 111.1 110.7 111.5   0.2
 12.|-- 2607:f8b0:824c::1           0.0%    10  111.0 111.2 110.8 111.5   0.2
 13.|-- 2001:4860:0:1::20d2         0.0%    10  115.5 121.1 114.9 170.5  17.3
 14.|-- 2001:4860:0:1098::11        0.0%    10  118.5 116.6 112.1 143.0   9.5
 15.|-- 2001:4860::c:4000:da1a      0.0%    10  129.4 129.1 128.6 129.6   0.3
 16.|-- 2001:4860::c:4000:d5ff      0.0%    10  129.2 129.3 128.9 130.3   0.4
 17.|-- 2001:4860::9:4000:eec9      0.0%    10  126.2 126.0 125.5 126.5   0.3
 18.|-- 2001:4860:0:1::1f33         0.0%    10  125.9 125.6 125.4 126.1   0.3
 19.|-- ord37s07-in-x0e.1e100.net   0.0%    10  125.7 125.6 125.0 126.0   0.3

ping6 google.com:

PING google.com(ord37s07-in-x0e.1e100.net (2607:f8b0:4009:802::200e)) 56 data bytes
64 bytes from ord37s07-in-x0e.1e100.net (2607:f8b0:4009:802::200e): icmp_seq=1 ttl=44 time=127 ms

Thanks again for your help!

@finzzz

finzzz commented Apr 26, 2021

Hello,

I got this working recently; you can check out my script https://github.com/finzzz/wgzero (use the Full Routing option).
As far as I have tried, this is only possible if the ISP/VPS provider assigns you 1 IPv6 and 1 full IPv6 block (on a different range).
I have tested this on Linode and it works. You may need to open a ticket to request that, though.
Let me know if the script works in your case.
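The setup the issue asks for (a public IPv6 address per peer, reachable from outside, with no ip6tables MASQUERADE on the VPS) under the constraint finzzz describes (a separate block routed to the VPS), as an added example that is not code from the issue, from wgzero, or from WireGuard itself. It generates the wg-quick server and client configs, and first checks for the two things in the posted config that defeat the goal: tunnel addresses carved out of the VPS's own on-link /64 instead of a routed block, and per-peer AllowedIPs of /100 instead of /128. Every address, key, endpoint, and interface name below is a constructed placeholder (2001:db8::/32 and 192.0.2.0/24 are documentation ranges); IPv4 is left out to keep the IPv6 path clear.

```python
"""Generate wg-quick configs giving each WireGuard peer its own routable
public IPv6 address, forwarded (not NATed) through the VPS.

Added example, not from the thread, wgzero, or WireGuard. Assumes the
provider routes ROUTED_PREFIX to the VPS, separate from the VPS's own
on-link /64. All values below are constructed placeholders.
"""
import ipaddress

VPS_ONLINK_NET = ipaddress.ip_network("2001:db8:1::/64")    # VPS's own /64 on ens3 (placeholder)
ROUTED_PREFIX = ipaddress.ip_network("2001:db8:ffff::/64")  # block routed to the VPS (placeholder)
WAN_IFACE = "ens3"
LISTEN_PORT = 51820
VPS_ENDPOINT = "192.0.2.10"                                 # VPS public IPv4 (placeholder)
PEERS = {"laptop": "LAPTOP_PUBLIC_KEY", "homeserver": "HOMESERVER_PUBLIC_KEY"}


def allocate(prefix, peer_names):
    """Server takes ::1 of the routed block; each peer gets one distinct address."""
    base = int(prefix.network_address)
    server = ipaddress.IPv6Address(base + 1)
    peers = {name: ipaddress.IPv6Address(base + i)
             for i, name in enumerate(peer_names, start=2)}
    return server, peers


def check_plan(prefix, onlink_net, server, peers, allowed_prefixlen=128):
    """Reject the two mistakes from the thread's config. Tunnel addresses inside
    the VPS's on-link /64 are looked up by the upstream router with NDP on ens3,
    which the VPS only answers with proxy_ndp configured; and a per-peer
    AllowedIPs wider than /128 hands a whole subnet to one peer.
    Returns a list of problems; an empty list means the plan is sound."""
    problems = []
    if prefix.overlaps(onlink_net):
        problems.append(f"{prefix} overlaps the on-link prefix {onlink_net}; use a routed block")
    if allowed_prefixlen != 128:
        problems.append(f"per-peer AllowedIPs must be /128, not /{allowed_prefixlen}")
    used = {server}
    for name, addr in peers.items():
        if addr not in prefix:
            problems.append(f"{name}: {addr} is outside {prefix}")
        if addr in used:
            problems.append(f"{name}: {addr} is already assigned")
        used.add(addr)
    return problems


def server_conf(server, peers, pubkeys, prefix):
    """VPS side: route the block into wg0 and forward, never MASQUERADE.
    New inbound connections from the internet to peers are limited to SSH
    and ICMPv6 (needed for path MTU discovery through the 1420-byte tunnel).
    wg-quick expands %i to the interface name in PostUp/PostDown."""
    rules = [
        f"-i %i -o {WAN_IFACE} -j ACCEPT",
        f"-i {WAN_IFACE} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        f"-i {WAN_IFACE} -o %i -p icmpv6 -j ACCEPT",
        f"-i {WAN_IFACE} -o %i -p tcp --dport 22 -j ACCEPT",
        f"-i {WAN_IFACE} -o %i -j DROP",
    ]
    lines = [
        "[Interface]",
        f"Address = {server}/{prefix.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        "PrivateKey = SERVER_PRIVATE_KEY",
        "PostUp = sysctl -w net.ipv6.conf.all.forwarding=1",
    ]
    lines += [f"PostUp = ip6tables -A FORWARD {r}" for r in rules]
    lines += [f"PostDown = ip6tables -D FORWARD {r}" for r in reversed(rules)]
    for name, addr in peers.items():
        lines += ["", f"# {name}", "[Peer]",
                  f"PublicKey = {pubkeys[name]}",
                  f"AllowedIPs = {addr}/128"]  # exactly one address per peer
    return "\n".join(lines) + "\n"


def client_conf(name, addr, server_pubkey="SERVER_PUBLIC_KEY"):
    """Peer side: one /128 on wg0 and ::/0 through the tunnel, so the peer sends
    and receives IPv6 with its own public address. PersistentKeepalive keeps the
    peer's IPv4 NAT mapping open so the VPS can deliver inbound SSH to it."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {name.upper()}_PRIVATE_KEY",
        f"Address = {addr}/128",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {VPS_ENDPOINT}:{LISTEN_PORT}",
        "AllowedIPs = ::/0",
        "PersistentKeepalive = 25",
    ]) + "\n"


def build_all():
    """Allocate, validate, and render every config; raises on a bad plan."""
    server, peers = allocate(ROUTED_PREFIX, PEERS)
    problems = check_plan(ROUTED_PREFIX, VPS_ONLINK_NET, server, peers)
    if problems:
        raise ValueError("; ".join(problems))
    clients = {name: client_conf(name, addr) for name, addr in peers.items()}
    return server_conf(server, peers, PEERS, ROUTED_PREFIX), clients


if __name__ == "__main__":
    srv, clients = build_all()
    print("# wg0.conf on the VPS\n" + srv)
    for name, conf in clients.items():
        print(f"# wg0.conf on {name}\n" + conf)
```

After installing the output as /etc/wireguard/wg0.conf on each side and running `wg-quick up wg0`, check on the VPS that `ip -6 route get <peer address>` resolves via wg0, then `ping6` and `ssh` the peer's address from a host outside the VPS. If the provider gives you only the single on-link /64 and no routed block, the same addresses can still be reached by enabling `net.ipv6.conf.ens3.proxy_ndp=1` and adding `ip -6 neigh add proxy <peer address> dev ens3` for each peer, which this generator deliberately does not emit.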
