IPv6 Setup #1386
-
You probably need to send the packet the other way through this NAT. Or maybe pay to have a port opened up to your server.
-
Many thanks for replying. You're right in that if I wanted to I could pay to have a static IPv4 address and just use old school IPv4 to get out of IPv4 CGNAT woes.... But it's an unneeded expense to solve the problem as according to my call with tech support at Hyperoptic (who had to ask someone admittedly) I do have a global/public IPv6 address range (assuming that's the range specified in the above parameters from the router) and presuming the server I'm setting up supports IPv6 connections (which wireguard does, it's just a pain to figure out what the settings need to be) the server should be reachable.... Essentially no need to pay to get rid of CGNAT on IPv4 when I've got a public (?and static?) IPv6 to start with and all the clients I want to connect to it support IPv6 anyway? In which case CGNAT I basically need to get my head around what the wireguard settings need to be to put into those config files and what to put in the filter in the router and, as I understand it, it should all then just work?
-
If your IPv6 is not behind NAT then just use it as normal.
-
My thoughts too TinCan but I'm struggling with the appropriate config to get it to work...any sign of where I went wrong above?
-
Hey, did you ever get it working? I am also behind CGNAT and only have a public IPv6 address.
-
Hi folks,
Struggling to get Wireguard setup as I need to use IPv6 and the installer doesn't have any options to support this. Have therefore been manually editing config files over SSH...struggling to do so as I don't really have any prior experience with IPv6...but given I'm behind carrier grade NAT for IPv4 even DDNS won't provide an alternative...suspect with IPv4 addresses running out loads more will be in my situation soon...(I briefly looked into running an OpenVPN AS on a VPS and forcing a raspberry pi on my device to repeatedly open a connection - but finding a free one that'll do that job isn't easy...and ngrok doesn't really work well for VPNs that I can see?)
Goal:
Accessible VPN from outside of my home network to:
So a VPN that can access both the devices within my network (and potentially other devices connected to the VPN/bridging two networks), and also can direct all my internet traffic through the VPN to access the net. Presumably the content of the tunnel will be a dual stack mixture of IPv4 and IPv6 where only
The Issue:
I can't get wireguard to work with IPv6. I've spent ages playing with settings reading guides learning where to put random number 6s in old and familiar commands to use them with IPv6...but largely chasing an idiot proof explanation of what I needed to do! I suspect my complete lack of knowledge of IPv6 (and inexperience with wireguard itself) is part of the problem...
I installed it originally on a raspberry pi (using the pivpn script...which doesn't have an IPv6 option).... That set up the install and I created the users etc...
But /etc/wireguard/wg0.conf has no reference to IPv6 anywhere and I've had to modify it myself. Similarly the user config files....
I really need a totally baby friendly talk through on what to do IPv6 wise... as I understand it an IPv6 address beginning 'fe' is for the local network, but what I want for connection is the global address...
In my router's info on IPv6 I can see:
LLA: fe80::XXXX:XXXX:XXXX:XXXX

Prefix: 2a01:YYYY:YYYY:YYYY::/56

DNS::/::/:: (might be because I've got my whole network using my pihole for DNS on both IPv4 and IPv6 for adblocking purposes - it is running on the same raspberry pi as wireguard which is behind my router)

IPv6 Gateway fe80::ZZZZ:ZZZZ:ZZZZ:ZZZZ
My understanding (which is probably wrong - IPv6 is completely new to me) is that LLA is similar to a ULA (and fe suggests it's just a local network thing)...as a result it's probably not what I want anywhere? the Gateway is probably the local IPv6 IP of my router itself? (would likely be 192.168.1.1 in a standard old IPv4 environment?) Is this the 'Endpoint?'
Prefix looks to me like (?the beginning part of all of my?) the range of global IPv6 addresses I've been allocated...This also looks about right going to ifconfig.co or googling 'what is my IP'... I appreciate that the /56 somehow relates to my subnet mask and thus defines my block of IPv6 IPs...not quite sure what that would be in that format though....with IPv4 I used to use 255.255.255.0 (or equivalent) so I knew where I stood. How can I work out which addresses are and aren't in my allocated range from that? How can I specify a limited subset for my VPN as I've seen people talk about?? (and do I need to do that to make it all work?)
Anyway trying to slot all of this into appropriate client and server config files for wireguard... Here's what I've got:
/etc/wireguard/wg0.conf
```
[Interface]
PrivateKey = <KEY REMOVED=
Address = 10.6.0.1/24 2a01:YYYY:YYYY:YYYY::/56
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -t nat$
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -t n$
### begin user 1 ###
[Peer]
PublicKey = =
PresharedKey = =
AllowedIPs = 10.6.0.2/32 2a01:YYYY:YYYY:YYYY::/56
### end user 1 ###
# (there are other users but the same so not repeated!)
```
And the user configuration file reads /etc/wireguard/configs/user.conf:
```
[Interface]
PrivateKey = =
Address = 10.6.0.2/24, 2a01:YYYY:YYYY:YYYY::/56
DNS = 10.6.0.1

[Peer]
PublicKey = =
PresharedKey = =
Endpoint = [2a01:YYYY:YYYY:YYYY:THE:GLOBAL:IP:OFRASPBERRYPI]:51820
AllowedIPs = 0.0.0.0/0, ::0/0
```
I've also set up an IPv6 filter on my router (ZTE)
```
Allow
UDP
Source Port range - empty
Destination port range - 51820 to 51820
Source IPv6 - empty (i.e. irrespective of where it comes from)
Destination IPv6: [Raspberry:Pi:Global:IPv6] /128
(assuming /128 is right here so it points at a single IPv6 address...if my rookie understanding is correct?!)
```
I suspect my failing is a total rookie error and obvious to many on here! Please forgive my noobdom - would love to get this up and running (then I'll be setting up OpenVPN as well as a fallback for when travelling - would like both options!)
Many thanks and sorry for the marathon post folks. Desperately keen to get this all working and had it been a case of deploying on IPv4 it would've been easy! A handholding addon to the script to handle IPv6 setups might not be a bad idea given how comparatively effortless it would've been with the PiVPN setup script over IPv4!
Many, many thanks for this great project all!
PS - All the Keys will be correctly generated for me and in the correct places as this aspect of the config is handled for me by the initial pivpn wrapper/script....so the problem is likely my poor grasp of IPv6!
Edit: On looking up tables it looks like /56 is a pool of 4,722,366,482,869,645,213,696 IPs devices, surely they can't have allocated me this many :-D I like my tech more than most but this is one or two more devices than I own!!!!
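An added example, not part of the original post or of the PiVPN project, that works through the /56 questions above with Python's `ipaddress` module: how large the delegation is, how to reserve one /64 of it for the tunnel, and how to check a `wg0.conf` `Address` or per-peer `AllowedIPs` value. The prefix `2001:db8:0:ab00::/56` is a constructed stand-in for the masked one, and the LAN /64, the subnet index `0x10` and the function names are assumptions; the reserved /64 is only reachable from outside if the router routes it to the Raspberry Pi.

```python
import ipaddress

# Constructed stand-in for the masked 2a01:YYYY:YYYY:YYYY::/56 on the page
# (2001:db8::/32 is the documentation range).
DELEGATED = ipaddress.ip_network("2001:db8:0:ab00::/56")
# Assumption: the router advertises the first /64 of the delegation on the LAN.
LAN = ipaddress.ip_network("2001:db8:0:ab00::/64")


def summarize(prefix):
    """Count the /64 subnets and single addresses inside a delegated prefix."""
    return {"subnets_64": 2 ** (64 - prefix.prefixlen),
            "addresses": prefix.num_addresses}


def plan_tunnel(prefix, subnet_id, peers):
    """Reserve one /64 of the delegation for wg0 and number hosts inside it."""
    tunnel = list(prefix.subnets(new_prefix=64))[subnet_id]
    hosts = tunnel.hosts()            # iteration starts at ...::1
    server = next(hosts)
    return {"tunnel": tunnel,
            "server_address": f"{server}/64",
            "peers": {name: f"{next(hosts)}/128" for name in peers}}


def lint_entry(value, lan=LAN):
    """Check a wg0.conf Address or per-peer AllowedIPs value."""
    problems = []
    for item in (part.strip() for part in value.split(",")):
        if " " in item:
            problems.append(f"entries must be comma-separated: {item!r}")
            continue
        net = ipaddress.ip_interface(item).network
        if net.version == 6 and net.prefixlen < 64 and net.overlaps(lan):
            problems.append(f"{net} covers the LAN subnet {lan}")
    return problems


if __name__ == "__main__":
    print(summarize(DELEGATED))
    plan = plan_tunnel(DELEGATED, 0x10, ["user1"])
    print("Address    =", "10.6.0.1/24, " + plan["server_address"])
    print("AllowedIPs =", "10.6.0.2/32, " + plan["peers"]["user1"])
    print(lint_entry("10.6.0.1/24 2001:db8:0:ab00::/56"))
```
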