Wireguard Session Manager - Discussion (2nd) thread


Yep, a little messy, but I think I covered most use cases with regard to Wireguard Server for IPv6 or IPv4/IPv6 dual stack.

Feedback is always appreciated!
https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server

Because of this bug some parts will not work "out of the box" for the moment. But for the time being it could be worked around according to the post.

//Zeb

Ps. @heysoundude this was what you were looking for right?
 
From the quick scan I've just given that link, Yessir, you've hit my bullseye! Thank you!
 
@ZebMcKayhan Closer, but still not there yet (plus a new wrinkle).

I have set up as discussed above (and manually edited wg21.conf and device.conf to account for the bug, then recreated the QR code), but I still have no IPv6 from the phone (IPv4 is fine).
Code:
# RT-AX88U (IPv4/IPv6) Server 1
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
#Address = 10.50.1.1/24,fd36:7ef1:2add:aa88::1/64
ListenPort = 11501

# sam20 device
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.50.1.2/32,fd36:7ef1:2add:aa88::2/128
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
# sam20 End
Code:
# sam20
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.50.1.2/32,fd36:7ef1:2add:aa88::2/128
DNS = 10.50.1.1,2620:119:35::35

# RT-AX88U (IPv4/IPv6) 'server' (wg21)
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0     # ALL Traffic
# DDNS xxxxxxx.asuscomm.com
Endpoint = xxxxxxx.asuscomm.com:11501
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
PersistentKeepalive = 25
# sam20 End
Note: the IPv6 DNS is OpenDNS, pulled from my IPv6 settings.
Also, if it is relevant, looking at wg21 in ifconfig:
Code:
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.50.1.1  P-t-P:10.50.1.1  Mask:255.255.255.0
          inet6 addr: fd36:7ef1:2add:aa88::1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:5045 errors:15 dropped:0 overruns:0 frame:15
          TX packets:5381 errors:2 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1126600 (1.0 MiB)  TX bytes:3237224 (3.0 MiB)
I can see that the IPv6 address Scope is flagged as Global, rather than Link.
From wgm
Code:
        interface: wg21  Port:11501     10.50.1.1/24                    VPN Tunnel Network      # RT-AX88U (IPv4/IPv6) Server 1
                peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.1.2/32,fd36:7ef1:2add:aa88::2/128         # sam20 "Device"
                 latest handshake: 1 minute, 1 second ago
                 transfer: 1.16 MiB received, 3.53 MiB sent             0 Days, 00:23:02 from 2022-03-07 19:13:54
and
Code:
        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                                  Port   Annotate
wg21    Y     10.50.1.1/24,fd36:7ef1:2add:aa88::1/64  11501  # RT-AX88U (IPv4/IPv6) Server 1


        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device  Auto  IP                                  DNS                        Allowed IPs      Annotate
sam20   X     10.50.1.2/32,fd36:7ef1:2add::2/128  10.50.1.1,2620:119:35::35  0.0.0.0/0, ::/0  # sam20 "Device"

and (the wrinkle) I had noticed that on reboot Skynet was not loading. Also, if I restart Skynet it also stops and restarts wgm, except that once Skynet is running the phone can no longer connect over WireGuard. For now I am happy to disable Skynet and focus on getting IPv6 running through WireGuard.

Edit: Skynet is probably a matter of one script treading on another's toes. I restarted Skynet with the GUI disabled and, once I could see that WireGuard was up, restarted the GUI; for now everyone is playing nicely.
 
Install PingTools for Android and, when connected on your phone, try to ping the router:
Code:
fd36:7ef1:2add:aa88::1
If it works, the tunnel carries IPv6 to the router; that's a good start!

If it's not working, try to ping the phone from the router:
Code:
ping fd36:7ef1:2add:aa88::2
Do you get any error message?

Try to ping an internet IPv6 address from the phone:
Code:
2600::

If it still works, head over to DNS lookup, enter your DNS under settings and see if they work.

Also, post your output of (from the router shell):
Code:
ip6tables -nvL POSTROUTING -t nat

PS. I'm running Skynet with Wireguard manager and don't have any problems.
 
Code:
fd36:7ef1:2add:aa88::1
phone to router 3 sent, 3 received, no packet loss
Code:
ping fd36:7ef1:2add:aa88::2
router to phone 5 sent, 5 received, no packet loss
Code:
2600::
ICMP 3 sent,0 received 100% packet loss
Code:
ip6tables -nvL POSTROUTING -t nat
Code:
Chain POSTROUTING (policy ACCEPT 7411 packets, 1019K bytes)
 pkts bytes target     prot opt in     out     source                    destination
    0     0 MASQUERADE  all      *      eth0    fd36:7ef1:2add:aa88::/64  ::/0                 /* WireGuard 'server' */
 
Ok, good. At least you have a solid IPv6 connection between phone and router.

And you are sure eth0 will be the outgoing WAN interface? No weird IPv6 routing policies or anything?
You could check this (usually) by:
Code:
ip -6 route get 2600::
See that the interface for this route is eth0 and that the src address is your IPv6 WAN address.
Since I don't have IPv6 WAN, this maybe needs to be handled differently than MASQUERADE.


You could install tcpdump on the router from Entware:
Code:
opkg install tcpdump

And check your ping to 2600:: as it arrives on wg21:
Code:
tcpdump -i wg21 -vv icmp6

And on your wan:
Code:
tcpdump -i eth0 -vv icmp6

You could also see the package path:
Code:
tcpdump -i any -vv dst 2600::

See if the package ever gets to eth0 and what the source address is.
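The route, source-address and NAT-rule checks from this post, turned into a script that can be run against captured output. This is an added example, not code from the thread or from wireguard_manager; the function names are the example's own, and the sample route and ip6tables output are constructed from the values posted above in this thread.

```shell
#!/bin/sh
# Offline checker for the IPv6 egress path of a WireGuard 'server' peer on the router.
# It parses the text of `ip -6 route get <dst>` and `ip6tables -nvL POSTROUTING -t nat`
# and answers: which interface and source address the kernel picks for the destination,
# whether that source is link-local (never forwarded off-link), and whether a
# MASQUERADE/SNAT rule exists for the tunnel prefix on that interface.
# Function names and argument layout are this example's own, not wgm's.

# Constructed samples, using the values posted in this thread.
SAMPLE_ROUTE='2600:: via fe80::4255:82ff:febd:9c3 dev eth0 src 2a02:c7f:f0c3:1000::1 metric 0 hoplimit 64 pref medium'
SAMPLE_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 7411 packets, 1019K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      eth0    fd36:7ef1:2add:aa88::/64  ::/0                 /* WireGuard 'server' */
EOF
)

# route_field "<ip -6 route get output>" dev|src|via -> the value following that keyword
route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# fe80::/10 is link-local: valid on one link only, so a route whose src is link-local
# cannot carry tunnel traffic to the internet.
is_link_local() {
    case "$1" in
        [Ff][Ee][89ABab]*) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_rules "<ip6tables -nvL output>" -> one "TARGET out-if source-prefix" line per
# MASQUERADE/SNAT rule. The source is located as the first field containing ':' so the
# parse does not depend on whether the 'opt' column is printed.
nat_rules() {
    printf '%s\n' "$1" | awk '$3 == "MASQUERADE" || $3 == "SNAT" {
        for (i = 4; i <= NF; i++) if (index($i, ":")) { print $3, $(i - 1), $i; break }
    }'
}

# check_egress "<route output>" "<nat output>" <tunnel prefix>
# Exit status 0 when the path looks sane, 1 with a printed reason otherwise.
check_egress() {
    dev=$(route_field "$1" dev)
    src=$(route_field "$1" src)
    if [ -z "$dev" ]; then
        echo "FAIL: no outgoing device in route output"; return 1
    fi
    if is_link_local "$src"; then
        echo "FAIL: route source $src is link-local, nothing will be forwarded"; return 1
    fi
    if nat_rules "$2" | awk -v dev="$dev" -v want="$3" \
            '$2 == dev && $3 == want { found = 1 } END { exit found ? 0 : 1 }'; then
        echo "OK: $3 leaves via $dev with source $src and a matching NAT rule"
        return 0
    fi
    echo "FAIL: no MASQUERADE/SNAT rule for $3 on $dev"; return 1
}

check_egress "$SAMPLE_ROUTE" "$SAMPLE_NAT" fd36:7ef1:2add:aa88::/64
```

On the router you would pass the live output instead, for example check_egress "$(ip -6 route get 2600::)" "$(ip6tables -nvL POSTROUTING -t nat)" fd36:7ef1:2add:aa88::/64. Passing these checks only shows that the NAT rule can match on the chosen interface; it does not prove the packet ever reaches that interface, which is what the tcpdump captures on wg21 and eth0 are for.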
 
As far as I can see the packages are not reaching eth0; the only traffic there appears to be from some link-local (fe80::) addresses.
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i wg21 -vv icmp6
tcpdump: listening on wg21, link-type RAW (Raw IP), capture size 262144 bytes
08:29:21.396491 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
08:29:25.460552 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
08:29:29.367051 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i eth0 -vv icmp6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:38:35.281502 IP6 (class 0x40, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::4255:82ff:febd:9c3 > fe80::aa5e:45ff:feae:5050: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::aa5e:45ff:feae:5050
          source link-address option (1), length 8 (1): 40:55:82:bd:09:c3
            0x0000:  4055 82bd 09c3
08:38:35.281586 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::aa5e:45ff:feae:5050 > fe80::4255:82ff:febd:9c3: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::aa5e:45ff:feae:5050, Flags [solicited]
08:39:12.946149 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::21d:aaff:fe8a:3448 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:1d:aa:8a:34:48
            0x0000:  001d aa8a 3448
08:42:10.281622 IP6 (class 0x40, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::4255:82ff:febd:9c3 > fe80::aa5e:45ff:feae:5050: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::aa5e:45ff:feae:5050
          source link-address option (1), length 8 (1): 40:55:82:bd:09:c3
            0x0000:  4055 82bd 09c3
08:42:10.281777 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::aa5e:45ff:feae:5050 > fe80::4255:82ff:febd:9c3: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::aa5e:45ff:feae:5050, Flags [solicited]
08:43:12.214495 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::21d:aaff:fe8a:3448 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:1d:aa:8a:34:48
            0x0000:  001d aa8a 3448
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i any -vv dst 2600::
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:49:48.595684 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
08:49:52.579376 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
08:49:56.627650 IP6 (flowlabel 0xce5aa, hlim 64, next-header ICMPv6 (58) payload length: 64) fd36:7ef1:2add:aa88::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
where fe80::aa5e:45ff:feae:5050/64 is the router's link-local range.
 
Yep, seems so... guess that is why the MASQUERADE rule is not working for you. So where is the router sending WAN IPv6 traffic? ppp0?
Test:
Code:
ip -6 route get 2600::
To find out where IPv6 packages are routed.
 
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip -6 route get 2600::
2600:: via fe80::4255:82ff:febd:9c3 dev eth0 src 2a02:c7f:f0c3:1000::1 metric 0 hoplimit 64 pref medium

Edit:

Where 2a02:c7f:f0c3:1000::1 is the current IPv6 WAN address on br0 and fe80::4255:82ff:febd:9c3 is the puzzle. From the WAN test in #727 this corresponds to MAC 40:55:82:bd:09:c3, which would appear to correspond to a Nokia device, but I have nothing in the LAN with that MAC (or even any Nokia devices).

Looking at the routing table in the GUI:
(two screenshots of the GUI routing table, not reproduced here)
 
Hmmm.... this would have been much easier if I had an IPv6 WAN connection.

What bothers me is that the package does not appear on the eth0 interface at all. Does it appear if you do the same ping on the LAN?

If it does appear, then perhaps the MASQUERADE rule is borked when eth0 only has an fe80- link-local address. Try to remove the rule and see if the package then appears on eth0 (with a ULA source address).

Depending on the output from above we might try:
1. To assign an address to eth0 from your br0 subnet to see if the rule "behaves"
2. We could try SNAT instead, but this is less preferred since I think you need Entware iptables.
But of course none of it matters if we can't make the package reach the WAN interface.
 
As you have noted, the MASQUERADE rule does not seem to do anything.
If I
Code:
ping 2600::
then it seems to work fine for a local PC on the LAN -> eth0
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i eth0 -vv icmp6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:32:01.556707 IP6 (hlim 127, next-header ICMPv6 (58) payload length: 40) 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1086
18:32:01.662077 IP6 (hlim 52, next-header ICMPv6 (58) payload length: 40) 2600:: > 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b: [icmp6 sum ok] ICMP6, echo reply, seq 1086
18:32:02.572209 IP6 (hlim 127, next-header ICMPv6 (58) payload length: 40) 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1087
18:32:02.677133 IP6 (hlim 52, next-header ICMPv6 (58) payload length: 40) 2600:: > 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b: [icmp6 sum ok] ICMP6, echo reply, seq 1087
18:32:03.581225 IP6 (hlim 127, next-header ICMPv6 (58) payload length: 40) 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1088
18:32:03.686129 IP6 (hlim 52, next-header ICMPv6 (58) payload length: 40) 2600:: > 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b: [icmp6 sum ok] ICMP6, echo reply, seq 1088
18:32:04.585966 IP6 (hlim 127, next-header ICMPv6 (58) payload length: 40) 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1089
18:32:04.691086 IP6 (hlim 52, next-header ICMPv6 (58) payload length: 40) 2600:: > 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b: [icmp6 sum ok] ICMP6, echo reply, seq 1089
where 2a02:c7f:f0c3:1000:25e9:7161:nnnn:890b is the PC's current IPv6 address

I can try using a link-local address (I can generate this from the phone's MAC); given the probable overlap, is there any reason to use /64 or would a smaller subnet suffice? I will run up a second server instance (wg22) and see what happens.

Edit: cannot use a link-local address.
 
@ZebMcKayhan The next step was to create a server as if I had a static IPv6 (which it virtually is, unless I force it to change or disable IPv6 for over a week),
so peer new ip=10.50.2.1/24 ipv6=2a02:c7f:f0c3:1010::1/64 and a new device.
Pinging 2600:: from the phone still times out, but now I see traffic on wg22 and eth0:
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i wg22 -vv icmp6
tcpdump: listening on wg22, link-type RAW (Raw IP), capture size 262144 bytes
19:20:18.311323 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:20:22.351451 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:20:26.391917 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i eth0 -vv icmp6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:51.231640 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:20:55.271737 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:20:59.331206 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
Code:
admin@RT-AX88U-5050:/tmp/home/root# tcpdump -i any -vv dst 2600::
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
19:21:36.319445 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:21:36.319560 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:21:40.513810 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:21:40.513857 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:21:44.511245 IP6 (flowlabel 0xa5c66, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
19:21:44.511322 IP6 (flowlabel 0xa5c66, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:c7f:f0c3::2 > 2600::: [icmp6 sum ok] ICMP6, echo request, seq 1
HOWEVER, still no IPv6 over the tunnel (checked using test-ipv6 and browserleaks), so the problem seems to be elsewhere.
 
Link-local (fe8- addresses) are not valid outside the link between 2 points, so it would never be forwarded; that is why we use ULA (fc, fd addresses) instead, but they are never forwarded outside your network.

The only thing I could think of would be if you have an IP conflict now between br0 and wg22. Try using:
Wg22: 2a02:c7f:f0c3:1000::101/120

Wg22 Device: 2a02:c7f:f0c3:1000::102/128

The fact that you don't get a reply means that the packets get rejected for some reason. (See Edit below)

If this doesn't work I have no idea.
Just off the top of my head, things to try, but could be a long shot (don't put any of the below in any script, just execute them manually from the shell; this way a reboot will always clear it):

Give eth0 a proper address from your prefix and see if the MASQUERADE rule somehow starts working:

Code:
ip -6 address add dev eth0 2a02:c7f:f0c3:1000::2/128

Or you could try a different approach and use SNAT instead:
Code:
ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:aa88::/64 -o eth0 -j SNAT --to-source 2a02:c7f:f0c3:1000::1

There is a risk that you get an error message when executing the last command, which means you need to install iptables from Entware, but it will have to be at your own risk (I'm running it and it appears fine on AC86U, but can't guarantee for you; you could always uninstall it after testing).

Edit: noticed that your wg22 address is in fact not according to your WAN prefix. You used:
Code:
2a02:c7f:f0c3::2
Instead of your intended:
Code:
2a02:c7f:f0c3:1010::2
Since you are using an address outside of your /56 prefix it will be dropped. Guess this is due to the wgm bug, as this is what it does.
 
Found a bug.

If I create a server peer with
Code:
peer new ip=192.168.100.1/24 ipv6=fdff:a37f:fa75:100::1/120

Still when creating a device, the device.conf ip is:
Code:
Address = 192.168.100.2/32,fdff:a37f:fa75::2/128

And wg21.conf:
Code:
AllowedIPs = 192.168.100.2/32,fdff:a37f:fa75::2/128

So the :100: gets cut off (like a /48), which makes it not work with other rules.

If I correct device.conf:
Code:
Address = 192.168.100.2/32,fdff:a37f:fa75:100::2/128

And wg21.conf:
Code:
AllowedIPs = 192.168.100.2/32,fdff:a37f:fa75:100::2/128

Everything works.
Thanks

Uploaded wireguard_manager Beta v4.15bC to Github dev branch


To apply the fix use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
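A shell rendering of the correct derivation of a device's addresses from the server peer's ip=/ipv6= values, beside a function that reproduces the truncated output reported in the bug above, so the two can be compared on the same inputs. This is an added example, not wireguard_manager's own code; the function names and the decimal host index are this example's choices, and the truncating function only reproduces the observed output, not the script's actual logic.

```shell
#!/bin/sh
# Derive a device's addresses from the 'server' peer's own ip=/ipv6= values while keeping
# the whole IPv6 routing prefix. Added example, not wireguard_manager's code; function
# names are this example's own. The host index n is decimal; it becomes the last IPv4
# octet and the (hex) host part after '::' in IPv6.

# Reproduces the behaviour reported above: the prefix is cut to its first three hextets,
# as if it were a /48, before the host part is appended
# (fdff:a37f:fa75:100::1/120 -> fdff:a37f:fa75::2/128).
device_ip6_truncated() {
    server=${1%/*}                                  # drop the /len
    printf '%s::%x/128\n' "$(printf '%s\n' "$server" | cut -d: -f1-3)" "$2"
}

# Correct derivation: keep everything before the '::' of the server address and replace
# only the host part, so ::1/64 and ::1/120 style servers both work.
device_ip6() {
    server=${1%/*}
    case "$server" in
        *::*) ;;
        *) echo "expected a '::'-compressed address, got $1" >&2; return 1 ;;
    esac
    printf '%s::%x/128\n' "${server%::*}" "$2"
}

# IPv4 counterpart: replace the last octet of the server address.
device_ip4() {
    ip=${1%/*}
    printf '%s.%s/32\n' "${ip%.*}" "$2"
}

# host_fits <server ipv6/len> <n>: can host n live inside the server's prefix?
# For prefixes of /112 or shorter any single-hextet host fits; for longer ones (such as
# the /120 used above) n must be below 2^(128-len), otherwise the device address falls
# outside the prefix and the server's routes and firewall rules will not match it.
host_fits() {
    len=${1##*/}
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$len" -le 112 ]; then
        [ "$2" -le 65535 ]
    else
        [ "$2" -lt $(( 1 << (128 - len) )) ]
    fi
}

# peer_lines <server ipv4/len> <server ipv6/len> <n>: the Address= line for device.conf
# and the AllowedIPs= line for the server's wgNN.conf.
peer_lines() {
    host_fits "$2" "$3" || { echo "host $3 does not fit in $2" >&2; return 1; }
    ip4=$(device_ip4 "$1" "$3")
    ip6=$(device_ip6 "$2" "$3") || return 1
    printf 'Address = %s,%s\n' "$ip4" "$ip6"
    printf 'AllowedIPs = %s,%s\n' "$ip4" "$ip6"
}

peer_lines 192.168.100.1/24 fdff:a37f:fa75:100::1/120 2
```

The host_fits check is the part worth keeping around after the fix: with a /120 server network only hosts 1 to 255 are addressable, and a device numbered beyond that would silently land outside the prefix just as the truncated address did.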
 
Sorry, had forgotten to correct for the bug in v4.15bB; have updated to v4.15bC and the phone connection using my pseudo-static IPv6 is working fine on IPv4 and IPv6.

Next steps are to work out how to replicate this with a ULA (I will test your suggestions above this evening) and to add a client to the router for outbound traffic.
 
Hi,

My ISP provides me a static /48 prefix and a public IPv4. Unfortunately my cellular carrier has not implemented IPv6 connectivity yet, so no IPv6 on the phone. Is it possible to create a VPN tunnel over IPv4 so my phone would receive a global IPv6 address?
 
YES! Just make sure to update wgm to the latest dev version with uf dev from within wgm.

Just follow this guide to set up a dual stack server; the tunnel/Endpoint could be over IPv4 only, that's not a problem. @archiel just verified above that this method works for static IPv6 (still work in progress for dynamic assignments).

good luck!

//Zeb
 
wireguard_manager v4.15 Released

To upgrade
Code:
e  = Exit Script [?]

E:Option ==> uf
and to ensure new configuration options are available, it is prudent to issue
Code:
e  = Exit Script [?]

E:Option ==> createconfig

    Warning: WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf' already exists!...renamed to 'WireguardVPN.conf20220309-144455'

    Creating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
and you will need to use command vx to check the configuration options still meet your requirements.
 
Just follow this guide to setup a dual stack server
FYI

In most cases, there is no need to explicitly specify any IPv4/IPv6 address when creating a new 'server' Peer, be it IPv4 only (default), IPv6 only or dual-stack IPv4+IPv6.

e.g. IPv4 only
Code:
peer new
IPv4+IPv6 Dual-stack
Code:
peer new ipv6
IPv6 only
Code:
peer new ipv6 noipv4
but if the default IP address/Port values etc. are deemed inappropriate or create a conflict, then they should be specified.
 
