Wireguard and IPv6

Hi guys,

I have been on DietPi with WireGuard (split tunneling), Pi-hole and Unbound for a while.

To my surprise, (almost) everything just works (after weeks of fiddling around using other software packages).

Now, I am using WireGuard out of the box and it seems only IPv4 is part of the initial setup.
https://ipv6-test.com says ipv6 is not supported.

When I disable the VPN connection, IPv6 is supported (again). So, IPv6 should work with WireGuard, shouldn't it?

So, the simple question is: What do I need to add to the wg0 and client.conf files to make tunneling via IPv6 work (additionally to IPv4)? Is there anything else to change outside of WireGuard?

I googled the internet but couldn't find anything relevant, so my hope lies in this forum :slight_smile:

I tried adding IPv6 addresses into the server and client conf files, but as soon as I enable the VPN connection on my smartphone, I don't have connectivity anymore.

These are my conf files for server and client:
As you can see, these are basically the conf files right after the WireGuard install, with the added IPv6 addresses. The only new IP space I added to the client conf is that of my Pi-hole, 192.168.100.0/24.
Note: key information removed for security reasons


Any help would be much appreciated. What am I doing wrong?
I wouldn't want to have IPv6 traffic bypass my tunnel. There is a way, isn't there?


-K

wg0.conf:

[Interface]
Address = 10.9.0.1/24, fc00:23:5::1/64
PrivateKey = […]
ListenPort = 51820

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE

Client 1

[Peer]
PublicKey = […]
AllowedIPs = 10.9.0.2/32, fc00:23:5::2/128


client.conf:

[Interface]
Address = 10.9.0.2/24, fc00:23:5::2/64
PrivateKey = […]
DNS = 10.9.0.1

[Peer]
PublicKey = […]
AllowedIPs = 192.168.100.0/24, 10.9.0.0/24, fc00:23:5::/64
Endpoint = publicIP:51820
PersistentKeepalive = 25
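To check a server/client pair for the kind of mismatch described in this post (an IPv6 address present on one side but not covered by the other side's AllowedIPs, a family left outside AllowedIPs so it bypasses the tunnel, or a DNS server that is not routed through it), here is an added Python linter that is not part of the original post or of DietPi. It embeds copies of the two configs quoted above with keys omitted; the function names parse_wg, networks and lint are my own.

```python
import ipaddress
import re

# Constructed copies of the post's wg0.conf and client.conf (keys and endpoint omitted).
SERVER_CONF = """[Interface]
Address = 10.9.0.1/24, fc00:23:5::1/64
[Peer]
AllowedIPs = 10.9.0.2/32, fc00:23:5::2/128"""
CLIENT_CONF = """[Interface]
Address = 10.9.0.2/24, fc00:23:5::2/64
DNS = 10.9.0.1
[Peer]
AllowedIPs = 192.168.100.0/24, 10.9.0.0/24, fc00:23:5::/64"""

def parse_wg(text):
    """Parse WireGuard INI text into [(section, {key: value})]; repeated [Peer] blocks are kept."""
    sections = []
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            sections.append((m.group(1), {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = val
    return sections

def networks(value):
    """Split a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def lint(server_text, client_text):
    """Report client traffic that would travel outside the tunnel, per address family."""
    server, client = parse_wg(server_text), parse_wg(client_text)
    server_allowed = [n for k, v in server if k == "Peer" for n in networks(v["AllowedIPs"])]
    c_iface = next(v for k, v in client if k == "Interface")
    c_allowed = [n for k, v in client if k == "Peer" for n in networks(v["AllowedIPs"])]
    findings = []
    for a in c_iface["Address"].split(","):
        addr = ipaddress.ip_interface(a.strip()).ip
        # The server drops packets whose source is not inside some peer's AllowedIPs.
        if not any(addr in n for n in server_allowed):
            findings.append(f"server has no peer AllowedIPs covering {addr}")
        # Destinations outside the client's AllowedIPs use the normal uplink, not wg0.
        default = ipaddress.ip_network("0.0.0.0/0" if addr.version == 4 else "::/0")
        if default not in c_allowed:
            findings.append(f"IPv{addr.version} internet traffic bypasses the tunnel (no {default} in AllowedIPs)")
    for d in (x.strip() for x in c_iface.get("DNS", "").split(",") if x.strip()):
        if not any(ipaddress.ip_address(d) in n for n in c_allowed):
            findings.append(f"DNS server {d} is not routed through the tunnel")
    return findings
```

Run against the quoted configs it reports that both IPv4 and IPv6 internet traffic stay outside the tunnel, which is what a split-tunnel AllowedIPs list implies; adding ::/0 on the client (and, for a full tunnel, 0.0.0.0/0) is what changes that.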

  1. Enable IPv6 on the Pi.
  2. Make sure that your Wireguard .conf includes parameters for IPv6.
  3. Make sure IPv6 is even enabled on your router.

Then reboot. If IPv6 isn’t working then see the P.S. at the bottom of this post, or consult your Wireguard provider if you have one.

Protip: Do not use IPv6. It’s garbage and is completely anti-privacy.

P.S. Wireguard and Pi-Hole are not compatible together. I would not be surprised if you’re getting a leak somewhere or generating additional overhead from using both at the same time. Unless you need absolutely the entire Pi running under Wireguard it’s best to just use a SOCKS5 and cover what you need, or use Docker and run a service/app alongside a VPN inside a docker container.

P.P.S. Disable IPv6 entirely (via your router) and you don’t have to worry about any IPv6 traffic bypassing anything. Problem solved.

Thanks for the answers.

  1. Enable IPv6 on the Pi.
    I think I have. But just to be sure, how would I or how could I check?

  2. Make sure that your Wireguard .conf includes parameters for IPv6.
    What parameters exactly? I do have some, but are they correct?

  3. Make sure IPv6 is even enabled on your router.
    It is, for sure. As I mentioned, when doing the IPv6 test with WireGuard disabled, I have IPv6 connectivity as expected.

Disabling IPv6 by default is not an option. That would be too easy, wouldn't it? :wink:

Happy to read your thoughts on how to specifically set up WireGuard to make it work with IPv4 and IPv6. I am sure I am missing something obvious.

-K

FWIW

Chrome was the issue as it was bypassing my settings (and DNS).

I had to disable its async DNS resolver.

Read more here: https://discourse.pi-hole.net/t/disable-async-dns-resolver-in-google-chrome/9500

As can be seen from the wg0.conf, all IPv6 forwarding rules are added, so it generally works as long as IPv6 is enabled for the interfaces as well (not disabled via sysctl or at kernel level).

WireGuard (or any other VPN) DOES work with Pi-hole. But one needs to configure Pi-hole to allow DNS requests from all local interfaces, not just the main one (e.g. eth0/wlan0): pihole -a -i local
This has been added to our online docs for WireGuard, OpenVPN and Pi-hole as well, and will be done by default by dietpi-software installs with v6.26, if either a VPN server is installed while Pi-hole already is, or the other way round.

Totila
So you mean Chrome was able to resolve the host elsewhere, ignoring the DNS = 10.9.0.1 entry of the WireGuard client config? Not nice, but at least the request is still sent through the VPN. We could find this in other cases as well, e.g. if the DNS provided by the WireGuard config is not available. Generally I think there is nothing that a WG client can do to force using a certain DNS. There are several ways/commands/options to use a different DNS than the one offered by the system (e.g. via resolv.conf). The most important thing is that those requests are still passed through the VPN, so the DNS server is called with the VPN server/router as host.