Wireguard IPv4 to IPv6 tunnel

On your IPv6 only VPS, e.g. Mouse Server from Servarica:

root@ipv6_server:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.2
ListenPort = 51820
PrivateKey = <ipv6_server privkey>
PostUp = ip route add default dev %i

[Peer]
PublicKey = <dual_home public key>
# Must cover everything routed through the tunnel: WireGuard drops outgoing
# packets whose destination is not in AllowedIPs, so a /32 here would leave
# only the peer itself reachable despite the default route set in PostUp.
AllowedIPs = 0.0.0.0/0
Endpoint = <dns AAAA record of dual home server>:<dual_home listenport>

On your dual homed VPS, e.g. one of the lowendspirit boxes:

root@dual_home:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.1/24
ListenPort = <dual_home listenport>
PrivateKey = <dual_home privkey>
# PostDown mirrors PostUp rule for rule (-D for every -A, same interface) so nothing is left behind when the tunnel goes down.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

[Peer]
PublicKey = <ipv6_server public key>
AllowedIPs = 192.168.xx.2/32
Endpoint = <ipv6>:51820

Please change venet0 to eth0 or ensX to match the internet-facing interface of your VPS (it appears in both the FORWARD and the MASQUERADE rules).
Please also ensure that you have enabled IPv4 forwarding, e.g. in /etc/sysctl.d/99-sysctl.conf:

net.ipv4.ip_forward = 1

For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

Hope this post helps :)


Comments

  • Two days ago I successfully connected mouse VPS to my LA VPS, but speed performance is horrible.. less than 1 Mbps..

    I will try to configure & connect other server to find out the issue..


  • For the real cheap bastards who are on LXC/OpenVZ containers; Wireguard works based on a kernel module. In such cases, you'd probably have more luck trying a gre6 tunnel instead, same NAT/routing as mentioned above.

    Since we are only looking for outbound connectivity, it's really badass to simply forget about IPv4 and use NAT64. These amazing Dutch guys operate a public and free NAT64 service; https://www.tuxis.nl/blog/public-doh-dot-dns64-nat64-service-20191021/ - easy peasy to configure

  • wireguard has a userland implementation: wireguard-go, so those without access to kernel won't be totally lost


  • @Rick said:
    free NAT64 service; https://www.tuxis.nl/blog/public-doh-dot-dns64-nat64-service-20191021/ - easy peasy to configure

    Work great for me. Github doesn't use IPv6, FFS.

  • @hwt said:
    For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

    That's strange. I use IPv6 on all my endpoints and it works well without AAAA records. Did you add the IP in brackets like this:
    Endpoint = [2606:4700:30::681b:86c3]:22334 ?

  • @ume said:

    @hwt said:
    For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

    That's strange. I use IPv6 on all my endpoints and it works well without AAAA records. Did you add the IP in brackets like this:
    Endpoint = [2606:4700:30::681b:86c3]:22334 ?

    Hmm.. thanks! I didn't know you could use brackets for IPv6.
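The three things that bit this thread (a PostDown that does not mirror PostUp, a MASQUERADE rule naming a different interface, an IPv6 endpoint without brackets) plus the AllowedIPs requirement for a default route over the tunnel can all be caught before `wg-quick up` runs. The linter below is an added example, not part of the post or of WireGuard; the sample config, the 192.168.10.0/24 and 2001:db8:: addresses are constructed placeholders.

```python
# Constructed sample (not the post's file): the dual-homed side, with a PostDown that
# re-adds a rule, a teardown naming another interface, and an unbracketed IPv6 endpoint.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.10.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
[Peer]
AllowedIPs = 192.168.10.2/32
Endpoint = 2001:db8::2:51820
"""

def parse(text):
    """Minimal wg-quick INI parser: {'Interface': {key: [values]}, 'Peers': [{...}]}."""
    conf, cur = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick allows '#' comments
        if line == "[Interface]":
            cur = conf["Interface"]
        elif line == "[Peer]":
            conf["Peers"].append(cur := {})
        elif "=" in line:  # blank lines fall through
            key, _, val = line.partition("=")
            cur.setdefault(key.strip(), []).append(val.strip())
    return conf

def commands(values):
    """Split 'a; b; c' PostUp/PostDown values into individual commands."""
    return [c.strip() for v in values for c in v.split(";") if c.strip()]

def lint(text):
    """Return findings for the pitfalls this thread runs into."""
    conf, findings = parse(text), []
    up = commands(conf["Interface"].get("PostUp", []))
    down = commands(conf["Interface"].get("PostDown", []))
    # Every 'iptables ... -A ...' in PostUp needs the identical rule with -D in PostDown.
    for cmd in up:
        if cmd.startswith("iptables") and " -A " in cmd and cmd.replace(" -A ", " -D ", 1) not in down:
            findings.append("PostDown does not remove: " + cmd)
    # Cryptokey routing drops packets outside AllowedIPs, so a default route needs 0.0.0.0/0.
    allowed = [a.strip() for p in conf["Peers"] for v in p.get("AllowedIPs", []) for a in v.split(",")]
    if any("route add default" in c for c in up) and "0.0.0.0/0" not in allowed:
        findings.append("default route via tunnel but no peer has AllowedIPs 0.0.0.0/0")
    # An IPv6 literal in Endpoint must be bracketed, as the last comment points out.
    for ep in (e for p in conf["Peers"] for e in p.get("Endpoint", [])):
        host, _, port = ep.rpartition(":")
        if ":" in host and not host.startswith("["):
            findings.append(f"Endpoint IPv6 literal needs brackets: [{host}]:{port}")
    return findings
```

Run `lint(open("/etc/wireguard/wg0.conf").read())` on each side; an empty list means none of the four checks fired.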
