Wireguard IPv4 to IPv6 tunnel
On your IPv6-only VPS, e.g. Mouse Server from Servarica:
root@ipv6_server:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.2
ListenPort = 51820
PrivateKey = <ipv6_server privkey>
PostUp = ip route add default dev %i
[Peer]
PublicKey = <dual_home public key>
AllowedIPs = 0.0.0.0/0  # all IPv4 destinations go to this peer; with a /32 here WireGuard's cryptokey routing would drop every packet not addressed to 192.168.xx.1
Endpoint = <dns AAAA record of dual home server>:<dual_home listenport>
On your dual-homed VPS, e.g. one of the lowendspirit boxes:
root@dual_home:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.1/24
ListenPort = <dual_home listenport>
PrivateKey = <dual_home privkey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
[Peer]
PublicKey = <ipv6_server public key>
AllowedIPs = 192.168.xx.2/32
Endpoint = [<ipv6 of ipv6_server>]:51820
Please change venet0 to eth0, ensX or whatever the internet-facing interface of your VPS is called.
Please also ensure that you have enabled IPv4 forwarding, e.g. in /etc/sysctl.d/99-sysctl.conf:
net.ipv4.ip_forward = 1
For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.
Hope this post helps
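As an added check (not part of the original post), this Python script parses a wg-quick config and flags the slips that come up in this post and its comments: an unbracketed IPv6 Endpoint, PostUp/PostDown iptables rules that do not mirror each other or mix uplink interface names, and a default route through the tunnel without a peer AllowedIPs of 0.0.0.0/0. The sample config and its addresses are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample of the dual-homed side (made-up values, keys omitted); it deliberately carries the slips the post and its comments run into.
DUAL_HOME_CONF = """[Interface]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
[Peer]
AllowedIPs = 192.168.77.2/32
Endpoint = 2001:db8::2:51820
"""

def parse_conf(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = {"_name": line.strip("[]")}
            sections.append(current)
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(val)  # repeated keys (e.g. PostUp) are kept in order
    iface = next((s for s in sections if s["_name"] == "Interface"), {})
    return iface, [s for s in sections if s["_name"] == "Peer"]

def lint(text):
    """Return findings for the pitfalls discussed in the post; an empty list means clean."""
    iface, peers = parse_conf(text)
    findings = []
    # An IPv6 endpoint literal must be written [addr]:port (the fix from the comments).
    for ep in (e for p in peers for e in p.get("Endpoint", [])):
        host, port = ep.rsplit(":", 1)
        if host.count(":") >= 2 and not host.startswith("["):
            findings.append(f"endpoint needs brackets: [{host}]:{port}")
    # Each -A in PostUp needs the same rule with -D in PostDown; PostDown must not append; uplink names (-i/-o other than %i) must agree.
    up = [c.strip() for v in iface.get("PostUp", []) for c in v.split(";")]
    down = [c.strip() for v in iface.get("PostDown", []) for c in v.split(";")]
    undone = {c.replace(" -D ", " -A ", 1) for c in down}
    findings += [f"no PostDown delete for: {c}" for c in up if " -A " in c and c not in undone]
    findings += [f"PostDown appends instead of deleting: {c}" for c in down if " -A " in c]
    names = set(re.findall(r"\s-[io]\s+(\S+)", " " + " ".join(up + down))) - {"%i"}
    if len(names) > 1:
        findings.append(f"mixed uplink interfaces: {sorted(names)}")
    # A default route over the tunnel only carries traffic if a peer's AllowedIPs covers 0.0.0.0/0; otherwise cryptokey routing drops the packets.
    covers_all = any(ipaddress.ip_network(a.strip(), strict=False) == ipaddress.ip_network("0.0.0.0/0")
                     for p in peers for v in p.get("AllowedIPs", []) for a in v.split(","))
    if any("route add default" in c for c in up) and not covers_all:
        findings.append("default route via the tunnel but no peer AllowedIPs covers 0.0.0.0/0")
    return findings
```

Running lint(DUAL_HOME_CONF) reports four findings; feed it your own wg0.conf text to check both sides of the tunnel.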
Comments
Two days ago I successfully connected mouse VPS to my LA VPS, but speed performance is horrible.. less than 1 Mbps..
I will try to configure & connect other server to find out the issue..
For the real cheap bastards who are on LXC/OpenVZ containers: Wireguard works based on a kernel module. In such cases, you'd probably have more luck trying a gre6 tunnel instead, same NAT/routing as mentioned above.
Since we are only looking for outbound connectivity, it's really badass to simply forget about IPv4 and use NAT64. These amazing Dutch guys operate a public and free NAT64 service: https://www.tuxis.nl/blog/public-doh-dot-dns64-nat64-service-20191021/ - easy peasy to configure
WireGuard has a userland implementation, wireguard-go, so those without access to the kernel won't be totally lost.
Work great for me. Github doesn't use IPv6, FFS.
That's strange. I use IPv6 on all my endpoints and it works well without AAAA records. Did you add the IP in brackets like this:
Endpoint = [2606:4700:30::681b:86c3]:22334 ?
Hmm.. thanks! I didn't know you could use brackets for IPv6.