Hacker News: syedamer's comments

Location: Germany (NRW)

Remote: Yes

Willing to relocate: No

Technologies: Embedded, C++ 11/14/17, QT, Yocto, Linux, Python, Networks, IPv6, willing to learn new stuff

Résumé/CV: https://www.linkedin.com/in/syedamergilani

Email: syed.amer at gilani.eu


On Android the problem is the same. The client only resolves the IP once. When the server gets a new IP, no connections can be made, although the client seems to be still connected.


Beware: all examples in this don't cover IPv6. Should you have an IPv6 address, you are not using the VPN for most of your connections.

Sadly most WireGuard howtos don't cover IPv6.


If you give me some sample config I can add it to my howto here: https://www.stavros.io/posts/how-to-configure-wireguard/


I based my configuration on yours. You just need to add another 'Address = <IPv6>' (client and server), and add ip6tables.

The address is going to be static: I'm not aware of a way to simulate privacy extensions with Wireguard. A workaround is to assign ULAs and apply NAT.


I see, thank you. Unfortunately I don't have IPv6 on my network and don't know the IPv6 local addresses and ip6tables config; if you could give me the actual config you used I'd appreciate it, especially if it works with both IPv4 and IPv6 together.


Sure

------------------

[Interface]
Address = 172.16.31.1/24
Address = 2001:__::1/64
PrivateKey = __
ListenPort = 443

[Peer]
PublicKey = __
PresharedKey = __
AllowedIPs = 172.16.31.2/32, 2001:__::2/128

[Peer]
PublicKey = __
PresharedKey = __
AllowedIPs = 172.16.31.3/32, 2001:__::3/128

[...]

------------------

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT

------------------

[Interface]
Address = 172.16.31.2/24
Address = 2001:__::2/64
PrivateKey = __
DNS = 172.16.31.1, 2001:__::1

[Peer]
PublicKey = __
PresharedKey = __
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server_ip>:443
PersistentKeepalive = 25

------------------
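As an added example (not part of the thread or of any WireGuard project code), the script below parses wg-quick style configs like the one above and reports where IPv6 coverage is missing: an [Interface] without an IPv6 Address, a full-tunnel [Peer] that routes 0.0.0.0/0 but not ::/0, and PostUp/PostDown hooks whose iptables FORWARD rules have no ip6tables counterpart. That is exactly the gap an IPv4-only howto leaves, where IPv6 traffic quietly bypasses the tunnel. The sample configs are constructed for the example: 2001:db8::/64 is the documentation prefix standing in for the real one, and the key fields are placeholders rather than key material.

```python
"""Added example: check a wg-quick config for IPv4/IPv6 parity."""
import ipaddress


def parse_wg(text):
    """Parse wg-quick INI text into a list of (section, [(key, value), ...]).

    WireGuard configs repeat keys (several Address lines) and repeat whole
    [Peer] sections, so a list of pairs is kept rather than a dict."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
            continue
        key, sep, value = line.partition("=")  # base64 keys may end in '='
        if not sections or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[-1][1].append((key.strip(), value.strip()))
    return sections


def _vals(pairs, key):
    return [v for k, v in pairs if k == key]


def _networks(values):
    """Expand comma-separated CIDR lists into ip_network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in values for item in value.split(",") if item.strip()]


def check_ipv6_parity(text):
    """Return a list of findings; an empty list means v4 and v6 are covered alike."""
    findings = []
    for name, pairs in parse_wg(text):
        if name == "Interface":
            if not any(n.version == 6 for n in _networks(_vals(pairs, "Address"))):
                findings.append("Interface has no IPv6 Address")
            # Every iptables FORWARD rule in a hook needs an ip6tables twin. The
            # v4 MASQUERADE rule is deliberately not counted: the server config
            # in the thread routes a native IPv6 prefix without NAT.
            for hook in ("PostUp", "PostDown"):
                cmds = [c.strip() for v in _vals(pairs, hook) for c in v.split(";")]
                v4 = [c for c in cmds if c.startswith("iptables ") and " FORWARD " in c]
                v6 = [c for c in cmds if c.startswith("ip6tables ") and " FORWARD " in c]
                if len(v6) < len(v4):
                    findings.append(f"{hook}: {len(v4)} iptables FORWARD rules "
                                    f"but only {len(v6)} ip6tables rules")
        elif name == "Peer":
            allowed = _networks(_vals(pairs, "AllowedIPs"))
            v4_all = ipaddress.ip_network("0.0.0.0/0") in allowed
            v6_all = ipaddress.ip_network("::/0") in allowed
            if v4_all and not v6_all:
                findings.append("Peer routes 0.0.0.0/0 but not ::/0: "
                                "IPv6 traffic bypasses the tunnel")
    return findings


# Constructed samples (hypothetical): the typical IPv4-only client config from
# a howto, and a dual-stack server config modelled on the one in the thread.
CLIENT_V4_ONLY = """
[Interface]
Address = 172.16.31.2/24
PrivateKey = <client_private_key>
DNS = 172.16.31.1

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server_ip>:443
PersistentKeepalive = 25
"""

SERVER_DUAL_STACK = """
[Interface]
Address = 172.16.31.1/24
Address = 2001:db8::1/64
PrivateKey = <server_private_key>
ListenPort = 443
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <client_public_key>
PresharedKey = <preshared_key>
AllowedIPs = 172.16.31.2/32, 2001:db8::2/128
"""

if __name__ == "__main__":
    for label, cfg in (("client v4-only", CLIENT_V4_ONLY), ("server", SERVER_DUAL_STACK)):
        print(label, "->", check_ipv6_parity(cfg) or "ok")
```

The Peer check is the one that matters on a client: AllowedIPs is what wg-quick turns into routes, so a config with only 0.0.0.0/0 leaves the host's native IPv6 default route untouched and every AAAA-resolved destination goes out in the clear. The hook check catches the server-side half of the same mistake, where forwarding is opened for v4 only and v6 connections through the tunnel simply fail.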


This is extremely helpful, thanks!


What bothers me in the article, the official documentation and almost all guides for WireGuard is that they ignore IPv6 completely. They either result in a leaking VPN or a badly working one where all IPv6 connections fail.


Doesn't it just tunnel everything on one interface? In my tests, using a minimal config, IPv6 is tunneled just fine without extra consideration.

The only thing I have added is a kill switch that blocks internet access if the WG interface goes down.

