Trying to create a Wireguard Server on the Flint/ Help Port Forwarding

I read somewhere that “IPv6 is not fully supported on the flint and may result in leakage on ipv6 connections. I would recommend you just not use it.”

Hopefully, I can still use it safely…

Hey, I actually found out I can do the following: "1. Set up a public IPv4 subnet in the FRITZ!Box"

Does this work?

It was actually already set up and looks the following:

Edit: I think you are right, it says "Internet, IPv4: FRITZ!Box uses a DS-Lite tunnel".

What you’re looking at here is your internal IPv4 network, not an internet facing one. If your ISP allows you to get an external IPv4 address that would be what you’re looking for. The help page you posted would require your ISP to hand out those addresses.

IPv6 will make things more complicated in several ways:

  1. If you’re planning on using it to connect back to your house while traveling you’ll need to have IPv6 at your remote site (generally not true in hotels). You can sort of get around this, probably, by building an IPv4->IPv6 tunnel (Hurricane Electric, maybe?), but goodness that’s a pain.
  2. IPv6 just makes it easier to make mistakes and/or leak traffic over the IPv4 tunnel. It’s not that you can’t do it safely (if obfuscation of your traffic is the goal), but you just have to be a lot more careful.

Can you contact your ISP and see if there’s any way you are able to get an external IPv4 address (can be static or dynamic).

Keeping everyone up to date, I’m going to try to help @pedritocs97 with a Tailscale solution, which I think may handle all of the IPv6 weirdness for us. Hopefully.

I am sure it will work, but let's make things more complicated with another service running.

K.I.S.S.

1 Like

You can use www.astrorelay.com to relay the wireguard server.

1 Like

Hey, I’m totally open to any suggestions you have for doing a pure Wireguard implementation where you’ve only got IPv6 running on the server (and where you may not have IPv6 running at all on the client side), since that’s something I’ve never attempted.

Tailscale seems like it will handle that with some penalty in performance (and, admittedly, without the main GL.iNet interface, which I generally don’t prefer anyway). In other words, it looks like it will potentially handle the tricky parts of this setup in its overlay and probably give you a direct connection (rather than relay) most of the time. May not work, but worth a try, I think.

(disclosure: I’m running TS as my main VPN solution on my AXT1800 right now, and at least for my purposes I’ve found it excellent. But I have a rather more complicated setup and need to access 6-10 data centers, which that allows me to do quite easily).

1 Like

wgserver configuration, adding the IPv4 rules:

PostUp = iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE;
PostDown = iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE;

In the IPv6 rules, add a rule to forward traffic to the internet interface:

PostUp = ip6tables -A FORWARD -i ens5 -o wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT;
PostDown = ip6tables -D FORWARD -i ens5 -o wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT;

Should look like this:

[Interface]
Address = 10.66.66.1/24, fd42:42:42::1/64
ListenPort = 60002
PrivateKey =
PostUp = iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i ens5 -o wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i ens5 -o wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT;

Client 1

[Peer]
PublicKey =
#PresharedKey =
AllowedIPs = 10.66.66.2, 2a05:d014:926:ffaa:87dd:ffff::2/128

but that is just making ipv6 preferred over ipv4.

1 Like

Right, but it’s not a matter of just adding firewall rules, it’s a matter of making the peer connection, right? If your server is v6 only (as a public), then your v4 only client can’t connect to it directly because, well, it can’t resolve the v6 public address.

The v6 server is (presumably) using some sort of tunnel to actually access v4 traffic, so it’s going to be able to reach an external v4 address. Which would be great, except that you don’t know what the public IP of your hotel is going to be before you get there.

To put the problem succinctly, if I’m at a hotel and I only have IPv4 access, and my home router only has an external IP address of a21b:b6f0:e9ec:9d11:5c48:7c4c:1054:2e32, how do I build a wireguard client config to connect back to that server?

All of the overlay networks (Nebula, Zerotier, Tailscale) kind of inadvertently solve that problem, though in different ways.

1 Like
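The two failure modes discussed in this thread, an IPv6-literal endpoint that an IPv4-only client cannot reach and an AllowedIPs list that tunnels IPv4 but lets IPv6 leak, can be caught before connecting by checking the client config. The following is an added example, not code from the thread or from GL.iNet; the sample config, its placeholder keys and the documentation address 2001:db8::1 are constructed.

```python
import ipaddress

# Constructed sample client config (not from the thread); 2001:db8::/32 is a
# documentation prefix and the keys are placeholders.
SAMPLE_CLIENT_CONF = """
[Interface]
Address = 10.66.66.2/32, fd42:42:42::2/128
PrivateKey = <client-private-key>
[Peer]
PublicKey = <server-public-key>
Endpoint = [2001:db8::1]:60002
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Minimal INI-style parser: section name -> {key: value} (repeated sections merge)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip():
            current[key.strip()] = value.strip()
    return sections

def check_client(conf, client_has_ipv6):
    """Flag an endpoint the client cannot reach and AllowedIPs that let IPv6 bypass the tunnel."""
    findings = []
    peer = parse_wg_conf(conf).get("Peer", {})
    # Endpoint is host:port or [v6-literal]:port; keep only the host part.
    host = peer.get("Endpoint", "").rpartition(":")[0].strip("[]")
    try:
        ep = ipaddress.ip_address(host)
    except ValueError:
        ep = None  # a hostname: what it resolves to at connect time decides reachability
    if ep is not None and ep.version == 6 and not client_has_ipv6:
        findings.append("endpoint is an IPv6 literal but the client network is IPv4-only")
    nets = [ipaddress.ip_network(x.strip(), strict=False)
            for x in peer.get("AllowedIPs", "").split(",") if x.strip()]
    v4_all = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_all = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if v4_all and not v6_all:
        findings.append("AllowedIPs covers all IPv4 but no IPv6: IPv6 traffic bypasses the tunnel")
    return findings
```

Adding `::/0` to AllowedIPs closes the leak; the reachability finding is exactly the hotel scenario above and is not fixable in the client config alone, which is why the overlay networks come up.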

A big shout out to @jdub who was able to fix my problem completely with IPv6 on the server side and IPv4/IPv6 on the client side, no need to port forward. WG running perfectly, exactly as needed. You rock!!!

2 Likes