WireGuard VPN fails on boot when connecting to an IPv6 server

  • My home internet connection has a dynamic IPv4 address, but it has an IPv6 range assigned to it, meaning that I can assign a static public IPv6 address to my VPN server.

    I've successfully configured the WireGuard VPN client in LibreELEC, using the current dynamic IPv4 address of my VPN server, as per this documentation. This works fine, even after reboots.

    I would like to move to connecting to the VPN server using its static IPv6 address. I don’t want to use dynamic DNS and I can’t obtain a static IPv4 address for my internet connection.

    I’ve updated the WireGuard config to use the IPv6 address, updated the systemd service config file with the new connection name (which changes because the `Host` of the VPN config has changed) and then rebooted, but I am unable to access any resources over the tunnel as the VPN connection has not been established. Note: At this point, I’ve confirmed that systemd launched the `connmanctl connect vpn_…` command and didn’t error.

    If I disconnect, then connect, it kind of works, but doesn’t (I've obfuscated my IPv6 address):

    If I disable the systemd service and manually connect the VPN after boot, it connects, but it's really flaky:

    I have other devices (laptops and phone) that connect to the VPN server over IPv6 without any issues.

    Does anyone have any ideas what I can do to make the LibreELEC WireGuard VPN client work with accessing the VPN server over IPv6?

  • (1) I don't understand the weird things you're doing. To use a WireGuard IPv4 client I don't need any command. To activate the connection I go to Kodi System-LibreELEC-Connections-WireGuard_VPN; this connection can be configured in manual mode or automatic mode and then it establishes itself after each reboot.

    (2) I would like to have a dynamic IPv4 address because I think it gives more security, less vulnerability, and fewer problems. Using a DDNS is no problem; for many years I used duckdns and a little command in /storage/.config/autostart.sh to update the DDNS LE/CE IP address.

    (3) If IPv6 does not work for you, it is most likely a problem with your internet provider. To check this, go to Test your IPv6 with any device connected to the router or to the home WiFi.

    Edited 3 times, last by elonesna (January 20, 2021 at 1:23 PM).

    1. I'm not doing anything weird :) I'm using the client, as per the wiki WireGuard - LibreELEC.wiki.
    2. That's fine if you want to use IPv4; that's your opinion. DDNS is not something that I want to use and IPv6 is more convenient for me and that's my opinion. :)
    3. IPv6 does work for me. As I've said in my original post: I've got several clients working fine with WireGuard over IPv6 and I have no issues whatsoever with them. I therefore disagree that this is an ISP problem. Nonetheless, I've run the test that you linked to and I got 9/10 -- the only thing that failed is that my ISP doesn't use IPv6 for DNS. Seeing as I'm not using hostnames in any of the testing above, this isn't the issue.
  • (1) The WireGuard enablement method I have suggested may not be on the LE wiki but it is easier and does not require any special knowledge on the part of a user. If it is not included in the wiki it should be. Sorry if I use unusual expressions, it is the fault of my Google translator.

    (2) Not even the big companies use static IPs but ddns domains that point to several and different IPs. The reason is simple, protection against failures, intrusions and attacks. If you use a single IP and it is always the same, I hope you do not suffer attacks or enter any blacklist.

    (3) According to what you say WireGuard works fine in IPv6, I cannot check IPv6. There's nothing more to say.

    Edited once, last by elonesna (January 21, 2021 at 1:44 PM).

  • IPv6 support in ConnMan is currently quite broken. It works enough to get a connection for a normal network, but WireGuard will not work over IPv6. It has been reported to the ConnMan developers but fixing it requires quite an effort so I am not expecting it to be fixed anytime soon.