Wireguard client (minimally Android & iOS) - IPv6 traffic not passing through tunnel

noted and modified…
Yes, but I'm not the one who is so entitled (how dare they ignore the great jookraw).
When you get off the pedestal, then perhaps one will get a modicum of respect.

I also see this issue after upgrading from rc4 to rc5. I have one wg interface on my rb5009 with two Linux systems as peers. Sniffing on both peers and pinging both from the router I see echo-requests for both peers arriving on the peer that established its wireguard tunnel last.

This has been driving me mad trying to get wireguard to work with IPv6. I could get it to work with one peer but as soon as I added a second peer IPv6 stopped working.

I can see that the release notes for 7.2rc1 say "wireguard - fixed IPv6 LL address generation", so does this not fix the problem then, as I see people saying it still doesn't work in the rc?

Nope, LL addresses were another issue.

I opened a new ticket yesterday, this time with 7.2rc1 in the title. Mikrotik replied in less than 12h, thanking me for the report and saying that it will be solved in coming versions, so there is a light at the end of the tunnel, just idk how long that tunnel is…

Yesterday I got basically the same reply to my ongoing ticket. So they are working on it :slight_smile:

Thanks to the folks in this thread for their research. Finding this thread saved me from a massive headache. Opened a case as well. Hope a fix is released soon.

I have the same issue (only one IPv6 wireguard peer active at the same time) and am glad to see that this will be solved in an upcoming release.

Issue persists on 7.2rc2

S being the operative letter!

I am so glad I found this thread!
I’ve been going round in circles for hours trying to figure out what I’ve done wrong - and eventually came to the conclusion that only one IPv6 peer could work at any one time, but still figured it was my issue.
Found this thread and am incredibly relieved at least to know I'm in good company. Let's hope MT manages a fix soon…

7.1.3 seems to fix this for me, hope everyone else is having the same luck.

*) wireguard - fixed IPv6 traffic processing with multiple peers;

7.1.3 indeed fixes this issue for me :slight_smile:

7.1.3 is also working for me.

Thank you to all forum members who tested and helped get this bug fixed :slight_smile:

I just upgraded to 7.1.3 but the issue is still there for me. I have four peers over two WireGuard tunnels. First one that I enable has IPv6 working fine, then I enable a second one and it stops working. What did you do to test that the setup was now working with the new release?

I still have the same issue. Only the client that was enabled last works.

Clients also connect over IPv6 to the Wireguard server.
As shown I also tried different settings for “allowed addresses”

Configuration:

# feb/22/2022 20:45:44 by RouterOS 7.1.3
# software id = W604-HIX1
#
# model = RB4011iGS+
# serial number = 
/interface wireguard add listen-port=51820 mtu=1420 name=wg-test private-key="..."

/interface wireguard peers
add allowed-address=172.27.11.2/32,fd00:11::2/128 comment="Client A" interface=wg-test public-key="..."
add allowed-address=0.0.0.0/0,::/0 comment="Client B" interface=wg-test public-key="..."
add allowed-address=172.27.11.4/32,fd00:11::4/128 comment="Client C" interface=wg-test public-key="..."
add allowed-address=0.0.0.0/0,::/0 comment="Client D" interface=wg-test public-key="..."
add allowed-address=0.0.0.0/0,::/0 comment="Client E" interface=wg-test public-key="..."

/ip address add address=172.27.11.1/24 interface=wg-test network=172.27.11.0
/ipv6 address add address=fd00:11::1 advertise=no interface=wg-test 
/ipv6 firewall nat add action=masquerade chain=srcnat out-interface=!wg-test src-address=fd00:11::/64
/ipv6 firewall filter add action=accept chain=input dst-port=51820 protocol=udp

You cannot set allowed-address=0.0.0.0/0,::/0 on the peer that acts as the server. The symptoms are the same, but this is a configuration issue. Only define the addresses and networks that are accessible on or behind the peer…

Hold on, let's be accurate.
You cannot have duplication of peer IP addresses, within the allowed IPs, for a single WG interface.

Fruel, how will the router know which peer address to pick for 0.0.0.0/0?
I will tell you: it will pick the first one on the list and the other peers will never be chosen.

What a mess of a config.
“Check yer peers”. I’ll add this to my sig.
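The point made in the last two posts (one allowed-address prefix can belong to only one peer on a WireGuard interface, so three peers all claiming 0.0.0.0/0 and ::/0 cannot all be reachable) is easy to check mechanically before opening a ticket. The script below is an added example, not code from the thread or from MikroTik: it parses `/interface wireguard peers` export lines of the form posted above (the sample is constructed to mirror that config, with keys elided the same way), groups the allowed-address entries per interface and reports every prefix claimed by more than one peer. Which peer ends up owning a duplicated prefix is implementation-specific, so the check treats any duplicate as a misconfiguration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in RouterOS export syntax, modelled on the configuration
# posted in the thread (public keys elided there as well).
SAMPLE_PEERS = """\
/interface wireguard peers
add allowed-address=172.27.11.2/32,fd00:11::2/128 comment="Client A" interface=wg-test public-key="..."
add allowed-address=0.0.0.0/0,::/0 comment="Client B" interface=wg-test public-key="..."
add allowed-address=172.27.11.4/32,fd00:11::4/128 comment="Client C" interface=wg-test public-key="..."
add allowed-address=0.0.0.0/0,::/0 comment="Client D" interface=wg-test public-key="..."
"""

# Constructed corrected variant: every peer owns only its own /32 and /128.
FIXED_PEERS = """\
/interface wireguard peers
add allowed-address=172.27.11.2/32,fd00:11::2/128 comment="Client A" interface=wg-test public-key="..."
add allowed-address=172.27.11.3/32,fd00:11::3/128 comment="Client B" interface=wg-test public-key="..."
add allowed-address=172.27.11.4/32,fd00:11::4/128 comment="Client C" interface=wg-test public-key="..."
add allowed-address=172.27.11.5/32,fd00:11::5/128 comment="Client D" interface=wg-test public-key="..."
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\S+?)=("([^"]*)"|\S+)')


def parse_peers(export_text):
    """Return one dict of key/value pairs per 'add ...' line in a RouterOS export."""
    peers = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = {}
        for m in _KV.finditer(line[4:]):
            # group(3) is the unquoted content of a quoted value, group(2) a bare value
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        peers.append(fields)
    return peers


def find_allowed_address_conflicts(peers):
    """List (interface, prefix, [peer labels]) for every prefix claimed by 2+ peers."""
    claims = defaultdict(lambda: defaultdict(list))  # iface -> network -> labels
    for p in peers:
        iface = p.get("interface", "?")
        label = p.get("comment") or p.get("public-key", "?")
        for cidr in p.get("allowed-address", "").split(","):
            if not cidr:
                continue
            # strict=False tolerates host bits set in a prefix, as RouterOS does
            net = ipaddress.ip_network(cidr, strict=False)
            claims[iface][net].append(label)
    conflicts = []
    for iface, nets in claims.items():
        for net, labels in nets.items():
            if len(labels) > 1:
                conflicts.append((iface, str(net), labels))
    return sorted(conflicts)


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_PEERS), ("corrected config", FIXED_PEERS)):
        found = find_allowed_address_conflicts(parse_peers(text))
        print(f"{name}: {len(found)} duplicated prefix(es)")
        for iface, net, labels in found:
            print(f"  {iface}: {net} claimed by {', '.join(labels)}")
```

Only identical prefixes are reported. A more specific prefix nested inside a wider one (a client's /32 under a single server-side 0.0.0.0/0) is not a conflict, because cryptokey routing selects the longest match; the problem in the posted config is that the same catch-all prefix is listed on three different peers.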

Ah of course, makes much more sense that way. Will change that, thanks!
(I had the proper addresses in there at some point before this IPv6 bug was introduced…)

Just because of the addresses or is there something else?