WireGuard Server with Home IPv6 Address in an OpenWrt + Starlink Environment


Hello, I'm Munou.

In the previous article I obtained a public IPv6 address for my home connection, so this time I will set up the following.

  • Server: OpenWrt + WireGuard Server

    • Interface: wg1 (10.2.0.0/24)

    • The exit IP is the home connection, with no bandwidth cap (unlike the transfer limits on a VPS).

  • Client: Smartphone, Laptop

The other goal this time is to enable communication from this WireGuard server to the wg0 interface (10.1.0.0/24) of the WireGuard server hosted on a ConoHa VPS.

With a permanent VPN on the wg1 interface, the internal network is always reachable without worrying about bandwidth. Being able to join this network segment at all is a possible weak point, but it is still better than exposing services on a public IP, and if someone can already join the wg0 interface it's game over anyway.

With this setup, I will be able to host an internal DNS server using Dnsmasq on the OpenWrt side and perform ad-blocking at all times.

WireGuard on OpenWrt

Install wireguard-tools.

~~~
root@OpenWrt:~# apk search wireguard
kmod-wireguard-6.12.74-r1
luci-proto-wireguard-26.120.35050~a611522
prometheus-node-exporter-ucode-wireguard-2024.02.07-r2
rpcd-mod-wireguard-2
wireguard-tools-1.0.20250521-r1
root@OpenWrt:~# apk add wireguard-tools-1.0.20250521-r1
~~~

Installing luci-proto-wireguard-26.120.35050~a611522 as well would, I think, make WireGuard configurable from the LuCI web UI, but I won't install it.

Configuration

/etc/config/network

Create the server-side interface as follows.

~~~
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'wg1 server private key'
        option listen_port '51820'
        list addresses '10.2.0.1/24'
        list addresses 'fd02::1/64'
        option mtu '1420'
~~~

Add the client-side peer entry to be allowed below. Ideally you should also set preshared_key (PresharedKey in the client's wg config) with a pre-shared key, but I'll skip that for now.

~~~
config wireguard_wg1
        option public_key 'wg1 client public key'
        list allowed_ips '10.2.0.2/32'
        list allowed_ips 'fd02::2/128'
        list allowed_ips 'client ipv6 addr ::2/128'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
~~~

Create wg1.conf on the client side, replacing the placeholders in angle brackets with the real values (the client's own private key goes under [Interface], the server's public key under [Peer]). All traffic will go through the OpenWrt router.

~~~
[Interface]
PrivateKey = <wg1 client private key>
Address = 10.2.0.2/24, fd02::2/64, <client ipv6 addr>::2/64
# 10.2.0.1 already answers DNS, since Dnsmasq is running on the OpenWrt side
DNS = 10.2.0.1

[Peer]
PublicKey = <wg1 server public key>
# an IPv6 endpoint must be written in square brackets, otherwise the last group is read as the port
Endpoint = [<wg1 server ipv6 addr>]:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
~~~
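As an added example (not code from the article), the following Python script generates a WireGuard key pair and renders the client wg1.conf described above with the keys length-checked and the IPv6 endpoint bracketed. The X25519 routine is a plain RFC 7748 Montgomery ladder written out for illustration (not constant-time, so use `wg genkey` / `wg pubkey` on a real box); the endpoint address 2001:db8::1 is a documentation placeholder standing in for the router's real IPv6 address.

```python
# Added example (not from the article): generate a WireGuard key pair and
# render the client wg1.conf. X25519 is a plain RFC 7748 Montgomery ladder
# written out for illustration; on a real host use `wg genkey` / `wg pubkey`.
import base64
import ipaddress
import os

P = 2**255 - 19                      # field prime of Curve25519
A24 = 121665                         # (A - 2) / 4 for A = 486662
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519(k, u). Python ints are not constant-time; illustration only."""
    k = int.from_bytes(scalar, "little")
    k &= ~7                  # clamp: clear the three low bits
    k &= (1 << 255) - 1      # clear bit 255
    k |= 1 << 254            # set bit 254
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """The WireGuard public key is X25519(private, 9)."""
    return x25519(private, BASEPOINT)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def generate_keypair():
    """Return (private, public) as the base64 strings wg expects."""
    priv = os.urandom(32)               # clamping happens inside x25519
    return b64(priv), b64(public_key(priv))


def decode_key(text: str) -> bytes:
    """A WireGuard key is exactly 32 bytes (44 base64 chars); anything else is a paste error."""
    raw = base64.b64decode(text.strip(), validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return raw


def format_endpoint(host: str, port: int) -> str:
    """Bracket IPv6 literals: without [], the last ':' group would be read as the port."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"{host}:{port}"          # a hostname, nothing to bracket
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def render_client_conf(client_private: str, server_public: str, endpoint_host: str,
                       addresses, dns="10.2.0.1", preshared=None, port=51820) -> str:
    """Render the client-side wg1.conf from the article with validated keys."""
    decode_key(client_private)
    decode_key(server_public)
    lines = ["[Interface]",
             f"PrivateKey = {client_private}",
             "Address = " + ", ".join(addresses),
             f"DNS = {dns}",
             "",
             "[Peer]",
             f"PublicKey = {server_public}"]
    if preshared is not None:
        decode_key(preshared)
        lines.append(f"PresharedKey = {preshared}")
    lines += [f"Endpoint = {format_endpoint(endpoint_host, port)}",
              "AllowedIPs = 0.0.0.0/0, ::/0",     # route everything through the router
              "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    client_priv, client_pub = generate_keypair()
    server_priv, server_pub = generate_keypair()
    # 2001:db8::1 is a documentation address standing in for the router's real IPv6.
    print(render_client_conf(client_priv, server_pub, "2001:db8::1",
                             ["10.2.0.2/24", "fd02::2/64"], preshared=b64(os.urandom(32))))
    print("# put this in the server's wireguard_wg1 public_key:", client_pub)
```

The `decode_key` check is the cheap guard against the classic mistake of pasting a truncated or wrong-length key, and `format_endpoint` is what makes an IPv6-only endpoint like the Starlink address parse correctly.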

As it is, it will be blocked by the firewall, so I will create a wg zone, open port 51820/udp on the wan side IPv6, allow LAN access as the home environment, and allow wg to go out through wan.

Basically, NAT is not required for IPv6, so I will explicitly turn it off.

/etc/config/firewall

~~~
config zone
        option name 'wg'
        list network 'wg1'
        list network 'wg0'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option masq6 '0'
config rule
        option name 'Allow-WireGuard-IPv6'
        option src 'wan'
        option family 'ipv6'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'
config forwarding
        option src 'wg'
        option dest 'lan'
config forwarding
        option src 'wg'
        option dest 'wan'
~~~
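To check that a firewall file actually matches the intent above (UDP 51820 accepted from wan for IPv6 only, wg1 in a zone without IPv6 masquerading, and wg forwarded to lan and wan), here is an added example, not from the article, of a small parser for OpenWrt's UCI file syntax with an audit function. The article's /etc/config/firewall is embedded as the sample input, and a constructed variant with the family line dropped shows the kind of finding the audit reports.

```python
# Added example (not from the article): a small parser for OpenWrt's UCI file
# syntax plus a check that the wg zone and rule match the intended policy.
import shlex

# The article's /etc/config/firewall, embedded as sample input.
FIREWALL_CONF = """\
config zone
    option name 'wg'
    list network 'wg1'
    list network 'wg0'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option masq6 '0'
config rule
    option name 'Allow-WireGuard-IPv6'
    option src 'wan'
    option family 'ipv6'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
config forwarding
    option src 'wg'
    option dest 'lan'
config forwarding
    option src 'wg'
    option dest 'wan'
"""

# Constructed variant: the same file without the family restriction, which
# silently opens the port on IPv4 as well.
FIREWALL_CONF_ANY_FAMILY = FIREWALL_CONF.replace("    option family 'ipv6'\n", "")


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options', 'lists'} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the single-quoted values
        kw = parts[0]
        if kw == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif kw == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kw == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
        else:
            raise ValueError(f"unexpected UCI line: {line!r}")
    return sections


def audit_wireguard_firewall(sections, wg_iface="wg1", port=51820):
    """Return a list of findings; an empty list means the file matches the intended policy."""
    findings = []
    rules = [s for s in sections
             if s["type"] == "rule" and s["options"].get("dest_port") == str(port)]
    if not rules:
        findings.append(f"no rule accepts udp/{port} on wan")
    for r in rules:
        o = r["options"]
        name = o.get("name", "unnamed rule")
        if o.get("src") != "wan" or o.get("target") != "ACCEPT":
            findings.append(f"{name}: expected src=wan target=ACCEPT")
        if o.get("proto") != "udp":          # OpenWrt's default for a rule is 'tcp udp'
            findings.append(f"{name}: WireGuard only needs udp, proto={o.get('proto', 'tcp udp')}")
        if o.get("family", "any") != "ipv6":
            findings.append(f"{name}: family={o.get('family', 'any')} also exposes the port on IPv4")
    zones = [s for s in sections
             if s["type"] == "zone" and wg_iface in s["lists"].get("network", [])]
    if not zones:
        findings.append(f"{wg_iface} is not assigned to any zone")
    forwards = {(s["options"].get("src"), s["options"].get("dest"))
                for s in sections if s["type"] == "forwarding"}
    for z in zones:
        zname = z["options"].get("name")
        if z["options"].get("masq6", "0") != "0":
            findings.append(f"zone {zname}: masq6 is on, IPv6 does not need NAT")
        for dest in ("lan", "wan"):
            if (zname, dest) not in forwards:
                findings.append(f"missing forwarding {zname} -> {dest}")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", FIREWALL_CONF), ("no family", FIREWALL_CONF_ANY_FAMILY)):
        print(label, audit_wireguard_firewall(parse_uci(conf)) or "OK")
```

Running it prints "OK" for the article's file and a single finding for the variant; the same parser can be pointed at a real /etc/config/firewall to catch a rule that drifted to both address families.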

In this state, communication with wg0 is not possible, so add the following settings.

The corresponding peer entry on the wg0 server side is assumed to be added as well (omitted here).

/etc/config/network

~~~
config route
        option interface 'wg0'
        option target '10.1.0.0/24'
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'wg0 client private key'
        list addresses '10.1.0.99/24'
config wireguard_wg0
        option public_key 'wg0 server public key'
        option endpoint_host 'wg0 server addr'
        option endpoint_port '51820'
        list allowed_ips '10.1.0.0/24'
        list allowed_ips '10.2.0.0/24'
        option persistent_keepalive '25'
~~~

That completes the WireGuard configuration; dnsmasq is covered below.

In my environment it was included from the start, so I just need to enable and start it.

~~~
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq start
~~~

Then add a blocklist such as /etc/dnsmasq.d/adblock.conf and restart dnsmasq.

~~~
/etc/init.d/dnsmasq restart
~~~

Once you've reached this point, all that's left is to reload.

~~~
/etc/init.d/network restart
/etc/init.d/firewall restart
~~~

This completes a dual-stack setup that works over both IPv4 (even with a CGNAT address) and IPv6.

Speed test from the OpenWrt environment

The following is a wired environment without a WireGuard connection.

~~~
$ speedtest-go -s 48463
    speedtest-go v1.7.10 (git-dev) @showwin
✓ ISP: 206.83.125.125 (Starlink) [35.6893, 139.6899]
✓ Found 1 Specified Public Server(s)
✓ Test Server: [48463] 5.80km Tokyo by IPA CyberLab 400G
✓ Latency: 41.037747ms Jitter: 8.459256ms Min: 24.163074ms Max: 57.008632ms
✓ Packet Loss Analyzer: Running in background (<= 30 Secs)
✓ Download: 173.63 Mbps (Used: 211.22MB) (Latency: 35ms Jitter: 6ms Min: 25ms Max: 41ms)
✓ Upload: 45.99 Mbps (Used: 81.23MB) (Latency: 35ms Jitter: 29ms Min: 23ms Max: 136ms)
✓ Packet Loss: N/A
~~~

The following is from the wg1 VPN environment on a 5GHz Wi-Fi connection.

~~~
$ speedtest-go -s 48463
    speedtest-go v1.7.10 (git-dev) @showwin
✓ ISP: 206.83.125.125 (Starlink) [35.6893, 139.6899]
✓ Found 1 Specified Public Server(s)
✓ Test Server: [48463] 5.80km Tokyo by IPA CyberLab 400G
✓ Latency: 28.199611ms Jitter: 1.516613ms Min: 26.461289ms Max: 31.90411ms
✓ Packet Loss Analyzer: Running in background (<= 30 Secs)
✓ Download: 79.63 Mbps (Used: 114.99MB) (Latency: 98ms Jitter: 39ms Min: 27ms Max: 151ms)
✓ Upload: 65.86 Mbps (Used: 96.92MB) (Latency: 62ms Jitter: 73ms Min: 26ms Max: 285ms)
✓ Packet Loss: N/A
~~~

Now you can access this wg1 VPN environment from your smartphone even when you're away.
