Wireguard server with IPv6 - VPN at home

Hey everyone!

I’m interested in setting up a VPN at home using Wireguard. I want to deploy a NAS at home, but first I wanted to find out how I can reach it from outside the house & how I can share it with family. I’m very much new to the world of networking, but researching the topic has proved interesting so far.

Current setup

I have the bare minimum ISP provided networking setup at home which I’m very much willing to expand: coax cable → ISP provided modem&router&wireless access point (model: Compat CH7465vf) → ethernet & wifi for devices.

Client side

I can install Wireguard on my devices, which seems pretty straightforward. However, for the not so tech-savvy family members I have a different idea: deploy a small VPN-capable router like the GL.iNet GL-MT3000. I’m open to alternatives! I have to set that up only once, then every one of their devices connected there will have VPN access. In addition, they live in a different country and I would prefer it if they did not leak their location info everywhere; I trust my ISP / country a bit more.

VPN server hosting

When I check the admin panel of the CH7465vf, I see that I don’t have a public IPv4 address, but I have an IPv6 DS-Lite address. My IPv6 address is not static either; the prefix can change, which I assume from the IPv6 lease expiry field in the admin panel.

I have found tutorials on how to set up a VPN server at home when you have to deal with changing IPv4 addresses (dynamic DNS service + port forwarding). However, I couldn’t really find tutorials on how to do this with IPv6 routers. If you know some, please send the links!

As an alternative I can ask my ISP to set the CH7465vf to bridge mode so I can use my own router, but in that case I’ll fall back to IPv4 according to the forums I’ve read.

VPN server hosting hardware

I have a Raspberry Pi around which can be repurposed for this. Probably the most efficient way to do this would be to simply run the VPN server on my upcoming NAS hardware. Or, if I go with the bridge mode route and need a router anyway, I can use one with VPN server hosting functionality. However, I’m open to alternatives!

Summarized questions

I’m new to the topic, so I welcome any suggestions or ideas which I might not know about at all!

  1. Should I go with bridge mode and IPv4?
    1.1 If yes, which router do you recommend (up to 1 Gbps, currently 500 Mbps)? I’ve read about pfSense boxes, but they look a bit overkill for my use-case / I’m wary of it because I don’t know it well enough.
    1.2 If not, can you link me some tutorials on how to host a VPN server with non-static IPv6 addresses?
  2. Any device recommendation for a client-side router? Any alternatives for how to handle the family situation?

Thank you in advance!

1 Like

I would rather stick to IPv6 so I’m thinking about setting Wireguard to listen for incoming IPv6 connections. I think the family router also has similar IPv6 and DS-Lite setup (is this what you can call CGNAT?) so they can use IPv6.

To overcome the changing prefix of my IPv6 I can use a DDNS provider (any recommendations?). I don’t think that my router supports DDNS so I’ll update my provider with the current IPv6 address using a simple cron job running on the VPN server host.

  • Do you think this would work?
  • What happens when a client (e.g. a PC from the family network connected to the VPN-capable router) wants to reach an IPv4-only site? Can I set up Wireguard so it handles that as well and uses the DS-Lite provided IPv4 address to reach that site?

I hope I’m on the right track, let me know if I have the wrong idea about something.

P.S. I have a /64 IPv6 subnet.

1 Like
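The cron-job idea from the post above, worked out as an added example (this is not code from the thread or from any project it mentions): pick the host's stable global IPv6 address out of `ip -6 addr` output and push it to a DDNS provider only when it has changed. The selection logic matters because a dual-stack host typically also carries a privacy (temporary) address that rotates daily, a link-local address and possibly a unique-local one, none of which should be published. `DDNS_URL`, `DDNS_HOST`, `DDNS_TOKEN` and the shape of the update request (HTTPS GET with a bearer token) are assumptions to adapt to the chosen provider; the `ip` output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: DDNS updater for a VPN host whose
# global IPv6 prefix changes. Selects a stable global address from `ip -6 addr`
# output, skips privacy (temporary), deprecated/tentative, link-local and
# unique-local (fc00::/7) addresses, and only contacts the provider on change.
# DDNS_URL / DDNS_HOST / DDNS_TOKEN and the request format are assumptions.

IFACE="${IFACE:-eth0}"
STATE_FILE="${STATE_FILE:-/var/tmp/ddns-last-ipv6}"
DDNS_URL="${DDNS_URL:-https://ddns.example.net/update}"   # placeholder
DDNS_HOST="${DDNS_HOST:-vpn.example.net}"                  # placeholder
DDNS_TOKEN="${DDNS_TOKEN:-TOKEN_PLACEHOLDER}"              # placeholder
DRY_RUN="${DRY_RUN:-}"    # non-empty: print instead of calling the provider

# Constructed sample of `ip -6 addr show dev eth0` output, used by demo().
# The ULA and the privacy (temporary) address come before the stable one on
# purpose: a naive "first global address" pick would publish the wrong one.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd12:3456:789a::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1234:5678:9abc:def0:1111:2222/64 scope global temporary dynamic
       valid_lft 86123sec preferred_lft 85823sec
    inet6 2001:db8:1234:5678:abcd:ef01:2345:6789/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86123sec preferred_lft 85823sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever'

# Read `ip -6 addr` text on stdin; print the first usable global address
# (without prefix length), or nothing if none qualifies.
pick_global_ipv6() {
  awk '
    $1 == "inet6" {
      if ($0 ~ /temporary|deprecated|tentative/) next   # privacy / not (yet) valid
      if ($0 !~ /scope global/) next                      # drops link-local, loopback
      addr = $2; sub(/\/.*/, "", addr)
      if (tolower(addr) ~ /^f[cd]/) next                  # fc00::/7 is not internet-routable
      print addr; exit
    }'
}

current_ipv6() {
  ip -6 addr show dev "$IFACE" 2>/dev/null | pick_global_ipv6
}

# Send the new address to the provider (assumed request format).
push_update() {
  if [ -n "$DRY_RUN" ]; then
    printf 'update %s -> %s\n' "$DDNS_HOST" "$1"
  else
    curl -fsS -o /dev/null -H "Authorization: Bearer $DDNS_TOKEN" \
      "$DDNS_URL?hostname=$DDNS_HOST&myip=$1"
  fi
}

# Push only when the address differs from the last one successfully pushed.
update_if_changed() {
  addr="$1"
  if [ -z "$addr" ]; then
    echo "no usable global IPv6 address on $IFACE" >&2
    return 1
  fi
  last="$(cat "$STATE_FILE" 2>/dev/null || true)"
  if [ "$addr" = "$last" ]; then
    return 0
  fi
  push_update "$addr" && printf '%s\n' "$addr" > "$STATE_FILE"
}

demo() { printf '%s\n' "$SAMPLE_IP_OUTPUT" | pick_global_ipv6; }

# cron entry, e.g. every 5 minutes:  */5 * * * * /usr/local/bin/ddns-ipv6.sh run
if [ "${1:-}" = "run" ]; then
  update_if_changed "$(current_ipv6)"
fi
```

Run it as `DRY_RUN=1 sh ddns-ipv6.sh run` first to see which address it would publish. Keeping the token in a header rather than in the URL keeps it out of proxy and shell history logs, and the state file means a provider outage or rate limit only costs one retry per cron run rather than an update every five minutes.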

What you will probably end up doing is running what is called dual stack, meaning you will have both IP version 4 and IPv6 running on your network. You are correct about CGNAT: your ISP is using it to pass IPv4 traffic to your network. If you decide to go with the bridge mode plan, I would see first if you can change the firmware for the router you already have to OpenWRT; that will open a lot more options for you. If you cannot change the firmware, then any other consumer router that is on the OpenWRT support list will do.

pfSense is not really all that hard to learn. I use it myself. For those that find pfSense too complicated or do not want to put the time in to learn how to use it properly, I suggest OpenWRT.

1 Like

CGNAT has nothing to do with IPv6. CGNAT is used to circumvent the shortage of public IPv4 addresses. It allows your ISP to assign many customers one public static IPv4 address.

The problem you will run into is that you cannot share resources with others on the internet. To get around this problem, you will need to do some research into an open-source project called Tailscale.

If I were in your position, I would get my ISP to put your ISP-provided router in bridge mode (turn the router into a modem). Then, I would look for any router the OpenWRT project supports. If you cannot find a router that is supported by the OpenWRT project, then I would purchase a Protectli Vault FW2B and install and configure the Protectli as a router.

Thanks for the extra information and for the advice!

I did a bit of reading on CGNAT which you summarized nicely. Using bridge mode and a router with OpenWRT support as you suggest would solve the CGNAT problem as I would get a public IPv4 address. This is currently my plan B.

However, that would take away my IPv6 address and force me to use IPv4 exclusively. Since I have a public IPv6 address as of now, can I just use that with Tailscale (which I can see is based on Wireguard)? Of course, this would limit my clients to IPv6 connections.

Hypothesis:

  • I do not use the bridge mode.
  • I connect the Raspberry Pi to the modem & router & access point provided by my ISP, which has a globally findable IPv6 address (not static, so I still need a DDNS provider).
  • I let connections through my router’s firewall target this device. The Raspberry Pi is the one that runs Tailscale/Wireguard and waits for connections.
  • When the tunnel is established, the traffic can flow out toward the wild Internet from my router, which allows the client to reach both IPv4 & IPv6 sites thanks to the dual stacking (from DS-Lite) in my router.

Is there a flaw in my train of thought?
Thanks in advance!

You should be able to receive a block of public-facing static IPv6 addresses. You probably need to ask your ISP for that block.

If your ISP uses CGNAT, you will never get a proper public static IPv4 address. As I understand how CGNAT works, for example, let’s say your ISP has been assigned only one block of five public static addresses for all its customers, and these customers need to access the Internet using an IPv4 address. They will assign each customer a block of IPv4 addresses from the private IPv4 address range, which is then routed to their public-facing network.

It shouldn’t (unless your ISP has an uncommon IPv6 network). If you follow my advice, replace your ISP-provided router (meaning put the ISP router in bridge mode) with either an OpenWRT-supported consumer router, or purchase the Protectli or a device like it and install OpenWRT on the new device.

I don’t know much about how IPv6 works, so I cannot give any advice on IPv6. I think the cheapest and easiest way to accomplish your goal is to go ahead with your hypothesis.

1 Like

Thanks for your insights!
I already have a block of public IPv6 addresses, but I don’t think it’s static as it also has a 7-day lease timer on my router’s admin panel (although I might get the same address as we have an abundance of them).

Of course /64 is not ideal, since you shouldn’t subdivide that, but that’s up to my ISP…

Yes, that is my understanding as well. However, if I ask for a bridge mode, then according to other customers of this ISP who did the same, they should give me a non-static public IPv4. So then I am effectively opting out of their CGNAT.

Well, I don’t understand why they do this, but other customers and their website state:

If you are using a static IP address or want to use the modem in bridge mode, you must always have the IPv4 protocol set.

I would really like to know why this is the case. Anyway, I will probably test my hypothesis and if it fails, I will follow your advice and go with a new router + OpenWRT.

If any of you have tutorials/guides/further information on setting up IPv6, I’d appreciate it. Fortunately, I’ve already found some good writings on IPv4 setup.

I find it strange that you have a block of IPv6 addresses that can expire in 7 days. I have never heard of expiring IPv6 addresses.

My ISP recently offered IPv6 addresses to its customers. They also now offer a synchronous connection, meaning the download speed is the same as the upload speed. I wish I were an expert in IPv6 systems because, as an expert with IPv6, I could get a job making $250,000 in the USA.

If you have any more networking questions, don’t hesitate to ask. If I don’t know the answer, I probably know someone who does.

Please let me and our forum buddies know how things are going.

1 Like

Well, finally I had time to test my theories and put together a setup.

IPv6 only setup

This was my initial idea, because I didn’t really want to bother with my ISP and I thought the public IPv6 address would be enough. Actually, it was enough. It was challenging and involved a lot of trial and error, but I managed to put together Wireguard on my Raspberry Pi running OpenWRT. Of course, this meant that I could not reach my VPN server via IPv4 connections. There are workarounds for this, but I didn’t pursue them because one of my key initial assumptions turned out to be wrong :sweat_smile:

IPv4 only setup

Only IPv4 is available in my family. So I went with Plan B, which @Shadowbane suggested at the beginning, and requested bridge mode on my ISP’s router and installed my own router running OpenWRT. I’ll probably give pfSense a try later, but I wanted to test a prototype that was relatively easy to set up. This configuration has been running for the last few days without any problems. And it gives me much more control over my network than before.

Thanks for all the encouragement! This was a blind spot for me; I’ve learned a lot about networking in general and I hope to put it to good use sometime. It’s time to research my next project… a NAS.

Cheers,
LeX

1 Like
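Both the hypothesis (Raspberry Pi behind the ISP router, firewall letting inbound connections reach it) and the final OpenWRT setup above come down to the same three pieces of OpenWrt configuration: a WireGuard interface that listens on one UDP port, a peer entry for the family router, and a firewall rule that opens exactly that port. The added example below (not the poster's configuration, nor code from the OpenWrt project) expresses them as UCI commands. Keys, tunnel addresses, the peer name and the port are placeholders or constructed values; `WG_FAMILY=ipv6` restricts the inbound rule to IPv6 for the IPv6-only variant, and `WG_FAMILY=any` is the bridge-mode / dual-stack variant. When `uci` is not installed (or `DRY_RUN` is set) the commands are printed instead of executed so the script can be reviewed on a desktop first.

```shell
#!/bin/sh
# Added example, not the thread poster's config: WireGuard listener on an
# OpenWrt device via UCI. The peer (family router) is placed in the lan zone,
# so its traffic is forwarded to wan, where IPv4 is masqueraded (OpenWrt
# default). That is what lets a VPN server reached over IPv6 still serve
# IPv4-only sites through the device's own IPv4 path (DS-Lite or bridge mode).
# Keys, addresses and the port are placeholders / constructed values.

WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
WG_FAMILY="${WG_FAMILY:-ipv6}"          # ipv6 = IPv6-only inbound; any = dual stack
WG_ADDR4="10.66.0.1/24"                 # tunnel-internal addresses (constructed)
WG_ADDR6="fd66:6666::1/64"
WG_SERVER_KEY="${WG_SERVER_KEY:-SERVER_PRIVATE_KEY_PLACEHOLDER}"
PEER_NAME="familyrouter"                # UCI section name (assumed)
PEER_PUB="${PEER_PUB:-FAMILY_ROUTER_PUBLIC_KEY_PLACEHOLDER}"
PEER_ADDR4="10.66.0.2/32"
PEER_ADDR6="fd66:6666::2/128"

DRY_RUN="${DRY_RUN:-}"
command -v uci >/dev/null 2>&1 || DRY_RUN=1

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_wg_interface() {
  run uci -q delete "network.$WG_IF" || true
  run uci set "network.$WG_IF=interface"
  run uci set "network.$WG_IF.proto=wireguard"
  run uci set "network.$WG_IF.private_key=$WG_SERVER_KEY"
  run uci set "network.$WG_IF.listen_port=$WG_PORT"
  run uci add_list "network.$WG_IF.addresses=$WG_ADDR4"
  run uci add_list "network.$WG_IF.addresses=$WG_ADDR6"
}

configure_wg_peer() {
  # Named section so re-running the script updates rather than duplicates it.
  run uci -q delete "network.$PEER_NAME" || true
  run uci set "network.$PEER_NAME=wireguard_$WG_IF"
  run uci set "network.$PEER_NAME.description=$PEER_NAME"
  run uci set "network.$PEER_NAME.public_key=$PEER_PUB"
  # Server side accepts only the peer's own tunnel addresses as source
  # (anti-spoofing); the peer side uses AllowedIPs = 0.0.0.0/0, ::/0 to send
  # all of its traffic through the tunnel.
  run uci add_list "network.$PEER_NAME.allowed_ips=$PEER_ADDR4"
  run uci add_list "network.$PEER_NAME.allowed_ips=$PEER_ADDR6"
  run uci set "network.$PEER_NAME.route_allowed_ips=1"
  run uci set "network.$PEER_NAME.persistent_keepalive=25"   # peer sits behind NAT
  run uci commit network
}

configure_firewall() {
  # Assumes the default zone order (zone 0 = lan, zone 1 = wan); naming them
  # lets the rest of the script reference them reliably.
  run uci rename "firewall.@zone[0]=lan" || true
  run uci rename "firewall.@zone[1]=wan" || true
  # Tunnel clients behave like LAN devices: they reach the NAS and are
  # forwarded to wan, where IPv4 is masqueraded.
  run uci del_list "firewall.lan.network=$WG_IF" || true
  run uci add_list "firewall.lan.network=$WG_IF"
  run uci set "firewall.wan.masq=1"
  # The only hole opened from the internet: one UDP port, optionally IPv6 only.
  run uci -q delete firewall.wg_in || true
  run uci set "firewall.wg_in=rule"
  run uci set "firewall.wg_in.name=Allow-WireGuard-In"
  run uci set "firewall.wg_in.src=wan"
  run uci set "firewall.wg_in.proto=udp"
  run uci set "firewall.wg_in.dest_port=$WG_PORT"
  run uci set "firewall.wg_in.target=ACCEPT"
  [ "$WG_FAMILY" = "any" ] || run uci set "firewall.wg_in.family=$WG_FAMILY"
  run uci commit firewall
}

apply_all() {
  configure_wg_interface
  configure_wg_peer
  configure_firewall
  run service network restart
  run service firewall restart
}

apply_all
```

When the Pi sits behind the ISP router (the hypothesis variant), the ISP router's own IPv6 firewall must also pass UDP to the Pi's global address on that port; the rule above only covers the OpenWrt device itself. On the family router, the peer's `Endpoint` is the DDNS hostname plus the port, so it follows prefix changes without reconfiguration.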

Congrats @LeX77. I had a feeling you would end up going with plan B, but didn’t say anything for two reasons. One, I didn’t want to disappoint you, and secondly I could have been wrong.

1 Like