
I have a public IPv6 address but not an IPv4. Therefore I want to route the traffic via a VPS with a public IPv4 and an IPv6 address. My question is how to create this type of tunnel with Wireguard. The tunnel from the VPS to a device in my network is not the challenge, but rather how to redirect the packets on the server to that tunnel.

I've done a bit of research and my approach would look like this.

My Network device

[Interface]
Address = <DEVICE IPv6>
PrivateKey = <private key>
ListenPort = <DEVICE PORT>

# Peer to VPS
[Peer]
PublicKey = [PUBLIC KEY VPS]
AllowedIPs = [VPS IPv6]
Endpoint = [VPS IPv6]:[VPS PORT]

VPS

[Interface]
Address = <VPS IPv6>
Address = <VPS IPv4>
PrivateKey = <private key>
ListenPort = <VPS PORT>

# Peer to device
[Peer]
PublicKey = [PUBLIC KEY DEVICE]
Endpoint = [DEVICE IPv6]:[DEVICE PORT]
AllowedIPs = 0.0.0.0/0, ::/0


# Example peer of client
[Peer]
PublicKey = <client public key>
AllowedIPs = 0.0.0.0/0, ::/0

Example Client

[Interface]
PrivateKey = <private key>
ListenPort = <CLIENT PORT>

[Peer]
PublicKey = [PUBLIC KEY VPS]
Endpoint = [VPS IPv4]:[VPS PORT], [VPS IPv6]:[VPS PORT]
AllowedIPs = 0.0.0.0/0

Is this possible? Or do I need to create two WG interfaces and route the traffic between?

Paul

1 Answer


Sounds like you just want to be able to connect from your Network Device to your Example Client, and vice versa? If so, then this is the classic Hub and Spoke WireGuard scenario, with the VPS as the hub and the Network Device and Example Client as the spokes.

For connections tunneled inside your WireGuard network, you can use either IPv4 or IPv6 addresses -- it doesn't have to match the IP version of the packets carrying the tunnel connections. Here's an example that uses the IPv6 fd00::/56 address block for the WireGuard network; 198.51.100.123 as the public IPv4 address of the hub; and 2001:db8:1234:abcd::1 as the public IPv6 address of the hub:

Network Device (IPv6 spoke):

# local settings for Network Device
[Interface]
PrivateKey = <Network Device private key>
Address = fd00:0:0:2::1/64

# remote settings for VPS
[Peer]
PublicKey = <VPS public key>
AllowedIPs = fd00::/56
Endpoint = [2001:db8:1234:abcd::1]:51820
PersistentKeepalive = 25

VPS (hub):

# local settings for VPS
[Interface]
PrivateKey = <VPS private key>
Address = fd00:0:0:1::1/64
ListenPort = 51820

PreUp = sysctl -w net.ipv6.conf.all.forwarding=1

# remote settings for Network Device
[Peer]
PublicKey = <Network Device public key>
AllowedIPs = fd00:0:0:2::/64

# remote settings for Example Client
[Peer]
PublicKey = <Example Client public key>
AllowedIPs = fd00:0:0:3::/64

Example Client (IPv4 spoke):

# local settings for Example Client
[Interface]
PrivateKey = <Example Client private key>
Address = fd00:0:0:3::1/64

# remote settings for VPS
[Peer]
PublicKey = <VPS public key>
AllowedIPs = fd00::/56
Endpoint = 198.51.100.123:51820
PersistentKeepalive = 25

From your Network Device, you could then access say a webserver running on Example Client using Example Client's WireGuard IP address of fd00:0:0:3::1; or from your Example Client, SSH into Network Device using Network Device's WireGuard IP address of fd00:0:0:2::1.

Justin Ludwig
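The difference between the hub config proposed in the question (both peers with AllowedIPs = 0.0.0.0/0, ::/0) and the one in the answer (a disjoint /64 per spoke) comes down to WireGuard's cryptokey routing: each AllowedIPs prefix can belong to only one peer on an interface, and an outgoing packet goes to the peer whose AllowedIPs has the longest match for its destination, or is dropped if no peer claims it. The following script is an added example, not code from the question or the answer; it parses wg-quick style configs and checks both properties offline. The sample configs are constructed from the text above, with the same placeholder keys and the answer's documentation addresses (fd00::/56, 198.51.100.123, 2001:db8:1234:abcd::1); the function names and the parser are this example's own.

```python
"""Cryptokey-routing sanity check for a WireGuard hub-and-spoke setup.

Added example, not from the original question or answer. WireGuard keeps one
AllowedIPs trie per interface: a prefix maps to exactly one peer (the last peer
configured with it takes it over), and a packet is sent to the peer with the
longest matching prefix, or dropped if none matches.
"""
import ipaddress
from collections import defaultdict


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config.

    Returns {'Interface': {key: [values]}, 'Peer': [{key: [values]}, ...]}.
    Comma-separated values and repeated keys (Address, AllowedIPs) accumulate.
    """
    iface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                section = iface
            elif name == "Peer":
                section = {}
                peers.append(section)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if section is None:
            raise ValueError(f"key before any section: {line}")
        key, _, value = line.partition("=")  # split on the first '=' only
        for part in value.split(","):
            if part.strip():
                section.setdefault(key.strip(), []).append(part.strip())
    return {"Interface": iface, "Peer": peers}


def allowed_networks(peer):
    return [ipaddress.ip_network(a, strict=False) for a in peer.get("AllowedIPs", [])]


def route(conf, dst):
    """Index of the peer that receives a packet for dst (longest-prefix match
    over every peer's AllowedIPs), or None if no peer claims it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for i, peer in enumerate(conf["Peer"]):
        for net in allowed_networks(peer):
            if net.version == dst.version and dst in net:
                if best is None or net.prefixlen > best[1]:
                    best = (i, net.prefixlen)
    return None if best is None else best[0]


def duplicate_allowed_ips(conf):
    """Prefixes listed under more than one peer: {'prefix': [peer indexes]}.
    Any entry here is a misconfiguration: only the last peer keeps the prefix."""
    owners = defaultdict(list)
    for i, peer in enumerate(conf["Peer"]):
        for net in allowed_networks(peer):
            owners[str(net)].append(i)
    return {net: idx for net, idx in owners.items() if len(idx) > 1}


# Constructed sample: the hub as proposed in the question.
PROPOSED_HUB = """
[Interface]
PrivateKey = <VPS private key>
ListenPort = 51820

[Peer]
PublicKey = <Network Device public key>
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = <Example Client public key>
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed sample: the hub from the answer, one /64 per spoke.
HUB = """
[Interface]
PrivateKey = <VPS private key>
Address = fd00:0:0:1::1/64
ListenPort = 51820
PreUp = sysctl -w net.ipv6.conf.all.forwarding=1

[Peer]
PublicKey = <Network Device public key>
AllowedIPs = fd00:0:0:2::/64

[Peer]
PublicKey = <Example Client public key>
AllowedIPs = fd00:0:0:3::/64
"""

# Constructed sample: the Network Device spoke from the answer.
SPOKE = """
[Interface]
PrivateKey = <Network Device private key>
Address = fd00:0:0:2::1/64

[Peer]
PublicKey = <VPS public key>
AllowedIPs = fd00::/56
Endpoint = [2001:db8:1234:abcd::1]:51820
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    print("proposed hub duplicates:", duplicate_allowed_ips(parse_wg_conf(PROPOSED_HUB)))
    hub = parse_wg_conf(HUB)
    print("answer hub duplicates:", duplicate_allowed_ips(hub))
    print("hub -> fd00:0:0:3::1 goes to peer", route(hub, "fd00:0:0:3::1"))
    print("hub -> 2001:db8::1 goes to peer", route(hub, "2001:db8::1"))
    print("spoke -> fd00:0:0:3::1 goes to peer", route(parse_wg_conf(SPOKE), "fd00:0:0:3::1"))
```

On the proposed hub both 0.0.0.0/0 and ::/0 show up under both peers, so after the second [Peer] is applied the Network Device no longer owns any prefix and nothing the hub sends can reach it; on the answer's hub each spoke owns its own /64 and a destination outside fd00::/56 is simply not tunneled. The same check run on a spoke shows that fd00::/56 sends cross-spoke traffic to the VPS, while the VPS's public addresses stay off the tunnel.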