I struggled to get this going, so it's worth making a note!
I have a backup NAS at my mum’s house in Dublin. She uses Virgin Media as her ISP, and while they support IPv4 outbound, everything is NATed through a big cloud, which means they do not support IPv4 port forwarding inbound. Only IPv6 is available inbound, which seems to work properly, as I can reach a VM there on its V6 address (after setting up filtering through the hub).
At home I have just installed fibre from B4SH. (Broadband in the Surrey Hill). I totally love it (900M up and down symmetrically) but at the moment they are V4 only!
In normal operation that's fine: WireGuard connects out (using a V4 address) from Ireland to the Mother Ship. But if the mother ship blows up, what do I do??
socat to the rescue!
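I also have a VPS which I use for other stuff … That is both V4 and V6.
On boot, that starts a simple script:
#!/usr/bin/env bash
# Relay IPv4 UDP datagrams arriving on port 51821 to the IPv6-only
# WireGuard endpoint on port 51820. "fork" serves each sender in its own
# child process; "su=nobody" drops root privileges.
/usr/bin/socat UDP4-LISTEN:51821,fork,su=nobody UDP6:example.com:51820
exit $?
The following service file takes care of that: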
[Unit]
Description=IPV4 Forwarder to Ireland VPN (V6 Only)
Wants=network-online.target
After=syslog.target network-online.target
[Service]
Type=simple
ExecStart=/root/bin/ireland-vpn-ip4-forwarder.sh
Restart=on-failure
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
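A more locked-down variant of that unit, as an added example rather than the configuration from this post: it starts socat directly instead of through a root-owned wrapper script and lets systemd supply an unprivileged throwaway user, which works because port 51821 is above 1024. The port numbers and the example.com placeholder are the ones used above; the sandboxing directives are standard systemd options chosen for this sketch.

```ini
[Unit]
Description=IPv4 forwarder to Ireland VPN (V6 only), sandboxed
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# socat is the main process, so stopping the unit stops the listener and
# every forked child (default KillMode=control-group).
ExecStart=/usr/bin/socat UDP4-LISTEN:51821,fork UDP6:example.com:51820
Restart=on-failure
RestartSec=10

# Never run as root: systemd allocates a transient UID/GID for the service,
# so su=nobody is no longer needed on the socat command line.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=

# Read-only view of the filesystem, no access to home directories,
# private /tmp and no physical device nodes.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# The relay only needs IP sockets; AF_UNIX and AF_NETLINK stay allowed
# so that name resolution of the endpoint keeps working.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Kernel and process hardening that a UDP relay never needs to bypass.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security <unit name>` reports how exposed the resulting service still is.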
The kicker was UFW - which wouldn’t play ball and let the packets through!
Turns out that for UDP you have to be specific about which interface to listen on.
So:
ufw insert 1 allow in on any proto udp from any to any port 51821
does not work!
I had to use
ufw insert 1 allow in on ens3 proto udp from any to any port 51821
Then all was good! By changing the endpoint address on the WireGuard client it all works!!