Resolving Issues with TunSafe and WireGuard on Windows

WireGuard is an incredibly versatile VPN implementation. It’s fast, snappy and lightweight, but it comes with some finicky errors that generally stem from obscure config problems. There isn’t a ton of documentation on these issues (but there’s a great community behind WireGuard that’s always willing to jump in and help).

Tunnel Error – IPv6 Binding (WireGuard for Windows, Pre-Alpha)

I recently installed the WireGuard Pre-Alpha for Windows and encountered the dreaded Tunnel Error prompt.

Unable to set interface addresses, routes, dns and/or adapter settings.

Please consult the log for more information.

I found that the issue was caused by the addition of ::/0 within the AllowedIPs parameter when my server did not support IPv6. The WireGuard Pre-Alpha for Windows client doesn’t seem to like that very much.

After removing that parameter, and restarting my computer (to confirm that it wasn’t the WinTun driver acting up), I was able to initiate the WireGuard tunnel.

TunSafe doesn’t seem to suffer from the same issue. TunSafe will accept the ::/0 and ::0/0 values for AllowedIPs but simply ignores them, causing your IPv6 to leak if you have IPv6 network adapters enabled.

IPv6 Leaking (TunSafe and WireGuard)

If your WireGuard server does not support IPv6, and the client is using IPv6, WireGuard will leak your IPv6 by default. There is no workaround for this other than disabling your IPv6 network adapters while using WireGuard on Windows.

If your WireGuard server does support IPv6, it is imperative that you add ::0/0 or ::/0 to your AllowedIPs parameter to ensure that it is capable of routing IPv6.

An example Peer block for your client config looks like this:

[Peer]
PublicKey = pubkey___qwdijqwdqoiwdoijDOJIASD
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ip:port
PersistentKeepalive = 25

DNS Issues (TunSafe)

TunSafe does not support WireGuard config files with more than one DNS address attached to the config. When using TunSafe, your DNS parameter should look like:

DNS = 8.8.8.8

Instead of:

DNS = 8.8.8.8,8.8.4.4
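
The three checks described above can be run against a client config before importing it. The following is an added example, not code from WireGuard or TunSafe: the function names, finding codes and sample config are constructed for illustration, and it assumes the client machine has IPv6 adapters enabled.

```python
import ipaddress

# Constructed sample client config; keys and endpoint are placeholders.
SAMPLE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 8.8.8.8,8.8.4.4

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
"""

def collect(text, key):
    """Return every comma-separated value set for `key`, across all sections."""
    values = []
    for line in text.splitlines():
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep and name.strip().lower() == key.lower():
            values += [v.strip() for v in value.split(",") if v.strip()]
    return values

def lint(text, server_has_ipv6, client):
    """client: 'wireguard' (Windows pre-alpha) or 'tunsafe'. Returns finding codes."""
    findings = []
    nets = [ipaddress.ip_network(v, strict=False) for v in collect(text, "AllowedIPs")]
    # ::/0 and ::0/0 both parse to the IPv6 default route.
    v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if not server_has_ipv6:
        if v6_default and client == "wireguard":
            findings.append("tunnel-error-remove-v6-route")  # tunnel fails to start
        findings.append("ipv6-leak-disable-v6-adapters")     # workaround from the text
    elif not v6_default:
        findings.append("ipv6-leak-add-v6-route")            # add ::/0 to AllowedIPs
    if client == "tunsafe" and len(collect(text, "DNS")) > 1:
        findings.append("tunsafe-single-dns-only")           # keep one DNS address
    return findings

if __name__ == "__main__":
    for client in ("wireguard", "tunsafe"):
        for v6 in (False, True):
            print(client, "server_ipv6=%s" % v6, lint(SAMPLE, v6, client))
```

An empty list means none of the three problems from this post applies to that client and server combination.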
