Assistance understanding and improving IPv6-over-Wireguard PD

Hej,

my ISP does not provide me with IPv6 connectivity, but I've got a /56 subnet from my hosting provider. I set up OpenWrt as a VM on the hosting provider and assigned the complete /56 to this machine. Now I would like to delegate subnets over WireGuard to my home router, also running OpenWrt. I came up with a working configuration (see below), but I have the following questions:

  1. Can this setup be improved? As of now, there are a lot of static IPv6 addresses.
  2. What would I have to change to be able to delegate additional /64 subnets over Wireguard, e.g. for a guest network?
  3. Increasing the prefix delegated over Wireguard to a /60 would allow me to delegate multiple /64 subnets on my home router, right?
  4. I have a few comments in the configuration files with questions.

My configuration files are below, I redacted the IPv6 prefix to 2001:db8 and I removed all additional clients and interfaces. I hope that I didn't redact too much.

Hosting Provider

/etc/config/network
# Hosting-provider side, initial version. The whole /56 is routed to this
# VM; one /64 out of it reaches the home router by static routing (the
# allowed_ips entry on the peer below), not by prefix delegation.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf1:3eb1:24b3::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	# One /64 out of the /56 is assigned to this LAN. ip6hint '10' pins the
	# subnet id, which should give 2001:db8:251:f510::/64, so it cannot
	# collide with the f520::/64 routed to the home router.
	option ip6assign '64'
	option ip6ifaceid '::5'
	option ip6hint '10'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	# IPv4 address, gateway and DNS servers redacted by the author.
	option ipaddr ''
	option netmask '255.255.255.192'
	option gateway ''
	list dns ''
	list dns ''
	list dns ''
	list dns ''
	option ip6gw ''
	list ip6addr '2001:db8:251:f500::1/56'
	# NOTE(review): ip6prefix carries a host part ('::1/56'); a prefix for
	# downstream assignment is normally written without it, i.e.
	# '2001:db8:251:f500::/56'. Confirm whether netifd masks it or whether
	# this should be corrected.
	option ip6prefix '2001:db8:251:f500::1/56'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '172.27.66.253/24'
	# The tunnel end does not need a global address; a link-local or ULA
	# address is enough on a point-to-point link (see the reply further
	# down). Note that this /128 lies inside the f520::/64 that the peer
	# below is allowed to use.
	list addresses '2001:db8:251:f520::1/128' ## <- I picked an address from my assigned subnet - could this be a private address as well?

config wireguard_WireGuard
	option public_key ''
	option description 'Daheim'
	# route_allowed_ips installs a kernel route for every allowed_ips entry.
	# The same list is WireGuard's cryptokey routing table: packets from
	# this peer whose source is outside it are dropped, so keep it tight.
	option route_allowed_ips '1'
	list allowed_ips '172.27.66.1/32'
	list allowed_ips '192.168.17.0/24'
	list allowed_ips '2001:db8:251:f520::/64'

Home Router

/etc/config/network
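# Home-router side, initial version. IPv6 arrives as a single static /64
# over the tunnel (wan6 below) and is handed to the LAN with ip6assign.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd14:3bdd:21a7::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.17.1'
	option netmask '255.255.255.0'
	# Only one /64 (2001:db8:251:f520::/64, see wan6 below) reaches this
	# router, so the LAN cannot be assigned anything larger than a /64.
	# The earlier value '60' was flagged by the author as a mistake; it
	# asks for a block bigger than the available prefix.
	option ip6assign '64'
	option ip6ifaceid '::3'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	# No automatic host routes for peer addresses; the route6 section at
	# the end supplies the single route this setup needs.
	option nohostroute '1'
	list addresses '172.27.66.1/24'

config wireguard_WireGuard
	option description 'hetzner.com'
	option public_key ''
	option endpoint_host 'wg.hetzner.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '172.27.66.253/32'
	list allowed_ips '192.168.30.0/24'
	# '::/0' lets every IPv6 destination, including the default route set
	# on wan6, be sent to this peer, so all of the home network's IPv6
	# traffic transits the hosting-provider VM.
	list allowed_ips '::/0'

# I put that into an alias for prefix delegation to work.
# Plus, my WG IPv4 interface is in the LAN firewalling zone,
# this one is in WAN.
#
# NOTE(review): with the IPv4 side of the tunnel in the LAN zone, the
# hosting VM (and anything that manages to compromise it) has unfiltered
# access to the home LAN. A dedicated zone for the tunnel with explicit
# forwarding rules is the tighter option.

config interface 'wan6'
	option proto 'static'
	option device '@WireGuard'
	# NOTE(review): ip6addr sits inside the very /64 that ip6prefix hands
	# down to the LAN, so the tunnel end and the LAN share one prefix.
	# This is the likely reason 'ndp relay' is needed on the LAN in
	# /etc/config/dhcp; a /128 here, or an address outside the delegated
	# prefix, should avoid that -- verify.
	option ip6prefix '2001:db8:251:f520::/64'
	list ip6addr '2001:db8:251:f520::2/64'
	option ip6gw '2001:db8:251:f520::1'

# The route below is required because I set WG to "no host routes". That's
# on purpose because of other peers that aren't shown here.

config route6
	option interface 'WireGuard'
	option target '2001:db8:251:f520::1/128'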
/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Rebind protection is on: upstream answers that point at private
	# ranges are dropped (answers for localhost are still allowed).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# NOTE(review): '0' lets dnsmasq answer queries from subnets that are
	# not directly attached (OpenWrt ships with '1'). It is presumably here
	# so the 192.168.30.0/24 side of the tunnel can use this resolver; make
	# sure the firewall limits port 53 to the zones that should use it.
	option localservice '0'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	# Answers the AAAA lookup for the endpoint name locally with '::'. The
	# author reports this keeps the tunnel on IPv4; presumably without it
	# the IPv6 endpoint would be routed into the tunnel itself once '::/0'
	# is an allowed prefix.
	list address '/wg.hetzner.com/::' ## <- The WG peer provides an IPv6 address, this forces IPv4 for the WG tunnel

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option ra 'server'
	option dhcpv6 'server'
	# NOTE(review): NDP relay proxies neighbour discovery between this LAN
	# and the tunnel side. It is most likely needed because wan6 carries
	# 2001:db8:251:f520::2/64, the same /64 that is assigned to the LAN,
	# so hosts of that /64 exist on both interfaces. With a tunnel address
	# outside the delegated prefix this should not be required -- verify.
	option ndp 'relay' ## <- Why is this required? My LAN clients required this.

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Thanks for your assistance!

DHCPv6 works through a Wireguard tunnel, so you don't need any static assignments. Simply set an ip6assign on the source end and use an alias interface of proto dhcpv6 on the destination.

The received prefix will then be delegated to LANs in the usual way as if it were direct from the local ISP.

You are correct that a LAN only needs a /64 if there are no additional routers downstream on the LAN.

Link-local IPs must exist on the ends of the tunnel for DHCPv6 to work. They are not assigned automatically. Since there are only two hosts involved fe80::1/64 and fe80::2/64 will work.

Since this is a point-to-point tunnel, allowed_ips can be /0 on both ends; then it does not matter which prefix travels through the tunnel. If you do use more restrictive allowed_ips, remember to include the link-locals.


I didn't know that, and that would indeed greatly simplify the setup! I will give this suggestion a try.

Thanks for your other comments as well. Obviously, I still have a lot to learn when it comes to IPv6. I never had an ISP that supported IPv6, my current one does not support it when the cable modem is in bridge mode.

This is actually working great! A few notes from my side:

  • fe80::1 is the gateway for my upstream IPv6 network at the hosting provider. I had to use a different link-local address for the tunnel. However, this could have also been due to the next issue:
  • I had to uncheck "Use default gateway" on the Wireguard "server" interface. This overwrote my default gateway and the Wireguard interface was shown as an upstream connection.
  • On the source end, I had to enable a DHCPv6 server for the wireguard interface. I enabled only the DHCPv6 server and disabled RA and NDP settings.
  • I was able to remove all manually configured static IPv6 routes.
  • I went with a /57 prefix for the tunnel as some addresses are needed for another VM at the hosting provider.

Here are the relevant config files:

Hosting provider

/etc/config/network
# Hosting-provider side, revised version: the tunnel interface is treated
# like any downstream interface and receives a sub-prefix of the /56 via
# ip6assign, which odhcpd then delegates to the home router over DHCPv6.
config interface 'WireGuard'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        # A /57 (half of the /56) is reserved for this tunnel; ip6hint '80'
        # should select the upper half, leaving the lower /57 for the other
        # VM mentioned by the author.
        option ip6assign '57'
        option ip6hint '80'
        # Only take the prefix learned on 'wan' (the static /56), not the
        # ULA from the globals section.
        list ip6class 'wan'
        list addresses '172.27.66.253/24'
        # Tunnel-internal ULA address in place of the link-local suggested
        # in the reply (fe80::1 was already taken by the upstream gateway).
        # The peer's allowed_ips (not shown) must cover fda3::2 on this end.
        list addresses 'fda3::1/64'
        # Keep the tunnel from taking over the VM's default route; without
        # this the author saw WireGuard shown as the upstream connection.
        option defaultroute '0'
/etc/config/dhcp
config dhcp 'WireGuard'
        option interface 'WireGuard'
        # 'ignore' switches off dnsmasq's DHCPv4 pool on this interface,
        # while the explicit dhcpv6 setting below keeps odhcpd serving
        # DHCPv6 (the author reports this combination works). RA and NDP
        # are deliberately not enabled here.
        option ignore '1'
        option dhcpv6 'server'

Home router

/etc/config/network
# Home-router side, revised version: a DHCPv6 client on a tunnel alias
# replaces every static IPv6 address and route from the first attempt.
config interface 'WireGuard'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        # No automatic host routes for peer addresses (other peers exist
        # that are not shown here); wan6 below provides the IPv6 routing.
        option nohostroute '1'
        list addresses '172.27.66.1/24'
        # Tunnel-internal ULA address, paired with fda3::1/64 on the hosting
        # side. DHCPv6 between the two runs over these addresses, so the
        # peer's allowed_ips (not shown) must cover fda3::/64 on both ends,
        # otherwise the cryptokey routing silently drops the exchange.
        list addresses 'fda3::2/64'

config interface 'wan6'
        # DHCPv6 client on the tunnel: obtains the delegated prefix from the
        # hosting VM, which the LAN then receives through ip6assign as if
        # it came from a regular ISP.
        option proto 'dhcpv6'
        option device '@WireGuard'
        # 'try': ask for an address on the tunnel, but carry on without one.
        option reqaddress 'try'
        # Accept a prefix of whatever length the server delegates (the
        # server side is configured with a /57).
        option reqprefix 'auto'
        # Do not send a RELEASE when the interface goes down, so the prefix
        # stays stable across tunnel restarts.
        option norelease '1'
