Automatic GUA IPv6 address for Wireguard client

Just a little guide, way to automatically assign GUA IPv6 addresses to road warrior Wireguard clients.

What you need:
OpenWRT router
ISP that gives you more than a single /64 GUA IPv6 subnet.

What you get:
Remote Wireguard clients will get an automatic assignment of GUA IPv6 address.
No need to adjust Wireguard or OpenWRT configuration if ISP changes your IPv6 prefix.
Privacy IPv6 address for some clients.

Some technical details and caveats:
GUA IPv6 will get assigned using using SLAAC, so you’ll need a separate /64 network and a separate interface for every Wireguard client in order for multicast to work. Basically a P2P link for every Wireguard device.
Adjust ip6hint: unique for every Wireguard client and according to the size of IPv6 prefix you get from your ISP.
IPv4 has to be static, DHCP doesn’t work over L3 tunnels like Wireguard, not a big deal since we are behind NAT in 99% of cases anyway.
Some Android clients assign random privacy IPv6, other won’t and will use LL address device identification part.
Android doesn’t seem to get DNS from RDNSS, so need so specify it like DNS=fe80::1. Systemd-networkd on Linux gets it just fine.
No idea if it works for Windows, macOS, iOS etc. clients, don’t care a bit. Feel free to test yourself.

OpenWRT configuration:
/etc/config/network

config interface 'myphone'
	option proto 'wireguard'
	option private_key '[SERVER PRIVATE KEY]'
	option listen_port '12305'
	list addresses '192.168.5.1/24'
	list addresses 'fe80::1/64'
	option ip6assign '64'
	option ip6hint '5'

config wireguard_myphone
	option public_key '[CLIENT PUBLIC KEY]'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

/etc/config/firewall

config zone
	option name 'lan'
	….
	list network 'lan'
	list network 'myphone'
config rule
	option name 'Wireguard myphone'
	option family 'any'
	option proto 'udp'
	option src 'wan'
	option dest_port '12305'
	option target 'ACCEPT'

/etc/config/dhcp

config dhcp 'myphone'
        option interface 'myphone'
        option dhcpv4 'disabled'
        option dhcpv6 'disabled'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'none'

Client Wireguard configuration for Android

[Interface]
Address = 192.168.5.2/32
Address = fe80::2/64
DNS = 192.168.5.2
DNS = fe80::1
PrivateKey = [CLIENT PRIVATE KEY]

[Peer]
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = [SERVER HOSTNAME]:12305
PersistentKeepalive = 25
PublicKey = [SERVER PUBLIC KEY]

Client Wireguard configuration for Linux systemd-networkd
/etc/systemd/network/myserver.netdev

[NetDev]
Name = myserver
Kind = wireguard

[WireGuard]
PrivateKey = [CLIENT PRIVATE KEY]

[WireGuardPeer]
PublicKey = [SERVER PUBLIC KEY]
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = [SERVER HOSTNAME]:12305
PersistentKeepalive = 25

/etc/systemd/network/myserver.network

[Match]
Name=myserver

[Network]
Address=192.168.5.2/32
Address = fe80::2/64
DNS = 192.168.5.1
2 Likes