Failed to send to ff02::1%wg0@wg0

I installed and configured WireGuard (as OpenWRT server on home gateway router and as OpenWRT client on mobile hotspot). It works great, both for IPv4 and for IPv6.

Congratulations to the developers, impressive!

On the router, however, there is a permanent log entry (every 25 seconds or so); apparently some task is pinging all hosts periodically.

daemon.err odhcpd[PID]: Failed to send to ff02::1%wg0@wg0 (No error information)

Note indeed:

root@router:~# ping -I wg0 ff02::1
PING ff02::1 (ff02::1): 56 data bytes
ping: sendto: No error information

whereas:

root@router:~# ping -c 1 -I br-lan ff02::1
PING ff02::1 (ff02::1): 56 data bytes
64 bytes from fe80::21b:21ff:fe9c:9c0e: seq=0 ttl=64 time=0.086 ms

--- ff02::1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.086/0.086/0.086 ms

Could this be a misconfiguration?

Here is the config network section:

config dhcp 'wg0'
        option interface 'wg0'
        option ignore '1'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option ndp 'hybrid'
        list ra_flags 'none'

I don't think wireguard supports SLAAC or DHCP6, therefore there is no need to send RAs over the tunnel. Disable ra, dhcpv6, and ndp and the error messages will stop.

1 Like

WireGuard is layer 3; there is no DHCP/DHCPv6/SLAAC, so you need to define IPs and configure the routing.

2 Likes

@trendy and @slh: thanks for the expert replies. My purpose was to make a hotspot do v6 (and it succeeded!), but I will take some steps back and try to avoid dhcpv6 (which succeeded but did not avoid the errmsg) and later also RA ... I'll keep you informed.

You would configure this on interface covering the WiFi network, not the WG interface.

1 Like

I entirely removed "config dhcp 'wg0'"; it does not alter functionality indeed.
And the permanent 'failed to send' log stops indeed.

See topology below:

I have an OpenWRT router as home gateway (static IP addresses) and an OpenWRT router as 4G mobile hotspot. The hotspot is used when I travel to provide Internet to some phones, tablets and PCs.

This works fine for IPv4 (and also for IPv6 if the mobile provider supports IPv6).

Basically the mobile wwan on the hotspot gets a /64 PD and the br-lan with the ethernet and wifi clients get addresses from it.

                 Internet
                    |
              +-----+-----+
              |   home    |
              + wg server +
              |  gateway  |
              +----++-----+
                   ||
                   ||
                wg tunnel
                   ||
                   ||
+---------+   +----++-----+
|  phone  |   |  mobile   |
| eth wifi+===+ wg client +---- Internet
| PC etc  |   |  hotspot  |
+---------+   +-----------+

Now if I connect the hotspot with the gateway via the wg tunnel, again both IPv4 and IPv6 work fine on the hotspot, and the phones, tablets and PCs on the br-lan also work both for IPv4 and for IPv6.

BUT: the devices on br-lan only go over the wg tunnel for IPv4 ... for IPv6 they take the mobile wwan from the hotspot to the Internet (except for devices at home).

Somehow I hoped I could delegate one of my home static /64 prefixes over the wireguard tunnel so that devices connected to the br-lan on the hotspot would get addresses from that range and use these to always go over the tunnel for IPv6.

This is why I attempted to configure the IPv6 RA DHCP ND part of the wireguard on the home router. But it did not get it over the wg tunnel to the mobile hotspot.

Note that there is a default IPv6 route over the tunnel (hotspot interface called vpn):
default dev vpn metric 1024
But there is also a default IPv6 route for br-lan going over mobile (hotspot interface called wwan0):
default from 2a02:1808:0:2777::/64 via 2a02:1808:0:2777:592f:377b:3cef:17fa dev wwan0 metric 1024
In fact, br-lan only has an address in the delegated mobile prefix 2a02:1808:0:2777::/64 and none in any of my home prefixes.

The VPN does not seem to be able to carry a PD prefix (even if I configure and advertise it from the home gateway over WireGuard to the mobile hotspot).

You need to allocate a prefix from your home to the hotspot router. Then add the necessary static routes to the home router so that it will go via the wg tunnel to reach it.
On the hotspot router you'll have to give higher preference to the prefix from the home, to have precedence over the prefix delegated from the mobile internet.

2 Likes

@trendy: exactly, that's a solution I also considered (but did not try yet). I had hoped delegation/advertisement propagation would work seamlessly plug&play via the GUI and without manual static intervention. Have a nice day.

1 Like

FWIW:
I have some trouble overriding the 'default route via mobile interface' wwan0, which happens to be SADR (source specific) and therefore is more specific than the 'default route via wireguard' vpn. The 2a02:a020:43:2e32::/64 prefix comes delegated from the mobile provider, and I want packets from br-lan (where the hotspot client devices are connected) to go out via the vpn client WireGuard interface with next-hop 2a02:1807:3820:a09::1, being my home router wg0 server WireGuard address.

I either try to delete the SADR route or to add a better one over the vpn, but I seem to run into a syntax issue. Perhaps a trivial mistake ... but I could not get it right:

ip: either "to" is duplicate, or "from" is garbage

root@offline-LTE:~# ip addr show br-lan | grep 2a02:a020:43:2e32
    inet6 2a02:a020:43:2e32::1/64 scope global noprefixroute 
root@offline-LTE:~# ip -6 route | grep ^default
default from 2a02:a020:43:2e32::/64 via 2a02:a020:43:2e32:410c:a6dc:95d6:9931 dev wwan0  metric 1024 
default dev vpn  metric 1024 
root@offline-LTE:~# ip -6 route del default from 2a02:a020:43:2e32::/64 via 2a02:a020:43:2e32:410c:a6dc:95d6:9931 dev wwan0
ip: either "to" is duplicate, or "from" is garbage
root@offline-LTE:~# ip -6 route add default from 2a02:a020:43:2e32::/64 via 2a02:1807:3820:a09::1 dev vpn metric 512
ip: either "to" is duplicate, or "from" is garbage
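Added example, not from the thread: a small Python model of how Linux chooses between the source-specific (`from`) default via wwan0 and the plain default via vpn shown in the output above, making explicit why br-lan traffic leaves over mobile and what a lower-metric `from` route over vpn would change. The quoted error is BusyBox's `ip` rejecting the `from` keyword; the full iproute2 (package `ip-full` on OpenWrt) parses source-specific routes. The table and addresses are constructed from the thread's output; the `/64` home-prefix route via vpn is implied by the `/64` tunnel address mentioned later and is an assumption here.

```python
import ipaddress

# Constructed routing table mirroring the hotspot's `ip -6 route` output in the
# thread: (destination, source prefix or None for a plain route, device, metric).
HOTSPOT_ROUTES = [
    ("::/0", "2a02:a020:43:2e32::/64", "wwan0", 1024),  # SADR default from mobile PD
    ("::/0", None, "vpn", 1024),                         # plain default over WireGuard
    ("2a02:1807:3820:a09::/64", None, "vpn", 1024),      # assumed: tunnel /64 via vpn
]

def select_route(src, dst, routes):
    """Return the device Linux would use for a packet src -> dst.

    Linux first takes the longest destination match. Among routes with that
    same destination, one whose `from` prefix covers the source beats a route
    with no `from`; only after that does the lower metric win.
    """
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    best_key, best_dev = None, None
    for to, frm, dev, metric in routes:
        to_net = ipaddress.IPv6Network(to)
        if dst not in to_net:
            continue
        src_len = -1                       # plain route: least specific on source
        if frm is not None:
            frm_net = ipaddress.IPv6Network(frm)
            if src not in frm_net:
                continue                   # `from` does not cover this source
            src_len = frm_net.prefixlen
        key = (to_net.prefixlen, src_len, -metric)
        if best_key is None or key > best_key:
            best_key, best_dev = key, dev
    return best_dev

def with_vpn_override(routes):
    """Table after the `ip -6 route add default from <PD> via <home> dev vpn metric 512`
    attempted in the thread (accepted by full iproute2, not by BusyBox ip)."""
    return routes + [("::/0", "2a02:a020:43:2e32::/64", "vpn", 512)]

if __name__ == "__main__":
    lan_client = "2a02:a020:43:2e32::1"   # br-lan address out of the mobile PD
    print(select_route(lan_client, "2001:db8::1", HOTSPOT_ROUTES))              # wwan0
    print(select_route(lan_client, "2a02:1807:3820:a09::1", HOTSPOT_ROUTES))   # vpn
    print(select_route(lan_client, "2001:db8::1", with_vpn_override(HOTSPOT_ROUTES)))  # vpn
```

The second lookup reproduces the "except for devices at home" observation: a longer destination match on vpn wins before the source-specific default is even considered.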

It would be just easier to ignore the wwan IPv6 prefix in the lan network.
Use the ip6class option in the lan interface, or there is an option to not delegate downstream the available prefixes from the wwan.

1 Like

@trendy: thanks for the kind follow-up. I do not have the setup available right now as I am packed to leave tomorrow. Note that I am good to go without (and even with) WireGuard. I am very much interested in diving deeper, though, on getting both v4 and v6 over the vpn for the hotspot clients. Without an address from the wwan IPv6 prefix the br-lan won't have an IPv6 address to begin with. But I have static /64 prefixes, and, as you suggested, I can try (and did try) to use them on the hotspot. In fact, the vpn interface in the hotspot has an address chosen to be 2a02:1807:3820:a09::200/64 (the home gateway peers with 2a02:1807:3820:a09::1/64), and I tried to assign 2a02:1807:3820:a09::20/64, or even another subnet 2a02:1807:3820:a0a::20/64, to the hotspot br-lan and add static routes on both OpenWRT WireGuard endpoints. But this time the home gateway could not ping addresses on the hotspot br-lan. I must spend some more time, as the masks are probably inconsistent. I'll keep you informed.

1 Like

Tunnel addresses do not need to be from the GUA that you have. But the lan interface of the hotspot router needs to be under the prefix the home router is delegated. You also need to allow the proper IPs in the tunnel. On the home router it needs to be the prefix you have in the hotspot lan and the WireGuard tunnel. On the hotspot router the allowed IPs are ::/0.

1 Like

@trendy: Thanks for the constructive hints. I will try to use FC00::/7 (or perhaps better: FD00::/8) 'private' addresses on the wg tunnel indeed. And next I'll try to static route a GUA static /64 prefix over the wg tunnel and turn off the mobile wwan delegation so as not to affect the hotspot lan. Since I am traveling I will for now not (yet) try this out (as I do not want to break a working setup and prefer not to spend time on it during vacation). Nevertheless it is somewhat of a pity that, in a client-server WireGuard setup, the server router cannot 'automatically' delegate a (sub)prefix to the client router over the tunnel for the client router to further split and advertise... Or can it? It would be a handy feature.

Update:
I use the wg tunnel both for directly VPN-connecting end-devices (phones, tablets, laptops) and for hotspot routers [which in their turn indirectly connect end-devices (phones, tablets, laptops)].

I guess I am perhaps asking for too much since:

  • using FD00::/8 'private' addresses on the wg tunnel does not work for directly connected end-devices (these addresses are not global)
  • turning off mobile wwan delegation does not work for indirectly connected end-devices (they will need static config as well)
  • static routing is hard to override as long as the SADR route delegated from wwan is present

It would help if I set up two tunnels, one for end-devices and one for hotspot routers.

But, to be honest, I do not really need a VPN v4+v6 to a hotspot router. One use would be to access a remote hotspot router from home, but being able to connect to it over v4 is sufficient then...