How can I assign an IPv6 /64 to Wireguard clients?

Hi, everyone. It is my third day using OpenWRT so far and it is a great system, everything is working well for me except for IPv6 over Wireguard unfortunately. Here is my scenario: I have a WireGuard server located on a VPS server near me, the VPS server has an IPv4 address, as well as a /64 subnet of IPv6 addresses. When I connect my router (Wireguard client) to the WireGuard server and do tests using my computer which is connected to the router with ethernet, my IPv4 goes through the tunnel, however all IPv6 requests fail. But if I ssh into the router I can ping and traceroute IPv6 addresses and it works. I am wondering what I have to do/what configs I have to set up in order for IPv6 addresses to be handed out to the devices (my computer, phone) so that they all can use the IPv6.

Here is my WireGuard Server config:

[Interface]
Address = 10.5.1.1/24
Address = fd06:ea01:1111:1::1/48
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 5454
PrivateKey = [My Server's Private Key]

[Peer]
PublicKey = [My Router's Public Key]
AllowedIPs = 10.5.1.10/32, fd06:ea01:1111:2::1/128

Below is a screenshot of my Wireguard config on the router

I have been struggling with this for around the past 24 hours and I would greatly appreciate anyone more experienced than me who could point me in the right direction, thanks!

@User1426, welcome to the community!

First, you'll need to be issued a network larger than /64.


WireGuard relies on routing, which means you must use a distinct subnet (both IPv4 and IPv6) for the WireGuard virtual IP range. If your VPS only gets a single /64 (which is the common scenario), you're missing the opportunity to use a second subnet for the routing (think of it like a normal WAN/LAN scenario, where you need distinct subnets on WAN and LAN as well, even if that means 'wasting' a full /64 just for the WAN address).

Though it is not entirely clear, it sounds like hosts connected to the router are being routed through the WG tunnel over IPv4 but not IPv6 - is that correct?

If so, it would imply that an IPv4 route is in place but the same is not true for IPv6 (or some firewall issue). Perhaps check

ip -4 r | grep default and ip -6 r | grep default.
That is not required since the WG iface by design does not get a publicly routable IP, either IPv4 or IPv6. Any IP (4 | 6) address on a WG iface is from the private/local IP range (ULA for IPv6).
It does not require a secondary subnet on the publicly routable IPv6 prefix delegated from the ISP. WG ifaces live in the private/local address space (ULA for IPv6) and routing is done by the kernel via its routing table(s).
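The two routing points made in the replies (the tunnel range must be its own private/ULA subnet, and each peer's AllowedIPs entry must fall inside that subnet for the kernel to route it over wg0) can be checked mechanically against a wg-quick style config. This is an added example, not code from the thread or from WireGuard; it parses a constructed copy of the server config posted above (keys redacted as in the post) and reports anything that violates those two points.

```python
import ipaddress

# Constructed copy of the server config from the original post (keys redacted as posted).
SERVER_CONF = """
[Interface]
Address = 10.5.1.1/24
Address = fd06:ea01:1111:1::1/48
ListenPort = 5454
PrivateKey = [My Server's Private Key]

[Peer]
PublicKey = [My Router's Public Key]
AllowedIPs = 10.5.1.10/32, fd06:ea01:1111:2::1/128
"""


def parse_wg_conf(text):
    """Return (interface networks, per-peer AllowedIPs lists) from a wg-quick style config."""
    section, iface_nets, peers = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])  # a new [Peer] block starts a new AllowedIPs list
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            iface_nets.extend(ipaddress.ip_interface(v.strip()).network for v in value.split(","))
        elif section == "peer" and key == "allowedips":
            peers[-1].extend(ipaddress.ip_network(v.strip(), strict=False) for v in value.split(","))
    return iface_nets, peers


def check_routing(text):
    """Return a list of findings; an empty list means both routing points hold."""
    iface_nets, peers = parse_wg_conf(text)
    findings = []
    for net in iface_nets:
        # WG interfaces should carry private (RFC 1918) or ULA (fc00::/7) addresses, not public ones.
        if not net.is_private:
            findings.append(f"{net} is not a private/ULA range on the WG interface")
    for idx, allowed in enumerate(peers):
        for entry in allowed:
            # The kernel only routes AllowedIPs via wg0 if they sit inside the tunnel subnet.
            if not any(entry.subnet_of(n) for n in iface_nets if n.version == entry.version):
                findings.append(f"peer {idx}: {entry} is outside every tunnel subnet of its family")
    return findings
```

Running check_routing(SERVER_CONF) yields no findings for the posted config, which points the diagnosis at the route table or firewall on the router rather than at the server-side subnet layout.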