How to set up WireGuard with IPv6-PD?

There are many threads about WireGuard not working out of the box with IPv6, with many answers for different network environments, but I'm not sure which to follow...

Currently, my network environment for my wan6 interface is as follows:
IPv6: 2001:8f8:XXXX:XXXX::1/128
IPv6-PD: 2001:8f8:1825:a00d::/64

My WireGuard wg0 interface:
IPv4: 192.168.9.1/24
IPv6: fd00:9::1/64

I can only get IPv4 working, not IPv6. What could resolve this issue?

Just set ip6hint on the WireGuard interface?
But a peer on that interface is still unable to get its address with SLAAC, isn't it?

What is your question/issue?

PS: if you only get a single /64 then you cannot use PD to number your interfaces.


I want my clients going through the wg0 tunnel to have IPv6 access. When I load whatismyip, only my IPv4 address is shown and IPv6 doesn't resolve.

Also, I'm not sure about the single /64 issue...? How do I check that? I assume that's provided in my wan6 interface's PD field? Would this problem prevent me from having IPv6 access through the wg0 tunnel?

You cannot use PD if you only have a PD of /64, so use ULA addresses, e.g. fd00:9::1/64.
If you only want WG clients connecting to your server you should be good, but if you want internet access (WG client -> WG server -> internet) then you have to enable NAT66 to NAT the ULA address out via WAN6.


Would configuring NAT66 to NAT my ULA address out via WAN6 break any connectivity or pose any issue? I'm pretty much a newbie when it comes to tinkering, so I wanted an opinion as to whether it's safe to do so.

I am not the leading authority on IPv6 but I have seen this done on occasion.

Would this guide help?

In the guide, it's mentioned:

  • Avoid using NAT66 and better use relay mode if you are provided with a /64 prefix.

Should I just ignore this warning and proceed with the guide? And later on, which should I use here: Prefer IPv6 by default or announce IPv6 default route?

Prefer IPv6 by default or announce IPv6 default route if necessary.

For WireGuard you can do selective NAT.

Relay mode can be used for your LAN clients to use IPv6 if you only have a /64 PD.
(Question for the experts: does relay mode use NPT?)

But as said, I am not an expert on IPv6.


Do I need to configure IPv6 NAT?

If not, just another doubt: what should I set my src_ip as?

uci set firewall.nat6.src_ip="fd00:2::/64"

The source IP of the WG subnet i.e.:
fd00:9::0/64

Note I use the 0, which can also be omitted, e.g.:
fd00:9::/64


I've configured selective NAT; is there anything else I should configure?

I can't seem to get my IPv6 Address yet.

You also have to set up the WG server and the WG client with not only an IPv4 address but also the IPv6 ULA addresses (and set those in the Allowed IPs exactly the same as for IPv4).
IPv4 /24 translates to IPv6 /64, /32 translates to /128, and 0.0.0.0/0 translates to ::0/0.

You have to look it up; there should be plenty of examples. I do not have one handy at the moment.

I assume I've already implemented the ULA addresses, on the client side at least?

image

This is my server-side config.

On the client side you can use as address: fd00:9::2/64
Also consider setting PersistentKeepAlive = 25

On the server side the addresses look OK; in the peer config add the allowed IP:
fd00:9::2/128

But again, I am no expert, so no guarantee.


Configuring those didn't seem to help with the issue... could there be something else in play? Just to exhaust all possibilities, this is how I've set up my WireGuard port forward in Traffic Rules.

Also, searching for the term selective NAT seems to pull up this thread.

Should I set up the Announce IPv6 default route and Disable the IPv6 source filter?

NAT66 breaks end-to-end connectivity in the same ways as NAT44, but if your global IPv6 prefix isn't large enough then you may not have any choice.

Also there is a problem with ULAs since it's common for IPv6 hosts to prefer IPv4 over ULAs, which means you might only use IPv6 if the host name you are connecting to is IPv6-only. BTW they are working on an update to RFC 6724 to correct this: https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6724-update/06/.

I hope you don't plan to use a non-random ULA; that's not recommended. The whole point of ULA is to give you a unique /48 prefix, which requires a random prefix; otherwise people could have continued using site-local addresses instead.

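Why a ULA-only host ends up talking IPv4 to a dual-stack site: the RFC 6724 default policy table gives fc00::/7 label 13, so a ULA source never shares a label with a GUA destination, and destination Rule 5 (prefer matching label) then ranks the IPv4 destination ahead of the IPv6 one. The Python below is an added illustration, not part of this thread; it encodes the RFC 6724 section 2.1 policy table and a cut-down version of the selection rules (same address family, Rule 5 label match, Rule 6 precedence, input order for ties), which is enough to reproduce the effect described above and to show it disappear once the host has a GUA source. Source selection is simplified to label match plus longest common prefix, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import List, Optional, Tuple

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4, represented as IPv4-mapped IPv6
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),        # ULA: low precedence and a label nothing else shares
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
_POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


def as_v6(addr: str) -> ipaddress.IPv6Address:
    """RFC 6724 compares IPv4 addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def policy(ip: ipaddress.IPv6Address) -> Tuple[int, int]:
    """Longest-prefix match in the policy table -> (precedence, label)."""
    _, prec, lab = max((n.prefixlen, prec, lab) for n, prec, lab in _POLICY if ip in n)
    return prec, lab


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def pick_source(dst: ipaddress.IPv6Address,
                sources: List[ipaddress.IPv6Address]) -> Optional[ipaddress.IPv6Address]:
    """Cut-down RFC 6724 section 5 source selection: same family as the destination
    (mapped IPv4 vs native IPv6), then Rule 6 (prefer matching label), then Rule 8
    (longest matching prefix). None means the destination is unreachable from this host."""
    cands = [s for s in sources if (s.ipv4_mapped is None) == (dst.ipv4_mapped is None)]
    if not cands:
        return None
    dst_label = policy(dst)[1]
    return max(cands, key=lambda s: (policy(s)[1] == dst_label, common_prefix_len(s, dst)))


def order_destinations(destinations: List[str], sources: List[str]) -> List[Tuple[str, str]]:
    """Cut-down RFC 6724 section 6 destination ordering: drop destinations with no usable
    source (Rule 1), prefer a destination whose label matches its chosen source (Rule 5),
    then higher precedence (Rule 6); the stable sort keeps ties in input order (Rule 10).
    Returns (destination, chosen source) pairs, most preferred first."""
    srcs = [as_v6(s) for s in sources]
    rows = []
    for d in destinations:
        dst = as_v6(d)
        src = pick_source(dst, srcs)
        if src is None:
            continue
        prec, lab = policy(dst)
        rows.append((policy(src)[1] == lab, prec, d, src))
    rows.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(d, str(src.ipv4_mapped or src)) for _, _, d, src in rows]


if __name__ == "__main__":
    # Constructed example: a dual-stack site on documentation addresses, reached first from
    # the thread's ULA-only tunnel client and then from a client that also has a GUA.
    site = ["2001:db8::1", "203.0.113.10"]
    print(order_destinations(site, ["fd00:9::2", "192.168.9.2"]))
    print(order_destinations(site, ["2001:db8:1::2", "192.168.9.2"]))
```

With only fd00:9::2 as an IPv6 source the IPv4 destination sorts first, so a dual-stack site like whatismyip is reached over IPv4; give the same host a GUA source and the IPv6 destination wins. An IPv6-only destination is still reached over the ULA, which is the "only if the host is IPv6-only" behaviour described above.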

I assume, then, that it's not possible with my current network environment to have IPv6 through the WireGuard tunnel?

Don't use ULAs; as @mikma said, most endpoint OSes don't consider a ULA valid to originate a connection to a GUA on the v6 Internet.

To NAT you need to issue the LAN clients local IPs which look like GUAs but are never going to actually exist on the Internet, as trying to reach a site that has a public IP in the same subnet as your LAN IP will not route properly.

There is no officially reserved block of GUAs for this purpose. I have used the "documentation" block this way: 2001:db8:<16 random bits>::/48.

From this /48 statically assign one /64 to each road warrior client, e.g. 2001:db8:<same 16 random bits>:<16 bit client serial number 0001, 0002 etc>::/64. Install this as an allowed_ip for each client. route_allowed_ips is not needed on the server since you're routing the entire /48 to the overall WireGuard interface. WireGuard will internally use the allowed_ip to send packets into the proper tunnel for each client.

Also allocate an LLA for each client (fe80::) and make it a /128 allowed_ip. The overall interface can be fe80::0/64.

Giving each client a full /64 allows them to randomly SLAAC their last 64 as most OS want to do for privacy. Of course in this case you're going to NAT everything out to one IP anyway.

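The /48 scheme above, worked through as an added Python example (not code from this thread or from WireGuard): it derives each client's /64, IPv4 /32 and link-local /128 from a 16-bit serial, gives the server its own addresses on the interface, and then checks the two things that silently break such a setup: AllowedIPs that overlap between peers (WireGuard's cryptokey routing assigns each prefix to exactly one peer and moves an overlapping one to whichever peer was configured last), and a client prefix that falls outside the /48 and fe80::/64 that are routed to wg0. Deriving the IPv4 host and the fe80:: host part from the serial, starting serials at 1 so the server keeps subnet 0 and fe80::, and using 2001:db8:abcd::/48 as the base are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Tuple


def server_addresses(base48: str, v4_subnet: str) -> List[str]:
    """Addresses on the server's wg0 itself: .1 of the IPv4 /24, ::1 of the whole /48
    (so the /48 is on-link and no per-peer routes are needed) and fe80::/64."""
    base = ipaddress.IPv6Network(base48)
    v4 = ipaddress.IPv4Network(v4_subnet)
    return [f"{v4.network_address + 1}/24", f"{base.network_address + 1}/48", "fe80::/64"]


def client_plan(base48: str, v4_subnet: str, serials: List[int]) -> Dict[int, List[str]]:
    """AllowedIPs for each road-warrior peer: one /32 in the tunnel's IPv4 /24, one /64
    carved from the /48 by serial, and one link-local /128 (fe80::<serial>).
    Serials run 1..253 so the IPv4 host part stays inside .2-.254 (assumption of this example)."""
    base = ipaddress.IPv6Network(base48)
    v4 = ipaddress.IPv4Network(v4_subnet)
    if base.prefixlen != 48 or v4.prefixlen != 24:
        raise ValueError("expected a /48 IPv6 block and a /24 IPv4 subnet")
    plan: Dict[int, List[str]] = {}
    for n in serials:
        if not 1 <= n <= 253:
            raise ValueError(f"client serial {n} out of range 1..253")
        v6 = ipaddress.IPv6Network((int(base.network_address) | (n << 64), 64))
        v4_host = v4.network_address + 1 + n          # .1 is the server
        lla = ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | n)
        plan[n] = [f"{v4_host}/32", str(v6), f"{lla}/128"]
    return plan


def allowed_ip_conflicts(plan: Dict[object, List[str]]) -> List[Tuple[object, object, str, str]]:
    """Every pair of AllowedIPs entries from different peers that overlap. WireGuard keeps
    one owner per prefix, so a conflict means one peer quietly loses its route."""
    items = [(peer, ipaddress.ip_network(a)) for peer, nets in plan.items() for a in nets]
    conflicts = []
    for i, (p1, n1) in enumerate(items):
        for p2, n2 in items[i + 1:]:
            if p1 != p2 and n1.version == n2.version and n1.overlaps(n2):
                conflicts.append((p1, p2, str(n1), str(n2)))
    return conflicts


def outside_routed_blocks(plan: Dict[object, List[str]], base48: str) -> List[str]:
    """IPv6 AllowedIPs entries that are neither inside the /48 nor link-local: traffic for
    them would not be routed to wg0 by the interface's own prefix routes."""
    base = ipaddress.IPv6Network(base48)
    lla = ipaddress.IPv6Network("fe80::/64")
    bad = []
    for nets in plan.values():
        for a in nets:
            n = ipaddress.ip_network(a)
            if n.version == 6 and not (n.subnet_of(base) or n.subnet_of(lla)):
                bad.append(a)
    return bad


if __name__ == "__main__":
    BASE, V4 = "2001:db8:abcd::/48", "192.168.9.0/24"   # constructed example values
    print("server:", server_addresses(BASE, V4))
    plan = client_plan(BASE, V4, [1, 2, 250])
    for serial, allowed in plan.items():
        print(f"peer {serial:04x}: AllowedIPs = {', '.join(allowed)}")
    print("conflicts:", allowed_ip_conflicts(plan))
    print("outside /48 or fe80::/64:", outside_routed_blocks(plan, BASE))
```

Each peer's AllowedIPs list goes verbatim into that peer's section on the server; on the client, Address is an address inside its /64 plus its IPv4 /32, and AllowedIPs is 0.0.0.0/0, ::/0. The overlap check is worth running every time a peer is added, because WireGuard does not warn when a new peer takes a prefix away from an old one.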

Is there a guide on OpenWrt showing exactly which fields I should look for in my interfaces? I feel a bit lost with ULAs and GUAs...

I still seem to be confused and not sure how to proceed... Any assistance will be appreciated, but if I read this right, in step-wise order:

  1. Assign a documentation block for GUAs (Global Unicast Addresses), for example, 2001:db8:<16 random bits>::/48.
  2. Statically assign one /64 to each road warrior client, e.g., 2001:db8:<same 16 random bits>:<16-bit client serial number 0001, 0002, etc>::/64. Install this as an allowed_ip for each client.
  3. Allocate a Link-Local Address (LLA) for each client in the fe80:: range and make it a /128 allowed_ip. The overall interface can be fe80::0/64.
  4. WireGuard will internally use the allowed_ip to route packets into the proper tunnel for each client.
  5. Ensure that your WireGuard server has routing set up to handle the entire /48 block.
  6. NAT the LAN clients' local IPs to look like GUAs, but these should never actually exist on the Internet. Use private address space for this purpose.
  7. Make sure your server and clients are configured to use IPv6 DNS servers.

I've also disabled ULA for my LAN interface...

EDIT: Working on the wg0 interface, it's currently set up like this when following steps 1 to 3. (Note: I've just blocked out the digits as they reveal my location, but it's taken from the LAN IPv6 address.)

image

My WireGuard client configuration:

image

Are all of these correct? What should I do next or where have I gone wrong?