How to setup Wireguard with IPv6-PD?

There are several ways to do it. I am not saying that how I do it is the best way, but I used exactly the steps described by @vgaetera: Clients can't ping IPv6 addresses, but router can - #6 by vgaetera

So I just use ULA addresses for my WG (you already have that, fd00:9::0/64) and then use selective NAT66 for that subnet.

Then you need to take care of routing the ULA WG subnet out of the WAN. I found out the hard way that there is no general default route for IPv6, as the source is normally taken into account.
If you disable source routing you will get a general default route which also routes the ULA WG subnet.

This assumes IPv6 is otherwise already working on your server and the server has a GUA which serves as the endpoint.

But I am not the expert, so wait for the more knowledgeable users to chime in.

1 Like

The allowed_ips on the server should be of the form:
Client #1 allowed IP subnet: 2001:db8:0:1::/64
Client #2 allowed IP subnet: 2001:db8:0:2::/64
etc.
Then the client IP can be anything within its /64, though it would be simplest to just use 1:
Client #1 client IP: 2001:db8:0:1::1/64
Client #2 client IP: 2001:db8:0:2::1/64

On the server the wireguard interface has a /48 which includes all of these /64s.
Server wg interface IPv6: 2001:db8:0::/48

In all of these the 0 after db8 can be replaced with any 16 bit number (1-4 hex digits); of course use the same number on all these pseudo-GUA IPs associated with the wireguard interface. This may help in case any clients try to get smart and treat 2001:db8 as not a real IP.

1 Like

I've configured it as follows:

[screenshot]

[screenshot]

Am I missing something or is this correct? I can't seem to get my public IPv6 address still. Only my public IPv4 is shown.

You don't have to redact 2001:db8 IPs as those are a reserved block that can exist only inside your network. They will never be reachable from the Internet.

Now that the addressing is in place, make sure that wg0 forwards to wan6 and that IPv6 NAT is active. The simplest way to do that is to set masqv6 on the wan zone, but that will have the side effect that your LAN will also be NATed. It is a place to start for testing though. I'm not sure how to make it selective. Also srcfilter 0 must be set on the wg zone so that unexpected sources can be routed.

Ah man, my bad, I got them confused with GUAs and thought I had to use my LAN's IPv6 address. Sorry for the confusion, I'll change them up quickly.

@egc here pointed out about Selective NAT... would that resolve?

How do I do so? I can't seem to find any documentation about it. Currently, these are my firewall rules:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

I do selective NAT for my Wg server:
In /etc/config/firewall:

config nat 'nat6'
	option family 'ipv6'
	option proto 'all'
	option src 'wan'
	option src_ip 'fddb:b40f:f9bc:4ba5::0/64'
	option target 'MASQUERADE'

As source IP you use the /48 WG subnet from @mk24.

Disabling the source filter is the extra last option on wan6 (/etc/config/network):

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '60'
	option sourcefilter '0'

2 Likes
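An added worked example, not code from this thread or from OpenWrt: it carves per-client /64s out of the /48 server prefix the way @mk24 describes, renders the nat6 stanza @egc posted with src_ip set to that /48, and checks that the NAT rule actually covers every client /64 (a single /64 src_ip would leave the other clients un-NATed). The prefix, the client count and the choice to leave the first /64 unused are assumptions.

```python
import ipaddress

# Constructed value: the /48 assigned to the server's wg interface.
WG_PREFIX = "2001:db8::/48"


def plan_clients(prefix48, n):
    """Return [(allowed_ips for the peer on the server, client interface address)].
    Each client gets its own /64 out of the /48; the host part is ::1 in every
    case, which is fine because the /64 prefixes differ."""
    net48 = ipaddress.IPv6Network(prefix48)
    if net48.prefixlen != 48:
        raise ValueError("expected a /48 for the server wg interface")
    subnets = net48.subnets(new_prefix=64)
    next(subnets)  # assumption: skip the ...:0::/64 so clients start at ...:1::/64
    plan = []
    for _ in range(n):
        net = next(subnets)
        host = ipaddress.IPv6Interface(f"{net.network_address + 1}/64")
        plan.append((str(net), str(host)))
    return plan


def nat6_stanza(prefix48):
    """UCI 'config nat' section in the shape @egc posted, with src_ip covering
    the whole /48 so all client /64s are masqueraded out of wan."""
    return (
        "config nat 'nat6'\n"
        "\toption family 'ipv6'\n"
        "\toption proto 'all'\n"
        "\toption src 'wan'\n"
        f"\toption src_ip '{ipaddress.IPv6Network(prefix48)}'\n"
        "\toption target 'MASQUERADE'\n"
    )


def nat_covers_clients(src_ip, plan):
    """True only if every client /64 lies inside the NAT src_ip subnet."""
    nat = ipaddress.IPv6Network(src_ip)
    return all(ipaddress.IPv6Network(net).subnet_of(nat) for net, _ in plan)


if __name__ == "__main__":
    plan = plan_clients(WG_PREFIX, 2)
    for i, (allowed, addr) in enumerate(plan, 1):
        print(f"client {i}: allowed_ips={allowed}  address={addr}")
    print(nat6_stanza(WG_PREFIX))
    print("NAT /48 covers all clients:", nat_covers_clients(WG_PREFIX, plan))
    print("NAT /64 covers all clients:", nat_covers_clients("2001:db8:0:1::/64", plan))
```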

I was wrong, it's called sourcefilter. In the GUI it is the IPv6 Source Routing checkbox on the Advanced page; it is checked by default, uncheck it.

1 Like

Thanks a lot, @mk24 and @egc. Setting up the right addresses for the interface, configuring selective NAT and disabling the source filter seem to do the trick, and now I can get my public IPv6 working as normal. Can't thank everyone here who has helped me through this enough.

Just a small doubt regarding this

Is there any reason to have 1 at the very end? I assumed you would just increment that, for example 2001:db8::1, 2001:db8::2 and so on... Is there a much shorter version of the IPv6 addressing to make things a bit easier to manage?

Each client has a different 64 bit prefix, so the last 64 bits can be the same.
The double colon notation is a short version to specify IPv6 addresses. The complete address would be
2001:db8:0:1::1 = 2001:db8:0:1:0:0:0:1 or even 2001:0db8:0000:0001:0000:0000:0000:0001

1 Like

So for the sake of simplicity, can I change these parts accordingly without breaking my IPv6 addressing?

2001:db8::1/64
2001:db8::2/64

and

Setting this to

2001:db8::1/64
2001:db8::2/64

No, I do not think so, see the explanation of @mk24 above.
When @mk24 speaks, we the lesser gods listen.

1 Like

Thanks, I'll stick with what @mk24 provided. Should be smooth sailing from here on out...!

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.