Hello Community,
I set up a WireGuard server some months ago and it is working fine as long as the clients connect via IPv4. The problem is quite obvious: my WG0 interface on my OpenWRT WireGuard server has no IPv6 address.
WireGuard doesn't support dynamic addresses inside the tunnel.
If you have a static prefix, then just split a /64 and delegate it to the VPN.
Otherwise, you can utilize a ULA prefix with NAT6, or set up a tunnel broker and use its static prefix.
Then ULA (private) addresses will do just fine.
However, I noticed that you allow and route 0.0.0.0/0 and ::/0 to the client. Is that correct? Are you accessing the internet from your client?
If the client needs to access the internet via the OpenWrt wireguard server, then you got it wrong here.
The way you have it is that all traffic from OpenWrt will be routed via the Wireguard client.
This might not actually happen if you have assigned proper metrics, but still it is wrong.
To force the client to use the internet from OpenWrt, the 0/0 and ::/0 must be added in the config of the client.
Given that you do need to hardcode the IPv6 addresses in your client configuration, you're in sort of a pickle with dynamic IPv6 prefixes… One option would be to use a Hurricane Electric tunnel just for this purpose, to get a static prefix for VPN uses (only).
I don't think it really requires support in the WireGuard protocol. I tried using DHCPv6 between two OpenWrt devices and it did assign IPv6 addresses. The only thing that's missing is updating WireGuard's AllowedIPs with the assigned addresses (or prefixes). (Obviously it's a bit harder to implement it on a device that doesn't allow you to run code as root, i.e. Android etc.)
So I'm confused now. The problem is that my ISP is giving me an IPv6-PD /56 which changes. OpenWRT already shares these addresses with my local network with a /64 prefix. So my clients are getting the right addresses for having fun on the internet, right?
The thing is now that this IPv6-PD which I'm getting from the Telekom is constantly changing and WireGuard does not support this.
I do have a ULA prefix preconfigured in OpenWRT which has "fdb0:1474:eef6::/48" and my local clients are also getting addresses in this network.
Now if I understand that right I have to assign my WG server an address from this ULA prefix like
fdb0:1474:eef6:1234:1::/48
and the peers will go with fdb0:1474:eef6:1234:2::/48 and so on. So OpenWRT would do the routing because it "knows" about the changing /56 thing from the Telekom and the ULA addresses. But then there is NAT6, which I haven't understood what it is for in this scenario.
Wow thanks a lot for this! I will try to understand it fully before just copy pasting it.
One thing is not very clear to me, so please forgive my question:
The address
fdb0:1474:eef6:1234:2::/64
is due to the /64 prefix a legit "subnet" as well as
fdb0:1474:eef6:1234:1AAA:AAAA::/64
right? I'm not 100% sure if I understood this right in this whole IPv6 thing. Is in this case every IPv6 address beyond fdb0:1474:eef6:1234:.... a legitimate one because it comes with that prefix?
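As an added example that is not part of the thread: a small Python script that checks the two candidates above against the /48 with the standard `ipaddress` module (are they subnet boundaries, and which /64 do they really fall into?) and plans one /64 out of the ULA /48 for the tunnel with a /128 AllowedIPs entry per peer. The function names and the 0x1234 subnet id are my own choices.

```python
import ipaddress

# Values from the thread, used as constructed sample input: the router's ULA
# prefix and the two candidate "subnets" the post asks about.
ULA_PREFIX = ipaddress.IPv6Network("fdb0:1474:eef6::/48")


def is_subnet_boundary(cidr: str) -> bool:
    """True only if all bits beyond the prefix length are zero, i.e. the
    CIDR names a subnet rather than a host address written with a mask."""
    try:
        ipaddress.IPv6Network(cidr, strict=True)
        return True
    except ValueError:
        return False


def containing_subnet(cidr: str) -> str:
    """The subnet a CIDR really falls into once its host bits are masked off."""
    return str(ipaddress.IPv6Network(cidr, strict=False))


def plan_tunnel(ula: ipaddress.IPv6Network, subnet_id: int, peers: int) -> dict:
    """Carve one /64 out of the ULA prefix for the WireGuard tunnel (subnet_id
    fills the bits between the ULA prefix and bit 64), give the server ::1 and
    each peer one host address.  A peer's AllowedIPs is its single /128:
    AllowedIPs is WireGuard's cryptokey routing ACL, so a shared /64 there
    would let peers claim each other's traffic."""
    if ula.prefixlen > 64 or subnet_id >= 1 << (64 - ula.prefixlen):
        raise ValueError("subnet_id does not fit inside the ULA prefix")
    tunnel = ipaddress.IPv6Network((int(ula.network_address) | (subnet_id << 64), 64))
    assert tunnel.subnet_of(ula)  # sanity check: still inside the ULA /48
    return {
        "tunnel": str(tunnel),
        "server": str(tunnel[1]),
        "peers": [(str(tunnel[i]), f"{tunnel[i]}/128") for i in range(2, 2 + peers)],
    }


if __name__ == "__main__":
    for cand in ("fdb0:1474:eef6:1234:2::/64", "fdb0:1474:eef6:1234:1AAA:AAAA::/64"):
        print(cand, "is a subnet boundary:", is_subnet_boundary(cand),
              "-> lies in", containing_subnet(cand))
    print(plan_tunnel(ULA_PREFIX, 0x1234, 2))
```

Both candidates mask to the same fdb0:1474:eef6:1234::/64, so they are two host addresses in one subnet, not two subnets.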
After that I edited the WG interface: under advanced settings I set IPv6 assignment length to 64 and IPv6 prefix filter to wan6. After that I restarted the DHCP service and now I can see that the WG interface has got an IPv6 address. Linux clients are now using the IPv6 address by default. This is working for me now. My ISP is the Deutsche Telekom.