I have got a /48 ipv6 block, is it possible to use public routable ipv6 in my vpn and sub level? like a v6 broker

youxiaojie · June 17, 2020, 4:42am

quiestion1:The ipv4 is easy to deal with nat, but I hope to assign public routable ipv6 in my vpn, and sub level clients (pc). is it feasible? using forward instead of nat in ipv6?

   +-------+                                +----------+          +--------+
   |       |                                |          |          | 2001:1:2:2:x:x:x:x/64 slaac
   |       |                                |          +----------+        |
   |       |                                |          |          |        |
   |       |                                |          |          +--------+
   |public |                                | openwrt  +
   |server |                              2001:1:2:2::1/64
 2001:1:2::/48                              |  radvd   +
   |       |                                |          |          +--------+
   |       |     wireguard                  |          |          |        |
   |       |                                |          +----------+ 2001:1:2:2:x:x:x:x/64 slaac
   |       +--------------------------------+          |          |        |
   +-------+                                +----------+          +--------+
         2001:1:2:1::1/127            2001:1:2:1::/127
in my view here 2 ipv6 can use fdxx in-site address,am I right?

question2: I roam my openwrt to a new place , but the server side's endpoint does not change automatically, why? I did not write down endpoint in server side's configure file.
server side:

interface: wghub
  public key: xxxxc=
  private key: (hidden)
  listening port: 41089

peer: xxxxE=
  preshared key: (hidden)
  endpoint: 60.247.127.220:2185 /* this part is autoadded by system when "wg show". not write in conf file and not change when roam*/
  allowed ips: 10.8.3.10/32, 2001:x:x::10/128, 2001:x:x:x:1::/80
  latest handshake: 7 hours, 55 minutes, 27 seconds ago
  transfer: 2.84 MiB received, 6.32 MiB sent

here I use /80 because the server has /64 block, and I hope to try dhcpv6 with /80 prefix.

Mushoz · June 17, 2020, 5:18am

Yes, it is the desired way to configure it.

Use /64 subnets in all of your networks. While you technically can use /80, the ipv6 spec dictates that networks should be at least /64. If you don't, some features of ipv6 will simply break, such as SLAAC among others. Since you have a nice /48 prefix, you should have plenty of blocks to give each subnet a dedicated /64.

youxiaojie · June 17, 2020, 8:48am

I roam my openwrt to a new place , but the server side's endpoint does not change automatically, why? I did not write down endpoint in server side's configure file.
do you know why?
this is the key of second question.

Mushoz · June 17, 2020, 9:11am

Make sure both ends of the tunnel DON'T have the SaveConfig option set. In the server's config leave the endpoint empty, but fill in a listen port (as you did), and in the client's config set the IP of the server as the endpoint, and leave the listen port empty. Roaming should work automatically.

youxiaojie · June 17, 2020, 9:21am

how and where to set SAVECONFIG? I use wg-quick up ./server.conf to up the interface.

Mushoz · June 17, 2020, 9:24am

If you don't have it added anywhere, it is disabled by default, so that's good. In the picture in your first post, is the "server" part roaming or the "openwrt" part?

youxiaojie · June 17, 2020, 11:22am

the server is public fixed ip, openwrt roam from different network.

Mushoz · June 17, 2020, 12:55pm

Can you share your /etc/config/network file? Make sure you first remove any sensitive data from the output before sharing, such as private keys, passwords, etc