- An automatic link-local IPv6 address won't and can't be placed on a new Wireguard interface, as is the default for other types of interfaces. It is necessary to manually enter an IP into the config file.
- In an IPv6-only environment, it would be possible to have a nearly self-configuring Wireguard hub-and-spoke VPN by using DHCPv6 to push IPs to the clients. Unlike DHCPv4, RA / DHCPv6 is all layer 3 and works over Wireguard as long as both sides have a link-local IP to start with (see above). The development that is necessary is a script on the server that would be triggered by an odhcpd lease issuance to load the client's address (and prefix, if assigned) into the kernel Wireguard allowed_ips for that client.
odhcpd does support a lease_trigger script, but it doesn't pass any information about the new lease to that script in the environment. The auto-allowed_ip script would need to collect data about the lease by other means. This doesn't look very simple, so perhaps extending odhcpd to publish the new lease details in a way that such an autoconfigure script could consume would be the way to go. This could also lead to automatic firewall rules, automatic SQM, etc.
An interesting wrinkle to point 1 is that in order to be useful, each client's link-local IP must be known to the server and loaded as an allowed_ip before the client even begins to connect. It would make sense to derive these IPs from the client's public key, since in a "near zero configuration" setup that is the only thing the server should need to know about a client.
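As an added example (not code from the post, from WireGuard or from odhcpd), the following sketches the two pieces the post describes: a deterministic mapping from a peer's public key to a fe80::/64 link-local address, so the hub can pre-load it as an allowed IP before the peer ever connects, and a builder for the `wg set ... allowed-ips` invocation that would merge that link-local /128 with whatever address or prefix a DHCPv6 lease later assigns. The hash-based derivation is a convention chosen for this example, the lease inputs are plain constructed strings (odhcpd's lease format is not assumed), and the `wg` command is returned as an argv list rather than executed.

```python
import base64
import hashlib
import ipaddress

# Assumed convention for this example: the 64-bit interface identifier is the
# first 8 bytes of SHA-256 over the raw 32-byte Curve25519 public key, with the
# universal/local bit cleared to mark it as locally administered (RFC 4291).
# Any hub and spoke that agree on this rule compute the same address without
# exchanging anything beyond the public key.
LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6


def link_local_from_pubkey(pubkey_b64: str) -> ipaddress.IPv6Address:
    """Derive a fe80::/64 address from a base64 WireGuard public key."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are 32 raw bytes")
    iid = bytearray(hashlib.sha256(raw).digest()[:8])
    iid[0] &= 0xFD  # clear the u/l bit: this IID is not derived from a MAC
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + bytes(iid))


def allowed_ips_for_peer(pubkey_b64: str, leased=()):
    """Allowed-ips set for one peer: its derived link-local /128 plus any
    addresses (as /128) or delegated prefixes a DHCPv6 lease handed it.

    `leased` holds constructed strings such as "2001:db8::10" or
    "2001:db8:1::/64"; only IPv6 entries are accepted.
    """
    nets = {ipaddress.IPv6Network((link_local_from_pubkey(pubkey_b64), 128))}
    for item in leased:
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 6:
            raise ValueError(f"IPv6-only design, refusing {item}")
        nets.add(net)
    return sorted(nets)


def wg_set_command(ifname: str, pubkey_b64: str, leased=()):
    """Build the `wg set <if> peer <key> allowed-ips <list>` argv that a lease
    trigger would run on the hub. Returned, not executed, so it can be
    inspected or logged before touching the kernel."""
    allowed = ",".join(str(n) for n in allowed_ips_for_peer(pubkey_b64, leased))
    return ["wg", "set", ifname, "peer", pubkey_b64, "allowed-ips", allowed]


if __name__ == "__main__":
    # Constructed key (bytes 0..31), not a real peer.
    demo_key = base64.b64encode(bytes(range(32))).decode()
    print("link-local:", link_local_from_pubkey(demo_key))
    print(" ".join(wg_set_command("wg0", demo_key, ["2001:db8::10", "2001:db8:1::/64"])))
```

Because the link-local address is a pure function of the public key, the hub can compute and load it the moment a peer's key is added; the lease-triggered step only ever widens the allowed-ips list, and re-running the builder after each lease is idempotent.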