IPv6 address not being configured on WireGuard (wg0) interface

brianjmurrell · October 31, 2025, 7:54pm

I feel pretty sure that this was working at one time but now, on 24.10.4 my Wireguard (wg0) interface is no longer getting it’s IPv6 address configured. Here’s what the interface’s addresses look like:

# ip addr ls dev wg0
181: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1200 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.14.0.1/24 brd 10.14.0.255 scope global wg0
       valid_lft forever preferred_lft forever

Relevant /etc/config/network lines:

…
config globals 'globals'
        option ula_prefix 'fd31:aeb1:48df::/48'
…
config interface 'wg0'
        option proto 'wireguard'
        option disabled '0'
        option auto '1'
        option private_key '[redacted]'
        list addresses '10.14.0.1/24'
        list addresses 'fd31:aeb1:48df:2::1/64'
        option listen_port '443'
        option mtu '1200'
        option ip6assign '64'
        option ip6hint '2'
        option ip6ifaceid '1'

Everything after the mtu '1200' I have added just today in trying to debug why the fd31:aeb1:48df:2::1/64 address is not be added when the interface is brought up. I didn't used to have those additional options (not that they seem to be helping now) and I do believe I was getting an IPv6 address on wg0 in the past.

Am I missing something obvious?

lleachii · October 31, 2025, 8:07pm

They don't do anything.

What about this?

Also this - it doesn't do anything either:

The lowest MTU an interface with an IPv6 address can have is 1280.

egc · November 1, 2025, 10:19am

You should use an IPv6 address which is different from your global ULA address, infact I would delete the Global ULA address if you have a GUA address.

WireGuard is a routed protocol which needs three different subnets, so the subnet of "server", "client" and WG subnet need to be different

My notes about setting up a WG server:
WireGuard Server Setup Guide

brianjmurrell · November 3, 2025, 6:12pm

The lowest MTU an interface with an IPv6 address can have is 1280.

Winner winner, chicken dinner! Fixing this to 1280 has made it plumb the IPv6 addresses. Now I just hope 1280 will work. I was reducing it because packets were getting dropped on a path to somewhere.

Thanks for the hint!

_bernd · November 3, 2025, 7:03pm

Do you have a "proper" Linux distro on hand? Check out tracepath which prints you the path mtu discovery.

brianjmurrell · November 4, 2025, 4:43pm

I do not own the address space my GUA is in. The owner (i.e. upstream) of it could revoke (or even just change it) at any time leaving me with an address numbering/name resolution nightmare until I can deal with it

My deciding what my ULA is provides a stable address space which I can count on.

With subnets inside the ULA address space, they are different. That is how routing works. Lesser specific routes act as paths/gateways to more specific paths. So my WG server, with a less specific route of fd31:aeb1:48df::/48 is the path to the more specific network fd31:aeb1:48df:2::1/64 and any other number of subnets I create inside of my /48 ULA. I.e. it could be one for each wireguard remote network I connect to.

The whole point of a /48 for the ULA is to be able to create subnets of it.

And I can confirm that this works just fine:

$ ip -6 addr ls bond0
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fd31:aeb1:48df:0:12ff:bda9:3582:4de0/64 scope global dynamic noprefixroute 
       valid_lft 5346sec preferred_lft 2646sec
    inet6 [redacted GLA]/64 scope global dynamic noprefixroute 
       valid_lft 5103sec preferred_lft 2403sec
    inet6 fe80::486e:8cc2:fec:544e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
$ ping -c 5 fd31:aeb1:48df:2::5
PING fd31:aeb1:48df:2::5 (fd31:aeb1:48df:2::5) 56 data bytes
64 bytes from fd31:aeb1:48df:2::5: icmp_seq=1 ttl=63 time=27.7 ms
64 bytes from fd31:aeb1:48df:2::5: icmp_seq=2 ttl=63 time=25.7 ms
64 bytes from fd31:aeb1:48df:2::5: icmp_seq=3 ttl=63 time=25.0 ms
64 bytes from fd31:aeb1:48df:2::5: icmp_seq=4 ttl=63 time=26.4 ms
64 bytes from fd31:aeb1:48df:2::5: icmp_seq=5 ttl=63 time=26.1 ms

--- fd31:aeb1:48df:2::5 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 24.999/26.186/27.719/0.900 ms

brianjmurrell · November 4, 2025, 5:47pm

Thanks for the suggestion. But I don't think it's actually any mystery where the 1280 is being hit:

# ifconfig -a
6in4-henet Link encap:IPv6-in-IPv4  
          inet6 addr: [redacted]::2/64 Scope:Global
          inet6 addr: fe80::c654:95b2/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:10210511 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4053028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14354161064 (13.3 GiB)  TX bytes:909681717 (867.5 MiB)

That's a Hurricate Electric tunnel. Interestingly, at HE the tunnel is configured for the default MTU of 1480:

so this 1280 must be something that OpenWRT's 6in4 proto is configuring? Indeed it seems it is. I've bumped the mtu up from the default to 1480 on the 6in4 interface and removed the mtu … on the wg0 interface and all seems to be working just fine now.

Thanks for all of the pointers everyone!

lleachii · November 4, 2025, 6:12pm

Yes it does - I explicitly have 1480 MTU configured in my 6in4 interface.

_bernd · November 4, 2025, 6:43pm

Btw ifconfig is depreciated since I don't know 15 years by now!

Please use ip link

system · November 14, 2025, 6:43pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.