IPv6 with WireGuard

Hey everyone,

I'm using a setup where I have native IPv4 and tunneled IPv6 using WireGuard. I have a whole /48 routed, so I'd like to assign each client a separate /64; however, I can't get it working. All clients only get addresses assigned from the first /64 of the /48. I've tried several combinations of all the configurations without any luck. I'm posting my configuration below; if anyone has an idea about what I'm missing, it'd be great.

/etc/config/network

# Loopback interface with the usual static IPv4 address.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Global settings: a ULA /48 used for local addressing next to the routed global prefix.
config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd00::/48'

# LAN bridge. ip6class 'wan6' restricts its IPv6 prefix source to the tunnel
# interface, and ip6assign '48' asks for a /48-sized assignment from it, so the
# whole routed prefix lands on lan and SLAAC uses its first /64.
# NOTE(review): delegate '0' turns off downstream delegation of prefixes available
# on this interface; confirm it is not what prevents DHCPv6-PD to LAN clients.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '48'
	option delegate '0'
	option ip6ifaceid 'eui64'
	list ip6class 'wan6'

# Native IPv4 uplink via DHCP; no prefixes from it are offered for delegation.
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'

# IPv6 uplink: WireGuard tunnel. ip6prefix attaches the routed /48 to this
# interface so netifd can hand it out to downstream interfaces (lan above).
config interface 'wan6'
	option proto 'wireguard'
	option private_key 'redacted'
	option ip6prefix '2001:db8:111::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

# WireGuard peer for wan6. allowed_ips '::/0' together with route_allowed_ips '1'
# sends all IPv6 traffic into the tunnel; keys and endpoint are redacted by the poster.
config wireguard_wan6
	option public_key 'redacted'
	option preshared_key 'redacted'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_host 'redacted'
	option endpoint_port 'redacted'

/etc/config/dhcp

# dnsmasq: DNS forwarder and DHCPv4 server for the 'lan' domain.
# NOTE(review): rebind_protection '0' disables dnsmasq's DNS-rebinding protection,
# so upstream answers pointing at private address ranges are no longer dropped;
# keep it at the default '1' unless a specific upstream zone needs it (rebind_domain
# can whitelist just that zone).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option rebind_protection '0'
	option sequential_ip '1'

# LAN pool: DHCPv4 range (start/limit/leasetime) plus odhcpd's RA and DHCPv6
# servers. ra_slaac '1' keeps SLAAC on, and the managed-config/other-config flags
# point clients at DHCPv6 as well; a client only gets its own prefix if it
# actually requests one via DHCPv6-PD.
# NOTE(review): ra_management '2' is the older form of the ra_flags/ra_slaac
# options and both are present here; confirm which one the installed odhcpd honours.
config dhcp 'lan'
	option interface 'lan'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '2'
	option limit '200'
	option leasetime '1h'
	option ra 'server'
	option ra_default '1'
	option dhcpv6 'server'
	option ra_management '2'

# No DHCP service on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles RA/DHCPv6; maindhcp '0' leaves DHCPv4 to dnsmasq (presumably -- confirm).
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static DHCPv4 leases; MAC and host details redacted by the poster.
config host
	option name 'redacted'
	option dns '1'
	option mac 'redacted'
	option ip '192.168.1.xxx'

config host
	option ip '192.168.1.xxx'
	option mac 'redacted'

This is confusing; perhaps you want to use ip6hint.
In addition, the VPN server should have a route to the VPN client's prefix via the client IP.

I gave this a try, setting ip6hint to aaaa; the assigned addresses then came from the prefix 2001:db8:111:aaa0::/64.

The clients need to use DHCPv6-PD (prefix delegation) if they want a separate prefix. The /64 addresses you see are SLAAC, I guess. And if you have /128 addresses, they are DHCPv6 addresses (without prefix delegation).

This is exactly what happens. I thought DHCPv6-PD was simply the default behaviour in many clients and that my setup had some issue.

So, given that many clients can get along with just SLAAC and/or DHCPv6, what would be the absolute minimum prefix size required to route? A /60 maybe, or would a /64 be enough?

A /64 is the minimum required for SLAAC and enough for DHCPv6.

Great, thank you all very much.
