Luci vs Wireguard IPv6 SLAAC

K2DLS · October 2, 2023, 5:00pm

I have SLAAC working for Wireguard IPv6 clients based upon this:

However, the Luci Network Interface dialog insists upon changing working settings so that the config no longer works.

Here are the relevant configs:

/etc/config/dhcp:

config dhcp 'clientvpn'
	option interface 'clientvpn'
	option ra 'server'
        option ra_slaac '1'
        list ra_flags 'none'
	option dhcpv6 'disabled'
        option dhcpv4 'disabled'

/etc/config/network:

config wireguard_clientvpn
	option description 'Some Laptop'
	option route_allowed_ips '1'
	option public_key 'somekey'
	option preshared_key 'somekey'
	list allowed_ips '192.168.254.123/32'
	list allowed_ips 'fe80::1/64'
	option ip6assign '64'
	option ip6hint 'd'

Luci wants to change ra from 'server' to 'hybrid', which then causes a number of other changes which breaks everything.

Using this config I get a nice SLAAC privacy address on my Wireguard client. I just wish Luci would not mess with it.

Chatmandu · October 2, 2023, 5:06pm

I've only just implemented ipv6 on my home network, but shouldn't the ip6hint be an integer that matches the VLAN/Subnet number?

Edit

I presume this is hexadecimal...

trendy · October 2, 2023, 6:33pm

This is wrong, you should allow all fe80::/64 plus the other addresses that will be handed over, or ::/0 as in the other post you used as an example. Also remove the option route_allowed_ips '1'

No, it should be hexadecimal and can be anything.

K2DLS · October 2, 2023, 9:15pm

After the suggested changes, Luci is still insisting that ra ought to be in hybrid rather than server mode. However, IPv6 SLAAC continues to work so far, pending further testing.

Update: SLAAC was removed from the config by Luci so stopped working.

lleachii · October 2, 2023, 10:25pm

Can we see the [broken] config LuCI actually creates?

K2DLS · October 3, 2023, 2:25am

Before Luci:

config dhcp 'clientvpn'
	    option interface 'clientvpn'
      	option ra 'server'
        option ra_slaac '1'
        list ra_flags 'none'
	    option dhcpv6 'disabled'
        option dhcpv4 'disabled'

After Luci:

config dhcp 'clientvpn'
	option interface 'clientvpn'
	list ra_flags 'none'
	option dhcpv4 'disabled'
	option ra 'hybrid'

trendy · October 3, 2023, 11:26am

Which version are you running?
ubus call system board

K2DLS · October 3, 2023, 12:53pm

ubus call system board

{
"kernel": "5.10.176",
"hostname": "openwrt-cm4",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi Compute Module 4 Rev 1.0",
"board_name": "raspberrypi,4-compute-module",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}

notgood · October 16, 2023, 10:00am

Yeah, this looks like a bug in Luci, can be easily replicated by creating new wireguard interface and trying to setup RA.. server mode is always greyed out.

Most likely some incorrect assumption like "no device MAC adress=no RA" or "only ethernet devices can do RA"

jow · October 31, 2023, 11:24pm

Well, selecting server mode in LuCI is currently only allowed if the interface the DHCP pool is bound to uses protocol static.

Wireguard is one of those netifd protocol handlers that conflate lower device configuration with IP configuration. Semantically it should be a "config device" with type "wireguard" and a separate logical network using the resulting "wg0" device to configure IP settings.

Will change the check to include "wireguard" too.

navaneeth-dev · January 7, 2024, 8:01am

Is this fixed I am having the same issue