Odhcpd send multiple IPv6 prefixes?

Hi

I have a ULA and GUA on a WireGuard tunnel.

Is there a way to manually set additional prefixes in the config (my WG GUA) to send out for client SLAAC usage, as I want to route Internet traffic through this tunnel (I’d like to send out the ULA and GUA prefixes to clients).

Thanks

It helps if you show us your configs

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show

Routing traffic is usually done with Policy Based Routing, but for a site-to-site setup using the Allowed IPs and routing those is also a possibility.

Note that WireGuard is a routed solution; it needs three different subnets for "client", "server" and the WG subnet.

WireGuard Server Setup Guide
WireGuard Client Setup Guide
OpenWRT Policy Based Routing (PBR)

The relevant things I have already are below but the other pieces are not yet in place (but all the other bits I have on another OpenWRT device). This is for a Travel Router.

I’m using a custom script I already have running elsewhere on OpenWRT that adds marks to set, and I can manipulate which routing table to use based on firewall rules I can dynamically add. This all works on WG clients coming into an OpenWRT router.

e.g.


/sbin/ip -6 route add default via fd91:38a7:1789:2::1 dev wg1 table hiddenlcl

/sbin/ip -6 rule add fwmark 0x2 lookup hiddenlcl

The ULA pieces I use internally are all fine.

config globals 'globals'
   option ula_prefix 'fd91:38a7:1789::/48'

config interface 'lan'
   option device 'eth0'
   option proto 'static'
   option ipaddr '192.168.7.1'
   option netmask '255.255.255.0'
   option ip6assign '64'
   option ip6hint '7'

How can I send out to clients a piece of my upstream GUA range “2b01:1345:a68a:7::/64” as a prefix from “odhcpd”, as well as the above ULA?

I can fiddle with routing tables on my own to send these correct way down WG and any allowed_ips in wireguard.

It's possible to add additional IPv6 prefixes (in "ip6prefix") on interfaces with static and dhcpv6 as protocol.

I guess it makes sense to add a static alias interface to the WireGuard tunnel interface, then you can add the prefix in "ip6prefix", since then the prefix will be removed if you take the tunnel down.

That did work mostly with an alias interface for the GUA address, but for some reason I ended up setting a “/48” as well as the “/64” on the interface for no reason I can see, i.e. 2b01:1345:a68a:7::1/64 and a 2b01:1345:a68a::1/48, despite the ip6hint on the alias being set to '7'.

So just for reference by anyone else, for the path of least resistance I switched off “odhcpd”, and installed and enabled uradvd, with “/etc/config/uradvd”.

	option enabled '1'
	# send router advertisement over this device
	# alternative: option device 'lan'
	option ifname 'br-lan'
	# lifetime of the default route (in seconds)
	option default_lifetime '65534'
	# option valid_lifetime '86400'
	# option preferred_lifetime '14400'
	# option max_router_adv_interval '600'
	# option min_router_adv_interval '200'
	list prefix_on_link 'fd91:38a7:1789:7::/64'
	list prefix_on_link '2b01:1345:a68a:7::/64'
	list dns 'fd91:38a7:1789:7::1'

, seems to be working fine. Lets me set static IPv6 and set the prefixes easily.

Simply using a hotplug script to NAT the GUA if there is an ipv6 default route on the WAN side.

nft add 'chain inet fw4 postrouting_fix {type nat hook postrouting priority srcnat; policy accept;}'

nft add rule inet fw4 postrouting_fix ip6 saddr 2b01:1345:a68a:7::/64 masquerade

My script also removes this and adds a reject rule to the forward rule for this GUA if not default IPv6 rule.

I can also switch to routing this via my WG tunnel.

As I say just for anyone searching.
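
The hotplug logic described in the last post, as an added example that is not the poster's script: it turns `ip -6 route show default` output into a ruleset for `nft -f -`, so the switch between masquerade and reject is applied in one transaction and the GUA /64 fails closed when WAN has no IPv6 default route. Assumptions: the WAN device is named `eth1`, the reject lives in a separate chain with the hypothetical name `forward_fix` rather than in fw4's own forward chain, and the sample route lines are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds an nft ruleset for the GUA /64
# from the output of `ip -6 route show default`; nothing is applied here.
GUA='2b01:1345:a68a:7::/64'   # prefix from the thread
WAN_DEV='eth1'                # assumption: WAN device name

# Succeeds if stdin (ip -6 route output) has a default route via device $1.
# Lines such as "unreachable default dev lo" do not count.
has_v6_default() {
    awk -v dev="$1" '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit !found }'
}

# Reads route output on stdin and prints a ruleset for `nft -f -`.
# Both chains are created and flushed every time, so reruns never stack rules
# and the change of state happens in a single nft transaction.
gua_ruleset() {
    echo 'add chain inet fw4 postrouting_fix { type nat hook postrouting priority srcnat; policy accept; }'
    # forward_fix is a hypothetical chain name; a reject in any forward-hook
    # base chain is final, whatever fw4's own forward chain decides.
    echo 'add chain inet fw4 forward_fix { type filter hook forward priority filter; policy accept; }'
    echo 'flush chain inet fw4 postrouting_fix'
    echo 'flush chain inet fw4 forward_fix'
    if has_v6_default "$WAN_DEV"; then
        echo "add rule inet fw4 postrouting_fix ip6 saddr $GUA masquerade"
    else
        echo "add rule inet fw4 forward_fix ip6 saddr $GUA reject"
    fi
}

# Constructed sample route output (documentation addresses).
WAN_UP='default from 2001:db8:1::/56 via fe80::1 dev eth1 proto static metric 512 pref medium'
WAN_DOWN='unreachable default dev lo proto static metric 2147483647 pref medium
default via fd91:38a7:1789:2::1 dev wg1 metric 1024 pref medium'

printf '%s\n' "$WAN_UP"   | gua_ruleset
printf '%s\n' "$WAN_DOWN" | gua_ruleset
# On the router: ip -6 route show default | gua_ruleset | nft -f -
```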