[Solved] Assigning public IPv6 to roadwarrior Wireguard clients

Dear all,

As my ISP does not provide any IPv6, I am using an HE.net dual-stack interface to assign IPv6 addresses to my OpenWRT router and subnet (I get a /56).

Now I would like to set up IPv6 addresses in a roadwarrior wireguard scenario. The OpenWRT wireguard documentation only indicates how to assign private IPv6.

How to assign a /64 subnet to Wireguard clients?
Would you be so kind to guide me?

Kind regards,

The same way you assign an ipv4 subnet.

2 Likes

IMHO, it is not clear to me as /64 delegations need to be requested via DHCPv6 or SLAAC, so I am not sure that adding IPv6 subnet and addresses can work out of the box with Wireguard.

Do you have a working conf with /64 delegation under Wireguard in a roadwarrior scenario?

1 Like

Since you have a static /48 prefix it should be easy to choose a /64 to use for static configuration in wireguard. (Wireguard doesn't use dhcpv6 or slaac.)

2 Likes

As a side remark I just realized that when I connect on local wireless network, I receive only an IPv4 from Wireguard and IPv6 from router. So if for some reason I connect to an IPv6 host, connection goes unencrypted. So I really need a public IPv6 on client.

The same applies when connecting to a wireless hotspot with IPv6 connectivity.

Well it doesn't if you're using WPA2 or WPA3, despite your belief that they are 'dead'.

But, aside from that, I'm not sure why you're not just doing what you've already been told, set up an IPv6 /64 subnet in the same way as you did an IPv4 /24 subnet.

1 Like

A clear documentation is:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic

If fdf1:e8a1:8d3f:9 is the /64 prefix assigned by HE.net out of the /48.

Server:
fdf1:e8a1:8d3f:9::1/64 is the configuration of the router

Peer:
fdf1:e8a1:8d3f:9::2/128 is the allowed IP

The problem is that Tunnelbroker assigns me a /48 and a /64 which are used for dual-stack browsing.
The /64 has already been used to assign addresses. So I need to use a new /64 inside my /48?

ifconfig
6in4-wan6 Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::4dce:6d3f/64 Scope:Link
          inet6 addr: 2001:xxx:xxx:xxx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1424  Metric:1
          RX packets:14857672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8961830 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:34022831149 (31.6 GiB)  TX bytes:1146774486 (1.0 GiB)

The /48 is not even showing up ...

Yes, just like you would if assigning an IPv4 subnet...

Which is entirely expected when looking at the interface address.

I modified Tunnelbroker settings:
config interface 'wan6'
	option proto '6in4'
	option tunlink 'wan'
	...
	list ip6prefix '2001:xx::/48'
	list ip6prefix '2001:yy:yy:yy::/64'

with the two IPv6 prefixes. Is this correct?

Anyway, only the /64 address is showing up in 6inWAN.

So technically when I am going to assign the gateway address, it will not be with the /56 range.
The /56 range is not defined anywhere on any interface of the router.

I am lost.

Why are you messing around with the tunnelbroker interface? If you have a routed /48 prefix then that's all you should have in the interface config.

The command shows the address of the interface, which is a /64 address. It is not the same thing as the prefix.

If all you're trying to do is get IPv6 addresses on wireguard clients then I'm really not sure why you're not just doing what you were told right at the outset...

1 Like

When setting up the router and peer in Wireguard, picking a random /64 within my /48, this does not work.

It'd be a lot more useful if you shared the config you tried.

Sorry, here it is. I configured only a /48:

config interface 'wan6'
	option proto '6in4'
	option tunlink 'wan'
	...
	option peeraddr '216.66.84.42'
	option ip6addr '2001:aa:bb:cc::2/64'
	...
	list ip6prefix '2001:dd:ee::/48'

config interface 'wg0'
	option proto 'wireguard'
	...
	list addresses '10.0.10.1/24'
	list addresses '2001:dd:ee:abcd::1/64'

config wireguard_wg0
	...
	option description 'samsunggalaxy'
	option persistent_keepalive '25'
	list allowed_ips '10.0.10.11/32'
	list allowed_ips '2001:dd:ee:abcd::11/128'

Wireguard status shows the router IPv6 address.

#ifconfig wg0

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.10.1  P-t-P:10.0.10.1  Mask:255.255.255.0
          inet6 addr: 2001:dd:ee:abcd::1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1105 errors:32 dropped:22 overruns:0 frame:32
          TX packets:1177 errors:2 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:268901 (262.5 KiB)  TX bytes:549760 (536.8 KiB)

However, Android client is not picking the IPv6.

How do you write allowed IPs for everything in IPv6 on the peer side?
::/0 ?

These settings work on a Debian peer ... but not Android.

cat /etc/wireguard/wg0.conf

[Interface]
PrivateKey =
Address = 10.0.10.10/24
Address = 2001:dd:ee:abcd::10/64 

[Peer]
PublicKey = 
PresharedKey = 
Endpoint = router:51820
AllowedIPs = 0.0.0.0/0,::/0

What are the settings on the android device?

1 Like

Android settings:

Addresses: 10.0.10.11/24, 2001:dd:ee:abcd::11/64
Allowed IPs : 0.0.0.0/0,::/0

IPv4 works, only IPv6 fails.

IPv6 works in Android too !!!
It is only that Android system is not displaying the IPv6 assigned.

Clap ... clap ... clap.
OpenWRT is great.

1 Like
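
The layout the thread converges on (a /64 from the routed /48 on wg0, one /128 per peer in the router's allowed_ips, so each roadwarrior is bound to a single source address) can be checked before it is applied. This is an added example, not part of any post or of OpenWrt; `check_wg_plan` and its arguments are assumed names, and the addresses are the redacted ones posted above.

```python
import ipaddress as ip

def check_wg_plan(routed_prefix, tunnel_addr, wg_addr, peers):
    """Return a list of problems in a router-side WireGuard IPv6 plan.

    peers maps a peer description to its list of allowed_ips strings.
    """
    problems = []
    routed = ip.ip_network(routed_prefix)
    tunnel_net = ip.ip_interface(tunnel_addr).network  # 6in4 link /64
    wg = ip.ip_interface(wg_addr)

    if wg.network.prefixlen != 64 or not wg.network.subnet_of(routed):
        problems.append(f"wg0 {wg.network} is not a /64 inside {routed}")
    if wg.network.overlaps(tunnel_net):
        problems.append(f"wg0 {wg.network} overlaps the tunnel link {tunnel_net}")

    seen = {wg.ip: "router"}  # address -> owner, to catch duplicates
    for name, allowed in peers.items():
        for entry in allowed:
            net = ip.ip_network(entry, strict=False)
            if net.version != 6:
                continue  # IPv4 entries are out of scope here
            addr = net.network_address
            if net.prefixlen != 128:
                problems.append(f"{name}: {net} is wider than one address (/128)")
            elif addr not in wg.network:
                problems.append(f"{name}: {net} is outside {wg.network}")
            elif addr in seen:
                problems.append(f"{name}: {net} already used by {seen[addr]}")
            else:
                seen[addr] = name
    return problems

# The plan posted in the thread (addresses as redacted by the poster).
GOOD = dict(routed_prefix="2001:dd:ee::/48", tunnel_addr="2001:aa:bb:cc::2/64",
            wg_addr="2001:dd:ee:abcd::1/64",
            peers={"samsunggalaxy": ["10.0.10.11/32", "2001:dd:ee:abcd::11/128"]})

# Constructed bad plan: wg0 reuses the tunnel link /64, one address is
# handed to two peers, and one peer is allowed a whole /64.
BAD = dict(routed_prefix="2001:dd:ee::/48", tunnel_addr="2001:aa:bb:cc::2/64",
           wg_addr="2001:aa:bb:cc::1/64",
           peers={"debian": ["2001:aa:bb:cc::10/128"],
                  "android": ["2001:aa:bb:cc::10/128", "2001:aa:bb:cc::/64"]})

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_wg_plan(**plan))
```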

One last question.
How do I send the OpenWRT router DNS to the peer?
I could not find this information on the wiki.