My ISP provides a dynamic IPv6 /56 prefix (2a01:261:xxx:yyyy::/56) and my WAN interface has a dynamic IPv6 address (2a01:261:0:9:zzzz/128). I am trying to give clients IPv6 access to the internet. Using ip6assign I have the following IPv6 addresses:
on lan interface: 2a01:261:xxx:yy00::1/60 and fd99:cd1f:xxxx::1/60
on vpn (WireGuard) interface: 2a01:261:xxx:yy10::1/60 and fd99:cd1f:xxxx:10::1/60
I assign a static IPv6 address to my client: fd99:cd1f:xxxx:10::2/64.
From WireGuard clients, I have IPv6 access to my internal network, but IPv6 internet access does not work. However, if I enable NAT66, IPv6 internet works. Clients directly connected to the router have IPv6 internet access without NAT66.
How do I enable IPv6 internet access over WireGuard without needing NAT66?
ULAs have to be NATed to the Internet, since the Internet cannot route back to a ULA. In order to reach the Internet without NAT, the client must hold a GUA and originate its connection using the GUA as the source IP.
There isn't an automatic way to set up WireGuard allowed_ips when the prefix is subject to change. The workaround seems to be to use one WireGuard tunnel per client, with an ip6assign of 64. Since the tunnel is point to point, it is acceptable to set allowed_ips to ::/0 on both ends. Do not set route_allowed_ips at the router. The UCI system will install a route to each /64 as it sets up the interface.
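Added example (not from the thread or from OpenWrt): this models the address plan the answer above describes, carving one /64 per tunnel out of the delegated prefix the way ip6hint selects a subnet id, and checking which client source addresses can reach the Internet without NAT66. The delegated prefix 2001:db8:0:2300::/56, the ULA fd99:cd1f:1234::/48 and the hints are constructed sample values; the real prefix in the question is masked.

```python
import ipaddress

# RFC 4193 unique local addresses: never routed on the Internet, so a ULA
# source can only work through NAT66 or NPT.
ULA = ipaddress.IPv6Network("fc00::/7")


def subnet_for_hint(delegated: str, hint: str, length: int) -> ipaddress.IPv6Network:
    """Return the /length subnet inside `delegated` whose subnet id is `hint`.

    This mirrors ip6assign/ip6hint: the hint is a hex subnet id, and the
    number of usable id bits is length - delegated prefix length.
    """
    net = ipaddress.IPv6Network(delegated)
    id_bits = length - net.prefixlen
    sid = int(hint, 16)
    if id_bits < 0 or not 0 <= sid < 2 ** id_bits:
        raise ValueError(f"hint {hint!r} does not fit in {id_bits} subnet-id bits")
    base = int(net.network_address) + (sid << (128 - length))
    return ipaddress.IPv6Network((base, length))


def router_routes(delegated: str, tunnel_hints: dict) -> dict:
    """Routes UCI installs when each per-client WireGuard interface gets a /64
    from the delegated prefix (interface name -> /64). Re-run this whenever the
    ISP hands out a new prefix; nothing here is hard-coded to the old one."""
    return {ifname: str(subnet_for_hint(delegated, hint, 64))
            for ifname, hint in tunnel_hints.items()}


def forwarding_verdict(src: str, delegated: str) -> str:
    """Classify a client's source address as seen by the router's WAN side."""
    addr = ipaddress.IPv6Address(src)
    if addr in ULA:
        return "needs NAT66 or NPT"      # reply traffic cannot be routed back to fdxx::/8
    if addr in ipaddress.IPv6Network(delegated):
        return "routable without NAT"    # GUA from our /56; the ISP routes replies to us
    return "not ours: drop"              # outside our prefix; would be dropped upstream anyway


if __name__ == "__main__":
    prefix = "2001:db8:0:2300::/56"                       # constructed stand-in for the ISP /56
    print("lan /60 :", subnet_for_hint(prefix, "0", 60))  # 2001:db8:0:2300::/60
    print(router_routes(prefix, {"wg_alice": "10", "wg_bob": "11"}))
    for src in ("fd99:cd1f:1234:10::2", "2001:db8:0:2310::2"):
        print(src, "->", forwarding_verdict(src, prefix))
```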
You can use NPT too (Network Prefix Translation). Assign a /64 from ULA and use NPT to translate the ULA to the GUA. I consider this somewhat cleaner, but that may just be a personal preference.