Wireguard - ipv6 access to internet (/56 prefix)

My ISP provides a dynamic IPv6 /56 prefix (2a01:261:xxx:yyyy::/56) and my WAN interface has a dynamic IPv6 address (2a01:261:0:9:zzzz/128). I am trying to enable clients to have IPv6 access to the internet. Using ip6assign I have the following IPv6 addresses:

  • on lan interface: 2a01:261:xxx:yy00::1/60 and fd99:cd1f:xxxx::1/60
  • on vpn (wireguard) interface: 2a01:261:xxx:yy10::1/60 and fd99:cd1f:xxxx:10::1/60

I assign a static IPv6 address to my client: fd99:cd1f:xxxx:10::2/64.
From WireGuard clients, I have IPv6 access to my internal network, but IPv6 internet access does not work. However, if I enable NAT66, IPv6 internet works. Clients directly connected to the router have IPv6 internet access without NAT66.
How can I enable IPv6 internet access over WireGuard without needing NAT66?

ULAs have to be NATed to the Internet, since the Internet cannot route back to a ULA. In order to reach the Internet without NAT, the client must hold a GUA and originate its connection using the GUA as the source IP.

There isn't an automatic way to set up WireGuard allowed_ips when the prefix is subject to change. The workaround seems to be to use one WireGuard tunnel per client, with an ip6assign of 64. Since the tunnel is point to point, it is acceptable to set allowed_ips to ::/0 on both ends. Do not route_allowed_ips at the router. The UCI system will install a route to each /64 as it sets up the interface.


You need NAT66 as @mk24 already discussed.

I am not sure about the /64, some say it is necessary for Android devices.
But making a /64 tunnel per peer will certainly work.

You can use NPT too (Network Prefix Translation). Assign a /64 from ULA and use NPT to translate ULA to GUA. I consider this somewhat cleaner, but that may just be a personal preference.


I decided to keep only the IPv4 configuration. I do not urgently need IPv6, and setting up NAT66 or NPT is not worth it.

Get yourself a static prefix from some VPS provider or IPv6 tunnel broker.


I talked to my ISP, and we found out that DHCPv6 on the WAN interface was configured to send a DNS release message when the router/network was restarted. I added the norelease=1 command to the wan6 interface; the /56 PD and the router IPv6 address now stay the same (they are still dynamic, but in practice they do not change). I can now access the IPv6 internet over WireGuard as well.

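As an added example (not configuration posted by anyone in this thread), the following OpenWrt /etc/config/network fragment combines the two working approaches described above: one WireGuard interface per client with ip6assign 64 and allowed_ips ::/0 but without route_allowed_ips, as in the first reply, and norelease on wan6 so the delegated /56 survives restarts, as in the final post. The interface names (wan6, wg_alice), the device name, the listen port, the ULA, the ip6hint value and the key strings are assumptions or placeholders, not values from the thread.

```uci
# /etc/config/network (added example; names and keys are placeholders)

# WAN6: request a /56 delegation and do not send a DHCPv6 RELEASE on restart,
# so the delegated prefix and the router's GUA stay the same in practice.
config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'
	option norelease '1'

# One WireGuard interface per client. ip6assign carves a /64 out of the
# delegated /56 for this tunnel (ip6hint picks the subnet id, here ...yy10::/64),
# so the client can hold a GUA from that /64 and reach the Internet without NAT66.
# The ULA address is kept only for reaching the internal network.
config interface 'wg_alice'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses 'fd99:cd1f:xxxx:10::1/64'
	option ip6assign '64'
	option ip6hint '10'

# The single peer on that point-to-point tunnel. ::/0 is acceptable here because
# only one client uses the interface, but route_allowed_ips stays off so netifd
# does not install a default route toward the client; the route to the /64 is
# added by the ip6assign interface setup instead.
config wireguard_wg_alice
	option description 'alice'
	option public_key 'CLIENT_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '::/0'
	option route_allowed_ips '0'
	option persistent_keepalive '25'
```

On the client side the tunnel gets the ::2/64 address from the same delegated /64 as its Address and AllowedIPs = ::/0, so outbound connections originate from the GUA. The wg_alice interface also has to be in a firewall zone that forwards to wan, as the existing LAN zone already does for directly connected clients; otherwise the GUA traffic is routable but still dropped at the router.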
