Wireguard + IPv6 w/only /64

So, I spent a little time setting up wireguard, following this guide:

Unfortunately, while that guide was helpful in getting NATed IPv4 working, it doesn't really talk about IPv6.

I didn't want to do NAT'ed IPv6 (part of the point of IPv6, being, after all, having real, route-able addresses).

I tried assigning the Wireguard 'interface' a static IPv6 address from the same subnet that is assigned to my bridged lan+wlan, and also giving the other Wireguard device a static IPv6 address in that same subnet. However, once I brought up the Wireguard interface, IPv6 stopped working on my lan+wlan.

I'm thinking maybe, to get routing working between Wireguard endpoints and the internet, they would need to be on a separate subnet? Maybe assigning an address in that subnet to the Wireguard interface changes the routing tables in the kernel such that it thinks all traffic to and from that /64 has to go to Wireguard, essentially stealing that subnet away from the lan/wlan interface.

So, here's the thing, I think my ISP (Spectrum) only assigns me a /64? Is there some way to get OpenWRT to request a /48 instead of a /64?

Also, that /64 prefix is dynamically assigned, and could change in the future. So, preferably, whether I can get a /48, or only a /64, if I'm going to get this working, I'd rather not use statically assigned addresses in Wireguard, because that means when my prefix changes, wireguard will break. Is there some syntax to allow me to pass through the dynamic prefix, and just assign a static host address? Or even a randomly generated host address?

So far, I've not identified much in the way of features like that with the Wireguard interface. I also thought about trying to bridge it with the lan+wlan, so it could share the /64, but the option to bridge the interface doesn't seem to be supported by the wireguard interface (at least, not in Luci).

Wireguard depends on routing, so you do need a dedicated (IPv6) subnet (/64) for the wireguard interface and its peers, apart from your LAN subnet. If that isn't provided by your ISP via DHCPv6-PD, I don't think you'd be able to get it working (apart from getting a second prefix from a tunnel provider like tunnelbroker.net) - dynamic prefixes are also 'funny', personally I didn't get those working (but it's easy with static prefixes).

1 Like

I read about a Spectrum customer who got a /56. Try to request a /48 or /56 in the IPv6 WAN interface.

But I really don't know how to handle a changing prefix on wireguard, except that you can use network prefix translation (NPT) with ULAs.

1 Like

My workaround was a he.net tunnel with a static /48 prefix for the wireguard interface (making use of ip6class filtering, so the he.net tunnel is only used for wireguard, using the dynamic native ISP prefix for everything else).

1 Like

You're right - it was simple to get a /56; I just went into the WAN6 interface, set "Request IPv6-prefix of Length" to 56, save & apply, and it worked. Hadn't noticed that option before. That's cool, makes it super easy.

1 Like

So, someone on the Wireguard IRC suggested that I use IPv6 NPT (Network Prefix Translation) to allow setting static IPv6 addresses (within a ULA) on the Wireguard interface and my peers, and then on the OpenWRT router use Network Prefix Translation (NPT) to NAT between the ULA prefix of the Wireguard subnet and the IPv6-PD assigned prefix.

I've set up an RFC4193 random ULA in OpenWRT (that was pretty simple). I then assigned the Wireguard interface to use the ::1 address in a /60 subnet within the /48 ULA prefix, and configured my peer to use a static IP within the Wireguard ULA /60 subnet.

Now, can anyone provide guidance on how to set up the NPT? I tried googling for a guide, but haven't found anything useful.

https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

Hope this helps.
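As an added illustration of what the NPT setup discussed above does (this is example code, not from the thread or from OpenWrt, whose translation happens in the kernel), here is a Python model of stateless, checksum-neutral prefix translation in the style of RFC 6296 between a WireGuard ULA /60 and a /60 carved out of the delegated /56. The ULA, the delegated prefix and the peer address are constructed; the placement of the checksum adjustment (subnet word for /48 or shorter, first non-0xFFFF interface-identifier word otherwise) follows my reading of RFC 6296.

```python
# Model of stateless, checksum-neutral NPTv6 (RFC 6296 style) between the
# WireGuard ULA /60 and a /60 carved out of the delegated /56.  Prefixes are
# constructed for illustration; this is not OpenWrt's kernel implementation.
import ipaddress

INSIDE = ipaddress.ip_network("fd12:3456:789a:10::/60")   # constructed ULA /60
OUTSIDE = ipaddress.ip_network("2001:db8:abcd:10::/60")   # constructed slice of the PD

def words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_sum(ws):
    s = 0
    for w in ws:
        s = ones_add(s, w)
    return s

def translate(addr, src, dst):
    """Rewrite addr from prefix src to prefix dst so that the one's complement
    sum of the address, and hence every transport checksum, is unchanged."""
    n = int(ipaddress.IPv6Address(addr))
    if ipaddress.IPv6Address(n) not in src:
        raise ValueError(f"{addr} is not within {src}")
    plen = max(src.prefixlen, dst.prefixlen)          # RFC 6296 uses the longer one
    mask = ((1 << plen) - 1) << (128 - plen)
    w = words((n & ~mask) | (int(dst.network_address) & mask))
    # adjustment = sum(old prefix) - sum(new prefix); one's complement a - b = a + ~b
    adj = ones_add(ones_sum(words(src.network_address)[:4]),
                   ~ones_sum(words(dst.network_address)[:4]) & 0xFFFF)
    # The adjustment goes into the subnet word for /48 or shorter prefixes, else
    # into the first interface-identifier word that is not 0xFFFF (one's
    # complement zero, which would not map back reversibly).
    idx = 3 if plen <= 48 else next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
    if idx is None or w[idx] == 0xFFFF:
        raise ValueError(f"{addr} cannot be translated reversibly")
    w[idx] = ones_add(w[idx], adj)
    if w[idx] == 0xFFFF:        # both 0xFFFF and 0x0000 are zero; RFC 6296 writes 0x0000
        w[idx] = 0
    out = 0
    for x in w:
        out = (out << 16) | x
    return ipaddress.IPv6Address(out)
```

Note that for prefixes longer than /48 the outside address is not a plain prefix swap: one interface-identifier word is altered to keep checksums valid, which matters when you expect to see your peer's exact ULA host bits on the public side.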