Wireguard under IPv6 with dynamic PD

Hi! I've been searching in the forum, but the posts are too old or not exactly the same, so here is the environment:

  • I've configured wireguard for IPv4. The objective is simply to connect to the LAN from outside, to have access to my local network. Nothing more.
  • Now I want to configure it for connecting with IPv6.
  • My ISP gives me a 56 PD prefix, but it is dynamic, so it changes.
  • I've assigned a 60 PD to the wireguard interface, and configured a DDNS and a firewall rule to have access to the wireguard interface under IPv6 from outside.

Now the question:

  • Is it possible to configure wireguard with IPv6 and a PD prefix?
  • If yes, what IPs must I configure in the addresses and allowed_ips config? The ULA? Some combination of DDNS + host?


Yes. That is quite simple, you can add an ip6assign with the prefix length. Also explicitly assign a link-local on the wireguard interface, it is not automatically assigned.

config interface 'wg0'
   option private_key '...'
   option listen_port '51820'
   list addresses 'fe80::aabb:eeff:fe12:3456/64'
   option ip6assign '60'

Now what can this actually do? It sounds like you are trying to set up a VPN where remote sites can VPN in and get IP6 access including a routable prefix. I'm also looking at that, and it's going to require some development. See this thread:

The @mikma patched odhcpd makes it possible to set the allowed_ips automatically. For each client site the allowed_ips should be:

  • the site's wireguard tunnel link-local /128 (this is statically set when registering a site on the server)
  • the site's wireguard GUA (in the same prefix as the wireguard interface) /128
  • the site's assigned /60 prefix.

I'm still trying to understand how prefixes and subnets should be assigned (vs. how they actually are) but it would be great to have another person working on this as well.
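The three allowed_ips entries listed in the post above, recomputed when the delegated prefix changes, as an added example that is not part of the original thread or of the odhcpd patch. The prefix layout (the ISP prefix cut into /60s by fixed index, a fixed host part per site), the function names and the sample data are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def site_allowed_ips(delegated_prefix, wg_index, site):
    """Return the three allowed_ips entries listed above for one site.

    Assumed layout (not from the thread): the ISP prefix is cut into /60s,
    the wg interface uses the /60 at wg_index, the site gets the /60 at
    site["pd_index"], and site["iid"] is its fixed host part on the tunnel.
    """
    subnets = list(ipaddress.ip_network(delegated_prefix).subnets(new_prefix=60))
    wg_net, site_net = subnets[wg_index], subnets[site["pd_index"]]
    if site_net == wg_net:
        raise ValueError("site prefix collides with the tunnel prefix")
    link_local = ipaddress.ip_address(site["link_local"])
    if not link_local.is_link_local:
        raise ValueError(f"{link_local} is not link-local")
    if not 0 < site["iid"] < 2**64:
        raise ValueError("iid must fit in the first /64 of the tunnel prefix")
    gua = wg_net.network_address + site["iid"]
    return [f"{link_local}/128", f"{gua}/128", str(site_net)]

def build_peers(delegated_prefix, wg_index, sites):
    """Map each site name to its allowed_ips under the current prefix."""
    return {n: site_allowed_ips(delegated_prefix, wg_index, s) for n, s in sites.items()}

def overlapping_peers(peers):
    """Return sorted (name, name) pairs whose allowed_ips overlap,
    i.e. one site's entry covers addresses registered to another."""
    nets = {n: [ipaddress.ip_network(a) for a in ips] for n, ips in peers.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if any(x.overlaps(y) for x in nets[a] for y in nets[b])
    )

# Constructed sample sites; addresses use the 2001:db8::/32 documentation range.
SITES = {
    "site-a": {"link_local": "fe80::a", "iid": 0xA, "pd_index": 2},
    "site-b": {"link_local": "fe80::b", "iid": 0xB, "pd_index": 3},
}

if __name__ == "__main__":
    # The same site table before and after the ISP changes the /56.
    for prefix in ("2001:db8:1200::/56", "2001:db8:ab00::/56"):
        peers = build_peers(prefix, 1, SITES)
        print(prefix, peers, "overlaps:", overlapping_peers(peers))
```

Only the link-local entry survives a prefix change; the GUA and the site prefix have to be regenerated and pushed to the peer configuration each time.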

This sounds like you still have a publicly routable IPv4 address, which makes your options easier.
While I was still with DTAG (public IPv4, dynamic /56 IPv6 prefix), I still used an HE IPv6 tunnel with its static /48 prefix specifically (and only (ip6class)-) for wireguard, that solved the problem for me.

Your wireguard endpoint is still accessible via IPv6 anyways, but without either a static (e.g. from HE) prefix or NAT6 with link-local or ULA prefixes (or the pending odhcpd changes hinted at by mk24), you won't actually get full IPv6 connectivity over the tunnel to the outside.


Looking at your link, the IPv6 link-local is needed to make it assign IP addresses using DHCP? But it seems it is only a proposal and at this moment is not official. I will keep an eye on it, it seems interesting.

I don't know what HE is, I suppose some way to get a static prefix from an external source, but it seems too complicated at this moment. I don't like the idea of NAT6 or ULA prefixes either :(

Wireguard is working perfectly over IPv4 at this moment, the IPv6 was only to learn and add the possibility, so I think the better option is to wait to see if the patch is merged at some moment or some other solution appears. It will be needed when IPv4 disappears (I know this will take a lot of time to happen) so some solution needs to be provided.

Thanks to both for your answers! I have learned a lot with your information.

I use ULA and NPT (network prefix translation) on my wireguard setup.
Clients have a static ULA and the router does NPT on the wan interface.
(If you want I can share the setup later. ATM I'm on mobile phone)

Yes please! One of the objectives of this is to learn more about IPv6, and I think your config can be interesting.

(We had this in January, too)

Enable peers' to connect to the IPv6 WAN through Wireguard's IPv4 connectivity - #6 by _bernd

Feel free to ask questions.

Correct, https://ipv6.he.net/ - not saying it's the best solution, but it was a usable workaround for me.

I misunderstood the original question. To remotely access via IPv6 you would typically use a DDNS service so your public address can be found by name. Then open ports for Wireguard, OpenVPN, ssh etc. the same as it works for IP4.

But if your ISP keeps changing the prefix, yet you have a static public IPv4, what @slh said is the best plan-- use a static IP4 - 6 tunnel to a service like he.net (which I think is the only one left) for all of your IPv6 activity, and don't bother with the ISP's varying connection.