My ISP sometimes changes the IPv6-PD /56 delegated prefix, so I don't want to use addresses from within that prefix for my road-warrior VPN clients.
Reading a few other forum topics, I think it would work to do this. Before I dig too far into it, I'd appreciate a check that this is going to work:
Define a WG server interface on OpenWrt router
Define WG peers, setting the allowed addresses for each one on their own IPv4 RFC1918 address and an IPv6 ULA prefix address
Is it OK to assign IPv6 addresses to the peers from a /64 prefix within my OpenWrt router's ULA (which is /48)?
Or am I better off generating another random ULA prefix and selecting a /64 from that for the WG peers to use?
Enable NAT6 for IPv6 traffic heading out to the ISP from the WG peer's /64 (per the link above).
With this NAT6, will the WG peers have access to the public IPv6 internet? Or would using a ULA cause the OpenWrt system not to route and NAT their outbound traffic?
I'm aiming to keep the non-VPN outbound traffic using their ISP-delegated addresses, not NAT6.
Ah, so that gets into a question I had from the experiments I've done. I can indeed use addresses inside a ULAprefix:subnet::/64 as the wireguard peer addresses. But those peers get their IPv6 traffic dropped with ICMP6 destination unreachable, unknown unreach code (5), unless I set up a default route for that network to go out the upstream ISP IPv6 interface. For example: ip -6 route add default from ULAprefix:subnet::/64 dev <wan-interface>
I can manage that with a hotplug script to monitor the ifup on the wireguard interface (find the default route and add the same route for IPv6 source traffic from the ULAprefix:subnet::/64). But is there a better way, something I can do in the wireguard interface definition or the WAN IPv6 interface to get this route added automatically?
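As an added illustration (not code from the thread or from OpenWrt), here is a hotplug script of the kind described above: on ifup of the WireGuard interface it reads the current IPv6 default route and installs the same route restricted to traffic sourced from the peers' ULA /64. The interface name wg0, the prefix fd00:1234:5678:abcd::/64, and the script path are assumed placeholders; the route-to-command parsing is factored into a function so it can be checked against sample `ip -6 route show default` lines without touching the routing table. The source-filtered NAT6 rule itself is left to the firewall configuration, as the thread describes.

```shell
#!/bin/sh
# Hypothetical OpenWrt hotplug script, assumed path: /etc/hotplug.d/iface/99-wg-ula-route
# netifd runs scripts here with ACTION (ifup/ifdown) and INTERFACE (logical name) set.

WG_IFACE="wg0"                               # assumed logical name of the WireGuard interface
WG_ULA_PREFIX="fd00:1234:5678:abcd::/64"     # constructed ULA /64 handed out to the WG peers

# derive_route_cmd LINE
# Given one line of `ip -6 route show default` output, print the matching
# `ip -6 route add default from <ula> ...` command. The line is parsed
# positionally: "default [via GW] dev IFNAME ...". Returns 1 if no device
# is found (e.g. an "unreachable default" entry), so the caller can skip it.
derive_route_cmd() {
    route_line="$1"
    via=""
    dev=""
    # shellcheck disable=SC2086  # intentional word splitting of the route line
    set -- $route_line
    while [ $# -gt 0 ]; do
        case "$1" in
            via) via="$2"; shift ;;
            dev) dev="$2"; shift ;;
        esac
        shift
    done
    [ -n "$dev" ] || return 1
    if [ -n "$via" ]; then
        printf 'ip -6 route add default from %s via %s dev %s\n' "$WG_ULA_PREFIX" "$via" "$dev"
    else
        printf 'ip -6 route add default from %s dev %s\n' "$WG_ULA_PREFIX" "$dev"
    fi
}

# Hotplug entry point: only act when the WireGuard interface comes up.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "$WG_IFACE" ]; then
    default_line=$(ip -6 route show default | head -n 1)
    cmd=$(derive_route_cmd "$default_line") || exit 0
    # Drop any stale copy of the source-specific route before re-adding it.
    ip -6 route del default from "$WG_ULA_PREFIX" 2>/dev/null
    # shellcheck disable=SC2086  # the generated command is a simple argument list
    $cmd
fi
```

If the upstream route changes while the tunnel stays up (the prefix-change case from the first post), the same function can be driven from an ifup of the WAN6 interface instead, since the route it mirrors lives there rather than on the WireGuard interface.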
I looked in detail at the wiki, and if I read it right, its script is setting up NAT6 for all outbound traffic. I only want NAT6 for the WG peers, so in that case I believe the smaller script from the other forum post is a good fit for my configuration, since it uses a source-address filter on the NAT6 rule.
And thanks for the hints on the automatic routes. Is there any downside to disabling source routing of IPv6 outbound traffic?
I don't think the ra_default section applies here, there's no DHCP or DHCP6 on the wireguard interface.
This setting appears to be used only by the DHCPv6 client scripting (/lib/netifd/proto/dhcpv6.sh and the things it calls), so it doesn't work for a 6in4 tunnel*. For that case, one can add the ULA prefix to the IPv6 routed prefix list, with something like:
uci add_list network.wan6.ip6prefix=$(uci get network.globals.ula_prefix)
uci commit
ifup wan6
[* yes, using a 6in4 tunnel likely means you have a stable IPv6 prefix and can assign a stable IPv6 address for the wireguard peers, but you still may want to use NAT6 in such a situation.]