WireGuard VPN with ULA and NAT6?

My ISP sometimes changes the IPv6-PD /56 delegated prefix, so I don't want to use addresses from within that prefix for my road-warrior VPN clients.
Reading a few other forum topics, I think it would work to do this. Before I dig too far into it, I'd appreciate a check that this is going to work:

  • Define a WG server interface on OpenWrt router
  • Define WG peers, setting the allowed addresses for each one on their own IPv4 RFC1918 address and an IPv6 ULA prefix address
    • Is it OK to assign IPv6 addresses to the peers from a /64 prefix within my OpenWrt router's ULA (which is /48)?
    • Or am I better off generating another random ULA prefix and selecting a /64 from that for the WG peers to use?
  • Enable NAT6 for IPv6 traffic heading out to the ISP from the WG peer's /64 (per the link above).

With this NAT6, will the WG peers have access to the public IPv6 internet? Or would using a ULA cause the OpenWrt system not to route and NAT their outbound traffic?

I'm aiming to keep the non-VPN outbound traffic using their ISP-delegated addresses, not NAT6.

Do I need to do the full NAT6 per the wiki: NAT6 and IPv6 masquerading, or is it sufficient in this case to do the simpler single MASQUERADE rule such as per this forum post: https://forum.openwrt.org/t/howto-use-ipv6-with-wireguard/76407/10?

Better to use the /48 to avoid the need to create static routes.

They should; however, I have seen implementations where the host is using the IPv6 ULA with the lowest priority to access the internet.

I'd go with the wiki.

@vgaetera wrote the forum post with the simplified NAT6 (one rule). Maybe they could elaborate on how/why that's different from the wiki page?

Ah, so that gets into a question I had from the experiments I've done. I can indeed use addresses inside a ULAprefix:subnet::/64 as the wireguard peer addresses. But, those peers get their IPv6 traffic dropped with ICMP6, destination unreachable, unknown unreach code (5) unless I set up a default route for that network to go out the upstream ISP IPv6 interface. For example ip -6 route add default from ULAprefix:subnet::/64 dev <wan-interface>

I can manage that with a hotplug script to monitor the ifup on the wireguard interface (find the default route and add the same route for IPv6 source traffic from the ULAprefix:subnet::/64). But is there a better way, something I can do in the wireguard interface definition or the WAN IPv6 interface to get this route added automatically?

1 Like
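The hotplug approach described in the post above, written out as an added example (it is not code from the thread or from OpenWrt): a script for /etc/hotplug.d/iface/ that, on ifup, finds the device of the current IPv6 default route and installs a source-specific default route for the peers' ULA /64. The interface name wg0, the WAN6 logical interface name wan6 and the prefix fd12:3456:789a:1::/64 are placeholders to adjust. It also fires on the WAN6 interface coming up, since a WAN flap can remove the route the WireGuard ifup installed; that part goes beyond what the post describes.

```shell
#!/bin/sh
# Added example: /etc/hotplug.d/iface/90-wg-ula-route (hypothetical path)
# Assumed names (placeholders): logical WireGuard interface "wg0",
# WAN6 interface "wan6", peer ULA subnet fd12:3456:789a:1::/64.
WG_IFACE="${WG_IFACE:-wg0}"
WAN6_IFACE="${WAN6_IFACE:-wan6}"
ULA_PEER_NET="${ULA_PEER_NET:-fd12:3456:789a:1::/64}"

# Extract the outgoing device from the output of `ip -6 route show default`,
# e.g. "default via fe80::1 dev eth0.2 proto static metric 512" -> "eth0.2".
# Only the first default route line is used.
wan_dev_from_route() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Build the iproute2 arguments for the source-specific default route:
# traffic *from* the ULA peer subnet leaves via the WAN device.
route_args() {
    printf 'default from %s dev %s' "$1" "$2"
}

# Install the route unless an identical one is already present, so that
# repeated ifup events do not fail with "File exists".
install_route() {
    dev="$(wan_dev_from_route "$(ip -6 route show default 2>/dev/null)")"
    if [ -z "$dev" ]; then
        logger -t wg-ula-route "no IPv6 default route found, skipping"
        return 1
    fi
    args="$(route_args "$ULA_PEER_NET" "$dev")"
    # shellcheck disable=SC2086  # word splitting of $args is intended
    if ! ip -6 route show $args | grep -q .; then
        ip -6 route add $args && logger -t wg-ula-route "added: $args"
    fi
}

# Hotplug entry point: netifd exports ACTION and INTERFACE to iface scripts.
# Run on the WireGuard interface and on WAN6, so the route survives a WAN flap.
if [ "$ACTION" = "ifup" ]; then
    case "$INTERFACE" in
        "$WG_IFACE"|"$WAN6_IFACE") install_route ;;
    esac
fi
```

Because the route is source-specific (`from` the ULA /64), the rest of the LAN keeps using the delegated prefix and plain destination routing; only the WireGuard peers' ULA-sourced packets are steered out the WAN device, where the NAT6 rule then rewrites them. Check the result with `ip -6 route show default from <ULA /64>` after the interface comes up.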

Go with the wiki, it is a way more advanced and complete solution.

I looked in detail at the wiki, and if I read it right, its script is setting up NAT6 for all outbound traffic. I only want NAT6 for the WG peers, so in that case I believe the smaller script from the other forum post is a good fit for my configuration, since it uses a source-address filter on the NAT6 rule.

And thanks for the hints on the automatic routes. Is there any downside to disabling source routing of IPv6 outbound traffic?

I don't think the ra_default section applies here, there's no DHCP or DHCP6 on the wireguard interface.

This setting appears to be used only by the DHCPv6 client scripting (/lib/netifd/proto/dhcpv6.sh and the things it calls), so it doesn't work for a 6in4 tunnel*. For that case, one can add the ULA prefix to the IPv6 routed prefix list, with something like:

uci add_list network.wan6.ip6prefix=$(uci get network.globals.ula_prefix)
uci commit
ifup wan6

[* yes, using a 6in4 tunnel likely means you have a stable IPv6 prefix and can assign a stable IPv6 address for the wireguard peers, but you still may want to use NAT6 in such a situation.]

You can always adjust that.

With a single provider, not any.

Just use Hurricane Electric's tunnel broker which offers static prefixes. :wink:

1 Like

I wrote up my final solution as a new wiki page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

2 Likes
