WireGuard with IPv6 SLAAC Addresses?
-
I have WireGuard working with both IPv4 and IPv6, but in order to get this working I need to assign static IPs for both IPv4 and IPv6.
For IPv4 I'm not as concerned since my device is behind NAT (all of my devices on my network share the same public IP), but I'd like to do SLAAC for IPv6 instead of a static IP to take advantage of privacy addresses. Otherwise, my IPv6 address on the internet will be static and I can more easily be tracked.
I wasn't able to set WireGuard Interface to
Track Interfacelike my other interfaces as well as enabling RAs, as that broke IPv6. Same thing happened when I enabled IPv4 DHCP server for WireGuard (which broke DHCP for my network).In order for IPv6 to work, I need to set my WireGuard interface to
Static IPv6, put a static IP in for that interface, and then make up an IP for each of my WireGuard connections.I'm guessing things like DHCP and SLAAC are not possible right now with the current state of WireGuard? If not, would be be worth me submitting a Redmine feature request?
-
@offstageroller did you manage to fix this? I am trying to get WireGuard and IPv6 working based on Track Interface.
-
@eirikrcoquere I have been trying to get this to work it is pfsense that is not routing the traffic right
-
@eiríkr said in WireGuard with IPv6 SLAAC Addresses?:
@offstageroller did you manage to fix this? I am trying to get WireGuard and IPv6 working based on Track Interface.
No. I never got it to work and stopped trying since until now, I didn't get a response and I figured this was a me issue that no one else wanted/needed. That's often the case with IPv6 though :).
-
@sgc said in WireGuard with IPv6 SLAAC Addresses?:
@eirikrcoquere I have been trying to get this to work it is pfsense that is not routing the traffic right
Update I did get it working after some work.
-
I will work on a write up on how to get Wireguard working with a track interface and ipv6 working on the network too. It is not easy but with some setting changes it works fine. @OffstageRoller @Eiríkr
-
@sgc said in WireGuard with IPv6 SLAAC Addresses?:
I will work on a write up on how to get Wireguard working with a track interface and ipv6 working on the network too. It is not easy but with some setting changes it works fine. @OffstageRoller @Eiríkr
I would greatly appreciate it! :)
-
@offstageroller do you have ipv6 working on your network
-
@sgc said in WireGuard with IPv6 SLAAC Addresses?:
@offstageroller do you have ipv6 working on your network
@sgc Yep. I have IPv6 SLAAC enabled for every interface on my network except for my two WireGuard interfaces. For my WireGuard interfaces, I have it set to static currently and IPv6 only works when connected via WireGuard if I set each device to a static IPv6 address.
Since I don't want a static IPv6 address, I currently don't assign my WireGuard clients a static IPv6 and I only route IPv4 for right now.
-
@offstageroller on the wg inface set the ipv6 to stack and then open a new brower tab to the pfsense go to dhcp and look at the Subnet Prefix Delegation for each interface should look like XXXX:XXXX:XXXX:XXXX::/XX change the last number X::/XX to a number not in use by the other interfaces then paste it in to the wg interface do the same for each interface so like mine in XXXX:XXXX:XXXX:XXX2::/XX XXXX:XXXX:XXXX:XXX3::/XX then go to wg setting and add a 2nd ip to each pear XXXX:XXXX:XXXX:XXX2::1/128, XXXX:XXXX:XXXX:XXX2::2/128 and so on then go to wg on the device or make a new qr with the dns of the main lan or a different public dns
This sets up the network for ipv6
If you have problems let me know I can try to help. -
@offstageroller By the way I sorry I did not fuly read the post dhcp do not work with wg since the clients do not support dhcp that is why you can make a qr code.
-
@sgc said in WireGuard with IPv6 SLAAC Addresses?:
@offstageroller By the way I sorry I did not fuly read the post dhcp do not work with wg since the clients do not support dhcp that is why you can make a qr code.
@sgc If I'm following what you said correctly, that would result in a static IPv6 address which is what I'm trying to avoid. If you do things that way, you'll end up as a unique IP address on the internet that can be easily tracked.
At least with IPv4 and NAT, my device gets mixed in with all of the other devices on my network to make me more difficult to track.
What I'd want to do is set my WireGuard IPv6 to Track interface, and then enable Router Advertisements for that interface so that my devices will use SLAAC and use privacy IPv6 addresses that change at least daily.
-
@sgc Wondering if the write up is complete? :)
-
@sgc would also love to know the quick details (dont need a super detailed writeup) of how you got your WG remote access tunnel set up with SLAAC or DHCP6
