Routing IPV6 over site-to-site VPNs when they are globally unique assigned from a dynamic PA
-
I'm looking for suggestions on how to set up a network and route IPV6 over a site-to-site VPN between several sites (3-4+), ideally using wireguard and globally unique IPV6 addresses.
Background
- I have several sites consisting of homes and offices. The IPV4 private address networks are connected together using Wireguard
- I use wireguard because it is very fast. I have fiber symmetrical gigabit and we get round trip latency of less than 3ms.
- For IPV4 multicast traffic, I never managed to get PIMD to work properly or reliably; I was trying to deploy it over GRE/GIF over WireGuard and also tried OpenVPN.
- So instead I just set up AVAHI to route mDNS over a separate OpenVPN site-to-site tunnel. This seems to resolve all ipv4 mDNS between sites for service discovery of supported devices.
- IPV4 routing is set up over Wireguard between sites using static routes.
- My fiber providers provide /60 PD, so I am able to get full /64 subnets for the main networks as well as guest and other networks. However, the PDs are assumed to be dynamically assigned
- One site is on TMobile internet, which does not provide prefix delegation. I'll probably use private IPV6 space for this network and NAT the IPV6 internet traffic until I find a better solution.
I would prefer to stick to Wireguard because it is very fast. What are my best options to set up IPV6 routing between sites?
- While I would prefer to set up static routing, the prefixes are dynamic making this impossible without some sort of automation
- I could assign private space IPV6 addresses to each network and then use NPt to map them globally unique IPV6 when they go out to the internet, but NPt in pfsense can't operate on dynamic prefixes.
- I could use OSPF which would require it running over a tunnel interface that supports multicast (not wireguard, unless it was within GRE/GIF), but even if the routing tables were automatically updated, wireguard only supports static IP routing
- Give up because IPV6 is dumb
So... what is the best way to go about IPV6 site-to-site over a VPN? Thanks for your suggestions.
-
You could try Unique Local Addresses.
-
@JKnott said in Routing IPV6 over site-to-site VPNs when they are globally unique assigned from a dynamic PA:
You could try Unique Local Addresses.
Now I understand that a device can have several IPV6 addresses at a time. (IP4 too, but it was a common design feature to do so on IPV6). Does this cause problems with
- Some clients like Android do not do DHCP and only do SLAAC. Other clients prefer to do DHCP.
- the IPV6 addresses returned by discovery protocols like mDNS would return IPV6 addresses that include globally routable address that won't reach the other side's device. How do we make sure that the clients choose the private addresses returned from, for example, mDNS?
But a problem is that the NPt feature in pfsense allows a delegated prefix to be selected only if it is assigned to an interface. Otherwise, NPt won't allow selecting a delegated prefix. So I can't figure out how to use unique local addressing with NPt.
-
The Android problem is with DHCPv6 only and has nothing to do with ULA. You can have both GUA and ULA on the same LAN, as I do here. The advantage of ULA is the prefix doesn't change, unless you change it.
BTW, do you have System/Advanced/Networking/Do not allow PD/Address release selected? If not, your prefix will change. However, not all ISPs honour it.
-
@jmmm I know this is an old post, not sure if you're still around - but did you end up finding something that works or just give up on IPv6 entirely?
I find myself in a similar boat trying to set up site-to-site VPNs between multiple sites that all have dynamically assigned prefixes that change regularly, and I can't seem to figure out how to make sure that traffic goes over the VPN tunnel instead of directly over the internet.
-
@grantems I guess I would use ULAs and NPt for that, but I just don't use IPv6 in any VPN-tunnel.
-
@grantems The best solution I could come up with is to add a globally unique private IPv6 subnet for each location. This should be distributed to each client in addition to public IPv6 addresses and link-local addresses. A major difference between IPv6 networking and IPv4 networking is that clients often (and in fact typically) have more than one IP address.
Link Local is used on the local network for printers and stuff.
Internet traffic is routed over its public IP and out the router/gateway to the internet.
VPN traffic is sent by its globally unique IPv6 private address and is routable across the private networks. The advantage of including, and ideally using, IPv6 on the local network is that the IP addresses are globally unique. The subnet will never overlap any other IP address range used by any other service, VPN, or network.
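As an added example (not code from this thread, from pfSense or from WireGuard), the following Python derives a site's ULA /48 the way RFC 4193 section 3.2.2 describes (64-bit NTP timestamp concatenated with the router's EUI-64, hashed with SHA-1, low 40 bits used as the Global ID under fd00::/8), carves per-network /64s from it using the 16-bit Subnet ID, checks that the prefixes chosen for several sites do not overlap, and renders the AllowedIPs entry each remote peer would get in the local WireGuard config. The MAC addresses, the fixed timestamp and the site names are constructed inputs so the run is reproducible; RFC 4193 intends the timestamp to be the real current time so that the resulting prefix is effectively random.

```python
"""Derive RFC 4193 Unique Local Address prefixes for several sites and
check them for overlap. Added illustration; not code from the thread."""
import hashlib
import ipaddress
import time
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction, big endian."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return (whole + NTP_EPOCH_OFFSET).to_bytes(4, "big") + frac.to_bytes(4, "big")


def generate_ula_prefix(mac: str, unix_seconds: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64)."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    # fd00::/8 (prefix fc00::/7 with the L bit set) followed by the 40-bit Global ID
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def site_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of a site's /48 using the 16-bit Subnet ID field (bits 48-63)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def find_overlaps(prefixes: Sequence[ipaddress.IPv6Network]) -> List[Tuple[ipaddress.IPv6Network, ipaddress.IPv6Network]]:
    """Pairs of prefixes that overlap; the list must be empty before they are used as site ranges."""
    return [(a, b) for a, b in combinations(prefixes, 2) if a.overlaps(b)]


def wireguard_allowed_ips(site_prefixes: Dict[str, ipaddress.IPv6Network], local: str) -> Dict[str, str]:
    """AllowedIPs value for each remote peer in the local site's WireGuard config.
    Because the ULA never changes, these static entries never need updating."""
    return {site: str(p) for site, p in site_prefixes.items() if site != local}


if __name__ == "__main__":
    # Constructed inputs: locally administered MACs and a fixed timestamp so that the
    # printed output is reproducible; in practice use the router's MAC and time.time().
    sites = {
        "home": generate_ula_prefix("02:00:00:00:00:01", 1_700_000_000),
        "office": generate_ula_prefix("02:00:00:00:00:02", 1_700_000_000),
        "tmobile": generate_ula_prefix("02:00:00:00:00:03", 1_700_000_000),
    }
    for name, p in sites.items():
        print(f"{name:8} {p}  LAN {site_subnet(p, 1)}  guest {site_subnet(p, 2)}")
    print("overlaps:", find_overlaps(list(sites.values())))
    for peer, allowed in wireguard_allowed_ips(sites, "home").items():
        print(f"[Peer] {peer}: AllowedIPs = {allowed}")
```

Generate the /48 once per site and record it; re-running the generator with the current time yields a different prefix, which is exactly the instability the ULA is meant to avoid.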
-
Assigning ULA private addresses from the fc00::/7 range seems like the thing to do so I can have static addressing that's used internally. In addition to hosts having one or more public addresses that are part of the ever changing dynamic delegation. That doesn't seem too different from how it's done on IPv4.
I guess the part I can't wrap my head around is how to make sure hosts only use that private address and never the globally routable ones - which would end up not being routed over the VPN. It's not as simple as making a firewall rule to block it from going over the internet, because I'll never know what public subnets are at the other end of the VPN connection.
Not putting those public addresses in DNS entries would be the first step, but I'm not sure that just not having DNS is enough to stop hosts on either side of the VPN from trying to talk to each other over the internet. Even if pfSense at the far end blocks it from connecting, I don't want any of the traffic going outside of the VPN in the first place.
-
@grantems IPv6 has mechanisms to do this that I don't quite understand. I think a bunch of it comes down to DNS. Your DNS resolver should resolve IP addresses that are accessible from the requesting computer. For internal services, this is the private address. Of course this becomes an issue if you, for example, want a computer to be found on the internet, but only allow certain traffic in, whereas from the private network all is allowed in. If you route mDNS between subnets, I think it should resolve private addresses, but I'm not sure how it works.
To add private IP addresses without changing anything, add RA subnets in router advertisements.
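The mechanism the last two posts are circling is RFC 6724 default address selection, which every mainstream IPv6 stack implements. As an added example (not code from this thread, from pfSense or from any client OS), the Python below models the part of it that answers the question: the default policy table, the source selection rules that prefer matching scope, matching label and longest prefix match, and the destination selection rules that prefer matching label and then higher precedence. Source rules 3, 4, 6 and 7 (deprecated, home, outgoing-interface and temporary addresses) and destination rule 1 (unusable destinations) are omitted. The addresses are constructed: the documentation prefix 2001:db8::/32 stands in for the dynamic GUA and fd12:3456:789a::/48 for a ULA. Two things fall out of the rules: a host that has both a GUA and a ULA uses its ULA as the source whenever the destination is a ULA (label 13 matches), so a name that resolves only to the ULA keeps the traffic on the tunnel; but if the name resolves to both the GUA and the ULA, the host tries the GUA destination first, because GUA precedence (40) beats ULA precedence (3). Publishing only the ULA in internal DNS is therefore the step that matters, not just an extra step.

```python
"""Simplified RFC 6724 default address selection, showing which source a
dual-addressed host picks and which destination it tries first.
Added illustration; not code from the thread or from pfSense."""
import functools
import ipaddress
from typing import List, Sequence, Tuple

Addr = ipaddress.IPv6Address

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label)
POLICY_TABLE: List[Tuple[ipaddress.IPv6Network, int, int]] = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 35, 4),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("2001::/32"), 5, 5),
    (ipaddress.IPv6Network("fc00::/7"), 3, 13),
    (ipaddress.IPv6Network("::/96"), 1, 3),
    (ipaddress.IPv6Network("fec0::/10"), 1, 11),
    (ipaddress.IPv6Network("3ffe::/16"), 1, 12),
]

SCOPE_LINK, SCOPE_SITE, SCOPE_GLOBAL = 0x2, 0x5, 0xE


def policy(addr: Addr) -> Tuple[int, int]:
    """(precedence, label) of the longest matching policy-table entry."""
    _net, prec, label = max((e for e in POLICY_TABLE if addr in e[0]), key=lambda e: e[0].prefixlen)
    return prec, label


def scope(addr: Addr) -> int:
    if addr.is_link_local or addr.is_loopback:
        return SCOPE_LINK
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return SCOPE_SITE
    return SCOPE_GLOBAL  # GUA and ULA both have global scope (RFC 6724 section 3.1)


def common_prefix_len(a: Addr, b: Addr) -> int:
    """Number of leading bits the two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def _cmp_source(sa: Addr, sb: Addr, dest: Addr) -> int:
    """-1 if sa is the better source for dest, 1 if sb is, 0 if the rules tie."""
    if sa == dest:  # rule 1: prefer same address
        return -1
    if sb == dest:
        return 1
    ssa, ssb, sd = scope(sa), scope(sb), scope(dest)  # rule 2: prefer appropriate scope
    if ssa < ssb:
        return 1 if ssa < sd else -1
    if ssb < ssa:
        return -1 if ssb < sd else 1
    la, lb, ld = policy(sa)[1], policy(sb)[1], policy(dest)[1]  # rule 5: prefer matching label
    if la == ld and lb != ld:
        return -1
    if lb == ld and la != ld:
        return 1
    ca, cb = common_prefix_len(sa, dest), common_prefix_len(sb, dest)  # rule 8: longest match
    return -1 if ca > cb else (1 if cb > ca else 0)


def select_source(sources: Sequence[Addr], dest: Addr) -> Addr:
    return min(sources, key=functools.cmp_to_key(lambda a, b: _cmp_source(a, b, dest)))


def _cmp_dest(da: Addr, db: Addr, sources: Sequence[Addr]) -> int:
    """Destination selection (RFC 6724 section 6), each destination judged with its own source."""
    sa, sb = select_source(sources, da), select_source(sources, db)
    ma, mb = scope(sa) == scope(da), scope(sb) == scope(db)  # rule 2: prefer matching scope
    if ma != mb:
        return -1 if ma else 1
    la, lb = policy(sa)[1] == policy(da)[1], policy(sb)[1] == policy(db)[1]  # rule 5: matching label
    if la != lb:
        return -1 if la else 1
    pa, pb = policy(da)[0], policy(db)[0]  # rule 6: prefer higher precedence
    if pa != pb:
        return -1 if pa > pb else 1
    ca, cb = common_prefix_len(sa, da), common_prefix_len(sb, db)  # rule 8: longest match
    return -1 if ca > cb else (1 if cb > ca else 0)


def order_destinations(dests: Sequence[Addr], sources: Sequence[Addr]) -> List[Addr]:
    """Destinations in the order a host would try them."""
    return sorted(dests, key=functools.cmp_to_key(lambda a, b: _cmp_dest(a, b, sources)))


if __name__ == "__main__":
    # Constructed addresses of a host at site A and a service at site B.
    local = [Addr("2001:db8:a::10"), Addr("fd12:3456:789a:1::10"), Addr("fe80::10")]
    remote_ula, remote_gua = Addr("fd12:3456:789a:2::20"), Addr("2001:db8:b::20")
    print("dest ULA -> source", select_source(local, remote_ula))
    print("dest GUA -> source", select_source(local, remote_gua))
    print("name with both records -> tried first:", order_destinations([remote_ula, remote_gua], local)[0])
```

Run it and the third line shows the GUA, which is the internet path rather than the WireGuard path; remove the GUA record and both selection steps settle on the ULA pair.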