Score:0

How do I configure IPv6 via WireGuard?


I rented a VDS in order to set up a WireGuard VPN on it and distribute /64 IPv6 subnets to all VPN clients. From the hosting I originally got the address 2a0c:xxx:yyy::1/32. Here are the configurations of the network interfaces that I set up:

❯ ip a
2: wan0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 ...
    inet6 2a0c:xxx:yyy:1001::1/32 scope global
        valid_lft forever preferred_lft forever
    inet6 fe80::****:**:****:****/64 scope link
        valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue ....
    inet 172.22.9.1/24 brd 172.22.9.255 scope global wg0
        valid_lft forever preferred_lft forever
    inet6 fd4d:56d8:31d4:2001::1/56 scope global
        valid_lft forever preferred_lft forever

❯ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a0c:xxx:yyy:2000::/56 dev wg0 proto static metric 20 pref medium
2a0c:xxx::/32 dev wan0 proto kernel metric 256 pref medium
2a0c:xxx::/32 dev wan0 proto ra metric 1024 expires 2591851sec pref medium
fd4d:56d8:31d4:2000::/56 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev wan0 proto kernel metric 256 pref medium
default proto static metric 1024 pref medium
        nexthop via 2a0c:xxx::1 dev wan0 weight 1
        nexthop via fe80::****:****:****:**** dev wan0 weight 1

❯ sudo sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1

❯ cat /etc/ndppd.conf
proxy wan0 {
    rule 2a0c:xxx:yyy:2000::/56 {
        static
    }
}

# --- check routing to dns.google from one of the VPN clients ---
❯ ip -6 r get to 2001:4860:4860::8844 from 2a0c:xxx:yyy:2005::****:*
2001:4860:4860::8844 from 2a0c:xxx:yyy:2005::****:* via fe80::****:****:****:**** dev wan0 proto ra src 2a0c:xxx:yyy:1001::1 metric 1024 mtu 1500 pref medium

I give all VPN clients fd4d:56d8:31d4:20zz::/64 and 2a0c:xxx:yyy:20zz::/64 subnets (zz differs for each client). When I set it up the first time, everything worked and clients could access the Internet via IPv6. However, after I rebooted the VDS this configuration was no longer working.

When I tried to ping a VPN client with the address 2a0c:xxx:yyyy:2005::****:* from another host that is not connected to the VPN, I received multiple neighbor solicitation packets (who has 2a0c:xxx:yyy:2005::****:*) on wan0 from the upstream router, to which the VDS would periodically respond with neighbor advertisement packets. However, the echo request never arrived on either wan0 or wg0.

What is wrong with my configuration? Why does IPv6 over WireGuard stop working after a VDS reboot?

Thanks in advance.


99-wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=kH9-----------------------86u/Uw=
ListenPort=1194

[WireGuardPeer]
PublicKey=oXPdkrbDL---------------oKLW2HEEM=
PresharedKey=L9P------------------------jSiM=
AllowedIPs=2a0c:xxx:yyy:2005::/64
AllowedIPs=172.22.9.5/32

99-wg0.network:

[Match]
Name=wg0

[Network]
Address=172.22.9.1/24

[Route]
Destination=2a0c:xxx:yyy:2000::/56
Metric=20
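As an added illustration (not part of the question or any answer), a small consistency check of the three places a client's /64 must appear for inbound traffic to reach the tunnel: the ndppd rule, the wg0 route and the peer's AllowedIPs. The sample inputs are constructed from the setup above, with the documentation prefix 2001:db8 standing in for the redacted addresses and a placeholder public key.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the question's setup; the redacted
# 2a0c:xxx:yyy prefix is replaced by the documentation prefix 2001:db8.
NDPPD_CONF = """proxy wan0 {
    rule 2001:db8:1:2000::/56 {
        static
    }
}"""
IP6_ROUTES = """2001:db8:1:2000::/56 dev wg0 proto static metric 20 pref medium
2001:db8::/32 dev wan0 proto kernel metric 256 pref medium"""
WG_NETDEV = """[WireGuardPeer]
PublicKey=PLACEHOLDER_PUBLIC_KEY
AllowedIPs=2001:db8:1:2005::/64
AllowedIPs=172.22.9.5/32"""

def parse_ndppd_rules(conf):
    """Prefixes ndppd answers neighbor solicitations for ('rule <prefix> {')."""
    return [ipaddress.ip_network(p) for p in re.findall(r"rule\s+(\S+)\s*\{", conf)]

def parse_wg0_routes(route_output):
    """Prefixes that the `ip -6 r` output routes out of wg0."""
    routes = []
    for line in route_output.splitlines():
        m = re.match(r"(\S+/\d+)\s+dev\s+(\S+)", line)
        if m and m.group(2) == "wg0":
            routes.append(ipaddress.ip_network(m.group(1)))
    return routes

def parse_allowed_ips(netdev):
    """Every AllowedIPs= prefix of the peer in a systemd-networkd .netdev file."""
    return [ipaddress.ip_network(v.strip()) for v in re.findall(r"^AllowedIPs=(.+)$", netdev, re.M)]

def check_client_prefix(client, ndppd_conf=NDPPD_CONF, routes=IP6_ROUTES, netdev=WG_NETDEV):
    """List why inbound packets for `client` would never reach the tunnel (empty = consistent):
    ndppd must answer the upstream NS, a wg0 route must exist, and the peer's AllowedIPs
    must include it (WireGuard's cryptokey routing silently drops anything outside them)."""
    net = ipaddress.ip_network(client)
    def covered(prefixes):  # ignore the IPv4 AllowedIPs entry when checking an IPv6 prefix
        return any(net.version == p.version and net.subnet_of(p) for p in prefixes)
    problems = []
    if not covered(parse_ndppd_rules(ndppd_conf)):
        problems.append("%s: no ndppd rule, upstream NS goes unanswered" % net)
    if not covered(parse_wg0_routes(routes)):
        problems.append("%s: no route via wg0, kernel cannot forward it" % net)
    if not covered(parse_allowed_ips(netdev)):
        problems.append("%s: not in peer AllowedIPs, WireGuard drops it" % net)
    return problems
```

Run it against the real files by reading /etc/ndppd.conf, the `ip -6 r` output and the .netdev file in place of the constructed strings; a non-empty result names the layer that would drop the client's traffic.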
A.B
You should add the content of `wg0.conf` (or equivalent config) and the output of `wg-quick up wg0` so all information is available in the question.
async await
@A.B I solved the issue by changing the hosting where I rented the virtual machine. By repeating all the settings on the new virtual machine (with different IPv6 addresses, of course), I got a working IPv6 connection for all VPN clients. I assume that on the old hosting, the clients' IPv6 was not working because the upstream router was ignoring the neighbor advertisement from the virtual machine in response to its neighbor solicitation. Also, I was able to successfully distribute /64 subnets to clients via a tunnel broker, which further confirms my assumptions about problems on the hosting side.
async await
@A.B I configured the wg0 interface with systemd-networkd; all the settings I set there (interface address and route for the /56 clients subnet) are shown in the output of the `ip a` and `ip -6 r` commands.
async await
@A.B Regarding the second question: I tried to be more specific in the hope that it would attract more people who know about the issue.
async await
@A.B I added the contents of 99-wg0.netdev and 99-wg0.network to the question. All wg0 configuration is done only through them; I don't use wg-quick.
A.B
Ah, never mind, indeed there wouldn't be such rules if not run by wg-quick; I didn't get that it wasn't in the same format. And I just don't know why there's a problem in the other question.