IPV6 BGP Wireguard Link Local Issue/Error

[danderson]

So I have WG v4 and V6 tunnels working, V4 BGP works fine with the /30 network provided, but IPV6 with the /126 provided wont let a BGP neighbor establish even though both IPs ping across the WG tunnel.

The error i see in the frr logs is as follows.
Interface: wg1 does not have a v6 LL address associated with it, waiting until one is created for it


I found the following 2 links and they both state that the WG tunnel for V6 needs LL addresses but they are not getting assigned by default like they do on my IPSEC tunnels, does anyone know how/where to set it so the interface assigned for WG gets a Link Local address assigned?

https://www.reddit.com/r/OPNsenseFirewall/comments/10ch97m/wireguard_ipv6_ospfv4/

https://github.com/FRRouting/frr/issues/9544

[Maurice]

You can add multiple wg tunnel addresses (local) and allowed IPs (endpoints). Adding link-locals there could work.

Cheers
Maurice

[danderson]

either way, how/where do I get it to add the Link Local to any WG interface? Its not static ipv6 and add it there as thats the GUA address for the interface not the LL one. In local i  have disable routes set, and in Allowed IPs (endpoints) i have ::/0 as its going to be all and then whatever BGP routes get added into the route table will work.

I may try adding a LL on the local side under wg tunnel address as you recommend , on each instance near and far opnsense's and see what happens.  This works perfectly with V4 as it doenst need LL for V4

If this works cool, but doing this manually sucks as shouldnt each interface automatically get a LL address?

This is what it looks like now,

wg3: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet6 xxxx:xxxx:xxxx::xx prefixlen 126
        groups: wg wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>


other IPSEC interfaces show  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
thinking maybe thats the issue, dont know where to set it in the config to make that change for WG

Basically trying to do VTI but in WG not IPSEC with BGP providing the routes not the tunnel or static routes.

[Maurice]

I don't understand why you consider adding link-locals manually to be so bothersome. All configured tunnel addresses get added to the wg interface, whether they are GUAs, ULAs or link-locals. Just add fe80::1/64 on one side and fe80::2/64 on the other and you should be done (since your allowed IPs are ::/0 anyway).

Cheers
Maurice

[danderson]

@Maurice

Its not that its a pain its just that I am used to the Link-Local being automatic on all interfaces on an IPV6 based system, I added some Link-Local addresses on each end of the WG tunnel in the Local section (server) and as soon as I did that the FRR BGP and BFD neighbor adjacency came right up.

Thx for the help/insight to get it working.