IPV6 BGP Wireguard Link Local Issue/Error

Started by danderson, September 21, 2023, 08:24:27 PM

So I have WG v4 and v6 tunnels working. v4 BGP works fine with the /30 network provided, but IPv6 with the /126 provided won't let a BGP neighbor establish, even though both IPs ping across the WG tunnel.

The error I see in the FRR logs is as follows:
Interface: wg1 does not have a v6 LL address associated with it, waiting until one is created for it


I found the following two links, and they both state that the WG tunnel for v6 needs LL addresses, but they are not getting assigned by default like they do on my IPSEC tunnels. Does anyone know how/where to set it so the interface assigned for WG gets a Link Local address assigned?

https://www.reddit.com/r/OPNsenseFirewall/comments/10ch97m/wireguard_ipv6_ospfv4/

https://github.com/FRRouting/frr/issues/9544


You can add multiple wg tunnel addresses (local) and allowed IPs (endpoints). Adding link-locals there could work.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

September 21, 2023, 11:50:56 PM #2 Last Edit: September 22, 2023, 12:31:53 AM by danderson
Either way, how/where do I get it to add the Link Local to any WG interface? It's not "static IPv6 and add it there", as that's the GUA address for the interface, not the LL one. In Local I have disable routes set, and in Allowed IPs (endpoints) I have ::/0, as it's going to be all, and then whatever BGP routes get added into the route table will work.

I may try adding an LL on the local side under WG tunnel address as you recommend, on each instance (near and far OPNsense), and see what happens. This works perfectly with v4 as it doesn't need LL for v4.

If this works, cool, but doing this manually sucks; shouldn't each interface automatically get an LL address?

This is what it looks like now:

wg3: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet6 xxxx:xxxx:xxxx::xx prefixlen 126
        groups: wg wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>


Other IPSEC interfaces show nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>.
Thinking maybe that's the issue; don't know where to set it in the config to make that change for WG.

Basically trying to do VTI, but in WG instead of IPSEC, with BGP providing the routes, not the tunnel or static routes.

I don't understand why you consider adding link-locals manually to be so bothersome. All configured tunnel addresses get added to the wg interface, whether they are GUAs, ULAs or link-locals. Just add fe80::1/64 on one side and fe80::2/64 on the other and you should be done (since your allowed IPs are ::/0 anyway).

Cheers
Maurice
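
As an added example (not from this thread, OPNsense or FRR), here is a small Python checker that parses FreeBSD ifconfig output like the one quoted above, lists WireGuard interfaces that have no fe80::/10 address (the condition behind FRR's "does not have a v6 LL address" message), reports whether the kernel's AUTO_LINKLOCAL nd6 flag is set, and sanity-checks a manual link-local pair such as the fe80::1/64 / fe80::2/64 suggested above. The ifconfig text is constructed, with the 2001:db8::/32 documentation prefix standing in for the masked GUAs.

```python
import ipaddress
import re

# Constructed sample modelled on the ifconfig output quoted in the thread
# (2001:db8::/32 documentation prefix stands in for the masked GUAs).
SAMPLE_IFCONFIG = """\
wg3: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet6 2001:db8:abcd::1 prefixlen 126
        groups: wg wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>
ipsec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        inet6 fe80::a00:27ff:fe12:3456%ipsec1 prefixlen 64 scopeid 0x5
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""

def parse_ifconfig(text):
    """Return {ifname: {"inet6": [IPv6Interface], "nd6": set, "groups": set}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+): flags=", line):          # new interface block
            cur = ifaces.setdefault(m.group(1), {"inet6": [], "nd6": set(), "groups": set()})
        elif cur is None:
            continue
        elif m := re.match(r"^\s+inet6 (\S+) prefixlen (\d+)", line):
            addr = m.group(1).split("%")[0]                  # drop FreeBSD %scope suffix
            cur["inet6"].append(ipaddress.ip_interface(f"{addr}/{m.group(2)}"))
        elif m := re.match(r"^\s+nd6 options=\w+<([^>]*)>", line):
            cur["nd6"] = set(m.group(1).split(","))
        elif m := re.match(r"^\s+groups: (.+)$", line):
            cur["groups"] = set(m.group(1).split())
    return ifaces

def link_local_status(iface):
    """(has an fe80::/10 address, kernel would auto-assign one via AUTO_LINKLOCAL)."""
    has_ll = any(i.ip.is_link_local for i in iface["inet6"])
    return has_ll, "AUTO_LINKLOCAL" in iface["nd6"]

def wg_without_link_local(ifaces):
    """WireGuard interfaces FRR will keep 'waiting' on until an LL address exists."""
    return sorted(n for n, i in ifaces.items()
                  if "wg" in i["groups"] and not link_local_status(i)[0])

def check_peer_pair(local, remote):
    """Validate a manual LL pair (e.g. fe80::1/64 and fe80::2/64): both link-local,
    same prefix, distinct addresses."""
    a, b = ipaddress.ip_interface(local), ipaddress.ip_interface(remote)
    return (a.ip.is_link_local and b.ip.is_link_local
            and a.network == b.network and a.ip != b.ip)
```

Feeding it real `ifconfig -a` output from both OPNsense ends shows at a glance which wg interface still lacks the link-local that the BGP session waits for.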

@Maurice

It's not that it's a pain, it's just that I am used to the Link-Local being automatic on all interfaces on an IPv6-based system. I added some Link-Local addresses on each end of the WG tunnel in the Local section (server), and as soon as I did that the FRR BGP and BFD neighbor adjacency came right up.

Thx for the help/insight to get it working.