Wireguard Road Warrior with IPv6

Started by Snowstorm1491, August 08, 2022, 11:35:22 PM

I have only IPv4 at home, and I would like to use Wireguard to add the possibility to get to IPv6 only servers.

I rented a VPS at netcup, installed OPNsense there, with the IPv6 subnet aaaa:bbbb:cccc:dddd::/64 and an IPv4 of www.xxx.yyy.zzz. In OPNsense, for WAN, I have set it to use DHCP for IPv4 and Static for IPv6 with aaaa:bbbb:cccc:dddd::1/64 as my WAN IPv6 and fe00::1 as gateway. I checked with ping that both IPv4 and IPv6 work.

I have followed the Road Warrior guide, initially with only IPv4 to test it out. So the Wireguard tunnel has the IPv4 subnet of 10.10.10.0/24. With only IPv4, the tunnel worked.

Now that I have IPv4 tunnel working, I started to add IPv6 to the Wireguard local interface (aaaa:bbbb:cccc:dddd::a:1/64 in addition to 10.10.10.1/24), and endpoint Allowed IPs (aaaa:bbbb:cccc:dddd::a:2/128 in addition to 10.10.10.2/32).

Client interface IP is aaaa:bbbb:cccc:dddd::a:2/64 and 10.10.10.2/24, Allowed IPs 0.0.0.0/0, ::/0

After applying the settings, I am able to connect to the tunnel on the client, ping works for aaaa:bbbb:cccc:dddd::1, aaaa:bbbb:cccc:dddd::a:1, but everything outside of the OPNsense's aaaa:bbbb:cccc:dddd::/64 is not reachable (I can't ping 2606:4700:4700::1111). However, IPv4 internet is available (I can ping 1.1.1.1).

What did I miss?

You can't use the same subnet (aaaa:bbbb:cccc:dddd::/64) on two interfaces (WAN and WireGuard). Try getting more than just a single /64 from your VPS hoster.

Btw, tunnelbroker.net is way easier to set up and you can get a free /48.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Is there any significance about /64? Can't I just split it into two /65 subnets? I apologize if this is a dumb question, I don't know much about IPv6

You could use two /65s, but that would only solve one of multiple potential issues:

Your hoster might not route the entire /64 to your VPS WAN interface unconditionally, but perform Neighbor Solicitation instead. Depends on their configuration.

Is the WireGuard client an individual PC or your OPNsense box at home? For the latter, you'll also need IPv6 addresses for your LANs (a dedicated /64 for each LAN).

I see. I'm currently testing with an individual PC, but subsequently I will need to route all the LAN via OPNsense box at home, so I have created a TunnelBroker account and requested a /48 subnet. Unfortunately my home Internet is behind an ISP firewall, so I can't allow ICMP to reach my home Internet to set up the tunnel. That means I will still have to use the VPS to somehow route the TunnelBroker's IPv6 to my home.

I followed the guide to add the subnet to OPNsense on the VPS. How do I proceed with Wireguard?

No IPv6 and filtered IPv4? What kind of ISP is this? :o

So you have the GIF tunnel up and running on the VPS and want to route the /48 through the WireGuard tunnel to your OPNsense at home. Let's say your tunnelbroker.net routed /64 is 2001:470:ab:cde::/64 and the /48 is 2001:470:abcd::/48. Then you could, e.g.:

On the VPS, set the wg tunnel address to 2001:470:ab:cde::1/64. Set the endpoint allowed IPs to 2001:470:ab:cde::2/128 and 2001:470:abcd::/48.

On the OPNsense at home, set the wg tunnel address to 2001:470:ab:cde::2/64. Set the endpoint allowed IPs to ::/0. Configure the LAN interfaces with static IPv6 addresses; LAN1 2001:470:abcd:1::1/64, LAN2 2001:470:abcd:2::1/64 and so on.

Cheers
Maurice

(As a side note, some commercial VPN providers offer IPv6 prefixes via WireGuard. No need to run your own server.)
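The two-sided setup described in the post above, written out as WireGuard configuration files (an added example, not from the thread or from OPNsense's own generated config). Keys, the listen port 51820 and the VPS endpoint address are placeholders; AllowedIPs semantics are WireGuard's cryptokey routing, and installing matching kernel routes for them is assumed to be handled by the plugin or wg-quick.

```ini
# ---- VPS side (OPNsense at the hoster), wg0 ----
[Interface]
# Tunnel address taken from the tunnelbroker.net routed /64.
# Must NOT overlap the WAN prefix (the first problem in this thread).
Address = 2001:470:ab:cde::1/64
ListenPort = 51820                    # assumed port
PrivateKey = <VPS_PRIVATE_KEY>        # placeholder

[Peer]
# Home OPNsense. AllowedIPs does two things: it is the set of sources
# accepted from this peer, and the set of destinations routed to it.
# Listing the whole /48 here is what makes the home LANs reachable.
PublicKey = <HOME_PUBLIC_KEY>         # placeholder
AllowedIPs = 2001:470:ab:cde::2/128, 2001:470:abcd::/48

# ---- Home side (OPNsense at home), wg0 ----
[Interface]
Address = 2001:470:ab:cde::2/64
PrivateKey = <HOME_PRIVATE_KEY>       # placeholder
# No ListenPort: the home side is behind a filtering ISP and always
# initiates the handshake towards the VPS.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>          # placeholder
Endpoint = www.xxx.yyy.zzz:51820      # VPS IPv4 from the thread (placeholder)
# All IPv6 goes through the VPS; the VPS forwards it to the GIF tunnel.
AllowedIPs = ::/0
# Keeps the stateful ISP/NAT entry alive so return traffic is not dropped.
PersistentKeepalive = 25

# LAN interfaces on the home OPNsense (configured outside wg0):
#   LAN1  2001:470:abcd:1::1/64
#   LAN2  2001:470:abcd:2::1/64
# Each LAN gets its own /64 carved from the routed /48.
```

The VPS still needs a firewall rule allowing the /48 in on the WireGuard interface, and the home side needs rules permitting its LAN traffic out through wg0; neither is part of the WireGuard configuration itself.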

Thanks for the instructions! It worked!

Quote
No IPv6 and filtered IPv4? What kind of ISP is this? :o

It's actually my university's network, and every single device (even smartphones and such) gets its own public IPv4 (and IPv6 for some network, but my home network does not have IPv6), so it makes sense to filter everything incoming from outside.

Quote
(As a side note, some commercial VPN providers offer IPv6 prefixes via WireGuard. No need to run your own server.)

Yeah I know that but my current VPN provider does not support IPv6 at all, so I'm waiting for it to expire and get one that does.


August 10, 2022, 01:00:52 AM #7 Last Edit: August 10, 2022, 01:03:01 AM by Snowstorm1491
For future reference, I found Route 48 (https://route48.org/?act=privacy), it supports Wireguard, so it's much easier to setup for people with Internet that are behind CGNAT or ISP-filtered networks. They are very new, so I don't know how reliable they are. They provide /48 subnets, 5 tunnels for free.

I use netcup myself to provide my location with IPv6. I use Zerotier to tunnel the traffic from OPNsense at Netcup to my home OPNsense, but I need at least 3 /64 to do that.

Route48 project looks really interesting, providing /48 with BGP, WireGuard or Zerotier is very exotic, I'll give it a try.

Quote from: Cerberus on August 19, 2022, 12:43:18 AM
I use netcup myself to provide my location with IPv6. I use Zerotier to tunnel the traffic from OPNsense at Netcup to my home OPNsense, but I need at least 3 /64 to do that.

Route48 project looks really interesting, providing /48 with BGP, WireGuard or Zerotier is very exotic, I'll give it a try.

It is much easier to set up, but for some reason I cannot access my university's websites from it. Maybe it's still very new, so their IP range reputation is not that good yet. I have no issues with other websites though.

With Hurricane Electric's IPv6 addresses I have no problem with my university's websites. So despite higher latency (one more hop from my router to the netcup VPS), I have to fall back to Hurricane Electric's instead of using Route48. But I see potential with Route48 for it providing WireGuard for a much easier setup. I believe they're the only broker that provides that right now.

Quote from: Snowstorm1491 on August 19, 2022, 12:50:36 AM
But I see potential with Route48 for it providing Wireguard for much easier setup. I believe they're the only broker that provides that right now.

ungleich.ch have been offering /48 via WireGuard for several years, but latency might be a bit of an issue - they only have endpoints in Switzerland.