IPv6 RA hassle over Wireguard

Hi,

Networking n00b here with a traditional home network setup. My ISP provides me a dynamic /56 IPv6 prefix over PPPoE from which I am only using a /64 at the moment with the mikrotik built-in RA function. My entire home network gets IPv6 addresses that way and I am really satisfied because I don’t have to deal with DHCP renewals from the clients if the IPv6 prefix changes and RAs support privacy extensions too that work great.

However I wanted to use another /64 of that /56 if I have it anyway. I already have a road warrior Wireguard setup where the server is my Mikrotik router and the client is a dedicated server with a dedicated public IP rented from Hetzner. Right now it’s only IPv4, but I want the Hetzner dedi to be able to get an IPv6 address (or more) from the home’s /56 over Wireguard.

First, to confirm that it’s even doable on the MT side I assigned a /64 manually from the pool to a newly created wireguard interface called wireguard3, created a peer for the hetzner dedi and set the allowed_addresses accordingly.

Then on the client that runs Fedora Server I created a network namespace (didn’t want to touch the host networking while testing) and a wireguard interface in a regular way:

[Interface]
PrivateKey = stripped
[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = ip:port
PublicKey = stripped

After that I ran these commands:

# from the host
ip link add wg-home type wireguard
wg setconf wg-home wgtest_format.conf
ip netns add test
mkdir /etc/netns/test -p
echo "nameserver 9.9.9.9" > /etc/netns/test/resolv.conf
ip link set wg-home netns test
ip netns exec test bash
# from within the netns
export PS1="> "
ip addr add 192.168.99.2/24 dev wg-home
ip addr add 2001:redacted::2/64 dev wg-home
ip link set wg-home up
ip route add default dev wg-home
ip -6 route add default dev wg-home

After that I had IPv6 on the dedicated server.

This is one way to approach the problem indeed, but it doesn’t solve the issue of an IPv6 prefix change. So I took a look at whether RA tunnelling would be possible over Wireguard or not and I bumped into this GitHub issue. If I understood correctly, this ticket implies that RA is actually possible over Wireguard: if I can assign a link-local address to the wg interface on both ends and also enable multicast on the wg interface, it should work.

So then I tried to assign a LL address on the MT to the wireguard3 interface with not much success:

[admin@redacted] > /ipv6/address/add address=fe80::1234:5678:9123:1/64 interface=wireguard3 
failure: can not add link local address

As it seems this is for some reason disabled, I figured the MT devs didn’t want us to add LL addresses. I wonder if there are plans to change that in the future?

But anyway, after numerous desperate hours I came up with a backdoor that seems to work: I can add local addresses to interfaces with an ugly hack:

[admin@redacted] > /ipv6/address/print where interface=wireguard3
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                    FROM-POOL  INTERFACE   ADVERTISE
4  G 2001:redacted::1/64  telekom1   wireguard3  yes      
5  L fe80::1234:5678:6420/64    pool1      wireguard3  no       
6 DL fe80::1234:5678:6420/64               wireguard3  no

I wouldn’t want to tell the method, because I am worried it will be patched then, but I left a clue so it can be figured out very easily.

Last, but not least on the MT side, I added this IP to the allowed_addresses of the peer as well:

[admin@redacted] > /interface/wireguard/peers/print where interface=wireguard3 
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-PORT  ALLOWED-ADDRESS              
3 wireguard3  redacted              0  192.168.99.2/32              
                                                                           2001:redacted::2/128   
                                                                           fe80::1234:5678:6421/128

On the client side, I made sure that the configuration is as follows:

> ip a s dev wg-home
10: wg-home: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.99.2/24 scope global wg-home
       valid_lft forever preferred_lft forever
    inet6 fe80::4930:c3c8:cc07:48e8/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:6421/64 scope link 
       valid_lft forever preferred_lft forever
> ip -6 r
fe80::/64 dev wg-home proto kernel metric 256 pref medium
default via fe80::1234:5678:6420 dev wg-home metric 1024 pref medium

Yet, I still didn’t get RA to work. So my only assumption is that MT also doesn’t support multicast on wireguard interfaces out of the box. On my linux machine a simple “ip link set wg-home multicast on” was sufficient, but I obviously can’t do the same on my MT device. Are there any plans to solve this? Is my assumption even right?

And I am aware L2TP and the others exist, but I am already at 1400 MTU and I wouldn’t want to lose more if it’s seemingly doable over simple Wireguard. Also, this is rather a challenge for me to understand IPv6 a bit more than an actual real-world need.

Alternatively, a networking geek had an interesting thought: they claimed BGP could help me accomplish this without losing MTU, but I have never used BGP before and I don’t know how it works, so I am unsure.

Any ideas on this matter?

Much appreciated!
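The post rests on two requirements, a link-local address on both tunnel ends and multicast on the interface, without showing where they come from. They come from the Router Advertisement itself (RFC 4861): an RA is sent to the all-nodes multicast group ff02::1, and a receiver must discard any RA whose IPv6 source is not link-local or whose hop limit is not 255, and the ICMPv6 checksum covers both addresses via the pseudo-header. The script below is an added example written for this page, not code from the poster, from MikroTik or from WireGuard: it builds a minimal RA with one Prefix Information option, applies the receiver checks of RFC 4861 section 6.1.2, and decodes the result. The router link-local address is the one shown in the post; the advertised prefix 2001:db8:1::/64 and the "wrong" global source 2001:db8:1::1 are constructed stand-ins for the redacted values.

```python
"""Build, validate and decode an ICMPv6 Router Advertisement (RFC 4861).

Added example for the thread above. Addresses in 2001:db8::/32 are
constructed documentation values standing in for the redacted prefix.
"""
import ipaddress
import struct

ICMPV6 = 58                  # IPv6 next-header value for ICMPv6
ND_ROUTER_ADVERT = 134       # ICMPv6 type of a Router Advertisement
ND_OPT_PREFIX_INFO = 3       # option type that carries the advertised /64
ALL_NODES = ipaddress.IPv6Address("ff02::1")   # RA destination: link-local multicast

# Constructed demo values: router link-local taken from the post, documentation prefix,
# and a global-scope source address that a receiver must reject.
ROUTER_LL = ipaddress.IPv6Address("fe80::1234:5678:6420")
HOME_PREFIX = "2001:db8:1::/64"
WRONG_SRC = ipaddress.IPv6Address("2001:db8:1::1")


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(payload), ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, prefix, hop_limit=64, router_lifetime=1800,
             valid=86400, preferred=14400, dst=ALL_NODES):
    """Return the bytes of an RA carrying one on-link, autonomous (SLAAC) prefix."""
    net = ipaddress.IPv6Network(prefix)
    # Header: type, code, checksum (0 until computed), cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer.
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,
                         hop_limit, 0, router_lifetime, 0, 0)
    # Prefix Information option, length 4 (units of 8 bytes); flags L=0x80, A=0x40.
    option = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                         0xC0, valid, preferred, 0) + net.network_address.packed
    payload = header + option
    csum = icmpv6_checksum(src, dst, payload)
    return payload[:2] + struct.pack("!H", csum) + payload[4:]


def validate_ra(src, dst, ipv6_hop_limit, payload):
    """Receiver checks of RFC 4861 section 6.1.2; returns a list of failures (empty = accept)."""
    problems = []
    if not src.is_link_local:
        problems.append("source %s is not link-local" % src)
    if ipv6_hop_limit != 255:
        problems.append("IPv6 hop limit %d != 255" % ipv6_hop_limit)
    if len(payload) < 16:
        return problems + ["message shorter than 16 bytes"]
    if payload[0] != ND_ROUTER_ADVERT or payload[1] != 0:
        problems.append("not a Router Advertisement with code 0")
    stored = struct.unpack("!H", payload[2:4])[0]
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    if icmpv6_checksum(src, dst, zeroed) != stored:
        problems.append("ICMPv6 checksum mismatch")
    pos = 16                                  # walk the options; each length must be > 0
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] == 0:
            problems.append("option with zero length at offset %d" % pos)
            break
        pos += payload[pos + 1] * 8
    if pos != len(payload):
        problems.append("option lengths do not match message length")
    return problems


def parse_ra(payload):
    """Decode the RA header and every Prefix Information option."""
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    result = {"cur_hop_limit": hop_limit, "managed": bool(flags & 0x80),
              "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            break
        body = payload[pos + 2:pos + olen * 8]
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            addr = ipaddress.IPv6Address(body[14:30])
            result["prefixes"].append({
                "prefix": "%s/%d" % (addr, plen), "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40), "valid": valid, "preferred": preferred})
        pos += olen * 8
    return result


if __name__ == "__main__":
    ra = build_ra(ROUTER_LL, HOME_PREFIX)
    print("RA bytes:", ra.hex())
    print("from link-local router:", validate_ra(ROUTER_LL, ALL_NODES, 255, ra) or "accepted")
    print("from global source:", validate_ra(WRONG_SRC, ALL_NODES, 255, ra))
    print("decoded:", parse_ra(ra))
```

Running it shows the same RA being accepted when it comes from fe80::1234:5678:6420 and rejected when the source is a global address, which is why both tunnel ends need a link-local address before any RA can be accepted: the checks are silent discards, so nothing shows up on the client when they fail. Multicast matters for the same reason, since the RA is addressed to ff02::1 and the receiving interface has to deliver that group. One client-side caveat worth checking on Linux before blaming the tunnel: the wg-home interface needs accept_ra set to 1, or to 2 if forwarding is enabled on the host, otherwise the kernel ignores RAs even when they arrive intact.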