I’m setting up IPv6 to my ac2 with ROS 7.2.3 and have had success in getting it basically working, I have a /56 prefix from ISP, and IPs are assigned to my bridge(s) from the DHCP client pool. Client devices all work ok and pass IPv6 web tests.
I am now trying to add IPv6 support to Wireguard and here again I can get it to work by assigning an address from the same pool…
/ipv6 address add eui-64=yes from-pool=ipv6pool interface=wg-remote-access
Then in the ROS Wireguard Peer “allowed addresses” I copy the generated address 2XXX:XXXX:XXXX:cc04::/64
and add 2XXX:XXXX:XXXX:cc04::2/128 as address on Android client, and it works well and I see this same address as client IP on any test site.
…the problem is this gives the Wireguard peer a static public IP which is unacceptable from a privacy/tracking pov.
I see e.g. Windows does address randomization by default, but it seems Wireguard Android client does not, or cannot because here a specific /128 address is being mandated.
How do I achieve randomization on my WG peer client?
I found some examples in my reading that suggested assigning fd00 addresses instead, which can be NATed, so:
/interface wireguard peers add allowed-address=192.168.98.2/32,fd00:11::2/128 interface=wg-remote-access public-key=xxx
/ipv6 address add address=fd00:11::1 interface=wg-remote-access
with the Android client set up with Interface Addresses 192.168.98.2/32,fd00:11::2/128
I tried as a chancer
/ipv6 firewall nat add action=masquerade chain=srcnat out-interface-list=WAN src-address=fd00:11::/64
but I have no idea what I’m doing and it doesn’t work; it breaks the WireGuard IPv6.
- am I on the right track trying to use fd00 and NAT to achieve randomization?
- how?
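As an added example (not from the original post), assuming the peer's allowed-address on the router is the whole /64 shown above rather than a single /128: a small Python helper that picks a fresh random /128 inside that /64 for the client, in the style of RFC 4941 temporary addresses, and checks that it still falls within the server's allowed range so no server-side change is needed. The prefix is the 2001:db8::/32 documentation range standing in for the ISP prefix, and the ::1/::2 addresses to avoid are assumed.

```python
import ipaddress
import secrets


def random_address_in(prefix: str, avoid=()):
    """Return a random /128 inside `prefix` (must be a /64) with a random
    64-bit interface identifier, like an RFC 4941 temporary address.
    Skips the subnet-router anycast address (IID 0) and any address listed
    in `avoid` (e.g. the router's own address or a previously used one)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    avoid_set = {ipaddress.IPv6Address(a) for a in avoid}
    while True:
        iid = secrets.randbits(64)  # cryptographically random IID
        if iid == 0:
            continue  # subnet-router anycast, never assign it
        addr = ipaddress.IPv6Address(int(net.network_address) + iid)
        if addr not in avoid_set:
            return addr


def interface_id(addr) -> int:
    """Low 64 bits of an IPv6 address (the interface identifier)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def in_allowed(addr, allowed: str) -> bool:
    """True if `addr` is covered by the peer's allowed-address entry,
    i.e. the router would accept it without any config change."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(allowed, strict=False)


def client_address_line(v4: str, addr) -> str:
    """Interface 'Addresses' value for the WireGuard client config."""
    return f"{v4},{addr}/128"


if __name__ == "__main__":
    # Documentation prefix standing in for the ISP-delegated /64 (assumed).
    prefix = "2001:db8:1234:cc04::/64"
    used = ["2001:db8:1234:cc04::1", "2001:db8:1234:cc04::2"]  # assumed
    new_addr = random_address_in(prefix, avoid=used)
    print(client_address_line("192.168.98.2/32", new_addr))
```

Rotating the client's address this way changes only the client side; the router keeps the same /64 in the peer's allowed-address.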