VPS IPv6 /64 for SLAAC at home via wireguard?

I'm looking to hand out public IPv6 addresses from my VPS /64 to my clients at home via SLAAC if possible. I have so far been able to get a single IPv6 public address to work via ndp_proxy (instructions here) BUT I have been unsuccessful at allowing multiple IPv6 thru the wireguard tunnel to become available to clients.

Here is a dirty diagram of how things would look:

  1. VPS
    2602:fed2:8888:106:: /64 assigned
    eth0 = 2602:fed2:8888:106::1
    wg0 = 2602:fed2:8888:106:100::1
    -- wg tunnel --

  2. Home client
    wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home - receiving traffic from multiple hosts)
    eth0 = 192.168.1.100

-- client 1 forwards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.

VPS provider won't give more IPv6 space than /64 unfortunately :( - I haven't tried asking for a /128 for a ptp that's routed to it - I was reading that may work but don't know.

I did try /etc/ndppd.conf with this config but did not see any requests coming from wg0 instance:

proxy eth0 {
  autowire yes
  rule 2602:fed2:8888:106::/64 {
      iface wghub
  }
}

Anyone with experience that could comment?

Comments

  • You have to use the "static" mode in ndppd. WireGuard is a level 3 interface, not level 2, so ndppd's dynamic tricks won't work with it. You just want it to bring the entire /64 onto your server. Then, from the server you can route it into the WG tunnel.

  • @rm_ said:
    You have to use the "static" mode in ndppd. WireGuard is a level 3 interface, not level 2, so ndppd's dynamic tricks won't work with it. You just want it to bring the entire /64 onto your server. Then, from the server you can route it into the WG tunnel.

    Ok, trying this config out but I may be missing something for it to work - do I need a static route setup in the VPS?

    Added an extra IPv6 address of 2602:fed2:730b:106:8888::13 to wgclient at home but it doesn't work.

    root@mia2:~/noproxy# ip -6 nei
    fe80::5e5e:ab03:fa43:85f0 dev eth0 lladdr 5c:5e:ab:43:85:f0 router STALE
    fe80::216:3eff:fe95:8b21 dev eth0 lladdr 00:16:3e:95:8b:21 STALE
    2602:fed2:730b::1 dev eth0 lladdr 5c:5e:ab:43:85:f0 router DELAY
    2602:fed2:730b:106::10 dev eth0  FAILED
    root@mia2:~/noproxy# ip -6 nei show proxy
    2602:fed2:730b:106:8888::12 dev eth0  proxy
    root@mia2:~/noproxy# ping6 2602:fed2:730b:106:8888::13
    PING 2602:fed2:730b:106:8888::13(2602:fed2:730b:106:8888::13) 56 data bytes
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=1 Destination unreachable: Address unreachable
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=2 Destination unreachable: Address unreachable
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=3 Destination unreachable: Address unreachable
    ^C
    --- 2602:fed2:730b:106:8888::13 ping statistics ---
    3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 49ms
    
    root@mia2:~/noproxy# ip -6 r
    ::1 dev lo proto kernel metric 256 pref medium
    2602:fed2:730b::1 dev eth0 metric 1024 pref medium
    2602:fed2:730b:8f::/64 dev eth0 proto kernel metric 256 pref medium
    2602:fed2:730b:106:8888::/112 dev wghub proto kernel metric 256 pref medium
    2602:fed2:730b:106::/64 dev eth0 proto kernel metric 256 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    default via 2602:fed2:730b::1 dev eth0 metric 1024 onlink pref medium
    root@mia2:~/noproxy# cat /etc/ndppd.conf
    route-ttl 30000
    proxy eth0 {
    router yes
    timeout 500
    ttl 30000
    rule 2602:fed2:730b:106::/64 {
    static
    }
    }
    
    

    I did see something come in thru the ndppd logs indicating that something happened but I don't see this ::13 in the ip -6 neighbors of the VPS and it isn't pingable from the internet:

    (debug) iface::read() len=86
    (debug) iface::read_solicit() saddr=fe80::5e5e:ab03:fa43:85f0, daddr=ff02::1:ff00:13, len=86
    (debug) proxy::handle_solicit() saddr=fe80::5e5e:ab03:fa43:85f0, taddr=2602:fed2:730b:106:8888::13
    (debug) checking 2602:fed2:730b:106::/64 against 2602:fed2:730b:106:8888::13
    (debug) session::create() pr=6ba7c8a0, saddr=fe80::5e5e:ab03:fa43:85f0, daddr=ff02::1:ff00:13, taddr=2602:fed2:730b:106:8888::13 =6ba7d830
    (debug) iface::write_advert() daddr=fe80::5e5e:ab03:fa43:85f0, taddr=2602:fed2:730b:106:8888::13
    (debug) iface::write() daddr=fe80::5e5e:ab03:fa43:85f0, len=32
    (debug) session::~session() this=6ba7d830
    (debug) iface::read() len=24
    (debug) iface::read_advert() saddr=fe80::88ca:d481:fd7f:0, taddr=fe80::5e5e:ab03:fa43:85f0, len=24
    
    

    thanks for the help :)

  • do I need a static route setup in the VPS?

    Yes. Just static in ndppd, and aside from that forget about anything related to "neigh" or proxy, it's all regular routing from then on.
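A way to read the `ip -6 r` output and the `Required key not available` error posted above, as an added example (not code from the thread): it does the kernel's longest-prefix match over the VPS routes, then WireGuard's AllowedIPs check for the chosen peer. The AllowedIPs values and the peer name `home` are constructed, since the thread does not show the WireGuard peer configuration.

```python
import ipaddress

# Global-unicast lines copied from the `ip -6 r` output in the thread (VPS side).
ROUTES = """\
2602:fed2:730b::1 dev eth0 metric 1024 pref medium
2602:fed2:730b:8f::/64 dev eth0 proto kernel metric 256 pref medium
2602:fed2:730b:106:8888::/112 dev wghub proto kernel metric 256 pref medium
2602:fed2:730b:106::/64 dev eth0 proto kernel metric 256 pref medium
default via 2602:fed2:730b::1 dev eth0 metric 1024 onlink pref medium
"""

def parse_routes(text):
    """Return [(network, dev)] parsed from `ip -6 route` lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f or "dev" not in f:
            continue
        dst = "::/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dst), f[f.index("dev") + 1]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, dev) for net, dev in routes if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def diagnose(routes, addr, wg_dev, allowed_ips):
    """Say where the VPS sends a packet for addr.
    allowed_ips: {peer: [cidr, ...]} configured on wg_dev (constructed here)."""
    hit = lookup(routes, addr)
    if hit is None:
        return "no route"
    net, dev = hit
    if dev != wg_dev:
        return f"leaves via {dev} ({net}), never enters the tunnel"
    ip = ipaddress.ip_address(addr)
    for peer, cidrs in allowed_ips.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return f"sent to peer {peer}"
    # WireGuard returns ENOKEY when no peer's AllowedIPs matches the destination.
    return "ENOKEY: no peer AllowedIPs covers it (sendmsg: Required key not available)"

if __name__ == "__main__":
    r = parse_routes(ROUTES)
    print(diagnose(r, "2602:fed2:730b:106:8888::13", "wghub",
                   {"home": ["2602:fed2:730b:106:8888::10/128"]}))
```

With only a /128 for the home peer in AllowedIPs, the `::13` address reaches `wghub` by route but is rejected by WireGuard; an address elsewhere in the /64 follows the on-link `eth0` route and never reaches the tunnel at all.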

  • @topogio Finally you were able to bring ipv6/64 to your house, I'm just starting this. I also want to try it. How did you do it?

  • edited December 2022

    @JerryPaml said:
    @topogio Finally you were able to bring ipv6/64 to your house, I'm just starting this. I also want to try it. How did you do it?

    Route48 would be an easier option to set up if you have a router that supports openwrt.

  • edited December 2022

    @contactwajeeh Thanks I'm reading about 6to4.
