VPS IPv6 /64 for SLAAC at home via wireguard?
I'm looking to hand out public IPv6 addresses from my VPS /64 to my clients at home via SLAAC if possible. I have so far been able to get a single IPv6 public address to work via ndp_proxy (instructions here) BUT I have been unsuccessful at allowing multiple IPv6 addresses through the WireGuard tunnel to become available to clients.
Here is a dirty diagram of how things would look:
VPS
2602:fed2:8888:106:: /64 assigned
eth0 = 2602:fed2:8888:106::1
wg0 = 2602:fed2:8888:106:100::1
-- wg tunnel --
Home client
wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home, receiving traffic from multiple hosts)
eth0 = 192.168.1.100
-- client 1 forwards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.
VPS provider won't give more IPv6 space than a /64, unfortunately.
- I haven't tried asking for a /128 for a ptp that's routed to it. I was reading that may work but don't know.
I did try /etc/ndppd.conf with this config but did not see any requests coming from the wg0 instance:
proxy eth0 {
    autowire yes
    rule 2602:fed2:8888:106::/64 {
        iface wghub
    }
}
Anyone with experience that could comment?
Comments
You have to use the "static" mode in ndppd. WireGuard is a level 3 interface, not level 2, so ndppd's dynamic tricks won't work with it. You just want it to bring the entire /64 onto your server. Then, from the server, you can route it into the WG tunnel.
Ok, trying this config out, but I may be missing something for it to work. Do I need a static route set up in the VPS?
Added an extra IPv6 address of 2602:fed2:730b:106:8888::13 to wgclient at home but it doesn't work.
root@mia2:~/noproxy# ip -6 nei
fe80::5e5e:ab03:fa43:85f0 dev eth0 lladdr 5c:5e:ab:43:85:f0 router STALE
fe80::216:3eff:fe95:8b21 dev eth0 lladdr 00:16:3e:95:8b:21 STALE
2602:fed2:730b::1 dev eth0 lladdr 5c:5e:ab:43:85:f0 router DELAY
2602:fed2:730b:106::10 dev eth0 FAILED
root@mia2:~/noproxy# ip -6 nei show proxy
2602:fed2:730b:106:8888::12 dev eth0 proxy
root@mia2:~/noproxy# ping6 2602:fed2:730b:106:8888::13
PING 2602:fed2:730b:106:8888::13(2602:fed2:730b:106:8888::13) 56 data bytes
ping: sendmsg: Required key not available
From 2602:fed2:730b:106:8888::1: icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From 2602:fed2:730b:106:8888::1: icmp_seq=2 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From 2602:fed2:730b:106:8888::1: icmp_seq=3 Destination unreachable: Address unreachable
^C
--- 2602:fed2:730b:106:8888::13 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 49ms
root@mia2:~/noproxy# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2602:fed2:730b::1 dev eth0 metric 1024 pref medium
2602:fed2:730b:8f::/64 dev eth0 proto kernel metric 256 pref medium
2602:fed2:730b:106:8888::/112 dev wghub proto kernel metric 256 pref medium
2602:fed2:730b:106::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2602:fed2:730b::1 dev eth0 metric 1024 onlink pref medium
root@mia2:~/noproxy# cat /etc/ndppd.conf
route-ttl 30000
proxy eth0 {
    router yes
    timeout 500
    ttl 30000
    rule 2602:fed2:730b:106::/64 {
        static
    }
}
I did see something come in through the ndppd logs indicating that something happened, but I don't see this ::13 in the ip -6 neighbors of the VPS and it isn't pingable from the internet:
Thanks for the help.
Yes. Just static in ndppd, and aside from that forget about anything related to "neigh" or proxy; it's all regular routing from then on.
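As an added illustration, not code from this thread or from the ndppd or WireGuard projects, the following Python models the three lookups an inbound packet goes through on the VPS once ndppd is in static mode and "it's all regular routing": the ndppd rule on eth0, the kernel route into the tunnel, and WireGuard's own AllowedIPs lookup. The prefixes, routes and ndppd rule are the ones shown in the ip -6 r and ndppd.conf output above; the home peer's AllowedIPs values are assumptions, because the thread never shows the WireGuard configuration. "Required key not available" is the error the WireGuard kernel module returns when a packet is routed into the tunnel but no peer's AllowedIPs covers the destination, which is what this check reproduces for ::13.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv6Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Peer:
    name: str
    allowed_ips: Tuple[IPv6Net, ...]


@dataclass(frozen=True)
class Route:
    prefix: IPv6Net
    dev: str
    metric: int = 256


def kernel_route(routes: List[Route], dst: ipaddress.IPv6Address) -> Optional[Route]:
    """Plain FIB lookup: longest prefix wins, lower metric breaks ties."""
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def wg_lookup(peers: List[Peer], dst: ipaddress.IPv6Address) -> Optional[str]:
    """WireGuard cryptokey routing: a packet entering the tunnel device goes to
    the peer whose AllowedIPs has the longest matching prefix. With no match the
    kernel fails sendmsg with ENOKEY, shown by ping as 'Required key not available'."""
    best = None
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0].name if best else None


def check_plan(vps_prefix: IPv6Net, ndppd_rules: List[IPv6Net], routes: List[Route],
               tunnel_dev: str, peers: List[Peer], dst: str) -> List[str]:
    """Walk a packet for dst hop by hop on the VPS and collect every reason it
    would be dropped. An empty list means the path is consistent end to end."""
    addr = ipaddress.IPv6Address(dst)
    findings = []
    if addr not in vps_prefix:
        findings.append("destination is outside the VPS /64; upstream never sends it here")
    if not any(addr in rule for rule in ndppd_rules):
        findings.append("no ndppd rule covers it; the VPS will not answer neighbor solicitations on eth0")
    route = kernel_route(routes, addr)
    if route is None or route.dev != tunnel_dev:
        where = route.dev if route else "nowhere"
        findings.append(f"kernel route sends it to {where}, not {tunnel_dev}")
    elif wg_lookup(peers, addr) is None:
        findings.append("no WireGuard peer lists it in AllowedIPs: sendmsg fails with 'Required key not available'")
    return findings


# Values copied from the ip -6 r / ndppd.conf output in the thread.
VPS_PREFIX = IPv6Net("2602:fed2:730b:106::/64")
NDPPD_RULES = [IPv6Net("2602:fed2:730b:106::/64")]          # the 'static' rule
ROUTES = [
    Route(IPv6Net("2602:fed2:730b:106::/64"), "eth0"),       # on-link /64
    Route(IPv6Net("2602:fed2:730b:106:8888::/112"), "wghub"),  # routed into the tunnel
]
# Assumed (not shown in the thread): AllowedIPs of the home peer before and after
# it is widened to the whole prefix that the kernel routes into wghub.
PEERS_BEFORE = [Peer("home", (IPv6Net("2602:fed2:730b:106:8888::12/128"),))]
PEERS_AFTER = [Peer("home", (IPv6Net("2602:fed2:730b:106:8888::/112"),))]


def diagnose(peers: List[Peer], dst: str) -> List[str]:
    """Convenience wrapper over check_plan for the thread's VPS layout."""
    return check_plan(VPS_PREFIX, NDPPD_RULES, ROUTES, "wghub", peers, dst)


if __name__ == "__main__":
    for label, peers in (("before", PEERS_BEFORE), ("after", PEERS_AFTER)):
        print(label, "::13 ->", diagnose(peers, "2602:fed2:730b:106:8888::13") or "ok")
    # An address inside the /64 but outside the /112 never reaches the tunnel at all.
    print("::10 ->", diagnose(PEERS_AFTER, "2602:fed2:730b:106::10"))
```

The "before" run reproduces the thread's symptom: the /112 route hands ::13 to wghub, but the peer only claims ::12/128, so WireGuard has no key to encrypt to and sendmsg fails. The "after" run shows that widening AllowedIPs to the same /112 the kernel routes into the tunnel clears every finding, and the ::10 case shows why an address covered only by the on-link /64 route never enters the tunnel regardless of ndppd or AllowedIPs.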