VPS IPv6 /64 for SLAAC at home via wireguard?

I'm looking to hand out public IPv6 addresses from my VPS /64 to my clients at home via SLAAC if possible. I have so far been able to get a single IPv6 public address to work via ndp_proxy (instructions here) BUT I have been unsuccessful at allowing multiple IPv6 thru the wireguard tunnel to become available to clients.

Here is a dirty diagram of what things would look like:

  1. VPS
    2602:fed2:8888:106:: /64 assigned
    eth0 = 2602:fed2:8888:106::1
    wg0 = 2602:fed2:8888:106:100::1
    -- wg tunnel --

  2. Home client
    wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home - receiving traffic from multiple hosts)
    eth0 = 192.168.1.100

-- client 1 forwards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.

VPS provider won't give more IPv6 space than /64 unfortunately :( - I haven't tried asking for a /128 for a ptp that's routed to it - I was reading that may work but don't know.

I did try /etc/ndppd.conf with this config but did not see any requests coming from wg0 instance:

proxy eth0 {
  autowire yes
  rule 2602:fed2:8888:106::/64 {
      iface wghub
  }
}

Anyone with experience that could comment?

Comments

  • You have to use the "static" mode in ndppd. WireGuard is a level 3 interface, not level 2, so ndppd's dynamic tricks won't work with it. You just want it to bring the entire /64 onto your server. Then, from the server you can route it into the WG tunnel.

  • @rm_ said:
    You have to use the "static" mode in ndppd. WireGuard is a level 3 interface, not level 2, so ndppd's dynamic tricks won't work with it. You just want it to bring the entire /64 onto your server. Then, from the server you can route it into the WG tunnel.

    Ok, trying this config out but I may be missing something for it to work - do I need a static route setup in the VPS?

    Added an extra IPv6 address of 2602:fed2:730b:106:8888::13 to wgclient at home but it doesn't work.

    root@mia2:~/noproxy# ip -6 nei
    fe80::5e5e:ab03:fa43:85f0 dev eth0 lladdr 5c:5e:ab:43:85:f0 router STALE
    fe80::216:3eff:fe95:8b21 dev eth0 lladdr 00:16:3e:95:8b:21 STALE
    2602:fed2:730b::1 dev eth0 lladdr 5c:5e:ab:43:85:f0 router DELAY
    2602:fed2:730b:106::10 dev eth0  FAILED
    root@mia2:~/noproxy# ip -6 nei show proxy
    2602:fed2:730b:106:8888::12 dev eth0  proxy
    root@mia2:~/noproxy# ping6 2602:fed2:730b:106:8888::13
    PING 2602:fed2:730b:106:8888::13(2602:fed2:730b:106:8888::13) 56 data bytes
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=1 Destination unreachable: Address unreachable
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=2 Destination unreachable: Address unreachable
    ping: sendmsg: Required key not available
    From 2602:fed2:730b:106:8888::1: icmp_seq=3 Destination unreachable: Address unreachable
    ^C
    --- 2602:fed2:730b:106:8888::13 ping statistics ---
    3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 49ms
    
    root@mia2:~/noproxy# ip -6 r
    ::1 dev lo proto kernel metric 256 pref medium
    2602:fed2:730b::1 dev eth0 metric 1024 pref medium
    2602:fed2:730b:8f::/64 dev eth0 proto kernel metric 256 pref medium
    2602:fed2:730b:106:8888::/112 dev wghub proto kernel metric 256 pref medium
    2602:fed2:730b:106::/64 dev eth0 proto kernel metric 256 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    default via 2602:fed2:730b::1 dev eth0 metric 1024 onlink pref medium
    root@mia2:~/noproxy# cat /etc/ndppd.conf
    route-ttl 30000
    proxy eth0 {
    router yes
    timeout 500
    ttl 30000
    rule 2602:fed2:730b:106::/64 {
    static
    }
    }
    
    

    I did see something come in thru the ndppd logs indicating that something happened but I don't see this ::13 in the ip -6 neighbors of the VPS and it isn't pingable from the internet:

    (debug) iface::read() len=86
    (debug) iface::read_solicit() saddr=fe80::5e5e:ab03:fa43:85f0, daddr=ff02::1:ff00:13, len=86
    (debug) proxy::handle_solicit() saddr=fe80::5e5e:ab03:fa43:85f0, taddr=2602:fed2:730b:106:8888::13
    (debug) checking 2602:fed2:730b:106::/64 against 2602:fed2:730b:106:8888::13
    (debug) session::create() pr=6ba7c8a0, saddr=fe80::5e5e:ab03:fa43:85f0, daddr=ff02::1:ff00:13, taddr=2602:fed2:730b:106:8888::13 =6ba7d830
    (debug) iface::write_advert() daddr=fe80::5e5e:ab03:fa43:85f0, taddr=2602:fed2:730b:106:8888::13
    (debug) iface::write() daddr=fe80::5e5e:ab03:fa43:85f0, len=32
    (debug) session::~session() this=6ba7d830
    (debug) iface::read() len=24
    (debug) iface::read_advert() saddr=fe80::88ca:d481:fd7f:0, taddr=fe80::5e5e:ab03:fa43:85f0, len=24
    
    

    thanks for the help :)

  • do I need a static route setup in the VPS?

    Yes. Just static in ndppd, and aside from that forget about anything related to "neigh" or proxy, it's all regular routing from then on.
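
The "regular routing" step above, as an added example that is not part of the original thread: it runs a longest-prefix match over the `ip -6 r` output posted earlier to show which interface the VPS would pick for a given address, then applies the same match to WireGuard AllowedIPs. A destination routed to the tunnel that no peer's AllowedIPs covers is the condition under which WireGuard reports "Required key not available". The peer table and the function names are constructed for illustration.

```python
import ipaddress

# Route table copied from the `ip -6 r` output posted in the thread (VPS side).
ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
2602:fed2:730b::1 dev eth0 metric 1024 pref medium
2602:fed2:730b:8f::/64 dev eth0 proto kernel metric 256 pref medium
2602:fed2:730b:106:8888::/112 dev wghub proto kernel metric 256 pref medium
2602:fed2:730b:106::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2602:fed2:730b::1 dev eth0 metric 1024 onlink pref medium
"""
# Constructed WireGuard peer table (peer name -> AllowedIPs); not from the thread.
PEERS = {"home": ["2602:fed2:730b:106:8888::10/128"]}

def parse_routes(text):
    """Turn `ip -6 route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if "dev" not in f:
            continue
        prefix = "::/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(prefix), f[f.index("dev") + 1]))
    return routes

def longest_match(entries, dst):
    """Return the value attached to the most specific network containing dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, val) for net, val in entries if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def diagnose(dst, routes, peers, wg_dev="wghub"):
    """Say where the VPS kernel would send dst and whether WireGuard accepts it."""
    dev = longest_match(routes, dst)
    if dev != wg_dev:
        return f"{dst}: leaves via {dev}, never enters the tunnel (add a route via {wg_dev})"
    allowed = [(ipaddress.ip_network(n), p) for p, nets in peers.items() for n in nets]
    peer = longest_match(allowed, dst)
    if peer is None:
        return f"{dst}: routed to {wg_dev}, but no peer's AllowedIPs covers it"
    return f"{dst}: routed to {wg_dev}, encrypted to peer '{peer}'"

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for target in ("2602:fed2:730b:106::10", "2602:fed2:730b:106:8888::13",
                   "2602:fed2:730b:106:8888::10"):
        print(diagnose(target, table, PEERS))
```

With the posted table, only the /112 is routed to wghub; the rest of the /64 is still treated as on-link on eth0, which matches the FAILED neighbour entry for 2602:fed2:730b:106::10 in the `ip -6 nei` output.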
