Need help understanding wg and ipv6

Hi all - I've only ever used a VPS with IPv4 only. I usually set up WireGuard using https://github.com/angristan/wireguard-install. My understanding is I have an IPv4 public address attached to eth0, and then wg0 has a private IPv4 subnet that is used for the clients, hence every client will have the same public IP.

From what I've seen, VPS providers usually give a subnet of IPv6 (not just a single address like in IPv4). Is it possible for WireGuard to give a public IPv6 from the subnet to every client? That way every client won't have the same public IP.

If it's possible, how? If it's impossible, then why do providers give a subnet and not just a single IPv6 address?

Comments

  • edited January 27

    Disclaimer: I've never done anything like this.

    Anyway, given that each of your WireGuard clients is likely to have a unique source IP for traffic appearing on your wg0 interface, and you have the IPv6 subnet on your external interface, it shouldn't be hard at all to configure iptables to use a specific v6 IP for NAT based on the client IP used inside the VPN, instead of one NAT IP for everything appearing on the interface. It's basically just a generic NAT configuration with a slightly more fine-grained twist.

    My general recommendation would be to move away from script installers and actually get a grip on how the different parts work together. Once you've achieved this, it should be pretty easy to make the customization you are looking for.

  • To get IPv6 working with WireGuard clients, the host router will need to know how to route IPv6 packets to the correct VM, where the WireGuard clients are connected. The question is: how does the host router know that the IPv6 address is being used for a client on that VM? Remember that the VM does not have those IPv6 addresses configured on its own interfaces.

    3 options that I am aware of (from easiest to hardest?):
    1. Routed IPv6 - your host provides an IPv6 address range and configures all the addresses in that range to route to a single IPv6 address that you assign to your VM. You then assign IPv6 addresses from that range to your WireGuard clients. @yoursunny has posted comments with a list of such hosts (quite rare, but no extra config/steps required).
    2. Your host provides an IPv6 address range, but only routes to IPv6 addresses that are directly configured on the VM. You will have to run an IPv6 neighbor discovery responder that will accept any IPv6 address within a specified range. You then assign WireGuard clients IPv6 addresses that are in that range. I use this code that @yoursunny wrote: https://github.com/yoursunny/ndpresponder, running it on Docker, and have used it successfully on Greencloud and vps.hosting.
    3. Get your host to manually do the routing for you or to reconfigure the ebtables for your VM. maxkvm did this for me before.

  • xmsxms Member
    edited January 27

    @cypher_main said: usually give a subnet of ipv6 (not just a single address like in ipv4)

    Keyword: usually. You can pay for an IPv4 subnet, if you prefer that.

    @cypher_main said: If it's possible, how? If it's impossible, then why do providers give a subnet and not just a single ipv6 address?

    Because with IPv6, addresses are abundant.

    This whole problem with IPv4 vs IPv6 is because people got cosy with NAT and single IPv4s. They don't know that in the old days IPv4 was also given away like cake, just like IPv6 is provided now.

  • @jnraptor said:
    1. Routed IPv6 @yoursunny has posted comments with a list of such hosts (quite rare, but no extra config/steps required)

    Great! I'll try to find those comments

    2. Your host provides an IPv6 address range, but only routes to IPv6 addresses that are directly configured on the VM. You will have to run an IPv6 neighbor discovery responder that will accept any IPv6 address within a specified range. You then assign WireGuard clients IPv6 addresses that are in that range. I use this code that @yoursunny wrote: https://github.com/yoursunny/ndpresponder, running it on Docker, and have used it successfully on Greencloud and vps.hosting.

    So is it like this? (If anyone is able to show their config I would really appreciate it)
    1. Use ndpresponder to advertise the entire IPv6 subnet that is given
    2. In the wg config, assign a fraction of the IPv6 addresses to clients (I can't assign the entire IPv6 range because the VM uses one of the addresses, right?)

    What if I want to set up a dual-stack VPN? Does it mean all clients will have the same public IPv4 but different IPv6?

  • @cypher_main said:

    So is it like this? (If anyone is able to show their config I would really appreciate it)

    Here is my setup on Greencloud. Greencloud provides me a /112, so I use a /120 from that range for WireGuard. Here is my Docker Compose config for ndpresponder:

    ndpresponder:
        #image: yoursunny/ndpresponder
        build: ./ndpresponder
        container_name: ndpresponder
        # -i: the provider-facing interface to answer neighbor solicitations on
        # -n: the /120 carved out of the /112, whose addresses go to WireGuard clients
        command: -i eth0 -n 2402:xxxx:xxxx:xxxx::121:0101/120
        restart: always
        # host networking so the responder sees NDP traffic on the real eth0
        network_mode: "host"
        #labels:
        #  - "com.centurylinklabs.watchtower.enable=false"
        environment:
          NDPRESPONDER_LOG: WARN


    What if I want to set up a dual-stack VPN? Does it mean all clients will have the same public IPv4 but different IPv6?

    For dual-stack WireGuard clients, each client will get a NATed IPv4 address, e.g. 10.10.0.2, and an IPv6 address from the /120 range, e.g. 2402:xxxx::121:0102. You will need to configure the usual masquerade iptables rules for IPv4 to handle the NAT, and clients will share the same IPv4 address.
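    The layout described in this answer (a /120 carved out of the provider's /112 for IPv6 peers, 10.10.0.0/24 masqueraded behind the single public IPv4, ndpresponder answering NDP for the /120), as an added Python planner that is not code from the thread or from the ndpresponder project. It checks that the VM's own address stays outside the peer /120, hands peer N matching IPv4/IPv6 addresses (peer 1 gets 10.10.0.2 / ::121:102 as above), and emits the server-side [Peer] block, the IPv4 masquerade and IPv6 forward-only rules, and the ndpresponder flags. The 2001:db8:: prefix, the VM address and eth0 are placeholders.

```python
"""Plan dual-stack WireGuard peers from a /120 answered by ndpresponder.
Added example, not code from the thread or from ndpresponder. The 2001:db8::
prefix (RFC 3849 documentation range) stands in for the provider's real block."""
import ipaddress

WAN_IF = "eth0"                                          # provider-facing interface (assumed)
VM_V6 = ipaddress.ip_address("2001:db8::121:1")          # constructed: VM's own address in the /112
V6_POOL = ipaddress.ip_network("2001:db8::121:100/120")  # constructed: the /120 handed to ndpresponder
V4_POOL = ipaddress.ip_network("10.10.0.0/24")           # private IPv4, all clients share one public IPv4

def check_pool():
    """The VM's own address must lie outside the peer /120; otherwise both the kernel
    and ndpresponder would answer neighbor solicitations for it."""
    if VM_V6 in V6_POOL:
        raise ValueError(f"{VM_V6} lies inside {V6_POOL}; carve a /120 that excludes it")
    return True

def server_addresses():
    """wg0 takes the first usable host of each pool: 10.10.0.1 and ::121:101."""
    return f"{V4_POOL[1]}/{V4_POOL.prefixlen}", f"{V6_POOL[1]}/{V6_POOL.prefixlen}"

def peer_addresses(index):
    """Peer N gets host N+1 in both pools, so peer 1 is 10.10.0.2 / ::121:102."""
    check_pool()
    if not 1 <= index <= V4_POOL.num_addresses - 3:      # .0 network, .1 wg0, .255 broadcast
        raise ValueError(f"peer index {index} out of range for {V4_POOL}")
    return str(V4_POOL[index + 1]), str(V6_POOL[index + 1])

def peer_stanza(index, public_key):
    """Server-side [Peer] block; AllowedIPs pins the client to exactly its /32 and /128."""
    v4, v6 = peer_addresses(index)
    return f"[Peer]\nPublicKey = {public_key}\nAllowedIPs = {v4}/32, {v6}/128\n"

def forwarding_rules():
    """IPv4 is masqueraded (shared public IPv4); IPv6 is only forwarded, since every
    client already holds a globally routable address out of the /120 (no NAT66)."""
    return [
        f"iptables -t nat -A POSTROUTING -s {V4_POOL} -o {WAN_IF} -j MASQUERADE",
        f"iptables -A FORWARD -i wg0 -s {V4_POOL} -j ACCEPT",
        f"ip6tables -A FORWARD -i wg0 -s {V6_POOL} -j ACCEPT",
        f"ip6tables -A FORWARD -o wg0 -d {V6_POOL} -j ACCEPT",
    ]

def ndpresponder_command():
    """Same flags as the compose file above: answer NDP for the whole /120 on the WAN side."""
    return f"ndpresponder -i {WAN_IF} -n {V6_POOL}"

if __name__ == "__main__":
    print(peer_stanza(1, "<client1-public-key>"), *forwarding_rules(), ndpresponder_command(), sep="\n")
```

    Forwarding also needs net.ipv4.ip_forward and net.ipv6.conf.all.forwarding enabled via sysctl, which the planner leaves to the host.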

  • Alright, I've understood it now. Time to try it out. Thanks all!
