# /etc/sysctl.d/wireguard.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.eth0.proxy_ndp=1

# /etc/wireguard/wg0.conf (DO virtual machine)
[Interface]
# The server interface does not actually need an IPv6 address.
# The 2 following lines must be repeated for each used address [0, 1]
PostUp=ip -6 neigh add proxy 2a03:b0c0:2:f0::2c:2002 dev eth0
PostDown=ip -6 neigh del proxy 2a03:b0c0:2:f0::2c:2002 dev eth0

[Peer]
# This must be one of the IPs assigned by DO;
# usually they assign a /124, thus only
# the last 4 bits can vary, for a total of 16 addresses.
# Example for a VM with IP -> 2a03:b0c0:2:f0::2c:2001
AllowedIPs = 10.200.200.2/32, 2a03:b0c0:2:f0::2c:2002/128

# /etc/wireguard/wg0.conf (client)
[Interface]
Address = 10.200.200.2/32, 2a03:b0c0:2:f0::2c:2002/64

[Peer]
# ...
AllowedIPs = 0.0.0.0/0, ::/0

# Refs and Resources
[0] https://www.linuxquestions.org/questions/linux-networking-3/how-do-i-enable-proxy-ndp-proxy-arp-works-933174/
[1] https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html
[*] https://www.reddit.com/r/WireGuard/comments/egik62/give_hosts_in_a_wg_interface_a_public_ipv6_address
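The gist shows the NDP-proxy lines and the matching AllowedIPs for a single peer address done by hand. The following script is an added example (not part of the gist) that generalises the same recipe to the whole /124: it enumerates the addresses the provider prefix yields, skips the VM's own address and the all-zero subnet-router anycast address, emits one PostUp/PostDown pair per address and one [Peer] stanza per client. The prefix, VM address, uplink interface and tunnel range are the gist's values; the server IPv4 of 10.200.200.1/24, the ListenPort and the key placeholders are assumptions. The out-of-prefix check matters because `proxy_ndp` only helps for addresses the provider considers on-link; a proxy entry for any other address is silently useless.

```python
import ipaddress

# Values taken from the gist: DigitalOcean hands the VM a /124 and the VM itself
# sits on ::2001; the uplink is eth0; the tunnel IPv4 range is 10.200.200.0/24.
PROVIDER_PREFIX = ipaddress.IPv6Network("2a03:b0c0:2:f0::2c:2000/124")
VM_ADDRESS = ipaddress.IPv6Address("2a03:b0c0:2:f0::2c:2001")
UPLINK_IFACE = "eth0"
TUNNEL_V4 = ipaddress.IPv4Network("10.200.200.0/24")
SERVER_V4 = ipaddress.IPv4Address("10.200.200.1")   # assumption: server takes .1
LISTEN_PORT = 51820                                  # assumption: default wg port


def assignable_addresses(prefix=PROVIDER_PREFIX, reserved=(VM_ADDRESS,)):
    """Addresses of the provider prefix that can be lent to peers, in order.

    The all-zero host address (subnet-router anycast) and every reserved
    address (the VM's own) are skipped, so the first peer gets ::2002 as in
    the gist.
    """
    reserved = set(reserved)
    first = int(prefix.network_address) + 1
    last = int(prefix.broadcast_address)
    return [ipaddress.IPv6Address(n) for n in range(first, last + 1)
            if ipaddress.IPv6Address(n) not in reserved]


def proxy_ndp_lines(address, iface=UPLINK_IFACE):
    """PostUp/PostDown pair that makes the VM answer Neighbor Solicitations
    for one peer address on the uplink (the gist's lines for ::2002,
    generalised). proxy_ndp only helps for addresses the provider treats as
    on-link, so an address outside the prefix is rejected, not emitted."""
    address = ipaddress.IPv6Address(address)
    if address not in PROVIDER_PREFIX:
        raise ValueError(f"{address} is outside {PROVIDER_PREFIX}")
    return (f"PostUp=ip -6 neigh add proxy {address} dev {iface}",
            f"PostDown=ip -6 neigh del proxy {address} dev {iface}")


def peer_allowed_ips(index, v6_address):
    """AllowedIPs for peer number `index` (1-based): one IPv4 /32 from the
    tunnel range plus the public IPv6 /128 the peer will use. WireGuard only
    hands a packet to the peer whose AllowedIPs contain its destination, so
    this /128 is what actually binds the public address to that peer."""
    v4 = SERVER_V4 + index            # 10.200.200.2 for the first peer
    if v4 not in TUNNEL_V4:
        raise ValueError(f"{v4} is outside {TUNNEL_V4}")
    return f"{v4}/32, {v6_address}/128"


def render_server_config(peer_count):
    """wg0.conf for the VM: one PostUp/PostDown pair per handed-out address
    in [Interface], then a [Peer] stanza per client. Keys the gist leaves
    out (PrivateKey, PublicKey) are emitted as placeholders to fill in."""
    addrs = assignable_addresses()
    if peer_count > len(addrs):
        raise ValueError(f"{PROVIDER_PREFIX} yields only {len(addrs)} usable addresses")
    chosen = addrs[:peer_count]
    lines = ["[Interface]",
             f"Address = {SERVER_V4}/{TUNNEL_V4.prefixlen}",
             f"ListenPort = {LISTEN_PORT}",
             "PrivateKey = <SERVER_PRIVATE_KEY>"]
    for a in chosen:
        lines.extend(proxy_ndp_lines(a))
    for i, a in enumerate(chosen, start=1):
        lines += ["", "[Peer]", f"# client {i}",
                  "PublicKey = <CLIENT_PUBLIC_KEY>",
                  f"AllowedIPs = {peer_allowed_ips(i, a)}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_server_config(3))
```

The generated file still relies on the sysctl settings from the gist (forwarding plus `proxy_ndp` on eth0); without them the `ip -6 neigh add proxy` entries are accepted but the kernel never answers solicitations for them. Each client then takes the matching address as in the gist's client config, and `AllowedIPs = ::/0` on the client side routes its IPv6 traffic through the tunnel.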
Doesn't make any sense... Never tested though, cannot confirm.
Figured it out from the iOS app. The syntax for static IPv6 is [ipv6]:port. Solved.
This statement does not seem to be correct. Please read the comments and additional resources, one of the first on gsearch: https://pmcc.net/posts/automated-wireguard-endpoint-updates-reachability-checks
Yeah, I've read it before. You can test it yourself on a client with native IPv6 if you get the chance. The client app will refuse to resolve AAAA records. Solution? I used a static IPv6 address.
Ok, you said you were assigning /64. You sure that's the correct mask?
I cannot help further here, but I can suggest you to check the resulting routing table.
Mask? You mean prefix size? Yes, /64 is the correct prefix size. Anyway I solved the IPv6 issue.
- Give wg0 interface a /64 ULA in the wg0.conf file along with a /[whatever] for the classic IPv4 NAT/subnet
- Do what your original document has suggested with NDP proxying/giving static IPs to clients manually (we need an automated solution for this really)
- Use destination NAT to map any incoming traffic to host on Public IPv6:[port] to wg0 IPv6:port like
ip6tables -A PREROUTING -d 2400:6280:100:d0::7e0:4001 -p udp --dport 51820 -j DNAT --to-destination [fddd:2c4:2c4:2c4::1]:51820
- Now clients that have the static IPv6 endpoint configured can connect via IPv6 if they have IPv6 connectivity. And the benefit is you will get 4to6 functionality, so it's all neatly dual-stacked without any bugs (with my MTU solution above).
The only issue is Xbox's Networking/Teredo implementation refuses to work with NATted IPv4 (no port forwarding/it's like a CGNAT) and does not take advantage of IPv6.
That's nice to know ;)
May I ask on which DO region you are exiting? I was talking about AMS.
DO, Bangalore, India
Thanks for sharing what you found =)
Just use the WireGuard auto-install script created by @Nyr, make sure your virtual server has IPv6 configured... that solves the problem.
@luciaDary46 all that does is NAT66 IPv6. It does not configure NDP-Proxying nor ensure each client gets a proper IPv6 address instead of NAT66.
@daryll-swer it is not possible to automate provisioning a "proper" IPv6 address for each client when almost all of the cloud and dedi providers do not provide a routed IPv6 subnet, and most IPv6 implementations are broken somehow. That is why I do NAT for IPv6 (which was already the case for IPv4 anyway).
Agreed. But I don't see why you are promoting NAT for IPv6! @Nyr
Anyways, you can automate it via your scripting with dynamic variables, ask the user to input the non routed subnet/prefix range available and you can automatically inject those for NDP Proxy and mapping of each client in a serial/chronological order. That's basically what I do manually on DigitalOcean with their broken /124.
@daryll-swer I am not promoting anything, just doing what I can to provide working IPv6 connectivity.
There are a lot of providers giving a single /128 address per server, so your proposal would not work in many places and is less user-friendly. There are also many providers which require each /128 to be routed manually from their control panel; this is actually how SolusVM works (SolusVM is the industry standard for VPS providers).
Oh boy, I would strongly recommend avoiding such crappy providers! Defeats the purpose of IPv6!
Not ALL cloud providers are bad with IPv6; this is an example of one that provides routed /64s to the customer's host: https://twitter.com/ungleich
Indeed
Just removing IPv4 should do it, make sure the route discovery protocols are working.
Thanks for sharing.