DigitalOcean, assign public ipv6 to wireguard clients
# /etc/sysctl.d/wireguard.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.eth0.proxy_ndp=1

#/etc/wireguard/wg0.conf (DO virtual machine)
[Interface]
# The server interface does not actually need an ipv6.
# The following 2 lines must be repeated for each address in use [0, 1]
PostUp=ip -6 neigh add proxy 2a03:b0c0:2:f0::2c:2002 dev eth0
PostDown=ip -6 neigh del proxy 2a03:b0c0:2:f0::2c:2002 dev eth0
[Peer]
# This must be one of the ips assigned by DO,
# usually they assign a /124 thus only
# the last 4 bits can vary for a total of 16 addresses.
# Example for a vm with ip -> 2a03:b0c0:2:f0::2c:2001
AllowedIps = 10.200.200.2/32, 2a03:b0c0:2:f0::2c:2002/128

#/etc/wireguard/wg0.conf (client)
[Interface]
Address = 10.200.200.2/32, 2a03:b0c0:2:f0::2c:2002/64
[Peer]
# ...
AllowedIPs = 0.0.0.0/0, ::/0

# Refs and Resources
[0] https://www.linuxquestions.org/questions/linux-networking-3/how-do-i-enable-proxy-ndp-proxy-arp-works-933174/
[1] https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html
[*] https://www.reddit.com/r/WireGuard/comments/egik62/give_hosts_in_a_wg_interface_a_public_ipv6_address
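
An added example, not part of the original gist: a Python helper that builds the server-side wg0.conf fragment (the PostUp/PostDown proxy entries and the per-peer AllowedIPs) for several clients, and rejects any address that is outside the provider range or is the droplet's own. The function names and the PublicKey placeholder are assumptions; the /124 size, eth0 and the sample addresses are taken from the gist.

```python
import ipaddress

WAN_IF = "eth0"    # public interface, as in the gist
PREFIX_LEN = 124   # range size the gist says DigitalOcean usually assigns


def assignable(droplet_addr, prefix_len=PREFIX_LEN):
    """Addresses of the provider range that can be handed to clients."""
    net = ipaddress.ip_interface(f"{droplet_addr}/{prefix_len}").network
    own = ipaddress.ip_address(droplet_addr)
    return [a for a in net if a != own]  # the droplet keeps its own address


def render_server(droplet_addr, clients, prefix_len=PREFIX_LEN):
    """clients: (tunnel_ipv4, public_ipv6) pairs. Returns a wg0.conf fragment."""
    free = set(assignable(droplet_addr, prefix_len))
    iface, peers, seen = ["[Interface]"], [], set()
    for v4, v6 in clients:
        v4, v6 = ipaddress.IPv4Address(v4), ipaddress.IPv6Address(v6)
        if v6 not in free:
            raise ValueError(f"{v6}: outside the assigned range, or the droplet's own address")
        if v4 in seen or v6 in seen:
            raise ValueError(f"duplicate address in client list: {v4} / {v6}")
        seen.update((v4, v6))
        # One proxy-NDP entry per client address, added and removed with the tunnel.
        iface += [f"PostUp = ip -6 neigh add proxy {v6} dev {WAN_IF}",
                  f"PostDown = ip -6 neigh del proxy {v6} dev {WAN_IF}"]
        # /32 and /128 limit the peer to exactly its own tunnel addresses.
        peers += ["", "[Peer]", "# PublicKey = <client public key>",
                  f"AllowedIPs = {v4}/32, {v6}/128"]
    return "\n".join(iface + peers) + "\n"


if __name__ == "__main__":
    # Constructed sample input, using the addresses from the gist.
    print(render_server("2a03:b0c0:2:f0::2c:2001",
                        [("10.200.200.2", "2a03:b0c0:2:f0::2c:2002"),
                         ("10.200.200.3", "2a03:b0c0:2:f0::2c:2003")]))
```

The output is only the part of the server config that changes per client; the interface's own keys and each peer's real PublicKey still have to be filled in.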
Oh boy, I would strongly recommend avoiding such crappy providers! Defeats the purpose of IPv6!
Not ALL cloud providers are bad with IPv6, this is an example that provides routed /64s to the customer's host: https://twitter.com/ungleich
@daryll-swer I am not promoting anything, just doing what I can to provide working IPv6 connectivity.
There are a lot of providers giving a single /128 address per server; your proposal would not work in many places and is less user-friendly. There are also many providers which require routing each /128 manually from their control panel; this is actually how SolusVM works (SolusVM is the industry standard for VPS providers).