@artizirk
Last active July 24, 2022 19:39

WireGuard automatic configuration ideas

Collection of ideas for automatic WireGuard interface configuration

Generating IPv6 addresses

  • The interface gets a link-local IP derived from its own public key: fe80::hash(interfacepubkey)/64
  • Each peer's allowed IPs get fe80::hash(peerpubkey)/128

Pushing ipv6 configuration

Because NDP runs over ICMPv6 (layer 3), we can push the configuration with standard protocols instead of anything custom.

radvd can push the configuration to unicast addresses automatically if the client IP addresses are given to it in its config.

An example config could look like this:

# /etc/radvd.conf
interface wgnet0 {
    AdvSendAdvert on;
    IgnoreIfMissing on;
    #UnicastOnly on;
    prefix fd00::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    clients {
        fe80::ca8d:3088:f1b:9b24;
    };
};
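Added example (not from the gist): a small Python sketch that ties the two sections above together, deriving the fe80 addresses from public keys and then emitting both the per-peer allowed-ips and the matching radvd clients {} block. The notes do not pin down hash(), so this assumes the first 8 bytes of SHA-256 over the raw 32-byte key with the u/l bit cleared; the keys are constructed, not real WireGuard keys, and wgnet0 and fd00::/64 are just the values from the config above.

```python
import base64
import hashlib
import ipaddress
from typing import List

# Constructed sample keys: any 32 bytes, base64-encoded, have the same shape as
# the public keys `wg pubkey` prints. These are NOT real WireGuard keys.
SERVER_PUBKEY = base64.b64encode(bytes(range(32))).decode()
PEER_PUBKEYS = [
    base64.b64encode(bytes(range(1, 33))).decode(),
    base64.b64encode(bytes(range(2, 34))).decode(),
]


def iid_from_pubkey(pubkey_b64: str) -> int:
    """64-bit interface identifier derived from a WireGuard public key.

    The gist leaves hash() unspecified; this example (an assumption) uses the
    first 8 bytes of SHA-256 over the raw 32 key bytes and clears the
    universal/local bit so the result is never mistaken for an EUI-64 derived
    from a real hardware address (RFC 4291, Appendix A).
    """
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are exactly 32 bytes")
    iid = bytearray(hashlib.sha256(raw).digest()[:8])
    iid[0] &= 0xFD  # bit 0x02 of the first byte is the u/l bit
    return int.from_bytes(iid, "big")


def link_local(pubkey_b64: str) -> ipaddress.IPv6Address:
    """fe80::<iid> for the given key."""
    return ipaddress.IPv6Address((0xFE80 << 112) | iid_from_pubkey(pubkey_b64))


def interface_address(pubkey_b64: str) -> ipaddress.IPv6Interface:
    """Address to put on the local wg interface: fe80::hash(ifpubkey)/64."""
    return ipaddress.IPv6Interface(f"{link_local(pubkey_b64)}/64")


def peer_allowed_ips(pubkey_b64: str) -> str:
    """AllowedIPs entry for a peer: fe80::hash(peerpubkey)/128."""
    return f"{link_local(pubkey_b64)}/128"


def wg_set_commands(ifname: str, peer_pubkeys: List[str]) -> List[str]:
    """`wg set` lines adding each peer with only its hash-derived /128."""
    return [
        f"wg set {ifname} peer {pk} allowed-ips {peer_allowed_ips(pk)}"
        for pk in peer_pubkeys
    ]


def radvd_conf(ifname: str, prefix: str, peer_pubkeys: List[str]) -> str:
    """radvd interface block whose clients {} list is the peers' fe80 addresses.

    With clients {} filled in, radvd sends the RA as unicast to exactly those
    addresses, which is what the notes above rely on.
    """
    ipaddress.IPv6Network(prefix)  # reject a mistyped prefix before radvd sees it
    clients = "\n".join(f"        {link_local(pk)};" for pk in peer_pubkeys)
    return (
        f"interface {ifname} {{\n"
        "    AdvSendAdvert on;\n"
        "    IgnoreIfMissing on;\n"
        f"    prefix {prefix} {{\n"
        "        AdvOnLink on;\n"
        "        AdvAutonomous on;\n"
        "    };\n"
        "    clients {\n"
        f"{clients}\n"
        "    };\n"
        "};\n"
    )


if __name__ == "__main__":
    print("ip -6 addr add", interface_address(SERVER_PUBKEY), "dev wgnet0")
    for line in wg_set_commands("wgnet0", PEER_PUBKEYS):
        print(line)
    print(radvd_conf("wgnet0", "fd00::/64", PEER_PUBKEYS))
```

Because the address is a pure function of the public key, both ends can compute each other's fe80 address without exchanging anything beyond the keys they already have, and a peer can only claim the /128 that its own key hashes to.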

TODO: need to figure out how to add radvd advertised ip addresses to allowed-ip list

IPv4 ??

IPv4 relies on an ugly layer-2 hack (DHCP) to push configuration, so it probably needs something custom.

@TheLinuxGuy

Came across this from reddit. Curious if you were able to get SLAAC to work over wg in the end? I know these gists are a couple of years old.

@artizirk
Author

artizirk commented Mar 8, 2021

The only situation where I got the client generating its own SLAAC address was when I hardcoded the client fe80 address in the radvd config file and the client side was using the Linux kernel's built-in NDP client. In that case the client received the unicast NDP packets and generated its own IPv6 addresses. If I wanted to use systemd-networkd then this hack with unicast NDP packets did not work.

Also, because I don't know beforehand what /64 address the client will generate for itself, I would have to route a separate /64 subnet for every individual client.
