Collection of ideas for automatic WireGuard interface configuration
- The interface gets a link-local IP derived from its own public key, like so:
fe80::hash(interfacepubkey)/64
- Each peer's AllowedIPs entry gets the address derived from that peer's public key:
fe80::hash(peerpubkey)/128
Because NDP (router advertisements included) runs over ICMPv6, i.e. purely at layer 3, it works across a WireGuard interface, which has no link layer at all. So standard protocols can be used to push config to peers.
radvd can push configuration as unicast router advertisements automatically if the client IP addresses are given to it (its clients clause).
An example config could look like this:
# /etc/radvd.conf
interface wgnet0 {
    AdvSendAdvert on;
    IgnoreIfMissing on;   # don't fail if the tunnel interface is not up yet
    #UnicastOnly on;      # no unsolicited multicast RAs; replies to solicitations go by unicast
    prefix fd00::/64 {
        AdvOnLink on;
        AdvAutonomous on; # clients form their own address in this prefix (SLAAC)
    };
    clients {
        # link-local address of each peer (derived from its public key);
        # radvd sends its advertisements by unicast to these addresses only
        fe80::ca8d:3088:f1b:9b24;
    };
};
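The address derivation from the list above and the clients clause of the radvd config, worked through as an added example (this is not code from the original notes). It assumes hash() is SHA-256 over the raw 32-byte key truncated to the low 64 bits of the address, since the notes only say "hash"; the keys are constructed sample values, not real peers, the interface name wgnet0 is taken from the config above, and the emitted commands assume iproute2 and wg(8).

```python
import base64
import hashlib
import ipaddress

# Constructed sample keys for the example (not keys of any real peer): any
# 32-byte value, base64-encoded, has the shape of a WireGuard public key.
SERVER_PUBKEY = base64.b64encode(bytes(range(32))).decode()
CLIENT_PUBKEYS = [
    base64.b64encode(bytes(range(32, 64))).decode(),
    base64.b64encode(bytes(range(64, 96))).decode(),
]

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def interface_id(pubkey_b64: str) -> int:
    """Assumed hash(): SHA-256 over the raw 32-byte key, truncated to the
    64 bits that become the interface identifier. Any fixed hash works, as
    long as every peer derives addresses with the same one."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("a WireGuard public key is exactly 32 bytes")
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")


def link_local_address(pubkey_b64: str) -> ipaddress.IPv6Address:
    """fe80::<64-bit hash of the key>. The IID is treated as opaque; no
    universal/local bit handling is attempted."""
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | interface_id(pubkey_b64))


def wireguard_plan(own_pubkey: str, peer_pubkeys):
    """Our own interface address (/64) and the /128 AllowedIPs entry per peer."""
    return {
        "address": f"{link_local_address(own_pubkey)}/64",
        "allowed_ips": {p: f"{link_local_address(p)}/128" for p in peer_pubkeys},
    }


def setup_commands(ifname: str, own_pubkey: str, peer_pubkeys):
    """Shell lines that apply the plan with iproute2 and wg(8). Peer keys and
    endpoints are assumed to be configured elsewhere (assumed tooling)."""
    plan = wireguard_plan(own_pubkey, peer_pubkeys)
    lines = [f"ip -6 addr add {plan['address']} dev {ifname}"]
    for peer, allowed in plan["allowed_ips"].items():
        lines.append(f"wg set {ifname} peer {peer} allowed-ips {allowed}")
    return lines


def radvd_clients_block(peer_pubkeys) -> str:
    """The clients { } clause for radvd.conf: the link-local address of every
    peer, so radvd can unicast its router advertisements to each of them."""
    entries = "".join(f"    {link_local_address(p)};\n" for p in peer_pubkeys)
    return "clients {\n" + entries + "};"


if __name__ == "__main__":
    for line in setup_commands("wgnet0", SERVER_PUBKEY, CLIENT_PUBKEYS):
        print(line)
    print(radvd_clients_block(CLIENT_PUBKEYS))
```

The /128 per peer matters: AllowedIPs is both the routing table and the cryptokey routing table, so a /128 binds that link-local address to exactly one peer key, and a packet claiming that source from any other peer is dropped by the tunnel itself.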
TODO: figure out how to get the addresses a client forms from the radvd-advertised prefix into that peer's AllowedIPs list (the server does not know them in advance).
IPv4 has no equivalent: DHCP relies on a layer 2 hack (broadcast frames and client hardware addresses), which a WireGuard interface does not have, so it probably needs something custom.
The only situation where I got the client generating its own SLAAC address was when I hard-coded the client's fe80 address in the radvd config file and the client side was using the Linux kernel's built-in NDP client. In that case the client received the unicast NDP packets and generated its own IPv6 addresses. If I wanted to use systemd-networkd, then this hack with unicast NDP packets did not work.
Also, because I don't know beforehand what address within the /64 the client will generate for itself, I would have to route a separate /64 subnet for every individual client.