Get IPv6 connectivity with wireguard

2021-11-10T21:07:51Z

If your ISP or phone operator doesn't provide you an IPv6, you still can get IPv6 connectivity as long as you have somewhere a server with IPv6 -- let's say a VM at openbsd.amsterdam :).

Let's configure IPv6 over ipv4 with wireguard and OpenBSD.

Prerequisite:

• A server with IPv6 connectivity running OpenBSD
• A private IPv6 address range. In this example, it is fd9c:f774:0bfa:acfc. It could be fd42::1, fd42::2... but you might prefer doing this correctly.

=> Generate a private IPv6 range

On the server

# cat /etc/pf.conf

[...snip...]
pass in on egress proto udp from any to any port 4545 keep state
match out on egress from (wg0:network) to any nat-to (egress)
pass on egress from (wg0:network) to any
pass on wg0

# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

# cat /etc/hostname.wg0
inet 10.0.0.1/24
inet6 fd9c:f774:0bfa:acfc::1/64
wgkey [...snip...]
wgport 4545
# peer 1
wgpeer [...snip...] wgaip 10.0.0.2/32 wgaip fd9c:f774:0bfa:acfc::2/128
# peer 2
wgpeer [...snip...] wgaip 10.0.0.3/32 wgaip fd9c:f774:0bfa:acfc::3/128
# peer 3
wgpeer [...snip...] wgaip 10.0.0.4/32 wgaip fd9c:f774:0bfa:acfc::4/128

up

I removed the key as you can see.

The port is 4545, but use whatever you want :)

It is really important to end ipv6 allowed ip by /128 !

On a client

# cat /etc/hostname.wg0
wgkey [...snip...]
wgpeer [...snip...] \
	wgendpoint  4545 \
	wgaip 0.0.0.0/0 \
	wgaip ::0/0 \
	wgpka 25

inet 10.0.0.3/24
inet6 fd9c:f774:0bfa:acfc::3/64
wgrtable 1
up
!route add -inet default 10.0.0.1
!route add -inet6 default fd9c:f774:0bfa:acfc::1

# cat /etc/hostname.iface
rdomain 1
up
inet autoconf

Of course, edit endpoint ipv4.

It is important to set wgaip to any IPv4 and IPv6 to encrypt for both.

As you can see, we set the default route to the VPN endpoint IP.

Links

=> https://openbsd.amsterdam/ | HE is another way to get IPv6 connectivity. | Full WireGuard setup with OpenBSD

Something to say ?

=> Send your comment by mail.