/*
 * Accueil; tout; à propos + @ + FAQ;
 * => Lire cette page via gemini (gemini?);
 */

Get IPv6 connectivity with wireguard

If your ISP or phone operator doesn't provide you an IPv6, you still can get IPv6 connectivity as long as you have somewhere a server with IPv6 -- let's say a VM at openbsd.amsterdam :).

Let's configure IPv6 over ipv4 with wireguard and OpenBSD.

Prerequisite:

Generate a private IPv6 range

On the server

# cat /etc/pf.conf
[...snip...]
pass in on egress proto udp from any to any port 4545 keep state
match out on egress from (wg0:network) to any nat-to (egress)
pass on egress from (wg0:network) to any
pass on wg0
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
# cat /etc/hostname.wg0
inet 10.0.0.1/24
inet6 fd9c:f774:0bfa:acfc::1/64
wgkey [...snip...]
wgport 4545
# peer 1
wgpeer [...snip...] wgaip 10.0.0.2/32 wgaip fd9c:f774:0bfa:acfc::2/128
# peer 2
wgpeer [...snip...] wgaip 10.0.0.3/32 wgaip fd9c:f774:0bfa:acfc::3/128
# peer 3
wgpeer [...snip...] wgaip 10.0.0.4/32 wgaip fd9c:f774:0bfa:acfc::4/128
up

I removed the key as you can see.

The port is 4545, but use whatever you want :)

It is really important to end ipv6 allowed ip by /128 !

On a client

# cat /etc/hostname.wg0
wgkey [...snip...]
wgpeer [...snip...] \
	wgendpoint <XX.XX.XX.XX> 4545 \
	wgaip 0.0.0.0/0 \
	wgaip ::0/0 \
	wgpka 25
inet 10.0.0.3/24
inet6 fd9c:f774:0bfa:acfc::3/64
wgrtable 1
up
!route add -inet default 10.0.0.1
!route add -inet6 default fd9c:f774:0bfa:acfc::1
# cat /etc/hostname.iface
rdomain 1
up
inet autoconf

Of course, edit endpoint ipv4.

It is important to set wgaip to any IPv4 and IPv6 to encrypt for both.

As you can see, we set the default route to the VPN endpoint IP.

Links

https://openbsd.amsterdam/
HE is another way to get IPv6 connectivity.
Full WireGuard setup with OpenBSD

Something to say ?

Send your comment by mail.