Wandering Thoughts archives

2023-11-15

WireGuard and the question of link-local IPv6 addresses

Suppose, not hypothetically, that you are setting up a WireGuard tunnel to extend IPv6 connectivity to a machine that is (still) on an IPv4-only subnet. One part of IPv6 in general is link-local addresses, which are required for the IPv6 Neighbor Discovery Protocol (NDP) and are used for other things. However, under Linux, WireGuard interfaces disable the kernel's automatic link-local address generation, leaving either your higher level software or you to configure them. So the obvious question is whether you should set up IPv6 link-local addresses by hand (if your software will do it for you, you might as well let it).

WireGuard interfaces are point-to-point links and don't do NDP, so they don't need a link-local address for that, and I don't know if you can run DHCPv6 over one even if you want to. Apparently OSPFv3 requires link-local addresses, and you might want to run that in some more complicated WireGuard IPv6 situations. A simple point-to-point WireGuard link to extend IPv6 to a host will work (as far as I can tell) if you only configure it with the global peer IPv6 addresses involved and don't have link-local addresses, but this may be an IPv6 crime.

However, it may be that one or both ends don't have a fixed IPv6 address; for example, they may obtain them through IPv6 Stateless Address Autoconfiguration (SLAAC) and change them over time. In this case you can't configure a fixed global (peer) address on the WireGuard interface, because it's not fixed (if you tried, you'd have to coordinate updates with SLAAC address changes). The only fixed addresses you have are link-local ones you generate yourself.

(Hopefully you at least know what IPv6 /64s (or greater) are on each end of the WireGuard link so that you can set up appropriate routing and allowed IP information.)

The other reason I see to set up link-local addresses even if you don't strictly need them is that it gives you an address for the peer that's generally going to sidestep any routing configuration issues. You can use this peer IP (with a scope or interface specification) to ping or talk to the peer over the WireGuard link to test it, and be pretty sure that this is exactly and only what's happening. Now that I've realized this, I think I'm going to configure link-local addresses on all future IPv6 point-to-point links just for this.

(I've spent enough time being puzzled by IPv4 routing issues involving clever WireGuard configurations that I don't want to repeat it with IPv6, although right now I'm not doing anything complicated.)

PS: Learn from my mistakes and remember to add your IPv6 link-local address range to the WireGuard allowed IPs (on both sides, if applicable; in my case one side's allowed IPs is already all of IPv6, so I only needed to add fe80::/64 to the other).
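As an added example (not from the post or from the WireGuard project), here is a small POSIX shell script that renders a wg-quick style configuration for one end of such a point-to-point tunnel with a hand-assigned link-local address, and then checks that every peer's AllowedIPs actually covers fe80::/64 (or all of IPv6), which is exactly the mistake the PS above warns about. The keys, endpoint, prefixes and the `wg0` interface name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code. Renders a wg-quick style config
# with a manually assigned IPv6 link-local address and checks that the peer's
# AllowedIPs covers link-local traffic. All values are constructed placeholders.

# render_wg_conf LOCAL_LL PEER_PREFIX
#   LOCAL_LL     link-local address to put on this end's wg0, e.g. fe80::1/64
#   PEER_PREFIX  global /64 that is routed to the peer through the tunnel
render_wg_conf() {
    local_ll=$1
    peer_prefix=$2
    cat <<EOF
[Interface]
# The kernel will not autogenerate a link-local address on a WireGuard
# interface, so we assign one by hand (constructed value).
Address = ${local_ll}
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
Endpoint = 192.0.2.10:51820
# fe80::/64 must be listed here, or the peer's link-local packets are
# silently dropped even though the tunnel is otherwise up.
AllowedIPs = ${peer_prefix}, fe80::/64
EOF
}

# allows_link_local CONF_FILE
#   Returns 0 if the file has at least one AllowedIPs line and every one of
#   them covers link-local addresses (fe80::/64, fe80::/10, or ::/0),
#   1 otherwise. Useful as a pre-flight check before `wg-quick up`.
allows_link_local() {
    awk '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            n++
            if ($0 ~ /fe80::\/(64|10)/ || $0 ~ /[=,][[:space:]]*::\/0/) ok++
        }
        END { if (n > 0 && ok == n) exit 0; else exit 1 }
    ' "$1"
}

# ping_peer_link_local PEER_LL IFACE
#   Pings the peer over the tunnel only, using the interface as the scope,
#   e.g. ping_peer_link_local fe80::2 wg0. Global routing cannot interfere.
ping_peer_link_local() {
    ping -6 -c 3 "$1%$2"
}
```

Usage: `render_wg_conf fe80::1/64 2001:db8:1::/64 > wg0.conf && allows_link_local wg0.conf` produces a config and confirms the allowed IPs are right; the other end of the link gets the mirror image (its own fe80:: address, this side's /64 as its peer prefix). Once the tunnel is up, `ping_peer_link_local fe80::2 wg0` exercises only the WireGuard link, which is the testing shortcut described above.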

tech/WireGuardAndLinkLocalIPv6 written at 22:25:55;

