Wireguard and ipv6
2023-02-28 - An overview of ipv6 with wireguard: it just works
In the previous articles I deliberately left out ipv6 configuration in order to keep the examples simple. Let's cover it now.
Connecting to wireguard over ipv6
This one is easy, just specify an ipv6 endpoint in your peer’s configuration:
    [Interface]
    PrivateKey = <private-key>
    ListenPort = 342
    Address = 10.1.2.10/32

    [Peer]
    PublicKey = <public-key>
    Endpoint = [2a01:4f8:c2c:bcb1::1]:342
    AllowedIPs = 10.1.2.0/24
    PersistentKeepalive = 60
Running ipv6 traffic through wireguard
For simplicity I revert the endpoint to an ipv4 address in the next examples. It could be an ipv6 address but I want to show you that it is possible to combine settings any way you want.
fd00::/8 is reserved for private ipv6 addressing, so I am using it in several places and you can too:
    [Interface]
    PrivateKey = <private-key>
    ListenPort = 342
    Address = fd00::2/128

    [Peer]
    PublicKey = <public-key>
    Endpoint = 18.104.22.168:342
    AllowedIPs = fd00::1/128
    PersistentKeepalive = 60
The routing table will be populated in the same fashion as with ipv4 traffic: the rules we already saw apply in exactly the same way. Here I shared two /128 subnets, but any subnet size would do as long as you are careful with what you are doing.
To have both ipv4 and ipv6 traffic, separate the entries with a comma:
    [Interface]
    PrivateKey = <private-key>
    ListenPort = 342
    Address = 10.1.2.10/32, fd00::2/128

    [Peer]
    PublicKey = <public-key>
    Endpoint = 22.214.171.124:342
    AllowedIPs = 10.1.2.9/32, fd00::1/128
    PersistentKeepalive = 60
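A small check for the two points above (bracketed ipv6 endpoints and comma-separated dual-stack entries), as an added example that is not part of the original article or of wireguard's own tooling. The function names `parse`, `families` and `lint` are hypothetical, and the sample config is constructed from the one shown above.

```python
import ipaddress
import re

# Constructed sample: the dual-stack config from the article, keys left as placeholders.
SAMPLE = """\
[Interface]
PrivateKey = <private-key>
Address = 10.1.2.10/32, fd00::2/128
[Peer]
PublicKey = <public-key>
Endpoint = 22.214.171.124:342
AllowedIPs = 10.1.2.9/32, fd00::1/128
"""

def parse(text):
    """Return [(section, {key: value})]; a repeated key is merged into one comma list."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            kv = sections[-1][1]
            kv[key.lower()] = ",".join(filter(None, [kv.get(key.lower()), value]))
    return sections

def families(value):
    """IP versions (4 and/or 6) present in a comma-separated Address/AllowedIPs value."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return {ipaddress.ip_network(p, strict=False).version for p in parts}

def lint(text):
    """Hypothetical helper: list dual-stack mistakes found in a wg-quick style config."""
    findings, local, routed = [], set(), set()
    for name, kv in parse(text):
        if name == "interface":
            local |= families(kv.get("address", ""))
        elif name == "peer":
            routed |= families(kv.get("allowedips", ""))
            endpoint = kv.get("endpoint", "")
            # More than one colon means an ipv6 literal, which needs [addr]:port.
            if endpoint.count(":") > 1 and not re.fullmatch(r"\[[0-9A-Fa-f:.]+\]:\d+", endpoint):
                findings.append(f"endpoint {endpoint}: write ipv6 as [addr]:port")
    for v in sorted(local - routed):
        findings.append(f"interface has an ipv{v} address but no peer AllowedIPs carries ipv{v}")
    for v in sorted(routed - local):
        findings.append(f"peer AllowedIPs carries ipv{v} but the interface has no ipv{v} address")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))  # the article's config yields no findings
```

A family that appears in `Address` but in no peer's `AllowedIPs` (or the reverse) is the usual reason one half of a dual-stack tunnel silently carries no traffic.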
We can also use public ipv6 addressing, for example to provide ipv6 connectivity to a host whose ISP does not offer it yet (yes, this still happens in 2023!). I will cover this in an upcoming article about the special case of routing all internet traffic through wireguard.