Wireguard, LEDE and some IPv6 fun

Today I upgrading my router to LEDE 17.01 and played a bit with IPv6 and Wireguard VPN tunnels. My Internet connection at home (connected via Cable to the Comcast network) has decent IPv6 support, which I wanted to enjoy also when on the road, using non-IPv6 networks. The first step is to setup a Wireguard tunnel, which I already did some months ago (Dan Lüdtke, author of the LEDE/OpenWrt web interface plugin for Wireguard has a good post on that). In my setup the Wireguard IPv4 network uses a network from the private range ( to route IPv6 traffic. For IPv6 my goal was to assign a public subnet, so I can access the IPv6 network without any NAT directly through the tunnel. In IPv6 world, NAT is a technology which is not commonly used/considered deprecated anyway. Note that this how-to does not route the IPv4 traffic to the internet through the VPN tunnel, only IPv6 traffic.

First, a large enough IPv6 prefix needs to be available on the router in order to assign two independent IPv6 networks to my local LAN and the Wireguard VPN. One has to realize that in IPv6 world, subnets are by definition between /49 and /64. One cannot create a subnet /72 or similar since the last 64 bits are the host portion, reserved exclusively for host addresses. By default, LEDE requested a 64 bit IPv6-prefix from the provider, but this can be changed in the WAN6 network interface settings:

After reconnecting the interface, Comcast happily assigned my a /60 network prefix! I guess there could be provider which restrict that, in which case you are out of luck for this kind of setup… Also make sure that your LAN interface still only uses a /64 network so that additional subnets are available for the Wireguard interface (refer to the “IPv6 assignment length” in the LAN interface setting).

Also configure an /64 IPv6 assignment length in your Wireguard network interface (in my case WGNET, in Dan’s blog called “bar”).

With that LEDE assigned an IPv6 network to the Wireguard network (2601:601:8821:a4e1::/64 in this case).

On my VPN “client”, my Laptop running Arch Linux, I currently use a very static setup using a shell script to setup the interface. I assigned static IPv4 and IPv6 addresses to the client (in this example 2601:601:8821:a4e1::2/128). This likely won’t work for long since the assigned IPv6-prefix can change at any time.

ip link delete dev wg0
ip link add dev wg0 type wireguard
wg set wg0 private-key <kfile>
wg set peer <key> allowed-ips,::/0 endpoint

ip address add dev wg0
ip address add dev wg0 2601:601:8821:a4e1::2

ip link set up dev wg0

# Add routes, also route ALL IPv6 traffic through tunnel...
ip route add dev wg0
ip route add 2601:601:8821:a4e0::1/64 dev wg0
ip route add ::/0 dev wg0

Make sure to list the client’s IP (or network) in the “Allowed IPs” list on your LEDE Wireguard interface

Btw, this blog post has been written via the Wireguard tunnel to connect to my Webserver using IPv6. My Laptop is connected to a WiFi tethered 4G internet connection, which allows me to tunnel to my LEDE router. And the Wordpress UI is amazingly responsive!

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>