Hi,
I currently have a fully functional dual-stack WireGuard instance running on Debian. However, given the recent release of OpenBSD 6.8 with WireGuard in base, I thought it would be a good opportunity to switch over from the dark side. ;-)
Anyway, so on Debian I have a no-NAT setup, with the host announcing the VPN subnets to the upstream router. All works great.
I'm no stranger to OpenBSD and OpenBGPD, but I've only managed to get 2/3 of the way:
- The OpenBSD host's config is fully functional dual-stack; IPv4 and IPv6 work perfectly
- wg(4) IPv4 config works perfectly, clients can connect and browse the internet
- wg(4) IPv6 config does not work, clients can connect but no routing, not even able to ping loopback IPs or the wg interface IP.
- I have verified upstream routers can ping test loopback IPv6 IPs, so dual-stack BGP is functional
- I have tried an IPv6-only WireGuard client config (as shown below) and that has no effect (I thought maybe a dual-stack client config was the problem with OpenBSD)
Config follows:
OPENBSD SERVER
$ cat /etc/sysctl.conf
ddb.panic=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
$ cat /etc/hostname.wg1
inet 192.0.2.1 0xffffffc0
inet6 2001:db8:ffff:ffff::ffff 64
wgkey secretsquirrel
wgport 12345
wgpeer secretsquirrel wgpsk secretsquirrel wgaip 192.0.2.2/32 wgaip 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
up
$ doas cat /etc/pf.conf
set skip on {lo,wg}
pass
CLIENT CONFIG
[Interface]
PrivateKey = secretsquirrel
Address = 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
DNS = 2620:fe::fe
[Peer]
PublicKey = secretsquirrel
PresharedKey = secretsquirrel
AllowedIPs = ::/0
Endpoint = [2001:db8:ffff:ffff::ffff]:12345
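One thing worth ruling out before digging into the kernel side is a mismatch between the two halves of the config: the client's tunnel address must fall inside the server's inet6 prefix and inside one of the server's wgaip entries (wg(4) silently drops packets from a peer whose source is not in its allowed IPs), and the client's Endpoint port must match wgport. The following is an added example (my own code, not the poster's, and not an OpenBSD tool); it parses the IPv6-relevant lines of the two configs quoted above, which are copied inline, and reports every mismatch it finds.

```python
import ipaddress
import re

# Constructed copies of the IPv6-relevant lines from the post's two configs.
SERVER_HOSTNAME_WG = """inet6 2001:db8:ffff:ffff::ffff 64
wgport 12345
wgpeer secretsquirrel wgpsk secretsquirrel wgaip 192.0.2.2/32 wgaip 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
"""
CLIENT_CONF = """[Interface]
Address = 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
[Peer]
AllowedIPs = ::/0
Endpoint = [2001:db8:ffff:ffff::ffff]:12345
"""

def parse_hostname_wg(text):
    """Pull the inet6 prefix, wgport and every wgaip out of hostname.if(5) lines."""
    cfg = {"inet6": None, "wgport": None, "wgaip": []}
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "inet6":                      # "inet6 <addr> <prefixlen>"
            cfg["inet6"] = ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "wgport":
            cfg["wgport"] = int(parts[1])
        elif parts[0] == "wgpeer":                   # wgaip may repeat on one line
            cfg["wgaip"] += [ipaddress.ip_network(parts[i + 1], strict=False)
                             for i, tok in enumerate(parts) if tok == "wgaip"]
    return cfg

def parse_client_conf(text):
    """Flatten the wg-quick INI (one [Interface], one [Peer]) into a dict."""
    return {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in text.splitlines() if "=" in line)}

def check_v6_consistency(server_text, client_text):
    """Return a list of mismatches; an empty list means both sides agree on the IPv6 tunnel."""
    s, c = parse_hostname_wg(server_text), parse_client_conf(client_text)
    client = ipaddress.ip_interface(c["Address"])
    findings = []
    if client.ip not in s["inet6"].network:
        findings.append("client Address is outside the server's inet6 prefix")
    if not any(client.ip in n for n in s["wgaip"] if n.version == 6):
        findings.append("no server wgaip covers the client Address (wg would drop its packets)")
    m = re.fullmatch(r"\[(.+)\]:(\d+)", c["Endpoint"])
    if m is None or int(m.group(2)) != s["wgport"]:
        findings.append("client Endpoint port differs from server wgport")
    if ipaddress.ip_network(c["AllowedIPs"]) != ipaddress.ip_network("::/0"):
        findings.append("client AllowedIPs does not send all IPv6 through the tunnel")
    return findings
```

For the configs quoted in the post the check returns no findings, so the client/server address and port pairing is consistent and the fault lies elsewhere (forwarding, routes or pf on the host).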