WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Wireguard Interface doesn't receive IPv6 link-local address #148

Open itz-Jana opened 1 year ago

itz-Jana commented 1 year ago

Package version

1.0.20220627

Firmware version

4.4.57

Device

UniFi Security Gateway - UGW3

Issue description

I have multiple Wireguard tunnels that I am in the process of switching to IPv6 connectivity. As they are only point-to-point tunnels, I intend to use the IPv6 link-local address of the Wireguard Interfaces to route my traffic. This works fine on my VyOS routers, but trying to connect my 1 UGW3 I noticed that the Wireguard Interfaces don't receive an IPv6 link-local address, even though all of my other interfaces do.

I don't see any option to enable this in the config and it also doesn't receive one when I explicitly assign the Interface an IPv6 ULA. I could use IPv6 ULAs to route the traffic to the UGW3, but I think not receiving a link-local address is a bug, as Wireguard interfaces on all of my other systems receive a link-local address.

Configuration and log output

Config: 
wireguard wg0 {
     address 10.0.100.3/32
     address fd48:e380:751a:100::3/128
     firewall {
         in {
             name LAN_IN
         }
         local {
             name LAN_LOCAL
         }
         out {
             name LAN_OUT
         }
     }
     mtu 1412
     peer xxx {
         allowed-ips 10.0.100.0/24
         allowed-ips 10.0.101.0/24
         allowed-ips 10.0.0.0/24
         allowed-ips fd48:e380:751a:100::/64
         allowed-ips fd48:e380:751a:101::/64
         allowed-ips fd48:e380:751a:0::/64
         endpoint xxx:51820
         persistent-keepalive 45
     }
     private-key xxx
     route-allowed-ips true
 }

Result:
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1412 qdisc noqueue state UNKNOWN
    link/none
    inet 10.0.100.3/32 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd48:e380:751a:100::3/128 scope global
       valid_lft forever preferred_lft forever

To compare, here is what VyOS on the other side of the tunnel does:
 wireguard wg0 {
     address 10.0.100.9/24
     address fd48:e380:751a:100::9/64
     description "Main VPN"
     mtu 1400
     peer xxx {
         allowed-ips 10.0.100.3/32
         allowed-ips 10.0.10.0/24
         allowed-ips fd48:e380:751a:100::3/128
         allowed-ips fd48:e380:751a:10::/64
         persistent-keepalive 45
         public-key xxx
     }
 }

4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.100.9/24 brd 10.0.100.255 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd48:e380:751a:100::9/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::fdb5:14ff:fecb:6c5c/64 scope link
       valid_lft forever preferred_lft forever

trygvis commented 3 weeks ago

I noticed this myself, and Wireguard configured with systemd doesn't create a link-local address by default either. However, you can just create a random link-local address yourself and set that on the interface directly.
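
An added example, not code from this thread or from the project, of the workaround described in the comment above: it generates a random fe80::/64 address for the interface and checks whether a peer's allowed-ips would admit a link-local address, since WireGuard only accepts packets whose source address falls inside the sending peer's allowed-ips. The function names and the iproute2 command string are assumptions of this example; the allowed-ips list and the remote link-local address are copied from the issue.

```python
import ipaddress
import secrets

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")

# allowed-ips of the peer entry in the UGW3 config posted in the issue
UGW3_PEER_ALLOWED_IPS = [
    "10.0.100.0/24", "10.0.101.0/24", "10.0.0.0/24",
    "fd48:e380:751a:100::/64", "fd48:e380:751a:101::/64",
    "fd48:e380:751a:0::/64",
]

def random_link_local():
    """Return an fe80::/64 interface address with a random 64-bit interface ID."""
    iid = 0
    while iid == 0:  # skip the all-zero ID (subnet-router anycast address)
        iid = secrets.randbits(64)
    addr = ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/64")

def covered_by(addr, allowed_ips):
    """True if an allowed-ips entry of the same address family contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(
        net.version == ip.version and ip in net
        for net in (ipaddress.ip_network(e, strict=False) for e in allowed_ips)
    )

def assign_command(iface, dev="wg0"):
    """iproute2 command that sets the address on the interface directly."""
    return f"ip -6 address add {iface} dev {dev}"

if __name__ == "__main__":
    local = random_link_local()
    print(assign_command(local))
    # Link-local address of the VyOS end, taken from the `ip addr` output in the issue.
    remote = "fe80::fdb5:14ff:fecb:6c5c"
    if not covered_by(remote, UGW3_PEER_ALLOWED_IPS):
        print(f"{remote} is outside the peer's allowed-ips; add {remote}/128 to route over it")
```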