wg-quick IPv6 same route on different interfaces

Brian Candler b.candler at pobox.com
Sat Aug 25 10:44:05 CEST 2018

> I'm setting up a WireGuard tunnel between my VPS and my home network. This
> tunnel should be IPv6 only.
> I assigned the IPv6 subnet fd00:1:a/64 to my home network and my wireguard
> client got the static IP fd00:1:a::1.
> On the VPS I assigned the IP fd00::1 to the wg0 interface.
> Here're the configs:
> *Client:*
>> [Interface]
>> PrivateKey = XXXX
>> Address = fd00:1:a::1/64
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = fd00:0:0::/64
>> EndPoint = vpn.domain.tld:51820
>> PersistentKeepalive = 25
> Server:
>> [Interface]
>> PrivateKey = ...
>> ListenPort = 51820
>> Address = fd00:0:0::1
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = fd00:1:a::/64
It *might* work if at the client side you use

Address = fd00:1:a::1

instead of

Address = fd00:1:a::1/64

However, the safest way to make it work is for the [Interface] Address 
at each end to be a separate point-to-point subnet.  These are the 
addresses allocated to the wg0 interface itself.  I don't know if 
"unnumbered" point-to-point links are supported by WireGuard (that is, 
when you re-use an address from a subnet that belongs to a different 
interface), but I know it definitely works with a separate link subnet.

So if you want to use the whole block fd00:0:0::/64 in your VPS, then I 
suggest you allocate a new subnet for the point-to-point, e.g.


Address = fd00:2::2/64


Address = fd00:2::1/64

AllowedIPs are then still the remote subnets at each side, as you have now.

If your VPS is just a single host with a single IPv6 address on the wg0 
interface, then you can keep it as you have now but use


Address = fd00:0:0::1/64


Address = fd00:0:0::2/64
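
Added example, not part of the original message and not WireGuard project code: a small Python check for the situation in the subject line, where the prefix on the wg0 Address (or an AllowedIPs route that wg-quick installs) covers the same subnet as a prefix already on another interface. The sample config is constructed from the client config quoted above; the interface name `eth0` for the home LAN and the function names are assumptions.

```python
import ipaddress

def parse_wg_quick(text):
    """Return ([Interface] Address values, [Peer] AllowedIPs networks)."""
    section, addrs, allowed = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.strip().lower() == "address":
            addrs += [ipaddress.ip_interface(v) for v in items]
        elif section == "peer" and key.strip().lower() == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    return addrs, allowed

def route_conflicts(config_text, other_interfaces):
    """List (wg0 route, interface, prefix) triples that cover the same addresses."""
    addrs, allowed = parse_wg_quick(config_text)
    # An Address with a prefix length gives wg0 a connected route for that
    # subnet; a bare address is a host address (/128) and adds no subnet route.
    connected = [a.network for a in addrs if a.network.prefixlen < a.max_prefixlen]
    conflicts = []
    for ifname, prefixes in other_interfaces.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            for route in connected + allowed:
                if route.version == net.version and route.overlaps(net):
                    conflicts.append((str(route), ifname, str(net)))
    return conflicts

# Constructed sample: the client config as quoted in the thread.
CLIENT_AS_POSTED = """\
[Interface]
PrivateKey = XXXX
Address = fd00:1:a::1/64
[Peer]
PublicKey = XXXX
AllowedIPs = fd00:0:0::/64
"""
HOME_LAN = {"eth0": ["fd00:1:a::/64"]}  # assumed name of the home LAN interface

if __name__ == "__main__":
    print(route_conflicts(CLIENT_AS_POSTED, HOME_LAN))
```
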

