Standardized IPv6 ULA from PublicKey

Florian Klink flokli at
Wed Jun 24 17:37:06 CEST 2020


>> Has anyone thought about a standardized WireGuard IPv6 ULA generated
>> from the PublicKey ?
>This was indeed already discussed, albeit not for ULAs, but link-local
>addresses (fe80::/64). IIRC, Jason rejected it citing the KISS
>principle -- and I fully agree with that. Adding a hundred small
>features useful for certain corner cases is a sure way to transform
>wireguard into a behemoth of ipsec/openvpn dimensions. :)

Was this really a rejection?

I'd like to join the "poking and prodding about supporting IPv6 Link
Local addresses".

Deriving a IPv6 link-local address from the pubkey and adding it to the
interface should be a no-brainer and sane default, and already fix Babel
Routing (and most other issues) for "point-to-point tunnels"
(only one peer, both sides set AllowedIPs=::/0).

Quoting the proposal from the linked email:
> # wg set wg0 llv6 on
> This command fails and returns -ENOTUNIQ if two existing peers have
> the same value of hash(pubkey). When this command succeeds:, the wg0
> interface receives an automatically assigned IP address of
> fe80::hash(interfacepubkey)/64. Every peer has
> fe80::hash(peerpubkey)/128 implicitly added to their allowed-ips. When
> adding a new peer, if hash(pubkey) is the same value of an existing
> peer, the command fails and returns -ENOTUNIQ.

Of course, generating these addresses could be implemented into
downstream tooling, but I'd rather see this defined in wireguard itself.
Then we'd not have multiple implementations possibly using different

A standardized hashing, adding fe80::hash(interfacepubkey)/64 and
AllowedIPs=fe80::hash(peerpubkey)/128 for each peer would also allow
bring instant IPv6 connectivity between peers - which I find quite

I'd propose handling the multicast replication ideas as well as the
ULA address generation as a followup, or the business of higher-level


More information about the WireGuard mailing list