Hi, I currently have a fully functional dual-stack WireGuard instance running on Debian. However, given the recent release of OpenBSD 6.8 with WireGuard in base, I thought it would be a good opportunity to switch over from the dark side. ;-)
Anyway, so on Debian I have a no-NAT setup, with the host announcing the VPN subnets to the upstream router. All works great. I'm no stranger to OpenBSD and OpenBGPD, but I've only managed to get 2/3 of the way:

- The OpenBSD host is config fully functional dual-stack, IPv4 and IPv6 work perfectly
- wg(4) IPv4 config works perfectly, clients can connect and browse the internet
- wg(4) IPv6 config does not work, clients can connect but no routing, not even able to ping loopback IPs or the wg interface IP.
- I have verified upstream routers can ping test loopback IPv6 IPs, so dual-stack BGP is functional
- I have tried an IPv6-only WireGuard client config (as shown below) and that has no effect (I thought maybe a dual-stack client config was the problem with OpenBSD)

Config follows:

OPENBSD SERVER

$ cat /etc/sysctl.conf
ddb.panic=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

$ cat /etc/hostname.wg1
inet 192.0.2.1 0xffffffc0
inet6 2001:db8:ffff:ffff::ffff 64
wgkey secretsquirrel wgport 12345
wgpeer secretsquirrel wgpsk secretsquirrel wgaip 192.0.2.2/32 wgaip 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
up

$ doas cat /etc/pf.conf
set skip on {lo,wg}
pass

CLIENT CONFIG

[Interface]
PrivateKey = secretsquirrel
Address = 2001:db8:ffff:ffff:aaaa:aaaa:aaaa:aaaa/128
DNS = 2620:fe::fe

[Peer]
PublicKey = secretsquirrel
PresharedKey = secretsquirrel
AllowedIPs = ::/0
Endpoint = [2001:db8:ffff:ffff::ffff]:12345