Collection of ideas for automatic wireguard interface configuration
- The interface gets a link-local IP like so:
  fe80::hash(interfacepubkey)/64
- Each peer's allowed-ips entry gets
  fe80::hash(peerpubkey)/128
Because NDP runs over ICMPv6, we can use standard protocols to push config:
radvd
can push configuration to unicast addresses automatically if the
client IP addresses are given to it.
An example config could look like this:
# /etc/radvd.conf
interface wgnet0 {
    AdvSendAdvert on;
    IgnoreIfMissing on;
    #UnicastOnly on;
    prefix fd00::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    clients {
        fe80::ca8d:3088:f1b:9b24;
    };
};
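The address derivation sketched above and the radvd clients list that feeds it, as an added worked example that is not part of these notes, of wg-ip, or of any other listed implementation. It assumes hash() is SHA-256 over the raw 32-byte key truncated to 64 bits (the notes do not say which hash); the sample keys, the interface name wgnet0 and the generated ip/wg commands are constructed for illustration.

```python
import base64
import hashlib
import ipaddress

# Constructed sample keys: arbitrary 32-byte values base64-encoded the way
# WireGuard public keys are. They do not belong to any real host.
SAMPLE_LOCAL_PUBKEY = base64.b64encode(bytes(range(1, 33))).decode()
SAMPLE_PEER_PUBKEYS = [
    base64.b64encode(bytes(range(33, 65))).decode(),
    base64.b64encode(bytes(range(65, 97))).decode(),
]


def interface_id_from_pubkey(pubkey_b64):
    """Derive the 64-bit interface identifier from a WireGuard public key.

    Assumption (the notes only say hash()): SHA-256 over the raw 32-byte key,
    truncated to the first 8 bytes. The universal/local bit of the IID is
    cleared (RFC 7136) so the address cannot be mistaken for a hardware-derived
    EUI-64. Any collision-resistant hash works as long as every node agrees.
    """
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are exactly 32 bytes")
    iid = bytearray(hashlib.sha256(raw).digest()[:8])
    iid[0] &= 0xFD  # clear the u/l bit
    return int.from_bytes(iid, "big")


def link_local_address(pubkey_b64):
    """fe80::<hash(pubkey)> as an IPv6Address (prefix length is added by callers)."""
    return ipaddress.IPv6Address((0xFE80 << 112) | interface_id_from_pubkey(pubkey_b64))


def local_addr_command(ifname, local_pubkey):
    """The `ip` command that assigns the interface its own link-local /64."""
    return f"ip -6 addr add {link_local_address(local_pubkey)}/64 dev {ifname}"


def wg_allowed_ips(peer_pubkeys):
    """Map peer key -> the single /128 that peer may use inside the tunnel.

    allowed-ips is also WireGuard's routing table: if two peers hashed to the
    same address, the later `wg set` would silently move that address to the
    last peer configured, so a collision is reported as an error instead.
    """
    owner = {}
    allowed = {}
    for key in peer_pubkeys:
        addr = link_local_address(key)
        if addr in owner:
            raise ValueError(f"{addr} derived from both {owner[addr]} and {key}")
        owner[addr] = key
        allowed[key] = f"{addr}/128"
    return allowed


def wg_set_commands(ifname, peer_pubkeys):
    """One `wg set ... allowed-ips` line per peer."""
    return [
        f"wg set {ifname} peer {key} allowed-ips {cidr}"
        for key, cidr in wg_allowed_ips(peer_pubkeys).items()
    ]


def radvd_clients_block(peer_pubkeys):
    """The clients { ... }; stanza for radvd.conf.

    A router advertisement to ff02::1 matches no peer's allowed-ips (unless one
    peer is given ff02::/16), so WireGuard drops it; radvd therefore has to
    unicast to each peer's derived link-local address, which this list supplies.
    """
    lines = ["clients {"]
    lines += [f"    {link_local_address(key)};" for key in peer_pubkeys]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(local_addr_command("wgnet0", SAMPLE_LOCAL_PUBKEY))
    for cmd in wg_set_commands("wgnet0", SAMPLE_PEER_PUBKEYS):
        print(cmd)
    print(radvd_clients_block(SAMPLE_PEER_PUBKEYS))
```

Both sides only need the other side's public key to compute the same address, which is what makes the scheme configuration-free; the price is that the /64 prefix in radvd.conf (fd00::/64 above) is still autoconfigured by each peer from the RA, so those addresses are not derivable from the key and are not covered by this generator.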
TODO: need to figure out how to add the radvd-advertised IP addresses to the allowed-ips list
IPv4 relies on an ugly layer-2 hack (DHCP) to push config, so it probably needs something custom
Relevant thread in the mailing list: https://lists.zx2c4.com/pipermail/wireguard/2018-April/002593.html
Repo: https://github.com/chmduquesne/wg-ip
Another implementation:
https://gist.github.com/artizirk/c91e4f8c237dec07e3ad1b286f1855a7
More mailing list links:
https://lists.zx2c4.com/pipermail/wireguard/2020-June/005608.html