Tunnel the IPs to my Home

This article is about bringing our fresh IPv6 range to a home, a homelab, or anywhere else.

Earlier we talked about plenty of things, such as getting the range and the ASN, announcing the IPs, and configuring rDNS. With everything configured, we now need to actually use the addresses.

Plan

My setup has two homelab sites, and I need to deal with CGNAT and dynamic IPv4. To handle this, I will use WireGuard to create a tunnel from my edge router (VirtuaCloud) to one of my home routers.

For a multi-site setup, it is recommended to have as many /48s as you have sites, but in my case I don’t want to pay more, and it will work anyway.

Configure WireGuard

Install WireGuard

To install WireGuard, run this command: apt install wireguard resolvconf

Generate WireGuard keys

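Set a restrictive umask first so that the private key file is not readable by other users:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Configure WireGuard

Create the file /etc/wireguard/wg0.conf: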

[Interface]
PrivateKey = <content of privatekey>
Address = 10.8.0.1/24, <IPv6 range>:ffff::1/64
DNS = 1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
ListenPort = 51820
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -s <IPv6 range>:ffff::/64 -o eth0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -s <IPv6 range>:ffff::/64 ! -o wg0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -s <IPv6 range>:ffff::/64 -o eth0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -s <IPv6 range>:ffff::/64 ! -o wg0 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.8.0.2/32, <IPv6 range>:ffff::2/128
PersistentKeepalive = 25

[Peer]
PublicKey = <router public key>
AllowedIPs = <IPv6 range>:ffff::3/128, <IPv6 range>:<subnet range>::/64, <IPv6 range>:<subnet range>::/64
PersistentKeepalive = 25
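
Added example (not from the original article): WireGuard uses each peer's AllowedIPs both as the route for outbound packets and as the source-address filter for inbound ones, so this small Python audit of the server config flags a prefix listed under two peers or an IPv6 entry outside the announced /48. The documentation prefix 2001:db8:1234::/48, the dummy keys, and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the server config above with the documentation prefix
# 2001:db8:1234::/48 standing in for <IPv6 range>; keys are dummy strings.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24, 2001:db8:1234:ffff::1/64
[Peer]
PublicKey = CLIENT
AllowedIPs = 10.8.0.2/32, 2001:db8:1234:ffff::2/128
[Peer]
PublicKey = ROUTER
AllowedIPs = 2001:db8:1234:ffff::3/128, 2001:db8:1234:cafe::/64
"""

def parse_peers(text):
    """Return one {"key", "nets"} dict per [Peer] section."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "publickey":
                cur["key"] = value.strip()
            elif name.strip().lower() == "allowedips":
                cur["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                for v in value.split(",") if v.strip()]
    return peers

def audit(text, announced):
    """List IPv6 AllowedIPs outside `announced` and overlaps between peers."""
    prefix = ipaddress.ip_network(announced)
    peers, findings = parse_peers(text), []
    for i, peer in enumerate(peers):
        for net in peer["nets"]:
            if net.version == 6 and not net.subnet_of(prefix):
                findings.append(("outside", peer["key"], str(net)))
            for later in peers[i + 1:]:
                for other in later["nets"]:
                    if net.version == other.version and net.overlaps(other):
                        findings.append(("overlap", peer["key"], later["key"], str(net)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "2001:db8:1234::/48"))  # no findings expected
    dup = SAMPLE_CONF + "[Peer]\nPublicKey = EXTRA\nAllowedIPs = 2001:db8:1234:cafe::/64\n"
    print(audit(dup, "2001:db8:1234::/48"))
```

An identical prefix listed under two peers ends up routed only to the peer configured last, so resolve every overlap finding before bringing the interface up.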

Start the service on boot

systemctl enable --now wg-quick@wg0

Test if the tunnel works

I used my own computer to see if the tunnel worked. As the peer address, I used the VPS IPv4, so I can test it anywhere, anytime.

Result

It should look something like this on bgp.he.net.




Configure the homelab router

Requirement

You must use PFSense 2.8.x or above. I tested with OPNSense, but I didn’t get it to work.

Install the WireGuard package

Log in to your PFSense administration interface, go to System>Package Manager, search for the WireGuard package, and install it.

Create the WireGuard tunnel

In VPN>WireGuard>Tunnel, click on + Add tunnel

Enter a description and generate the interface keys. Enter the interface address as <IPv6 range>:ffff::3/64.

Create PFSense interface

Go to Interfaces>Assignments, and then create an interface for your fresh WireGuard tunnel.

In the interface configuration, you have to:

  • enable the interface

  • set the IPv6 configuration type of the interface to Static IPv6

  • set the IP as <IPv6 range>:ffff::3/64

  • create a gateway for the interface

    • The GW IP must be the IPv6 of the VPS (wg0 interface): <IPv6 range>:ffff::1

    • In Monitor IP, I set the Cloudflare DNS.

  • Save the interface and apply

Create the WireGuard peer

You have to:

  • Set the tunnel interface as your tunnel created above

  • Unset the dynamic endpoint

  • Set the endpoint with your edge router IPv4

  • Set the keepalive to 25

  • Set the VPS public Key

  • In Allowed IPs, set your range and the Internet range:

    • <IPv6 range>/48

    • ::/0

  • Then save the configuration

Start the WireGuard daemon and check the status

The status should look like this:


Configure the routes

We need to create a static route, so go to System>Routing>Static routes and configure it like this:


And do the same for 8000::/1.

Assign a part of our range to an interface

Go to your LAN interface and, in the IPv6 configuration, set Static IPv6.

In the IPv6 address field, set the range you want: YOUR_RANGE:cafe::1/64, then press Save and apply the configuration.

Configure DHCPv6

  • Click on Enable DHCPv6 server on <placeholder> interface

  • Set the address pool range as you want

  • We don’t enable prefix delegation yet

  • Enable Provide DNS servers to DHCPv6 clients

  • DNS server 1: 2606:4700:4700::1111

  • DNS server 2: 2606:4700:4700::1001

  • Save and apply

Configure router advertisement

  • Go to Service → Router advertisement

  • Select the interface you want to configure

  • In router mode, select Managed

  • In router priority, select High

  • Then, save and apply

Conclusion

On the next page, we will talk about rDNS.