sixnix
My ISP provides me a single '/64' and it's dynamically assigned. I cannot have multiple networks with functional autoconfiguration. One solution to this is use one of 4to6 tunnel brokers like the one offered by Hurricane Electric. Since my ISP uses CGNAT this setup is tricky if not impossible.
Fortunately Linode provides free /56 to customers and the cheapest VPS costs just $5/month. You get 256 /64 subnets. The following table provides an example where you can have 15 delegations of /60 and use the 16th /60 for the wireguard peer addressing.
| Client subnet | WireGuard subnet | |
|---|---|---|
| 2001:0db8::/60 | 2001:0db8:0:f0::/64 | 1 |
| 2001:db8:0:10::/60 | 2001:db8:0:f1::/64 | 2 |
| 2001:db8:0:20::/60 | 2001:db8:0:f2::/64 | 3 |
| 2001:db8:0:30::/60 | 2001:db8:0:f3::/64 | 4 |
| 2001:db8:0:40::/60 | 2001:db8:0:f4::/64 | 5 |
| 2001:db8:0:50::/60 | 2001:db8:0:f5::/64 | 6 |
| 2001:db8:0:60::/60 | 2001:db8:0:f6::/64 | 7 |
| 2001:db8:0:70::/60 | 2001:db8:0:f7::/64 | 8 |
| 2001:db8:0:80::/60 | 2001:db8:0:f8::/64 | 9 |
| 2001:db8:0:90::/60 | 2001:db8:0:f9::/64 | 10 |
| 2001:db8:0:a0::/60 | 2001:db8:0:fa::/64 | 11 |
| 2001:db8:0:b0::/60 | 2001:db8:0:fb::/64 | 12 |
| 2001:db8:0:c0::/60 | 2001:db8:0:fc::/64 | 13 |
| 2001:db8:0:d0::/60 | 2001:db8:0:fd::/64 | 14 |
| 2001:db8:0:e0::/60 | 2001:db8:0:fe::/64 | 15 |
| Host | Subnet |
|---|---|
| wireguard.example.com | 2001:0db8:0:ff::/64 |
You can follow the linode's nixos installation guide and/or then use this repo as a reference to set up your wireguard tunnels.
- sops and add secrets in
secrets/secrets.yaml - ssh and user account settings in
modules/access.nix - egress and wireguard configs in
modules/network.nix