t0mas88 | 18 hours ago

I'm using wireguard with ipv6, the only thing that I never got to work is for wireguard to do ipv6 prefix delegation allowing devices to pick (and change) their own address like they do on a normal ethernet subnet. I like the randomisation that normally happens to make it invisible which phone/device in the subnet made each request.
yosamino | 6 hours ago

There's a chicken-egg-like problem involved with that based on the cryptokey routing that wireguard does. The (a bit unfortunately named) 'allowed-ips' parameter determines to which peer wg routes a packet. If you imagine three peers connected to your one central vpn server, then for this to work you have to have an allowed-ips parameter set to the same /64 network for each of them from the point of view of the server, which creates a conflict. There is a project to configure allowed-ips dynamically but it's not active any more unfortunately: https://github.com/WireGuard/wg-dynamic/blob/master/docs/ide...
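The conflict described in this reply can be made concrete with a small model of the interface's allowed-ips table. This is an added illustration written for this thread, not WireGuard's code and not the poster's; it assumes two documented WireGuard behaviours (an allowed-ip prefix belongs to exactly one peer per interface, so assigning it to a second peer moves it there, and outgoing packets are matched to a peer by longest prefix) and uses a constructed ULA prefix and made-up peer names.

```python
import ipaddress

class CryptokeyRoutingTable:
    """Toy model of one WireGuard interface's allowed-ips table (assumption:
    modelled on documented WireGuard behaviour, not the real implementation).
    Rule 1: a prefix maps to exactly one peer; re-assigning it moves it.
    Rule 2: an outgoing packet goes to the peer with the longest matching prefix.
    """

    def __init__(self):
        self._table = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, *prefixes):
        """Assign prefixes to peer; return [(prefix, previous_owner)] for any
        prefix that was silently taken away from another peer."""
        moved = []
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            prev = self._table.get(net)
            if prev is not None and prev != peer:
                moved.append((str(net), prev))
            self._table[net] = peer
        return moved

    def peer_for(self, dst):
        """Longest-prefix match of a destination address against the table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def prefixes_of(self, peer):
        return sorted(str(n) for n, p in self._table.items() if p == peer)


# Constructed example values: a ULA /64 and the SLAAC-style addresses three
# devices picked for themselves on it.
LAN = "fd00:db8:1::/64"
DEVICE_ADDRS = {
    "phone": "fd00:db8:1::1111",
    "laptop": "fd00:db8:1::2222",
    "tablet": "fd00:db8:1::3333",
}


def route_with_shared_prefix():
    """What happens if the server lists the same /64 for every peer:
    each assignment moves the prefix, so only the last peer keeps it."""
    table = CryptokeyRoutingTable()
    for peer in DEVICE_ADDRS:
        table.set_allowed_ips(peer, LAN)
    return {name: table.peer_for(addr) for name, addr in DEVICE_ADDRS.items()}


def route_with_host_routes():
    """The working alternative: one /128 per peer, fixed at config time,
    which is exactly what stops devices from picking their own address."""
    table = CryptokeyRoutingTable()
    for peer, addr in DEVICE_ADDRS.items():
        table.set_allowed_ips(peer, addr + "/128")
    return {name: table.peer_for(addr) for name, addr in DEVICE_ADDRS.items()}


if __name__ == "__main__":
    print("shared /64 :", route_with_shared_prefix())
    print("per-peer /128:", route_with_host_routes())
```

With the shared /64 every packet for the three devices ends up at whichever peer was configured last, which is the conflict the reply describes; with host routes the table is unambiguous but the server has to know each device's address up front, so there is nothing left for the client to randomise.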
jeroenhd | 18 hours ago

I don't know about PD, but I found that native clients will accept RAs over WireGuard just fine. I only have a /64 at the moment unfortunately, so I can't really use this mechanism at the moment, but I did set up a ULA by giving radvd the following config:
I use the equivalent of fdf4:a694:0e43::/48 across all interfaces to make the ULA routable without too much effort. I don't see why you wouldn't be able to set up a normal IPv6 SLAAC config, assuming you have the address space to advertise a full /64 on the interface.
0x00_NULL | 18 hours ago

I don’t know if the spec supports that on its own. Although, it’s a good feature request. You’d have to update the WG configuration each time a new IPv6 address connected. So, you would probably need to connect through something like a client that could push a config update and restart the service. Not impossible, but that’s another layer of complexity to maintain.