firewall: set IPv6 address for wireguard interface

And advertise it.

roles/firewall/templates/frr.conf.j2

@@ -96,7 +96,12 @@ ipv6 prefix-list office permit {{ prefix.prefix }} ge 64
 {% endfor %}
 {% endfor %}
 
+{% if wg_net is defined %}
 ip prefix-list vpn permit {{ wg_net | ipaddr('subnet') }}
+{% endif %}
+{% if wg_net6 is defined %}
+ipv6 prefix-list vpn permit {{ wg_net6 | ipaddr('subnet') }}
+{% endif %}
 
 {% for network in nat %}
 ip prefix-list nat permit {{ network }}
@@ -106,8 +111,10 @@ ip prefix-list nat permit {{ wg_ip }}
 
 route-map loopback permit 1
   match interface lo
+route-map loopback permit 2
+  match interface wg
 
-# Get routes to offices and VPN users on other firewalls from inside peers.
+# Get routes to offices from inside peers.
 route-map inside->default permit 10
   match ip address prefix-list fabric
 route-map inside->default permit 20
@@ -122,8 +129,11 @@ route-map default->inside permit 20
   match ip address prefix-list default
 route-map default->inside permit 21
   match ipv6 address prefix-list default
-route-map default->inside permit 30
-  match ip address prefix-list vpn
+# I don’t think these /need/ to be announced separately since we are sending the default route anyway.
+#route-map default->inside permit 30
+#  match ip address prefix-list vpn
+#route-map default->inside permit 31
+#  match ipv6 address prefix-list vpn
 
 # Get default route from outside peers.
 route-map outside->default permit 10
@@ -139,3 +149,5 @@ route-map default->outside permit 11
   match ipv6 address prefix-list office
 route-map default->outside permit 20
   match ip address prefix-list nat
+route-map default->outside permit 31
+  match ipv6 address prefix-list vpn

roles/firewall/templates/wg.intf.j2

@@ -1,4 +1,9 @@
 auto wg
 iface wg inet static
     use wireguard
+{% if wg_net is defined %}
     address {{ wg_net }}
+{% endif %}
+{% if wg_net6 is defined %}
+    address {{ wg_net6 }}
+{% endif %}