WireGuard Archive on lore.kernel.org
* Re: [Babel-users] ipv6 tunnels and babel's source specific routing
       [not found] <87h8grrulr.fsf@taht.net>
@ 2018-11-09  2:57 ` Dave Taht
  2018-11-10 17:41   ` WireGuard and IPv6 Source Address Selection (was: ipv6 tunnels and babel's source specific routing) Samuel Holland
  0 siblings, 1 reply; 2+ messages in thread
From: Dave Taht @ 2018-11-09  2:57 UTC (permalink / raw)
  To: Dave Täht; +Cc: babel-users, WireGuard mailing list

I figured out the first two bits of using source specific routing for
ipv6 with wireguard...

The first trick was to watch what wg-quick wanted to do and change it.
So I setup my vpn client (deep within
my network) thusly:

[Interface]
#Address = 2600:8211:e001:9300::2/60
ListenPort = 51820
PrivateKey = neveryoumind

[Peer]
PublicKey = notdoingthat
AllowedIPs = 2600:8211:e001:9300::/60, ::/0
Endpoint = tun.taht.net:51820

This tells wireguard to let any ipv6 address through and treat it like
a default route. We don't really want this but I fix this later.

The server is setup similarly, but no ::/0 and an address of ::1/60

Then I changed the default startup to look like this:

#!/bin/sh
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
# preferred_lft 0 makes sure you don't use this address for anything
# you don't explicitly bind to.
# Otherwise *because* it is static, with a preferred_lft of forever,
# it gets chosen as a default ipv6 addr over the dynamic ipv6 addresses.
# I only want the vpn for specific tools...
ip address add 2600:8211:e001:9300::2/60 dev wg0 preferred_lft 0
ip link set mtu 1420 dev wg0
ip link set wg0 up
ip route add 2600:8211:e001:9300::/60 dev wg0
# the default line generated by wg-quick inserts a default route for everything
# which disables my native ipv6 addrs and routing
# The trick - note the from and the proto
ip -6 route add ::/0 from 2600:8211:e001:9300::/60 dev wg0 proto 48

then I setup babeld.conf to have

redistribute proto 48 allow

which exports that "from default" to the rest of my network without
doing a default default route that RA picks up

I can then do stuff anywhere else on my net (running babel rfc6126bis), like

ip address add 2600:8211:e001:9301::1/64 dev whichever preferred_lft 0

which gives me a valid_lft of forever... and

this lets me use my native, dynamic, ipv6 ips from comcast in the general case,
and the vpn tunnel'd ipv6 address ranges only when I explicitly specify it.

I have no idea if dhcpv6-pd can be configured (with a valid_lft of a
lot, constantly renewed, and a preferred of 0) this way or hnetd, or
if there was some better way
to deprioritize a given set of ipv6 addrs, but...

Now that I have a whole /56 I can finally fiddle more with hnetd
again. This also gives me cheap failover if one of my gws goes down...

On Thu, Nov 8, 2018 at 3:57 PM Dave Taht <dave@taht.net> wrote:
>
>
> Now that I can use the rfc6126bis version of babel's source specific
> routing...
>
> and wireguard is looking stabler and stabler...
>
> I'd like to come up with some reliable subset of the following
> idea.
>
> I've had this linode ipv6/56 for ages. I used to use hurricane for
> static ipv6's until netflix started blocking that. comcast dynamic ipv6
> is a real pita. My hope was, with a whole /56 that I could actually run
> a mail server on my side of it (at least), and dole out portions of the
> /56 to other boxes both on my campus lan, boat, laptop, etc - any place
> I need it....
>
> somewhere along the way I wanted to get a wireguard tunnel with a babel
> "from" route up.
>
> My thinking is weird, in that I'd like to run the tunnel/56 to
> tun.taht.net from ceres.taht.net (dynamic ipv6 ip)
>
> I'd like to break out individual /60s, so, for example, my boat (running
> wireguard over a cell phone, over ipv6!!) would have its own /60 to
> address every router in it... and in that case I do NOT want to touch it
> down in the cloud (because my phone is guaranteed to have ipv6), I want
> it to go to my dynamic dns ipv6 address for ceres.
>
> I tried to do this quite some time ago in wireguard's evolution.
>
> Most of the examples out there are for sending *all* your traffic via
> wireguard through a default gw, where what I want is just the ipv6/56
> addrs I've exported to automagically go through the vpn. e.g. I'd bind
> the house mail server to the vpn address of whatever::3/64, campus
> server at whatever:20::3/64, boat ssh server at whatever:30::neveryoumind/64
>
> When doing that normally you'd do something like
>
> ip -6 route add default from vpn:add:ress::/56 dev wireguardvpn
>
>
> If I can possibly make anything more complicated!!! it would be great to
> be able always go directly to the ipv6 ceres and fall back to the (ipv4)
> cloud... announcing to the rest of my boxes (via babel) where I am...
>
> tun.taht.net has the /56
>
> campus 1 needs at least a 60, maybe even a 58.
>
> lab needs a 60
>
> boat warriors (half dozen boxes, a /62?) (yes, this is excessive but I
> can't get dhcpv6-pd out of the phone, and I have multiple routers on
> board because that's the work I do)
>
> road warriors
> laptop - needs a mobile 128? But I don't want it to try to connect over
> the vpn over the vpn....
>
> so that's the crazy question. I don't think I've described it well enough.
>
> so quick and slightly less question - how's android working and does wireguard on
> android work over ipv6? Can a android tether at least, export RA?
>
> alternatively anyone know of a good usb stick for cell?
>
> PS I used to do this sort of crazy stuff with tinc, but...
>
> PPS yes, my boat runs babel. It would be awesome if more boats ran adhoc
> wifi, babel, and hnetd. VHF sucks compared to wifi. A picostation on the
> mast has about 20 mile range.
>
>
> _______________________________________________
> Babel-users mailing list
> Babel-users@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users



-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
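As an added illustration (not code from this thread, nor from WireGuard or babeld): a small Python model of the two lookups the startup script above depends on, the kernel's IPv6 FIB lookup with a "from" route, and WireGuard's cryptokey routing by AllowedIPs. It uses the 2600:8211:e001:9300::/60 prefix, the proto 48 tag and the tun.taht.net peer from the mail; the native prefix 2001:db8:aa::/64, the device names and the rtproto numbers of the other routes are assumptions. It shows why a packet sourced from a native address never enters wg0 even though wg0 carries a default route, why a packet sourced from the VPN prefix does, and why the peer still needs ::/0 in AllowedIPs: a packet routed to wg0 whose destination is outside every peer's AllowedIPs is dropped by WireGuard rather than sent.

```python
"""Model of source-specific IPv6 routing plus WireGuard cryptokey routing.

Added example for the thread above, not code from the thread. The FIB
lookup follows what Linux does for source-specific routes: the most
specific destination prefix wins; among routes with an equal destination
prefix the one with the most specific matching "from" prefix wins; a route
with a "from" prefix never matches a packet whose source lies outside it.
Assumptions: native prefix 2001:db8:aa::/64, device names eth0/wg0.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: IPv6Network
    dev: str
    src: Optional[IPv6Network] = None  # the "from" prefix, if any
    proto: int = 0                     # rtproto; 48 is what the script tagged


VPN = ip_network("2600:8211:e001:9300::/60")   # prefix from the mail
NATIVE = ip_network("2001:db8:aa::/64")        # constructed stand-in for the ISP prefix

# Routing table as the script leaves it, plus the RA-learned native default.
# rtproto numbers: ra = 9, kernel = 2, boot = 3 (iproute2 default for "ip route add").
TABLE = [
    Route(ip_network("::/0"), "eth0", proto=9),            # default from RA
    Route(NATIVE, "eth0", proto=2),                        # on-link native prefix
    Route(VPN, "wg0", proto=3),                            # ip route add VPN dev wg0
    Route(ip_network("::/0"), "wg0", src=VPN, proto=48),   # ::/0 from VPN dev wg0 proto 48
]


def lookup(table, dst, src):
    """Return the egress device for a packet (dst, src), or None if unroutable."""
    dst, src = ip_address(dst), ip_address(src)
    candidates = [r for r in table
                  if dst in r.dst and (r.src is None or src in r.src)]
    if not candidates:
        return None
    # Destination specificity first, then "from" specificity (no "from" = -1).
    best = max(candidates,
               key=lambda r: (r.dst.prefixlen, r.src.prefixlen if r.src else -1))
    return best.dev


def redistributable(table, proto=48):
    """Routes that "redistribute proto 48 allow" would let babeld export."""
    return [r for r in table if r.proto == proto]


# AllowedIPs of the single [Peer] in the client config above.
PEERS = {"tun.taht.net": [VPN, ip_network("::/0")]}


def wg_select_peer(peers, dst):
    """Cryptokey routing: the peer with the longest AllowedIPs match for dst.

    No match means WireGuard drops the packet, whatever the FIB said.
    """
    dst = ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in allowed:
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    for dst, src in [("2001:db8:ffff::1", "2600:8211:e001:9300::2"),
                     ("2001:db8:ffff::1", "2001:db8:aa::5"),
                     ("2600:8211:e001:9301::1", "2001:db8:aa::5")]:
        dev = lookup(TABLE, dst, src)
        peer = wg_select_peer(PEERS, dst) if dev == "wg0" else "-"
        print(f"{src} -> {dst}: dev {dev}, peer {peer}")
```

On a real box the equivalent check is "ip -6 route get DST from SRC", which runs the same lookup with an explicit source; the model only reproduces the ordering, not the kernel's backtracking details.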


* WireGuard and IPv6 Source Address Selection (was: ipv6 tunnels and babel's source specific routing)
  2018-11-09  2:57 ` [Babel-users] ipv6 tunnels and babel's source specific routing Dave Taht
@ 2018-11-10 17:41   ` Samuel Holland
  0 siblings, 0 replies; 2+ messages in thread
From: Samuel Holland @ 2018-11-10 17:41 UTC (permalink / raw)
  To: Dave Taht, Dave Täht; +Cc: WireGuard mailing list

Hi,

This isn't quite the same situation you're in (I'm not using a routing daemon),
but I have also had issues with WireGuard and IPv6 source address selection, and
I thought I'd share my solution for the benefit of the list. This might be the
"some better way to deprioritize a given set of ipv6 addrs" you're looking for.

My VPN topology consists of two fixed sites with native IPv6, plus some road
warriors without IPv6. Site A has a DHCPv6 IA-PD subnet we'll call
2605:aaaa:aaaa:aa::/56, and Site B has a DHCPv6 IA-PD subnet we'll call
2600:bbbb:bbbb:bbb::/60. Because Site A was the original site, and it has the
larger prefix, I use a /64 from that subnet ("2605:aaaa:aaaa:aacc::/64") to
connect all of the WireGuard peers in a mesh. So my configuration looks
something like this (ignoring IPv4), where the first IP address given for each
peer is the one assigned (with prefix length 64) to wg0:

    [Peer]
    PublicKey = <Site_A_Router_Key>
    AllowedIPs = 2605:aaaa:aaaa:aacc::10/128, 2605:aaaa:aaaa:aa::/56

    [Peer]
    PublicKey = <Site_B_Router_Key>
    AllowedIPs = 2605:aaaa:aaaa:aacc::20/128, 2600:bbbb:bbbb:bbb::/60

    [Peer]
    PublicKey = <Road_Warrior_1_Key>
    AllowedIPs = 2605:aaaa:aaaa:aacc::81/128

    [Peer]
    PublicKey = <Road_Warrior_2_Key>
    AllowedIPs = 2605:aaaa:aaaa:aacc::82/128

This works great for every machine *except* the router at Site B, which also
happens to be my main workstation. Linux always chooses 2605:aaaa:aaaa:aacc::20
as the source address when sending packets to the Internet, and of course that
gets dropped by my ISP, because they only delegated me 2600:bbbb:bbbb:bbb::/60.

I tried to set `preferred_lft 0` on 2605:aaaa:aaaa:aacc::20, but that caused
other issues (it's been a couple of months so I don't remember the details). The
solution actually turned out to be really simple:

    ip addrlabel add prefix 2605:aaaa:aaaa:aa::/56 label 100

One of the rules for IPv6 source address selection is to prefer source addresses
with the same label as the destination. Normally, the whole publicly routable
IPv6 space is one label (while link-local, loopback, IPv4-mapped, etc. are
unique), but you can create arbitrary labels. Just pick any ID that's not
already in use (`ip addrlabel` shows the list of existing labels).

Having Site A's subnet on its own label does exactly what I want. Traffic to
Site A from the router at Site B always uses its address from wg0, and traffic
*outside* Site A's subnet *never* uses the address from wg0.

Hope this helps,
Samuel

On 11/08/18 20:57, Dave Taht wrote:
> I figured out the first two bits of using source specific routing for
> ipv6 with wireguard...
> 
> The first trick was to watch what wg-quick wanted to do and change it.
> So I setup my vpn client (deep within
> my network) thusly:
> 
> [Interface]
> #Address = 2600:8211:e001:9300::2/60
> ListenPort = 51820
> PrivateKey = neveryoumind
> 
> [Peer]
> PublicKey = notdoingthat
> AllowedIPs = 2600:8211:e001:9300::/60, ::/0
> Endpoint = tun.taht.net:51820
> 
> This tells wireguard to let any ipv6 address through and treat it like
> a default route. We don't really want this but I fix this later.
> 
> The server is setup similarly, but no ::/0 and an address of ::1/60
> 
> Then I changed the default startup to look like this:
> 
> #!/bin/sh
> ip link add wg0 type wireguard
> wg setconf wg0 /etc/wireguard/wg0.conf
> # preferred_lft 0 makes sure you don't use this address for anything
> # you don't explicitly bind to.
> # Otherwise *because* it is static, with a preferred_lft of forever,
> # it gets chosen as a default ipv6 addr over the dynamic ipv6 addresses.
> # I only want the vpn for specific tools...
> ip address add 2600:8211:e001:9300::2/60 dev wg0 preferred_lft 0
> ip link set mtu 1420 dev wg0
> ip link set wg0 up
> ip route add 2600:8211:e001:9300::/60 dev wg0
> # the default line generated by wg-quick inserts a default route for everything
> # which disables my native ipv6 addrs and routing
> # The trick - note the from and the proto
> ip -6 route add ::/0 from 2600:8211:e001:9300::/60 dev wg0 proto 48
> 
> then I setup babeld.conf to have
> 
> redistribute proto 48 allow
> 
> which exports that "from default" to the rest of my network without
> doing a default default route that RA picks up
> 
> I can then do stuff anywhere else on my net (running babel rfc6126bis), like
> 
> ip address add 2600:8211:e001:9301::1/64 dev whichever preferred_lft 0
> 
> which gives me a valid_lft of forever... and
> 
> this lets me use my native, dynamic, ipv6 ips from comcast in the general case,
> and the vpn tunnel'd ipv6 address ranges only when I explicitly specify it.
> 
> I have no idea if dhcpv6-pd can be configured (with a valid_lft of a
> lot, constantly renewed, and a preferred of 0) this way or hnetd, or
> if there was some better way
> to deprioritize a given set of ipv6 addrs, but...
> 
> Now that I have a whole /56 I can finally fiddle more with hnetd
> again. This also gives me cheap failover if one of my gws goes down...
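Added example (not code from this thread): a Python model of the part of RFC 6724 source address selection that the addrlabel trick relies on, to show what "ip addrlabel add prefix ... label 100" changes and how it differs from the preferred_lft 0 approach in the earlier mail. The label table is Linux's default (what "ip addrlabel show" prints on a stock box). Only Rule 3 (avoid deprecated addresses), Rule 6 (prefer matching label) and Rule 8 (longest matching prefix) are modelled; Linux also prefers addresses on the outgoing interface (Rule 5), which the model ignores, so it reproduces the symptom only for destinations that share a longer prefix with the Site A address than with the Site B one. The mail writes the Site A prefix as 2605:aaaa:aaaa:aa::/56; the model spells it 2605:aaaa:aaaa:aa00::/56 so that 2605:aaaa:aaaa:aacc::/64 falls inside it. The Site B router's LAN address 2600:bbbb:bbbb:bbb0::1 and the destinations are constructed.

```python
"""Subset of RFC 6724 source address selection as Linux applies it.

Added example, not code from the thread. Rules implemented: 3 (avoid
deprecated addresses, i.e. preferred_lft 0), 6 (prefer a source whose
address label matches the destination's) and 8 (longest matching prefix).
Rules 1, 2, 4, 5 and 7 are omitted. Prefixes: the Site A prefix from the
mail spelled as a proper /56; Site B addresses and destinations are
constructed.
"""
from ipaddress import ip_address, ip_network

# Linux's default address label table (net/ipv6/addrlabel.c); longest prefix wins.
DEFAULT_ADDRLABELS = [
    (ip_network("::1/128"), 0),        # loopback
    (ip_network("::/96"), 3),          # IPv4-compatible
    (ip_network("::ffff:0:0/96"), 4),  # IPv4-mapped
    (ip_network("2001::/32"), 6),      # Teredo
    (ip_network("2001:10::/28"), 7),   # ORCHID
    (ip_network("3ffe::/16"), 12),     # 6bone
    (ip_network("2002::/16"), 2),      # 6to4
    (ip_network("fec0::/10"), 11),     # site-local
    (ip_network("fc00::/7"), 5),       # ULA
    (ip_network("::/0"), 1),           # everything else: one label
]


def addrlabel_add(table, prefix, label):
    """Equivalent of "ip addrlabel add prefix PREFIX label LABEL"."""
    return table + [(ip_network(prefix), label)]


def label_of(table, addr):
    """Label of the most specific table entry containing addr."""
    addr = ip_address(addr)
    matches = [(net.prefixlen, lbl) for net, lbl in table if addr in net]
    return max(matches)[1]


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, dst, labels=DEFAULT_ADDRLABELS):
    """Pick a source for dst from [(address, deprecated_flag), ...].

    Returns the chosen address as a string. Ties at the last rule go to the
    earlier candidate, as a stand-in for the rules not modelled here.
    """
    dst = ip_address(dst)
    cands = [(ip_address(a), dep) for a, dep in candidates]
    # Rule 3: avoid deprecated addresses when any preferred one exists.
    preferred = [c for c in cands if not c[1]]
    if preferred:
        cands = preferred
    # Rule 6: prefer a source whose label matches the destination's label.
    dst_label = label_of(labels, dst)
    same_label = [c for c in cands if label_of(labels, c[0]) == dst_label]
    if same_label:
        cands = same_label
    # Rule 8: longest matching prefix; max() keeps the first of equal keys.
    return str(max(cands, key=lambda c: common_prefix_len(c[0], dst))[0])


# Site B router: its own LAN address (constructed) plus its wg0 address from the mail.
SITE_B_ROUTER = [("2600:bbbb:bbbb:bbb0::1", False), ("2605:aaaa:aaaa:aacc::20", False)]
# The fix from the mail, with the /56 spelled out.
LABELS_WITH_SITE_A = addrlabel_add(DEFAULT_ADDRLABELS, "2605:aaaa:aaaa:aa00::/56", 100)


if __name__ == "__main__":
    for dst in ["2605:1234::1", "2605:aaaa:aaaa:aa01::5"]:
        print(dst, "default labels ->", select_source(SITE_B_ROUTER, dst))
        print(dst, "with label 100 ->", select_source(SITE_B_ROUTER, dst, LABELS_WITH_SITE_A))
```

The last two assertions in the check below contrast the two approaches from this thread: with a label, the wg0 address is still used for traffic into Site A, whereas marking it deprecated (preferred_lft 0) keeps it out of the running for every destination unless a socket binds to it explicitly.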
