wireguard.lists.zx2c4.com archive mirror
* Configure WireGuard for Roaming Between IPv4, IPv6
@ 2018-09-06 19:33 Lane Russell
  2018-09-15 22:41 ` David Cowden
  0 siblings, 1 reply; 6+ messages in thread
From: Lane Russell @ 2018-09-06 19:33 UTC (permalink / raw)
  To: wireguard


What is the best practice for configuring Wireguard to work over diverse networks, including IPv4-only, IPv6-only, and dual-stack?

For example, my current configuration only deals with IPv4. When I roam from an IPv4-only network to a dual-stack, my device routes IPv4 traffic over the WireGuard interface, but IPv6 traffic goes out unencrypted.

My VPN server is IPv6-capable, so I could enable it. However, will the client tunnel fail to come up on an IPv4-only network if the config contains IPv6 addresses?



* Re: Configure WireGuard for Roaming Between IPv4, IPv6
  2018-09-06 19:33 Configure WireGuard for Roaming Between IPv4, IPv6 Lane Russell
@ 2018-09-15 22:41 ` David Cowden
  2018-09-16 16:40   ` Lane Russell
  0 siblings, 1 reply; 6+ messages in thread
From: David Cowden @ 2018-09-15 22:41 UTC (permalink / raw)
  To: Lane Russell; +Cc: wireguard


I haven't actually tried that specific scenario but I don't see why the
tunnel wouldn't "come up". I mean really it's up when the interface is up
and the tunnel "connection" (it's UDP) isn't actually "established" (in a
NAT/firewall sense) unless data is sent. You can have an interface
configured for IPv6 on an "IPv4 only" network, it just won't get responses
to its router solicitations so the kernel (Linux, at least--BSDs do this in
userspace) won't configure routes for IPv6 traffic. If you look at your
physical interfaces, you'll probably notice they all have IPv6 link-local
addresses unless you've actually turned off IPv6 support in the kernel.

The reason your IPv6 traffic goes out unencrypted on dual stack networks is
because the default route for IPv6 traffic is not the WireGuard interface,
but rather one of the physical ones. All you need to do to send your IPv6
traffic through the tunnel is configure the interface to be part of the
IPv6 network you're trying to reach, and of course allow an IPv6 address
from the client in the server config. In fact, if you configure your
interface with IPv6 address(es) and a route pointing at the wg interface,
you can even send IPv6 traffic on an IPv4 only tunnel provided your server
can route IPv6 traffic. If you're using wg-quick, simply adding an IPv6
address to the interface and allowing all IPv6 traffic from the server peer
would suffice.

On Sat, Sep 15, 2018 at 11:01 AM Lane Russell <lanerussell@protonmail.com>
wrote:

> What is the best practice for configuring Wireguard to work over diverse
> networks, including IPv4-only, IPv6-only, and dual-stack?
>
> For example, my current configuration only deals with IPv4. When I roam
> from an IPv4-only network to a dual-stack, my device routes IPv4 traffic
> over the WireGuard interface, but IPv6 traffic goes out unencrypted.
>
>
>
> My VPN server is IPv6-capable, so I could enable it. However, will the
> client tunnel fail to come up on an IPv4-only network if the config
> contains IPv6 addresses?
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>


* Re: Configure WireGuard for Roaming Between IPv4, IPv6
  2018-09-15 22:41 ` David Cowden
@ 2018-09-16 16:40   ` Lane Russell
  2018-09-16 17:47     ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 6+ messages in thread
From: Lane Russell @ 2018-09-16 16:40 UTC (permalink / raw)
  To: David Cowden; +Cc: wireguard


Thanks so much for setting me straight. I've gotten IPv6 working over my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm using WireGuard. Since my ISP uses SLAAC to hand out /56s, I have a /64 pointed at the local subnet where my VPN server is. From there, the VPN clients use my ULA prefix to talk to the server. The server masquerades these ULA addresses to its global address.

For anyone interested in the config I'm using, please look below. I had to enable IPv6 forwarding on the WireGuard server. In Ubuntu (and probably other distros), this disables Stateless Address Autoconfiguration based on Router Advertisements on the server, which would have prevented the server from getting a global IPv6 address from my ISP. To enable IPv6 forwarding and SLAAC, I also had to add the following to my /etc/network/interfaces file to accept router advertisements even with IPv6 forwarding turned on:

iface ens3 inet6 auto
        accept_ra 2

SERVER:
-----------------------------------------------------------------------------------
[Interface]
Address = X.X.X.X/24, fdXX:XXXX:XXXX:XXXX::1/64
ListenPort = PORT
PrivateKey = KEY

[Peer]
# PEER NAME
PublicKey = KEY
AllowedIPs = X.X.X.X/32, fdXX:XXXX:XXXX:XXXX::2/128
-----------------------------------------------------------------------------------

CLIENT:
-----------------------------------------------------------------------------------
[Interface]
Address = X.X.X.2/32, fdXX:XXXX:XXXX:XXXX::2/128
PrivateKey = KEY
DNS = X.X.X.X, X.X.X.X

[Peer]
PublicKey = KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER:PORT
PersistentKeepalive = 21
-----------------------------------------------------------------------------------

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, September 15, 2018 5:41 PM, David Cowden <david.w.cowden@gmail.com> wrote:

> I haven't actually tried that specific scenario but I don't see why the tunnel wouldn't "come up". I mean really it's up when the interface is up and the tunnel "connection" (it's UDP) isn't actually "established" (in a NAT/firewall sense) unless data is sent. You can have an interface configured for IPv6 on an "IPv4 only" network, it just won't get responses to its router solicitations so the kernel (Linux, at least--BSDs do this in userspace) won't configure routes for IPv6 traffic. If you look at your physical interfaces, you'll probably notice they all have IPv6 link-local addresses unless you've actually turned off IPv6 support in the kernel.
>
> The reason your IPv6 traffic goes out unencrypted on dual stack networks is because the default route for IPv6 traffic is not the WireGuard interface, but rather one of the physical ones. All you need to do to send your IPv6 traffic through the tunnel is configure the interface to be part of the IPv6 network you're trying to reach, and of course allow an IPv6 address from the client in the server config. In fact, if you configure your interface with IPv6 address(es) and a route pointing at the wg interface, you can even send IPv6 traffic on an IPv4 only tunnel provided your server can route IPv6 traffic. If you're using wg-quick, simply adding an IPv6 address to the interface and allowing all IPv6 traffic from the server peer would suffice.
>
> On Sat, Sep 15, 2018 at 11:01 AM Lane Russell <lanerussell@protonmail.com> wrote:
>
>> What is the best practice for configuring Wireguard to work over diverse networks, including IPv4-only, IPv6-only, and dual-stack?
>>
>> For example, my current configuration only deals with IPv4. When I roam from an IPv4-only network to a dual-stack, my device routes IPv4 traffic over the WireGuard interface, but IPv6 traffic goes out unencrypted.
>>
>> My VPN server is IPv6-capable, so I could enable it. However, will the client tunnel fail to come up on an IPv4-only network if the config contains IPv6 addresses?
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard

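Two of the points made above lend themselves to a mechanical check: David's observation that wg-quick only tunnels what some peer's AllowedIPs covers (so a client with only 0.0.0.0/0 leaks IPv6 the moment a LAN hands it a router advertisement), and the requirement visible in Lane's configs that the server's [Peer] entry lists every tunnel address the client uses (cryptokey routing drops inner packets from any other source). The following Python is an added example, not code from the thread or from the WireGuard project: it parses wg-quick configs, reports destinations a client config would send outside the tunnel, and reports client addresses the server would not accept. The configs, addresses and key placeholders are constructed for illustration.

```python
"""Leak and consistency checks for wg-quick configs (added example)."""
import ipaddress
from typing import Dict, List, Optional

Section = Dict[str, str]
Config = Dict[str, List[Section]]


def parse_wg_config(text: str) -> Config:
    """Parse wg-quick INI text into {'Interface': [...], 'Peer': [...]}.

    Comments are stripped, and a key repeated inside one section (e.g. two
    AllowedIPs lines) is joined with commas, which is how wg(8) treats it.
    """
    sections: Config = {"Interface": [], "Peer": []}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = f"{current[key]}, {value}" if key in current else value
    return sections


def _csv_networks(csv: str):
    """Split 'a/b, c/d' into ip_network objects; host bits are masked off,
    as WireGuard itself does for AllowedIPs."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in csv.split(",") if p.strip()]


def allowed_networks(cfg: Config):
    """Every network any peer in cfg may source or receive."""
    return [n for peer in cfg["Peer"]
            for n in _csv_networks(peer.get("AllowedIPs", ""))]


def tunneled(cfg: Config, dst: str) -> bool:
    """True if wg-quick would send packets for dst through the tunnel.

    wg-quick installs routes for every AllowedIPs entry (for 0.0.0.0/0 and
    ::/0 it uses fwmark policy routing rather than a plain default route),
    so the rule is simply: covered by some peer's AllowedIPs, or not tunneled.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr.version == net.version and addr in net
               for net in allowed_networks(cfg))


def leaking_destinations(cfg: Config, dests: List[str]) -> List[str]:
    """Destinations that bypass the tunnel with this client config.

    This is the roaming leak from the thread: with only 0.0.0.0/0 the
    client keeps tunneling IPv4 while IPv6 follows whatever default route
    the LAN's router advertisements give the physical interface.
    """
    return [d for d in dests if not tunneled(cfg, d)]


def uncovered_client_addresses(server_text: str, client_text: str) -> List[str]:
    """Client tunnel addresses that no server peer entry allows.

    The server discards inner packets whose source is outside the sending
    peer's AllowedIPs, so each client Address must be listed there.
    """
    allowed = allowed_networks(parse_wg_config(server_text))
    missing = []
    for iface in parse_wg_config(client_text)["Interface"]:
        for part in iface.get("Address", "").split(","):
            if not part.strip():
                continue
            host = ipaddress.ip_interface(part.strip()).ip
            if not any(host.version == n.version and host in n for n in allowed):
                missing.append(str(host))
    return missing


# Constructed sample configs laid out like the ones in the thread (placeholder keys).
SERVER_CFG = """
[Interface]
Address = 10.8.0.1/24, fd86:ea04:1115::1/64
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32, fd86:ea04:1115::2/128
"""
SERVER_V4_ONLY_CFG = SERVER_CFG.replace(", fd86:ea04:1115::2/128", "")

CLIENT_V4_ONLY_CFG = """
[Interface]
Address = 10.8.0.2/32
PrivateKey = <laptop-private-key>
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 21
"""
CLIENT_DUAL_CFG = (CLIENT_V4_ONLY_CFG
                   .replace("Address = 10.8.0.2/32", "Address = 10.8.0.2/32, fd86:ea04:1115::2/128")
                   .replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 0.0.0.0/0, ::/0"))

if __name__ == "__main__":
    probes = ["8.8.8.8", "2001:db8::1"]
    for name, cfg in [("v4-only client", CLIENT_V4_ONLY_CFG), ("dual-stack client", CLIENT_DUAL_CFG)]:
        print(name, "leaks:", leaking_destinations(parse_wg_config(cfg), probes))
    print("server drops:", uncovered_client_addresses(SERVER_V4_ONLY_CFG, CLIENT_DUAL_CFG))
```

Run against the two constructed clients, the v4-only config reports 2001:db8::1 as leaking and the dual-stack one reports nothing; checked against a server whose peer entry omits the ULA /128, the dual-stack client's fd86:ea04:1115::2 is flagged as an address the server would drop, which is the mismatch that shows up in practice as "IPv4 works, IPv6 times out" rather than as a leak.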

* Re: Configure WireGuard for Roaming Between IPv4, IPv6
  2018-09-16 16:40   ` Lane Russell
@ 2018-09-16 17:47     ` Toke Høiland-Jørgensen
  2018-09-16 18:09       ` Lane Russell
  0 siblings, 1 reply; 6+ messages in thread
From: Toke Høiland-Jørgensen @ 2018-09-16 17:47 UTC (permalink / raw)
  To: Lane Russell, David Cowden; +Cc: wireguard

Lane Russell <lanerussell@protonmail.com> writes:

> Thanks so much for setting me straight. I've gotten IPv6 working over
> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
> /64 pointed at the local subnet where my VPN server is. From there,
> the VPN clients use my ULA prefix to talk to the server. The server
> masquerades these ULA addresses to its global address.

Why are you using masquerading? Kinda defeats the whole point of IPv6,
doesn't it? :)

You can just pick a public /64 from your subnet and assign that for use
inside the tunnel, then give your clients addresses from that and use
normal routing on the wireguard server. You'll have to get the prefix
routed to your wireguard server, of course; either set that up manually,
or use something like DHCP prefix delegation, or a routing daemon...

If you don't want to use a whole /64 (but really, there's no reason you
shouldn't be able to), you can also use /128's inside the tunnel and
just route those from your gateway to your wireguard server.

-Toke


* Re: Configure WireGuard for Roaming Between IPv4, IPv6
  2018-09-16 17:47     ` Toke Høiland-Jørgensen
@ 2018-09-16 18:09       ` Lane Russell
  2018-09-16 18:22         ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 6+ messages in thread
From: Lane Russell @ 2018-09-16 18:09 UTC (permalink / raw)
  To: toke, david.w.cowden; +Cc: wireguard


Since this is a home setup and my /56 might (will) change at some point, I don't want to have to reconfigure my router, server, and clients. Unless there's a way to dynamically reconfigure these devices in such a situation?

-------- Original Message --------
On Sep 16, 2018, 12:47 PM, Toke Høiland-Jørgensen wrote:

> Lane Russell <lanerussell@protonmail.com> writes:
>
>> Thanks so much for setting me straight. I've gotten IPv6 working over
>> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
>> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
>> /64 pointed at the local subnet where my VPN server is. From there,
>> the VPN clients use my ULA prefix to talk to the server. The server
>> masquerades these ULA addresses to its global address.
>
> Why are you using masquerading? Kinda defeats the whole point of IPv6,
> doesn't it? :)
>
> You can just pick a public /64 from your subnet and assign that for use
> inside the tunnel, then give your clients addresses from that and use
> normal routing on the wireguard server. You'll have to get the prefix
> routed to your wireguard server, of course; either set that up manually,
> or use something like DHCP prefix delegation, or a routing daemon...
>
> If you don't want to use a whole /64 (but really, there's no reason you
> shouldn't be able to), you can also use /128's inside the tunnel and
> just route those from your gateway to your wireguard server.
>
> -Toke


* Re: Configure WireGuard for Roaming Between IPv4, IPv6
  2018-09-16 18:09       ` Lane Russell
@ 2018-09-16 18:22         ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 6+ messages in thread
From: Toke Høiland-Jørgensen @ 2018-09-16 18:22 UTC (permalink / raw)
  To: Lane Russell, david.w.cowden; +Cc: wireguard

Lane Russell <lanerussell@protonmail.com> writes:

> Since this is a home setup and my /56 might (will) change at some
> point, I don't want to have to reconfigure my router, server, and
> clients. Unless there's a way to dynamically reconfigure these devices
> in such a situation?

Ah, right; renumbering is a PITA. Hmm, you could tell your ISP to get a
clue and stop doing that? ;)

Otherwise I suppose it *may* be possible to run a DHCPv6 server on the
wireguard server. Assuming the clients have the server configured with
AllowedIPs=::/0, the DHCP request should get through to the server. So
as long as the DHCP daemon replies via unicast, it could work. You'd
need to manually configure a static link-local (fe80::/64) address for
each client, which can be used as a source address for a DHCP request.
And then have a trigger script on the wireguard server add the IP to
AllowedIPs for the peer when it assigns an IP. I think odhcpd (that is
used on OpenWrt) allows this at least.

Note I haven't tested this; but I *think* it could be made to work, with
a bit of tweaking :)

-Toke

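Toke's sketch of a lease hook that adds the DHCPv6-assigned address to the peer's AllowedIPs, worked through as an added example that is not from the thread or from any DHCPv6 daemon: Python that parses `wg show <iface> allowed-ips` output, identifies the peer by the static link-local source of the request, and builds the `wg set` command. The peer keys, the sample `wg show` output and the hook's argument shape (source link-local, leased address) are constructed assumptions; odhcpd's real hook interface is not reproduced. The caveat the code handles is that `wg set <iface> peer <key> allowed-ips <list>` replaces the peer's whole list, so the existing IPv4 and link-local entries must be merged back in or the client loses its tunnel the moment the lease is granted.

```python
"""Lease hook sketch: add a DHCPv6-assigned address to a WireGuard peer's
AllowedIPs without clobbering the entries already there (added example)."""
import ipaddress
import shlex
import subprocess
from typing import Dict, List

# Constructed stand-in for `wg show wg0 allowed-ips`: one peer per line,
# public key, a TAB, then space-separated networks, or "(none)".
SAMPLE_WG_SHOW = (
    "<laptop-public-key>\t10.8.0.2/32 fe80::2/128\n"
    "<phone-public-key>\t10.8.0.3/32 fe80::3/128\n"
    "<idle-peer-public-key>\t(none)\n"
)


def parse_allowed_ips(show_output: str) -> Dict[str, List[str]]:
    """Map public key -> allowed networks from `wg show ... allowed-ips`."""
    table: Dict[str, List[str]] = {}
    for line in show_output.splitlines():
        if not line.strip():
            continue
        key, _, nets = line.partition("\t")
        table[key] = [] if nets.strip() == "(none)" else nets.split()
    return table


def peer_for_source(table: Dict[str, List[str]], src: str) -> str:
    """Find the peer allowed to source src.

    The DHCPv6 request arrives inside the tunnel from the client's static
    link-local address, so that fe80::/128 must already be in AllowedIPs;
    otherwise cryptokey routing drops the request before any daemon sees it.
    """
    addr = ipaddress.ip_address(src)
    for key, nets in table.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return key
    raise LookupError(f"no peer is allowed to source {src}")


def merged_allowed_ips(existing: List[str], leased: str) -> List[str]:
    """Existing entries plus the leased address as a /128, without duplicates.

    `wg set ... allowed-ips` REPLACES the peer's list, so passing only the
    new address would silently remove the tunnel IPv4 and link-local entries.
    """
    entry = f"{ipaddress.IPv6Address(leased)}/128"
    return existing if entry in existing else existing + [entry]


def wg_set_command(iface: str, peer_key: str, allowed: List[str]) -> List[str]:
    """argv for wg(8) that installs the complete allowed-ips list for one peer."""
    return ["wg", "set", iface, "peer", peer_key, "allowed-ips", ",".join(allowed)]


def lease_hook_command(show_output: str, iface: str, src_link_local: str, leased: str) -> List[str]:
    """Compute the command a DHCPv6 lease hook should run for one lease.

    The (source link-local, leased address) argument shape is an assumption;
    adapt it to whatever your daemon's hook actually passes.
    """
    table = parse_allowed_ips(show_output)
    key = peer_for_source(table, src_link_local)
    return wg_set_command(iface, key, merged_allowed_ips(table[key], leased))


def apply_lease(iface: str, src_link_local: str, leased: str) -> List[str]:
    """Live variant: read the current table from wg(8) and apply the change.
    Needs root and a real interface; the command is returned for logging."""
    show = subprocess.run(["wg", "show", iface, "allowed-ips"],
                          check=True, capture_output=True, text=True).stdout
    cmd = lease_hook_command(show, iface, src_link_local, leased)
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    print(shlex.join(lease_hook_command(SAMPLE_WG_SHOW, "wg0", "fe80::3", "2001:db8:abcd:1::3")))
```

Because an allowed IP is unique per interface, setting it on one peer removes it from any peer that previously held it, so a lease that the daemon later hands to a different client is moved rather than duplicated; a lease-expiry hook that rebuilds the list without the expired /128 closes the remaining gap.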
