WireGuard Archive on lore.kernel.org
* wg-quick IPv6 same route on different interfaces
@ 2018-08-19 17:13 Waishon
From: Waishon @ 2018-08-19 17:13 UTC (permalink / raw)
  To: wireguard


Hey there,

I'm setting up a WireGuard tunnel between my VPS and my home network. This
tunnel should be IPv6 only.
I assigned the IPv6 subnet fd00:1:a/64 to my home network and my wireguard
client got the static IP fd00:1:a::1.
On the VPS I assigned the IP fd00::1 to the wg0 interface.

Here're the configs:
*Client:*

> [Interface]
> PrivateKey = XXXX
> Address = fd00:1:a::1/64
> [Peer]
> PublicKey = XXXX
> AllowedIPs = fd00:0:0::/64
> EndPoint = vpn.domain.tld:51820
> PersistentKeepalive = 25


Server:

> [Interface]
> PrivateKey = ...
> ListenPort = 51820
> Address = fd00:0:0::1
>
> [Peer]
> PublicKey = XXXX
> AllowedIPs = fd00:1:a::/64


After running "wg-quick up wg0" I'm able to ping the server and the server
is able to ping the client.
However, I'd like to reach all my clients in my home network. To do this I
added a static route that forwards all traffic addressed to fd00::/64 to my
WireGuard client machine (fd00:1:a::1) and enabled IP forwarding on the
client. When I now do a ping6 from my VPS to another client in my network I
only get an unreachable error.

Some further debugging shows that WireGuard adds another route for my home's
fd00:1:a::/64 network. Without WireGuard I only have the "fd00:1:a::/64 dev
wlan0" route.

*IP -6 route show:*
fd00::/64 dev wg0 metric 1024  pref medium
fd00:1:a::/64 dev wlan0 proto kernel metric 256  expires 6993sec pref medium
fd00:1:a::/64 dev wg0 proto kernel metric 256  pref medium

Because it prioritizes the route where the packet comes from, the packet is
routed back to WireGuard, which obviously doesn't know what to do with it,
because it's not configured as AllowedIPs.

After manually removing the duplicate route entry everything works as
expected and I'm able to ping all my clients in my network from the VPS.

A friend of mine has set up WireGuard to use IPv4 only. "ip route" doesn't show
any duplicate routes there.

I was able to reproduce this error on two WireGuard client machines.

Am I missing something in the configuration, or is this a bug?

Kind regards
Soeren



* Re: wg-quick IPv6 same route on different interfaces
@ 2018-08-25  8:44 ` Brian Candler
From: Brian Candler @ 2018-08-25  8:44 UTC (permalink / raw)
  To: wireguard


> I'm setting up a WireGuard tunnel between my VPS and my home network. This
> tunnel should be IPv6 only.
> I assigned the IPv6 subnet fd00:1:a/64 to my home network and my wireguard
> client got the static IP fd00:1:a::1.
> On the VPS I assigned the IP fd00::1 to the wg0 interface.
>
> Here're the configs:
> *Client:*
>
>> [Interface]
>> PrivateKey = XXXX
>> Address = fd00:1:a::1/64
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = fd00:0:0::/64
>> EndPoint = vpn.domain.tld:51820
>> PersistentKeepalive = 25
> Server:
>
>> [Interface]
>> PrivateKey = ...
>> ListenPort = 51820
>> Address = fd00:0:0::1
>>
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = fd00:1:a::/64
It *might* work if at the client side you use

Address = fd00:1:a::1

instead of

Address = fd00:1:a::1/64

However, the safest way to make it work is for the [Interface] Address 
at each end to be a separate point-to-point subnet.  These are the 
addresses allocated to the wg0 interface itself.  I don't know if 
"unnumbered" point-to-point links are supported by WireGuard (that is, 
when you re-use an address from a subnet that belongs to a different 
interface), but I know it definitely works with a separate link subnet.

So if you want to use the whole block fd00:0:0::/64 in your VPS, then I 
suggest you allocate a new subnet for the point-to-point, e.g.

client

[Interface]
Address = fd00:2::2/64

server

[Interface]
Address = fd00:2::1/64

AllowedIPs are then still the remote subnets at each side, as you have now.

If your VPS is just a single host with a single IPv6 address on the wg0 
interface, then you can keep it as you have now but use

server

[Interface]
Address = fd00:0:0::1/64

client

[Interface]
Address = fd00:0:0::2/64

HTH,

Brian.
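The two messages above describe the same mechanism from both sides: the /64 prefix length on the client's wg0 Address makes the kernel install a second connected route for fd00:1:a::/64, this time via wg0, and the reply's fix moves wg0 onto its own point-to-point subnet. As an added example (not code from the thread, its authors, or the WireGuard project), the Python below parses the quoted `ip -6 route show` output and a wg-quick style config, predicts the connected routes the [Interface] Address lines will create, and reports where they would duplicate a prefix already routed on another interface, so the conflict is caught before `wg-quick up`. The sample route tables and configs are constructed from the thread; `wg0` as the tunnel device name, treating a prefix-less Address as a /128 host route, and the extra "more-specific" check (a new prefix narrower than an existing route on another interface, which goes beyond the thread's equal-prefix case) are my assumptions.

```python
"""Predict the connected routes a wg-quick [Interface] Address will create and
compare them with the routes already on the host, so a duplicate like
fd00:1:a::/64 on both wlan0 and wg0 is caught before the tunnel comes up."""
import ipaddress

# Constructed sample: the 'ip -6 route show' output quoted in the thread,
# taken after 'wg-quick up wg0'.
IP6_ROUTE_OUTPUT = """\
fd00::/64 dev wg0 metric 1024  pref medium
fd00:1:a::/64 dev wlan0 proto kernel metric 256  expires 6993sec pref medium
fd00:1:a::/64 dev wg0 proto kernel metric 256  pref medium
"""

# Constructed sample: the same host before the tunnel is brought up.
IP6_ROUTE_WITHOUT_WG = """\
fd00:1:a::/64 dev wlan0 proto kernel metric 256  expires 6993sec pref medium
"""

# The client config from the thread (keys kept as placeholders) ...
CLIENT_CONF_ORIGINAL = """\
[Interface]
PrivateKey = XXXX
Address = fd00:1:a::1/64
[Peer]
PublicKey = XXXX
AllowedIPs = fd00:0:0::/64
Endpoint = vpn.domain.tld:51820
PersistentKeepalive = 25
"""

# ... the reply's suggestion of a dedicated point-to-point subnet ...
CLIENT_CONF_P2P = CLIENT_CONF_ORIGINAL.replace(
    "Address = fd00:1:a::1/64", "Address = fd00:2::2/64")

# ... and the reply's "might work" variant with no prefix length.
CLIENT_CONF_HOST = CLIENT_CONF_ORIGINAL.replace(
    "Address = fd00:1:a::1/64", "Address = fd00:1:a::1")


def parse_routes(output):
    """Parse 'ip -6 route show' lines into (network, device, metric) tuples."""
    routes = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "::/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def find_duplicate_prefixes(routes):
    """Map every prefix that is routed via more than one device to those devices."""
    by_prefix = {}
    for net, dev, _ in routes:
        by_prefix.setdefault(net, set()).add(dev)
    return {net: devs for net, devs in by_prefix.items() if len(devs) > 1}


def predicted_connected_routes(config_text, wg_dev="wg0"):
    """Connected routes the kernel installs for each [Interface] Address.
    Assumption: an Address with no prefix length behaves as a /128 host route."""
    routes = []
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        if section == "interface" and key.strip().lower() == "address":
            for addr in value.split(","):
                addr = addr.strip()
                if "/" not in addr:
                    addr += "/128"
                routes.append((ipaddress.ip_network(addr, strict=False), wg_dev, 256))
    return routes


def conflicting_prefixes(config_text, existing_output, wg_dev="wg0"):
    """Return (kind, prefix, other_device) for each predicted wg route that
    duplicates, or is narrower than, a route on another interface."""
    existing = parse_routes(existing_output)
    findings = []
    for net, dev, _ in predicted_connected_routes(config_text, wg_dev):
        if net.prefixlen == net.max_prefixlen:
            continue  # a host route for wg0's own address diverts nobody else's traffic
        for other_net, other_dev, _ in existing:
            if other_dev == dev or other_net.version != net.version:
                continue
            if net == other_net:
                findings.append(("duplicate", str(net), other_dev))
            elif net.subnet_of(other_net):
                findings.append(("more-specific", str(net), other_dev))
    return findings


if __name__ == "__main__":
    for net, devs in find_duplicate_prefixes(parse_routes(IP6_ROUTE_OUTPUT)).items():
        print(f"{net} is routed via {sorted(devs)} at the same time")
    for name, conf in (("original", CLIENT_CONF_ORIGINAL), ("p2p", CLIENT_CONF_P2P)):
        print(name, conflicting_prefixes(conf, IP6_ROUTE_WITHOUT_WG) or "no conflict")
```

Run it against the output of `ip -6 route show` captured before bringing the tunnel up, with the config you intend to use; an empty result from `conflicting_prefixes` means the [Interface] Address will not compete with a prefix already reachable through the LAN interface.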


