WireGuard Archive on lore.kernel.org
* Support of multiple endpoints to support IPv6/IPv4 protocol change
From: Nico Schottelius @ 2019-08-17 13:50 UTC (permalink / raw)
  To: WireGuard mailing list


Hello,

TL;DR
How difficult is it to add support for multiple endpoints in wireguard?

My problem is that sometimes we need to connect to the VPN server
via IPv4, sometimes via IPv6 and the other protocol won't work anymore.


Long story:
We are a cloud provider offering free IPv6 VPNs with VMs, to enable
customers to have IPv6 anywhere. In some situations customers are
confused, because their network doesn't work anymore while wireguard is
active or the tunnel doesn't work in some networks. I will describe some
situations that we experienced and how we work around it at the moment.


Story 1: using VPN in VPN
Some of our customers have an IPv6 tunnel to provide a /48 to their
network. They usually use a couple of /64s to separate their internal
networks. Some of these customers also have a VPN to their end device
(like a notebook) with another /48 routed to it. In this situation, they
are unable to reach the VPN server or local clients if they don't
explicitly change their configuration to reach the VPN server via IPv4
instead of IPv6:

With a standard config, the DNS name of the tunnel endpoint in
wg0.conf, not fixed to IPv4/IPv6, we had the following report:

In this case if the notebook connects via IPv6 to the VPN server,
it effectively connects to the VPN server through the VPN. We had
reports that in this situation the notebook can either not establish the
VPN tunnel or is unable to reach local devices.

Workaround from some customers: hard code the IPv4 address as an endpoint

Story 2: Change from IPv4 only to IPv6 only networks

We have reports from clients that the VPN is not established again, if
they switch from an IPv4 only network to an IPv6 only network and vice
versa. I assume this is due to wireguard resolving the address at
startup and never re-resolving and/or not storing all DNS results (A and
AAAA answers).

Workaround from some customers: restart wireguard when changing
underlying protocol network


Story 3: Combination of above
Some of our clients hard coded the IPv4 address of the tunnel endpoint
in their wg0.conf to avoid the problem from story 1. However this breaks
their Internet when switching to IPv6 only networks. In this case the
endpoint is fixed to IPv4, but they don't have any IPv4 connectivity.

Workaround from some customers: reconfigure wireguard to use hardcoded
IPv6 or IPv4 only endpoint.


--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Support of multiple endpoints to support IPv6/IPv4 protocol change
From: Derrick Lyndon Pallas @ 2019-08-25 19:23 UTC (permalink / raw)
  To: Nico Schottelius; +Cc: WireGuard mailing list

I recently ran into this issue. My solution was to sort a list of endpoint addresses (not domains) by priority and first check whether the client had a route to an address before picking it. It would be nice if Wireguard kept a list of fallback addresses in case the currently active address stopped working, but this can be achieved by tooling today.

~Derrick • iPhone

> On Aug 17, 2019, at 6:50 AM, Nico Schottelius <nico.schottelius@ungleich.ch> wrote:
> 
> 
> Hello,
> 
> TL;DR
> How difficult is it to add support for multiple endpoints in wireguard?
> 
> My problem is that sometimes we need to connect to the VPN server
> via IPv4, sometimes via IPv6 and the other protocol won't work anymore.
> 
> 
> Long story:
> We are a cloud provider offering free IPv6 VPNs with VMs, to enable
> customers to have IPv6 anywhere. In some situations customers are
> confused, because their network doesn't work anymore while wireguard is
> active or the tunnel doesn't work in some networks. I will describe some
> situations that we experienced and how we work around it at the moment.
> 
> 
> Story 1: using VPN in VPN
> Some of our customers have an IPv6 tunnel to provide a /48 to their
> network. They usually use a couple of /64s to separate their internal
> networks. Some of these customers also have a VPN to their end device
> (like a notebook) with another /48 routed to it. In this situation, they
> are unable to reach the VPN server or local clients if they don't
> explicitly change their configuration to reach the VPN server via IPv4
> instead of IPv6:
> 
> With a standard config, the DNS name of the tunnel endpoint in
> wg0.conf, not fixed to IPv4/IPv6, we had the following report:
> 
> In this case if the notebook connects via IPv6 to the VPN server,
> it effectively connects to the VPN server through the VPN. We had
> reports that in this situation the notebook can either not establish the
> VPN tunnel or is unable to reach local devices
> 
> Workaround from some customers: hard code the IPv4 address as an endpoint
> 
> Story 2: Change from IPv4 only to IPv6 only networks
> 
> We have reports from clients that the VPN is not established again, if
> they switch from an IPv4 only network to an IPv6 only network and vice
> versa. I assume this is due to wireguard resolving the address at
> startup and never re-resolving and/or not storing all DNS results (A and
> AAAA answers).
> 
> Workaround from some customers: restart wireguard when changing
> underlying protocol network
> 
> 
> Story 3: Combination of above
> Some of our clients hard coded the IPv4 address of the tunnel endpoint
> in their wg0.conf to avoid the problem from story 1. However this breaks
> their Internet when switching to IPv6 only networks. In this case the
> endpoint is fixed to IPv4, but they don't have any IPv4 connectivity.
> 
> Workaround from some customers: reconfigure wireguard to use hardcoded
> IPv6 or IPv4 only endpoint.
> 
> 
> --
> Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Support of multiple endpoints to support IPv6/IPv4 protocol change
From: Derrick Lyndon Pallas @ 2019-08-27 17:17 UTC (permalink / raw)
  To: wireguard

Would it make sense to do something like Happy Eyeballs (RFC 8305)
extended for UDP? If WireGuard were to implement the equivalent of
section 5 (but keep the list of addresses around after a handshake for
probing or failover) then userland could easily handle sections 3 and 4.

~Derrick


On 8/25/19 12:23 PM, Derrick Lyndon Pallas wrote:
> I recently ran into this issue. My solution was to sort a list of endpoint addresses (not domains) by priority and first check whether the client had a route to an address before picking it. It would be nice if Wireguard kept a list of fallback addresses in case the currently active address stopped working, but this can be achieved by tooling today.
>
> ~Derrick • iPhone
>
>> On Aug 17, 2019, at 6:50 AM, Nico Schottelius <nico.schottelius@ungleich.ch> wrote:
>>
>>
>> Hello,
>>
>> TL;DR
>> How difficult is it to add support for multiple endpoints in wireguard?
>>
>> My problem is that sometimes we need to connect to the VPN server
>> via IPv4, sometimes via IPv6 and the other protocol won't work anymore.
>>
>>
>> Long story:
>> We are a cloud provider offering free IPv6 VPNs with VMs, to enable
>> customers to have IPv6 anywhere. In some situations customers are
>> confused, because their network doesn't work anymore while wireguard is
>> active or the tunnel doesn't work in some networks. I will describe some
>> situations that we experienced and how we work around it at the moment.
>>
>>
>> Story 1: using VPN in VPN
>> Some of our customers have an IPv6 tunnel to provide a /48 to their
>> network. They usually use a couple of /64s to separate their internal
>> networks. Some of these customers also have a VPN to their end device
>> (like a notebook) with another /48 routed to it. In this situation, they
>> are unable to reach the VPN server or local clients if they don't
>> explicitly change their configuration to reach the VPN server via IPv4
>> instead of IPv6:
>>
>> With a standard config, the DNS name of the tunnel endpoint in
>> wg0.conf, not fixed to IPv4/IPv6, we had the following report:
>>
>> In this case if the notebook connects via IPv6 to the VPN server,
>> it effectively connects to the VPN server through the VPN. We had
>> reports that in this situation the notebook can either not establish the
>> VPN tunnel or is unable to reach local devices
>>
>> Workaround from some customers: hard code the IPv4 address as an endpoint
>>
>> Story 2: Change from IPv4 only to IPv6 only networks
>>
>> We have reports from clients that the VPN is not established again, if
>> they switch from an IPv4 only network to an IPv6 only network and vice
>> versa. I assume this is due to wireguard resolving the address at
>> startup and never re-resolving and/or not storing all DNS results (A and
>> AAAA answers).
>>
>> Workaround from some customers: restart wireguard when changing
>> underlying protocol network
>>
>>
>> Story 3: Combination of above
>> Some of our clients hard coded the IPv4 address of the tunnel endpoint
>> in their wg0.conf to avoid the problem from story 1. However this breaks
>> their Internet when switching to IPv6 only networks. In this case the
>> endpoint is fixed to IPv4, but they don't have any IPv4 connectivity.
>>
>> Workaround from some customers: reconfigure wireguard to use hardcoded
>> IPv6 or IPv4 only endpoint.
>>
>>
>> --
>> Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
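The userland side of what Derrick describes in both of his messages (sort the candidate addresses, check that the client has a route to an address before picking it, keep the list around for failover, and leave RFC 8305 sections 3 and 4 to tooling) as an added example in Python. This is not code from the thread, from WireGuard, or from either poster. It assumes the interface is wg0, a placeholder peer key, constructed candidate addresses from the documentation ranges, and that `wg set <iface> peer <key> endpoint <addr:port>` and `wg show <iface> latest-handshakes` are available; the RFC 8305 section 4 ordering is simplified to IPv6-first interleaving rather than the full RFC 6724 ordering.

```python
"""Userland endpoint selection and failover for a WireGuard peer that is
reachable over both IPv4 and IPv6. Added example; not WireGuard code.
Assumed: interface wg0, placeholder peer key, constructed candidate addresses."""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Endpoint = Tuple[str, int]          # (address literal, UDP port)

# Constructed sample values (documentation ranges); replace with your own.
IFACE = "wg0"
PEER_KEY = "PEER_PUBLIC_KEY_PLACEHOLDER"
CANDIDATES: List[Endpoint] = [
    ("192.0.2.10", 51820),          # IPv4 endpoint
    ("2001:db8::10", 51820),        # IPv6 endpoint
]
HANDSHAKE_MAX_AGE = 180             # seconds; a busy WireGuard session rekeys every 120 s


def _family(addr: str) -> int:
    return socket.AF_INET6 if ipaddress.ip_address(addr).version == 6 else socket.AF_INET


def resolve_candidates(name: str, port: int) -> List[Endpoint]:
    """RFC 8305 section 3: ask for both A and AAAA and keep every answer,
    instead of pinning the single address a one-time lookup would return."""
    out: List[Endpoint] = []
    for _fam, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, port, socket.AF_UNSPEC, socket.SOCK_DGRAM):
        ep = (sockaddr[0], port)
        if ep not in out:
            out.append(ep)
    return out


def has_route(ep: Endpoint) -> bool:
    """True if the kernel can pick a source address for ep. connect() on a
    UDP socket transmits nothing; it only runs the route lookup and raises
    OSError (ENETUNREACH) when no route exists, which is the 'IPv4 endpoint
    on an IPv6-only network' case from the thread."""
    addr, port = ep
    s = socket.socket(_family(addr), socket.SOCK_DGRAM)
    try:
        s.connect((addr, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def sort_candidates(candidates: Sequence[Endpoint]) -> List[Endpoint]:
    """Simplified RFC 8305 section 4: IPv6 first, then alternate families,
    keeping the configured order within each family."""
    v6 = [ep for ep in candidates if _family(ep[0]) == socket.AF_INET6]
    v4 = [ep for ep in candidates if _family(ep[0]) == socket.AF_INET]
    out: List[Endpoint] = []
    for i in range(max(len(v6), len(v4))):
        if i < len(v6):
            out.append(v6[i])
        if i < len(v4):
            out.append(v4[i])
    return out


def pick_endpoint(candidates: Sequence[Endpoint],
                  routable: Callable[[Endpoint], bool] = has_route) -> Optional[Endpoint]:
    """First candidate, in preference order, that this host has a route to."""
    for ep in sort_candidates(candidates):
        if routable(ep):
            return ep
    return None


def format_endpoint(ep: Endpoint) -> str:
    """wg(8) endpoint syntax: IPv6 literals are bracketed."""
    addr, port = ep
    return f"[{addr}]:{port}" if _family(addr) == socket.AF_INET6 else f"{addr}:{port}"


def wg_set_endpoint_argv(iface: str, peer_key: str, ep: Endpoint) -> List[str]:
    """Argument vector for `wg set <iface> peer <key> endpoint <addr:port>`."""
    return ["wg", "set", iface, "peer", peer_key, "endpoint", format_endpoint(ep)]


def parse_latest_handshakes(output: str) -> Dict[str, int]:
    """Parse `wg show <iface> latest-handshakes`: one '<pubkey>\\t<epoch>' line per peer."""
    result: Dict[str, int] = {}
    for line in output.splitlines():
        if line.strip():
            key, epoch = line.split("\t")
            result[key] = int(epoch)
    return result


def handshake_stale(handshakes: Dict[str, int], peer_key: str, now: int,
                    max_age: int = HANDSHAKE_MAX_AGE) -> bool:
    """No handshake yet (epoch 0) or one older than max_age means failover."""
    last = handshakes.get(peer_key, 0)
    return last == 0 or now - last > max_age


def failover(iface: str, peer_key: str, candidates: Sequence[Endpoint],
             current: Optional[Endpoint], routable=has_route,
             run=subprocess.run) -> Optional[Endpoint]:
    """Switch to the best routable candidate other than the stale one; fall back
    to the full list if nothing else is routable."""
    others = [ep for ep in candidates if ep != current]
    chosen = pick_endpoint(others, routable) or pick_endpoint(candidates, routable)
    if chosen is not None and chosen != current:
        run(wg_set_endpoint_argv(iface, peer_key, chosen), check=True)
    return chosen


if __name__ == "__main__":
    ep = pick_endpoint(CANDIDATES)
    print("selected:", format_endpoint(ep) if ep else "no routable endpoint")
```

Run `pick_endpoint` when the interface comes up and again from a network-change hook, and run `handshake_stale` on the parsed `wg show` output from a periodic timer to trigger `failover`; the route check is what makes the switch between IPv4-only and IPv6-only networks automatic, and keeping both A and AAAA answers avoids the hard-coded single-family endpoint from story 3.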
