naggie / dsnet

FAST command to manage a centralised wireguard VPN. Think wg-quick but quicker: key generation + address allocation.

Home Page: https://calbryant.uk/blog/how-to-set-up-a-wireguard-vpn-in-minutes-with-dsnet/


MOAR IPv6

frillip opened this issue · comments

As wireguard supports IPv6 out the box, so should dsnet... And it does! Sort of...

Currently, a single /128 IPv6 can be added in as a 'Network', and then any IPv6 networks available via that host can be added after that:

{
    "ExternalIP": "DOOOOOOOOOOOOM",
    "ListenPort": 51820,
    "Domain": "root2.news",
    "InterfaceName": "sqrt2news",
    "Network": "172.18.16.0/24",
    "IP": "172.18.16.1",
    "DNS": "172.18.0.1",
    "Networks": [
        "172.18.0.0/16",
        "fdca:9217:f2de:00b1::/64"
    ],
    "ReportFile": "/var/lib/dsnetreport.json",
    "PrivateKey": "WhydoyoualwaysgettoreadthetopstoryMorbo?",
    "Peers": [
        {
            "Hostname": "MORBOS-TELEPROMPTER",
            "Owner": "MORBO",
            "Description": "I WILL DESTROY YOU",
            "IP": "172.18.16.9",
            "Added": "2020-03-12T20:15:42.798800741Z",
            "Networks": [
                "172.18.1.0/24",
                "fdca:9217:f2de:00b1::9/128",
                "fdca:9217:f2de:cf86::/64"
            ],
            "PublicKey": "WORTHLESSHUMANSARENOTPERMITTEDTOVIEWMORBOSMIGHTYPUBLICKEY",
            "PresharedKey": "ALLHUMANSAREVERMININTHEEYESOFMORBO"
        }
    ]
}

To make it more 'official', I propose the adoption of an IP6 attribute, which should be a single /128 IPv6 address, and a Network6 attribute to define the network range.

{
    "ExternalIP": "DOOOOOOOOOOOOM",
    "ListenPort": 51820,
    "Domain": "root2.news",
    "InterfaceName": "sqrt2news",
    "Network": "172.18.16.0/24",
    "Network6": "fdca:9217:f2de:00b1::/64",
    "IP": "172.18.16.1",
    "IP6": "fdca:9217:f2de:00b1::1",
    "DNS": "172.18.0.1",
    "Networks": [
        "172.18.0.0/16",
        "fdca:9217:f2de::/48"
    ],
    "ReportFile": "/var/lib/dsnetreport.json",
    "PrivateKey": "WhydoyoualwaysgettoreadthetopstoryMorbo?",
    "Peers": [
        {
            "Hostname": "MORBOS-TELEPROMPTER",
            "Owner": "MORBO",
            "Description": "I WILL DESTROY YOU",
            "IP": "172.18.16.9",
            "IP6": "fdca:9217:f2de:00b1::9",
            "Added": "2020-03-12T20:15:42.798800741Z",
            "Networks": [
                "172.18.1.0/24",
                "fdca:9217:f2de:cf86::/64"
            ],
            "PublicKey": "WORTHLESSHUMANSARENOTPERMITTEDTOVIEWMORBOSMIGHTYPUBLICKEY",
            "PresharedKey": "ALLHUMANSAREVERMININTHEEYESOFMORBO"
        }
    ]
}

Resulting client config should be:

[Interface]
Address = 172.18.16.9,fdca:9217:f2de:00b1::9
PrivateKey = Becauseviewerstrustadeepmalevoiceandhugethrobbingforeheadveins!
DNS = 127.0.0.1

[Peer]
PublicKey = WORTHLESSHUMANSARENOTPERMITTEDTOVIEWMORBOSMIGHTYPUBLICKEY
PresharedKey = ALLHUMANSAREVERMININTHEEYESOFMORBO
Endpoint = DOOOOOOOOOOOOM:51820
AllowedIPs = 172.18.0.0/16,fdca:9217:f2de::/48
PersistentKeepalive = 25

Implementation will allocate unique local addresses (https://en.wikipedia.org/wiki/Unique_local_address) by default (implying NAT if internet access is desired and the subnet is unchanged). Sites looking to route IPv6 internet without NAT should set an internet-allocated subnet.

@frillip does my plan make sense?

https://www.ultratools.com/tools/rangeGenerator will be used for reference
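As an added example (not dsnet's own code), this Go program shows the allocation the proposal above implies: a random unique local /64 for Network6 and a random, collision-checked /128 for each peer's IP6, skipping the subnet-router anycast address and anything already assigned. It assumes dsnet allocates randomly rather than sequentially, as the rangeGenerator reference suggests, and simplifies the RFC 4193 global-ID derivation to crypto/rand.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net"
)

// NewULAPrefix returns a random fdxx:xxxx:xxxx::/64 unique local prefix. Assumption:
// RFC 4193 hashes time and an EUI-64 for the 40-bit global ID; crypto/rand suffices here.
func NewULAPrefix() (*net.IPNet, error) {
	ip := make(net.IP, net.IPv6len)
	if _, err := rand.Read(ip[1:6]); err != nil {
		return nil, err
	}
	ip[0] = 0xfd // fc00::/7 with the L bit set, i.e. locally assigned
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(64, 128)}, nil
}

// taken reports whether ip is already assigned; Equal copes with "00b1::9" vs "b1::9".
func taken(ip net.IP, used []net.IP) bool {
	for _, u := range used {
		if u.Equal(ip) {
			return true
		}
	}
	return false
}

// AllocateIP6 draws a random host address inside network6, keeping the prefix bits
// and skipping the subnet-router anycast address (host bits all zero) and anything
// in used. Random rather than sequential allocation is assumed to match dsnet's IPv4.
func AllocateIP6(network6 *net.IPNet, used []net.IP) (net.IP, error) {
	base := network6.IP.Mask(network6.Mask).To16()
	for attempt := 0; attempt < 256; attempt++ {
		ip := make(net.IP, net.IPv6len)
		if _, err := rand.Read(ip); err != nil {
			return nil, err
		}
		for i := range ip { // prefix from the network, host bits random
			ip[i] = base[i] | ip[i]&^network6.Mask[i]
		}
		if ip.Equal(base) || taken(ip, used) {
			continue
		}
		return ip, nil
	}
	return nil, fmt.Errorf("no free address found in %s", network6)
}
```

Pass the server's IP6 and every peer's IP6 in used; the bounded retry loop turns an exhausted (or tiny) Network6 into an error instead of spinning forever.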

Sounds good to me!

NAT is not an issue here as it is beyond the scope of dsnet anyway, and dsnet does not route all traffic by default.

Working allocation, pending tests and validation.

Also need to update the rest of the code to marshal the IPv6 addresses to config + find external IP addr + docs

Implemented in v0.2

commented

Sorry to bump this closed issue, but how do I actually get working IPv6 on a client with IPv4 only? So for example I connect via IPv4 to the IPv4 of the Wireguard server but can reach IPv6. Does something need to be done with sysctl? Something with pre-up with iptables?

What version are you using? Do you have a v0.2 config? See the FAQ for how it works. The client connects with IPv4 but has an internal IPv6 and IPv4 address if it's configured.

commented

I have 0.2 and I get an internal IPv6 and IPv4. I have this in my client:

AllowedIPs = 10.27.52.0/22, ::/0, 0.0.0.0/0

and my thought was I would be able to reach IPv6 addresses/sites. However IPv6 does not work. For example this fails: http://test-ipv6.com/ , and also ping6 ipv6.google.com does not return anything.

Maybe I am misunderstanding how this should work or I am missing something in the steps..

Have you added a route or NAT for IPv6?

commented

I did not add anything special other than the above.. IPv6 works from the host itself.. To be honest I'm not sure where/what to look at to get that working

commented

Also the wireguard interface does not have an IPv6 address (not sure if that is needed..)

wireguard: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.27.52.1 netmask 255.255.252.0 destination 10.27.52.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 296041 bytes 46865356 (46.8 MB)
RX errors 4 dropped 972 overruns 0 frame 4
TX packets 440386 bytes 519208920 (519.2 MB)
TX errors 0 dropped 1737 overruns 0 carrier 0 collisions 0

My dsnet.json looks something like:

{
"ExternalIP": "37.xxx.xx.158",
"ExternalIP6": "2001:1af8:xxxx:xxxx:441:4aff:fe00:cd3",
"ListenPort": 51820,
"Domain": "WG",
"InterfaceName": "wireguard",
"Network": "10.27.52.0/22",
"Network6": "fd00:7917:33xx:xxxx::/64",
"IP": "10.27.52.1",
"IP6": "fd00:7917:33xx:xxxx:7a02:c701:52b6:f899",
"DNS": "1.1.1.1",
"Networks": [
    "0.0.0.0/0"
],
"ReportFile": "/var/lib/dsnetreport.json",

It seems I was missing a commit, and released too early. Indeed the server interface is not given an IPv6 -- though it is allocated one. I've added a commit and will test and release - thanks for bringing it to my attention.

See https://github.com/naggie/dsnet/releases/tag/v0.2.1 -- tested working by pinging the server with its IPv6 address.

commented

Thanks, now the wireguard interface has an fd IPv6 address and I can ping it from the client. I still can not ping global IPv6 / reach the IPv6 internet. I understand this is out of scope of dsnet, but maybe give a couple of details in the README/Howto : )

All you need to do is enable IP forwarding + masquerading on the server, just like IPv4. I've been meaning to cover internet routing. Please add an issue -- I'll get round to it.

Actually @frillip could you add that and a bit about routing to the internet to the readme pls? Would be good to mention NAT and routing IPv6 without NAT.

Sure, will do. I'll include a basic V6 firewall too.

Thanks!

commented

@frillip thanks, but when I do that I completely lose connectivity, both v4 and v6, other than to the wireguard host itself.

I also tried to do:

/usr/sbin/iptables -A FORWARD -i wireguard -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
/usr/sbin/ip6tables -A FORWARD -i wireguard -j ACCEPT
/usr/sbin/ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

which works for IPv4, but when I add the v6 part it's the same result = no connectivity

Strange! How is your IPv6 configured? Is it a static allocation, or is it via stateless autoconfig, or DHCPv6? Enabling IPv6 forwarding disables stateless address configuration.

I can't say I've ever tried IPv6 NAT, it's not really something that was supposed to exist until hosting providers started getting cheap! There's a decent writeup here: https://blog.apnic.net/2018/02/02/nat66-good-bad-ugly/

commented

Probably later then.. I have no idea how the provider configures this; my best guess is via DHCP as it was up and running from the start. The provider is Leaseweb NL and it says it's a /64 prefix