The ungleich VPN infrastructure¶
- Table of contents
- The ungleich VPN infrastructure
- Security of IPv6 vs. NAT
- Wireguard VPN on vpn-2a0ae5c1.ungleich.ch
- OpenVPN on openvpn.ungleich.ch
This document is IN PRODUCTION.
Security of IPv6 vs. NAT¶
A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.
Wireguard VPN on vpn-2a0ae5c1.ungleich.ch¶
- Server: vpn-2a0ae5c1.ungleich.ch
- Port: 51820
- Requires a public key
- Client network: 2a0a:e5c1:100::/40
- Client network size: /48
How to add a new customer connection¶
- Get the public key of the customer
- Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
- Let the customer know their network
Sample clustomer client configuration¶
- Install wireguard
- Create your private key:
umask 077; wg genkey > privkey
- Get your public key:
wg pubkey < privkey
- You need to send this pubkey to ungleich
- You will get your network definition after we have received your public key
- Create /etc/wireguard/wg0.conf
[Interface] PrivateKey = YOURKEYHERE Address = YOURIPv6IPADDRESSHERE/48 ListenPort = 51280 [Peer] PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 AllowedIPs = ::/0
- ONLY change the PrivateKey and the Address entries.
- ALL other entries (especially PublicKey, Endpoint and AllowedIPs) need to stay as is
How to setup the VPN (the easy way)¶
Once you have created the configuration, you can simply call
wg-quick up wg0
And to stop the VPN, you can use
wg-quick down wg0
How to setup the VPN (the manual way)¶
Commands for setting it up
MY_NET=2a0a:e5c1:XXXX::1/48 ip link add dev wg0 type wireguard # Replace with your range ip addr add $MY_NET dev wg0 # Add routing ip route add 2a0a:e5c1::/32 dev wg0 ip route add ::/0 via 2a0a:e5c1:100::1 # Configure the interface wg setconf wg0 /etc/wireguard/wg0.conf # Bring it up ip link set wg0 up
About usable IPv6 addresses¶
We route a /48 to everyone. Even though technically possible, you should not use the zero address of your network, as it is reserved for reaching all routers.
I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network
are supposed to answer on this address.
In other words, in your wg0.conf use:
[Interface] ... Address = 2a0a:e5c1:101::42/48
Do NOT use:
[Interface] ... # Don't use this Address = 2a0a:e5c1:101::/48
How to debug¶
- wg show # Show configuration
- ping 2a0a:e5c1:100::1 # Try to ping the gateway
If you want to send us your configuration, you should remove your private key from wg0.conf.
Under Linux/BSD/MacOS you can do that as follows:
cat /etc/wireguard/wg0.conf | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
The result could look as follows:
root@line:~# cat /etc/wireguard/wg0.conf | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' [Interface] PrivateKey = MYPRIVATEKEY ListenPort = 51280 Address = 2a0a:e5c1:101::42/48 #DNS = 2a0a:e5c0::3, 2a0a:e5c0::4 [Peer] PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 AllowedIPs = ::/0
Sample server configuration¶
This is just for reference - as a client you don't need this configuration
[Interface] ListenPort = 51820 PrivateKey = SERVERKEYHERE # Nico, 2019-01-23 [Peer] PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8= AllowedIPs = 2a0a:e5c1:101::/48 # Customer networks below # ...
Sample server rc.local:
ip link add dev wg0 type wireguard ip addr add 2a0a:e5c1:100::1/40 dev wg0 wg setconf wg0 /etc/wireguard/wg0.conf ip link set wg0 up
How to config wireguard on mobile phone(android / ios)¶
You should fill out DNS field. ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4 and you should assgin phone own IP. ex) laptop Address = 2a0a:e5c1:101::42/48 phone Address = 2a0a:e5c1:101::43/48 another things are same as client's configutaion.
OpenVPN on openvpn.ungleich.ch¶
- Server: openvpn.ungleich.ch
- Port: 1195
- Requires a certificate
- Address range: 2a0a:e5c0:3::/48
- Client networks are /64
END OF LIFE by 2019-06-30