Project

General

Profile

The ungleich VPN infrastructure » History » Version 26

Jin-Guk Kwon, 09/25/2019 10:41 AM

1 1 Nico Schottelius
h1. The ungleich VPN infrastructure
2
3 5 Nico Schottelius
{{toc}}
4
5 11 Nico Schottelius
h2. Status
6
7 24 Sanghee Kim
This document is *IN PRODUCTION*.
8 11 Nico Schottelius
9 13 Nico Schottelius
h2. Security of IPv6 vs. NAT
10
11
A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.
12
13 14 Nico Schottelius
h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch
14 1 Nico Schottelius
15
* Server: vpn-2a0ae5c1.ungleich.ch
16
* Port: 51820
17
* Requires a public key
18 7 Nico Schottelius
* Client network: 2a0a:e5c1:100::/40
19 1 Nico Schottelius
* Client network size: /48
20
21 9 Nico Schottelius
h3. How to add a new customer connection
22 1 Nico Schottelius
23 9 Nico Schottelius
* Get the public key of the customer
24
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
25
* Let the customer know their network
26 1 Nico Schottelius
27 9 Nico Schottelius
h3. Sample clustomer client configuration
28
29
* "Install wireguard":https://www.wireguard.com/install/
30
* Create your private key: @umask 077; wg genkey > privkey@
31
* Get your public key: @wg pubkey < privkey@
32
** You need to send this pubkey to ungleich
33
* You will get your network definition after we have received your public key
34
* Create /etc/wireguard/wg0.conf
35
36 1 Nico Schottelius
<pre>
37
[Interface]
38
PrivateKey = YOURKEYHERE
39 12 Nico Schottelius
Address = YOURIPv6IPADDRESSHERE/48
40 1 Nico Schottelius
ListenPort = 51280
41
42
[Peer]
43 9 Nico Schottelius
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
44 1 Nico Schottelius
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
45
AllowedIPs = ::/0
46
</pre>
47
48 19 Nico Schottelius
* *ONLY change* the PrivateKey and the Address entries.
49
* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*
50
51 14 Nico Schottelius
h3. How to setup the VPN (the easy way)
52
53
Once you have created the configuration, you can simply call
54
55
<pre>
56
wg-quick up wg0
57
</pre>
58
59
And to stop the VPN, you can use
60
61
<pre>
62
wg-quick down wg0
63
</pre>
64
65
66
h3. How to setup the VPN (the manual way)
67
68
69 1 Nico Schottelius
Commands for setting it up
70
71
<pre>
72
MY_NET=2a0a:e5c1:XXXX::1/48
73
74
ip link add dev wg0 type wireguard
75
76
# Replace with your range
77
ip addr add $MY_NET dev wg0
78
79 12 Nico Schottelius
# Add routing
80 14 Nico Schottelius
ip route add 2a0a:e5c1::/32 dev wg0
81 1 Nico Schottelius
ip route add ::/0 via 2a0a:e5c1:100::1
82
83 12 Nico Schottelius
# Configure the interface
84
wg setconf wg0 /etc/wireguard/wg0.conf
85 1 Nico Schottelius
86 12 Nico Schottelius
# Bring it up
87
ip link set wg0 up
88
</pre>
89
90 15 Nico Schottelius
h3. About usable IPv6 addresses
91 1 Nico Schottelius
92 15 Nico Schottelius
We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.
93
I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network
94
are supposed to answer on this address.
95
96
In other words, in your wg0.conf use:
97
98
<pre>
99
[Interface]
100
...
101
Address = 2a0a:e5c1:101::42/48
102
</pre>
103
104
Do *NOT* use:
105
106
<pre>
107
[Interface]
108
...
109
# Don't use this
110
Address = 2a0a:e5c1:101::/48
111
</pre>
112
113
114 14 Nico Schottelius
h3. How to debug
115 1 Nico Schottelius
116 14 Nico Schottelius
* wg show # Show configuration
117
* ping 2a0a:e5c1:100::1 # Try to ping the gateway
118 15 Nico Schottelius
119 16 Nico Schottelius
If you want to send us your configuration, you should remove your private key from wg0.conf.
120
Under Linux/BSD/MacOS you can do that as follows:
121
122
<pre>
123
cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
124
</pre>
125
126
The result could look as follows:
127
128
<pre>
129
root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
130
[Interface]
131
PrivateKey = MYPRIVATEKEY
132
ListenPort = 51280
133
Address = 2a0a:e5c1:101::42/48
134
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4
135
136
[Peer]
137
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
138
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
139
AllowedIPs = ::/0
140
</pre>
141
142 15 Nico Schottelius
143 6 Nico Schottelius
144
h3. Sample server configuration
145 1 Nico Schottelius
146 10 Nico Schottelius
This is just for reference - as a client you don't need this configuration
147
148 6 Nico Schottelius
/etc/wireguard/wg0.conf:
149
150
<pre>
151
[Interface]
152
ListenPort = 51820
153 7 Nico Schottelius
PrivateKey = SERVERKEYHERE
154 6 Nico Schottelius
155
# Nico, 2019-01-23
156
[Peer]
157
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
158
AllowedIPs = 2a0a:e5c1:101::/48
159
160
# Customer networks below
161
# ...
162
</pre>
163
164
Sample server rc.local:
165
166
<pre>
167
ip link add dev wg0 type wireguard
168
ip addr add 2a0a:e5c1:100::1/40 dev wg0
169
wg setconf wg0 /etc/wireguard/wg0.conf
170
ip link set wg0 up
171
172 1 Nico Schottelius
</pre>
173
174 20 Jin-Guk Kwon
h3. How to config wireguard on mobile phone(android / ios)
175
176
<pre>
177
You should fill out DNS field.
178 22 Jin-Guk Kwon
ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
179 20 Jin-Guk Kwon
and you should assgin phone own IP.
180
ex) laptop Address = 2a0a:e5c1:101::42/48
181 21 Jin-Guk Kwon
    phone Address = 2a0a:e5c1:101::43/48
182
another things are same as client's configutaion.
183 20 Jin-Guk Kwon
</pre>
184
185 26 Jin-Guk Kwon
h3. How to config IPv6 DNS on wireguard(if it can't find DNS)
186 25 Jin-Guk Kwon
187
<pre>
188
You should fill out DNS field.
189 1 Nico Schottelius
ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
190 26 Jin-Guk Kwon
DNS = 2a0a:e5c0::3
191 25 Jin-Guk Kwon
</pre>
192
193 1 Nico Schottelius
h2. OpenVPN on openvpn.ungleich.ch
194
195
* Server: openvpn.ungleich.ch
196
* Port: 1195
197
* Requires a certificate
198
* Address range: 2a0a:e5c0:3::/48
199
** Client networks are /64
200 17 Nico Schottelius
201 18 Nico Schottelius
*END OF LIFE by 2019-06-30*