Ungleich IPv6 wireguard VPN » History » Version 10

Nico Schottelius, 07/19/2021 02:32 PM

h1. Ungleich IPv6 wireguard VPN

{{toc}}

*%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%*

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM user of DataCenterLight, you get it for free
* Otherwise you can book it at https://IPv6VPN.ch
* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>
1. Install Wireguard
 https://www.wireguard.com/install/

2. Create your private key:
 umask 077; wg genkey > privkey

3. Get your public key
  wg pubkey < privkey

4. Send us the pubkey
</pre>

If you want to be fast, you can already take these steps before contacting support. Only the public key leaves your machine: the private key stays in the file @privkey@ (the @umask 077@ makes it readable by you alone) and must never be sent to anyone, including support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall. With this VPN the reminder matters more than usual: the /48 we route to you consists of globally routed addresses, so every device you put into it is reachable from the whole Internet through the tunnel, with no NAT in between that would hide it by accident. Filter inbound traffic on the wg0 interface (and on the forwarding path, if you route the prefix further into a LAN) before you put anything into the network.

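
As an added example (not part of the ungleich page), the filter that reminder asks for, written for a Linux client: a POSIX shell function that prints an nftables ruleset which drops unsolicited traffic arriving through the tunnel interface, on the input path and, for a client that forwards its /48 on into a LAN, on the forward path, while letting replies, ICMPv6 (which IPv6 needs for neighbour discovery and path MTU discovery) and an optional list of TCP service ports through. The interface name @wg0@, the table name @wgfilter@ and the port list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ungleich page: nftables filter for the routed /48.
# Assumptions: interface name "wg0", table name "wgfilter", ports given by the caller.

# wg_inet_filter IFACE [TCP_PORT...] -> nftables ruleset on stdout
# Everything arriving through IFACE that is not a reply, ICMPv6 or one of the
# listed TCP ports is dropped; other interfaces are left alone (policy accept).
wg_inet_filter() {
    iface=$1
    shift
    ports=""
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) printf 'wg_inet_filter: bad port %s\n' "$p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { printf 'wg_inet_filter: bad port %s\n' "$p" >&2; return 1; }
        ports="${ports:+$ports, }$p"
    done

    # Declaring the table and then deleting it makes the ruleset idempotent:
    # loading it twice replaces the old rules instead of appending to them.
    cat <<EOF
table ip6 wgfilter
delete table ip6 wgfilter
table ip6 wgfilter {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$iface" jump from_vpn
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$iface" jump from_vpn
    }
    chain from_vpn {
        ct state established,related accept
        ct state invalid drop
        meta l4proto icmpv6 accept
EOF
    if [ -n "$ports" ]; then
        printf '        tcp dport { %s } accept\n' "$ports"
    fi
    cat <<EOF
        drop
    }
}
EOF
}

# Usage (as root, once wg0 exists):  wg_inet_filter wg0 22 443 | nft -f -
```

Pipe the output into @nft -f -@ as root after the interface exists. Traffic on your other interfaces is untouched because both base chains keep @policy accept@ and only jump into @from_vpn@ for packets that entered through @wg0@; call the function with no ports to expose nothing at all.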
h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN

It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN. For a name that only has an IPv4 address, these resolvers synthesize an IPv6 (AAAA) answer pointing into our NAT64 range, so the connection travels as IPv6 through the tunnel and is translated to IPv4 on our side.

It will:

* Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic.
* Route all traffic to domain names (resolved by either of the two DNS servers) via the VPN.

It won't:

* Route traffic to IPv4 addresses typed directly (= bypassing DNS) via the VPN: there is no DNS answer to rewrite.
* Route traffic from applications that use their own DNS resolver (e.g. Firefox with DNS-over-HTTPS enabled), because those never see the synthesized answers.
* Route IPv4 traffic (the client configuration below only sends @::/0@ into the tunnel).

*Complete isolation* can be achieved using network namespaces, as "described on wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution.

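
To make the "It will / It won't" list concrete, here is an added example (not from the ungleich page) that models what a DNS64 resolver does: a POSIX shell script with a constructed stand-in for an ordinary upstream DNS server, a @synth_aaaa@ function that embeds an IPv4 address into a NAT64 prefix the way RFC 6052 describes, and a @via_vpn@ classifier that applies the rules above to a destination as a user would type it. The prefix 64:ff9b::/96 (the well-known NAT64 prefix) and the example names and addresses are assumptions; the prefix ungleich's resolvers actually embed is not stated on this page.

```shell
#!/bin/sh
# Added example, not from the ungleich page: what a DNS64 resolver does with
# IPv4-only names and why an IPv4 literal or a private resolver bypasses it.
# Assumption: the RFC 6052 well-known NAT64 prefix 64:ff9b::/96 is used for
# illustration; the prefix ungleich's resolvers embed is not stated on the page.
NAT64_PREFIX=64:ff9b::

# Constructed stand-in for the answers of an ordinary (non-DNS64) upstream server.
lookup_a() {
    case $1 in
        v4only.example) echo 192.0.2.10 ;;
        dual.example)   echo 198.51.100.7 ;;
        *) return 1 ;;
    esac
}
lookup_aaaa() {
    case $1 in
        dual.example) echo 2001:db8::7 ;;
        *) return 1 ;;
    esac
}

# synth_aaaa PREFIX IPV4 -> IPv6 address with IPV4 embedded in the low 32 bits
synth_aaaa() {
    prefix=$1
    oldifs=$IFS; IFS=.; set -- $2; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    # two 16-bit groups: a.b -> a*256+b, c.d -> c*256+d, printed in hex
    printf '%s%x:%x\n' "$prefix" $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# dns64_resolve NAME -> the real AAAA if the name has one, otherwise a synthesized one
dns64_resolve() {
    if aaaa=$(lookup_aaaa "$1"); then
        echo "$aaaa"
        return 0
    fi
    a=$(lookup_a "$1") || return 1
    synth_aaaa "$NAT64_PREFIX" "$a"
}

# via_vpn DESTINATION -> "vpn", "bypass" or "unresolved", following the list
# above: only IPv6 (::/0) enters the tunnel, so an IPv4 literal never does, and
# a name only helps when it is resolved through the DNS64 servers.
via_vpn() {
    case $1 in
        *:*) echo vpn ;;                         # IPv6 literal, matched by AllowedIPs = ::/0
        *[!0-9.]*) if dns64_resolve "$1" >/dev/null; then echo vpn; else echo unresolved; fi ;;
        *) echo bypass ;;                        # IPv4 literal: no DNS answer to rewrite
    esac
}
```

A dual-stack name keeps its real AAAA record and is never translated; only names without one get a synthesized address, which is why the resolvers have to be the ones the VPN hands out and why an application bringing its own DNS-over-HTTPS resolver ends up in the "won't" column.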

h3. Setup instruction

It's dead-simple! You only have to add the following lines to the @[Interface]@ section (just below the @ListenPort@ line) of your wireguard configuration:

<pre>
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d
</pre>

Note that @DNS@ is a wg-quick setting: @wg-quick up@ installs the resolvers (through the system's resolvconf on Linux) while the tunnel is up and removes them again on @wg-quick down@. If you bring the interface up by hand with @wg setconf@, you have to configure the resolvers yourself.

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf (readable by root only, since it contains your private key)

<pre>
[Interface]
PrivateKey = YOURKEYHERE
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51820

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

* *ONLY change* the PrivateKey and the Address entries.
* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*. The PublicKey is what authenticates the server to you: with a different key the handshake never completes, so a typo here shows up as a tunnel that comes up but never passes traffic.

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

This reads /etc/wireguard/wg0.conf, creates the interface, assigns the address and, because AllowedIPs is @::/0@, installs the default IPv6 route through the tunnel (on Linux via a routing-policy rule, so the encrypted packets to the Endpoint itself still leave through your normal uplink).

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up. Two details matter here: @wg setconf@ only understands the @PrivateKey@/@ListenPort@ keys of the @[Interface]@ section and the @[Peer]@ section and rejects the wg-quick-only keys (@Address@, @DNS@), so the file is passed through @wg-quick strip@ first; and the Linux kernel refuses IPv6 routes on an interface that is still down, so the routes are added after @ip link set wg0 up@:

<pre>
MY_NET=2a0a:e5c1:XXXX::1/48

# Create the interface
ip link add dev wg0 type wireguard

# Load the private key and the peer; wg-quick strip removes Address/DNS lines
wg-quick strip wg0 | wg setconf wg0 /dev/stdin

# Replace with your range
ip addr add $MY_NET dev wg0

# Bring it up (routes can only be added once the interface is up)
ip link set wg0 up

# Add routing: the client pool is on-link, everything else goes via the gateway
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers. I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network are supposed to answer on this address: it is the subnet-router anycast address defined in RFC 4291, so a packet sent there may be answered by any router of the prefix, not by your host.

In other words, in your wg0.conf use:

<pre>
[Interface]
...
Address = 2a0a:e5c1:101::42/48
</pre>

Do *NOT* use:

<pre>
[Interface]
...
# Don't use this
Address = 2a0a:e5c1:101::/48
</pre>

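
Putting the sample configuration and the address rule together, here is an added example (not from the ungleich page) that renders wg0.conf for this server and refuses the mistakes described above: a POSIX shell function that checks that the private key file has the shape @wg genkey@ produces, that the Address carries the /48 prefix length, lies inside the client pool 2a0a:e5c1:100::/40 and is not the zero address of its /48, and only then prints the configuration with the server's PublicKey, Endpoint and AllowedIPs exactly as given above. The function name, the 44-character key check and the string-based address checks are assumptions of this example; the default ListenPort 51820 is taken from the sample configuration.

```shell
#!/bin/sh
# Added example, not from the ungleich page: render /etc/wireguard/wg0.conf for
# vpn-2a0ae5c1.ungleich.ch after checking the Address against the rules above.
# Server key, endpoint and AllowedIPs are copied from the page; the address checks
# are string based (the address is lower-cased first) and assume the usual
# "2a0a:e5c1:1xx::..." spelling of the pool 2a0a:e5c1:100::/40.

# wg_client_conf PRIVKEY_FILE ADDRESS/48 [LISTENPORT] -> wg0.conf on stdout
wg_client_conf() {
    keyfile=$1
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    port=${3:-51820}

    key=$(cat "$keyfile") || return 1
    # wg genkey output: 32 random bytes in base64 = 44 characters ending in '='
    if [ "${#key}" -ne 44 ] || [ "${key%=}" = "$key" ]; then
        echo "wg_client_conf: $keyfile does not look like the output of wg genkey" >&2
        return 1
    fi

    case $addr in
        */48) ;;
        *) echo "wg_client_conf: Address must carry the /48 prefix length" >&2; return 1 ;;
    esac
    host=${addr%/48}

    # inside 2a0a:e5c1:100::/40: the third group is 0x100..0x1ff
    case $host in
        2a0a:e5c1:1[0-9a-f][0-9a-f]:*|2a0a:e5c1:01[0-9a-f][0-9a-f]:*) ;;
        *) echo "wg_client_conf: $host is not inside 2a0a:e5c1:100::/40" >&2; return 1 ;;
    esac

    # zero address of the /48: the three-group prefix followed by "::" and nothing else
    case $host in
        2a0a:e5c1:1[0-9a-f][0-9a-f]::|2a0a:e5c1:01[0-9a-f][0-9a-f]::)
            echo "wg_client_conf: $host is the subnet-router anycast address, use e.g. ${host}42" >&2
            return 1 ;;
    esac

    cat <<EOF
[Interface]
PrivateKey = $key
Address = $addr
ListenPort = $port

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
EOF
}

# Usage: (umask 077; wg_client_conf privkey 2a0a:e5c1:101::42/48 > /etc/wireguard/wg0.conf)
```

The private key is read from a file rather than passed as an argument so it never shows up in the process list or shell history, and the suggested usage keeps the @umask 077@ from the key generation step so the resulting wg0.conf is readable by root only.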
h3. How to debug

* @wg show@ # Show configuration; a peer with a recent "latest handshake" and growing "transfer" counters is talking to the server
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.
Under Linux/BSD/MacOS you can do that as follows:

<pre>
cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
</pre>

The result could look as follows:

<pre>
root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
[Interface]
PrivateKey = MYPRIVATEKEY
ListenPort = 51280
Address = 2a0a:e5c1:101::42/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

h3. How to config wireguard on mobile phone (android / ios)

* Fill out the DNS field, e.g. for IPv6 DNS: 2a0a:e5c0::3 or 2a0a:e5c0::4
* Assign the phone its own IP address: every device in your /48 needs a different address, otherwise the laptop and the phone would claim the same one

<pre>
laptop Address = 2a0a:e5c1:101::42/48
phone  Address = 2a0a:e5c1:101::43/48
</pre>

* Everything else is the same as in the client configuration above
* If the phone reuses the laptop's private key, keep in mind that the server remembers only one endpoint per public key, so the two devices cannot be connected at the same time; for that, the phone needs its own key pair (and its own peer entry on the server side)

h3. How to config IPv6 DNS on wireguard (if it can't find DNS)

Fill out the DNS field, e.g. for IPv6 DNS: 2a0a:e5c0:2:12:0:f0ff:fea9:c451 or 2a0a:e5c0:2:12:0:f0ff:fea9:c45d

<pre>
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451
</pre>

h3. How to config wireguard manually on Mac OS without APP (for using IPv4 and IPv6 at the same time)

* Install wireguard on macOS: @brew install wireguard-tools@ (this pulls in wireguard-go, the userspace implementation that wg-quick uses on macOS)
* Find the wireguard configuration directory: @cd "$(brew --prefix)/etc/wireguard"@, which is /usr/local/etc/wireguard on Intel Macs and /opt/homebrew/etc/wireguard on Apple Silicon Macs
* Create wg0.conf in that directory (refer to above)
* Run wireguard: @wg-quick up wg0@

h2. ungleich VPN types and configuration

This guide is for internal handling, but also publicly available to allow knowledge sharing.

h3. Type 1, classic IPv6-VPN

* We route a /48 into the tunnel, the pool is usually a /40 or bigger
* Most VPN servers at ungleich operate like this

Pro/Con:

* Very easy setup
* Not much knowledge required
* Single stack

h3. Type 2, IPv6-VPN with mapped IPv4

* We route a /48 into the tunnel, the pool is usually a /40 or bigger
* Additionally IPv4 connectivity is provided via NAT64
** One or more IPv6 addresses are mapped to IPv4 addresses
** The client devices see IPv6 traffic
* Outgoing IPv4 mapping can be achieved, if the correct NAT64 network is targeted
** Can be configured using DNS64

Pro/Con:

* More tailored to clean IPv6 environments
* Target networks stay IPv6 only
* Needs more knowledge from operator
* Needs additional configuration on ungleich side
* Port forwarding setups on the router are non-trivial
** Needs NAT64 on the router if IPv4 devices should be targeted

h3. Type 3, IPv4 only VPN

* We route 1 (or more) IPv4 addresses into the tunnel

Pro/Con:

* The client can configure port forwarding
* No support for new technology/IPv6
* Solves IPv4 only use cases trivially

h3. Type 4, IPv6-VPN with native IPv4

* We route a /48 into the tunnel, the pool is usually a /40 or bigger
* We route 1 (or more) IPv4 addresses into the tunnel

Pro/Con:

* The client can configure port forwarding
* Support for new technology/IPv6 automatically
* Solves IPv4 only use cases trivially

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64

*END OF LIFE by 2019-06-30*