Revision 9 (Nico Schottelius, 06/23/2021 08:43 PM) → Revision 10/11 (Nico Schottelius, 07/19/2021 02:32 PM)

h1. Ungleich IPv6 wireguard VPN 

 {{toc}} 

 *%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%* 

 h2. Status 

 This document is *IN PRODUCTION*. 

 h2. How to get VPN 

 * If you are a VM user of DataCenterLight, you get it for free 
 * Otherwise you can book it at https://IPv6VPN.ch 
 * In both cases, send a request to support at ungleich.ch 

 Technically, the following steps are necessary: 

 <pre> 
 1. Install Wireguard 
  https://www.wireguard.com/install/ 

 2. Create your private key: 
  umask 077; wg genkey > privkey 

 3. Get your public key 
   wg pubkey < privkey 

 4. Send us the pubkey 
 </pre> 

 If you want to be fast, you can already take these steps before contacting support. 


 h2. Security of IPv6 vs. NAT 

 A quick reminder: NAT is not a firewall. Whether you use private RFC 1918 IPv4 addresses behind NAT or globally routable IPv6 addresses, you need to configure a firewall if you don't want people to access your network. This matters even more with this VPN: your /48 is globally routed, so with @AllowedIPs = ::/0@ every address you assign from it is reachable from the whole internet through the tunnel unless you filter inbound connections on @wg0@ (for instance: allow established traffic and ICMPv6, drop the rest) on every device you attach. 

 h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN 

 It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN. 

 It will: 

 * Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic. 
 * Route all traffic to domain names (resolved by either of the two DNS servers) via the VPN: IPv4-only names get a synthesised AAAA record (DNS64), and the resulting IPv6 traffic is translated to IPv4 by ungleich's NAT64 gateway. 

 It won't: 

 * Route traffic to literal IP addresses (= bypassing DNS) via the VPN. 
 * Route traffic from applications that use their own DNS resolver (e.g. Firefox with DNS-over-HTTPS enabled), because they never see the DNS64 answers. 
 * Route native IPv4 traffic: the tunnel carries only IPv6 (@AllowedIPs = ::/0@), so IPv4 packets leave via your normal IPv4 uplink. 

 *Complete isolation* can be achieved using network namespaces, as "described on wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution. 

 h3. Setup instruction 

 Add the following lines to the @[Interface]@ section of your WireGuard configuration (just below @ListenPort = 51280@). Note that the @DNS@ key is interpreted by @wg-quick@ (which calls @resolvconf@); it has no effect if you set the interface up manually with @wg setconf@, in which case configure the resolvers in your system's resolver settings instead: 

 <pre> 
 DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451 
 DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d 
 </pre> 

 h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch 

 * Server: vpn-2a0ae5c1.ungleich.ch 
 * Port: 51820 
 * Requires a public key 
 * Client network: 2a0a:e5c1:100::/40 
 * Client network size: /48 

 

 h3. Sample customer client configuration 

 * "Install wireguard":https://www.wireguard.com/install/ 
 * Create your private key: @umask 077; wg genkey > privkey@ 
 * Get your public key: @wg pubkey < privkey@ 
 ** You need to send this pubkey to ungleich 
 * You will get your network definition after we have received your public key 
 * Create /etc/wireguard/wg0.conf 

 <pre> 
 [Interface] 
 PrivateKey = YOURKEYHERE 
 Address = YOURIPv6IPADDRESSHERE/48 
 ListenPort = 51280 

 [Peer] 
 PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= 
 Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 
 AllowedIPs = ::/0 
 </pre> 

 * *ONLY change* the PrivateKey and the Address entries. 
 * *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is* 

 

 h3. How to setup the VPN (the easy way) 

 Once you have created the configuration, you can simply call 

 <pre> 
 wg-quick up wg0 
 </pre> 

 And to stop the VPN, you can use 

 <pre> 
 wg-quick down wg0 
 </pre> 


 h3. How to setup the VPN (the manual way) 


 Commands for setting it up (bash; the order matters, see the comments): 

 <pre> 
 # Replace XXXX with the /48 you received from ungleich 
 MY_NET=2a0a:e5c1:XXXX::1/48 

 ip link add dev wg0 type wireguard 

 # Load the keys and the peer. wg setconf only understands wg(8) keys, so the 
 # wg-quick-only keys (Address, DNS, ...) have to be stripped from the config first 
 wg setconf wg0 <(wg-quick strip wg0) 

 # Assign your address 
 ip addr add $MY_NET dev wg0 

 # Bring it up before adding routes (the kernel rejects routes via a down interface) 
 ip link set wg0 up 

 # Add routing: the whole ungleich pool and the default route via the VPN gateway 
 ip route add 2a0a:e5c1::/32 dev wg0 
 ip route add ::/0 via 2a0a:e5c1:100::1 dev wg0 
 </pre> 

 h3. About usable IPv6 addresses 

 We route a /48 to everyone. Even though it is technically possible, do not use the *zero address* of your network: it is the Subnet-Router anycast address (RFC 4291, section 2.6.1), on which every router (every device with IP forwarding enabled) in the network is supposed to answer. I.e. if your IPv6 network is 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. 

 In other words, in your wg0.conf use: 

 <pre> 
 [Interface] 
 ... 
 Address = 2a0a:e5c1:101::42/48 
 </pre> 

 Do *NOT* use: 

 <pre> 
 [Interface] 
 ... 
 # Don't use this 
 Address = 2a0a:e5c1:101::/48 
 </pre> 


 h3. How to debug 

 * wg show # Show configuration 
 * ping 2a0a:e5c1:100::1 # Try to ping the gateway 

 If you want to send us your configuration, you should remove your private key from wg0.conf. 
 Under Linux/BSD/MacOS you can do that as follows: 

 <pre> 
 cat /etc/wireguard/wg0.conf    | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' 
 </pre> 

 The result could look as follows: 

 <pre> 
 root@line:~# cat /etc/wireguard/wg0.conf    | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' 
 [Interface] 
 PrivateKey = MYPRIVATEKEY 
 ListenPort = 51280 
 Address = 2a0a:e5c1:101::42/48 
 #DNS = 2a0a:e5c0::3, 2a0a:e5c0::4 

 [Peer] 
 PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= 
 Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 
 AllowedIPs = ::/0 
 </pre> 
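 A helper that applies the rules from this page, added here as an example (not ungleich's tooling): it wraps the key generation steps above in wg(8), checks that the address chosen for @Address =@ is a /48 inside the client pool and not the subnet-router anycast address, renders wg0.conf with the fixed @[Peer]@ block, writes it with mode 0600, and redacts the private key the same way the sed one-liner above does. The /48 2a0a:e5c1:101::/48 and the placeholder key (the bytes 0..31, never use it as a key) are constructed for illustration; the listen port follows the client examples on this page. 

```python
"""Added example (not ungleich's code): build, check and redact a customer
wg0.conf for the vpn-2a0ae5c1.ungleich.ch peer according to the rules on the
page. ASSUMPTIONS: the sample /48 and SAMPLE_PRIVATE_KEY are constructed."""
import base64
import ipaddress
import os
import re
import stat
import subprocess
import tempfile
from typing import Optional

# Fixed values from the page: the [Peer] block must stay exactly like this.
PEER_PUBLIC_KEY = "hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ="
PEER_ENDPOINT = "vpn-2a0ae5c1.ungleich.ch:51820"
CLIENT_POOL = ipaddress.IPv6Network("2a0a:e5c1:100::/40")
CLIENT_LISTEN_PORT = 51280
# Constructed placeholder (bytes 0..31) so the example runs without wg installed.
SAMPLE_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()


def generate_keypair() -> tuple:
    """Steps 2/3 of the page via wireguard-tools; the private key is only ever
    passed through a pipe, never through the shell history."""
    run = lambda args, inp=None: subprocess.run(  # noqa: E731
        args, input=inp, check=True, capture_output=True, text=True).stdout.strip()
    private = run(["wg", "genkey"])
    return private, run(["wg", "pubkey"], private)


def is_valid_key(key: str) -> bool:
    """WireGuard keys are 32 raw bytes, i.e. exactly 44 base64 characters."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def address_problem(address: str) -> Optional[str]:
    """Why `address` (host/prefixlen) must not go into Address=, or None if fine."""
    try:
        iface = ipaddress.IPv6Interface(address)
    except ValueError as exc:
        return f"not an IPv6 address with prefix length: {exc}"
    if iface.network.prefixlen != 48:
        return f"ungleich routes a /48 to you, not a /{iface.network.prefixlen}"
    if not iface.network.subnet_of(CLIENT_POOL):
        return f"{iface.network} is outside the client pool {CLIENT_POOL}"
    # All-zero host part = Subnet-Router anycast address (RFC 4291 2.6.1):
    # every router in the /48 answers on it, so a host must not claim it.
    if iface.ip == iface.network.network_address:
        return (f"{iface.ip} is the subnet-router anycast address; use e.g. "
                f"{iface.network.network_address + 0x42}")
    return None


def is_usable_address(address: str) -> bool:
    return address_problem(address) is None


def render_config(private_key: str, address: str) -> str:
    """Build wg0.conf; only PrivateKey and Address vary per customer."""
    if not is_valid_key(private_key):
        raise ValueError("PrivateKey is not a 32-byte base64 WireGuard key")
    problem = address_problem(address)
    if problem:
        raise ValueError(problem)
    iface = ipaddress.IPv6Interface(address)
    return ("[Interface]\n"
            f"PrivateKey = {private_key}\n"
            f"Address = {iface.with_prefixlen}\n"
            f"ListenPort = {CLIENT_LISTEN_PORT}\n\n"
            "[Peer]\n"
            f"PublicKey = {PEER_PUBLIC_KEY}\n"
            f"Endpoint = {PEER_ENDPOINT}\n"
            "AllowedIPs = ::/0\n")


def write_config(text: str, path: Optional[str] = None) -> str:
    """Create the file with mode 0600 from the start (wg warns about world-readable
    configs; the key must not be exposed even briefly). Returns the path written."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="wg-example-"), "wg0.conf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def config_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


_PRIVATE_KEY_LINE = re.compile(r"^(\s*PrivateKey\s*=\s*).*$", re.MULTILINE)


def redact_config(text: str) -> str:
    """Same effect as the page's sed one-liner: blank the key before sharing."""
    return _PRIVATE_KEY_LINE.sub(r"\1MYPRIVATEKEY", text)


if __name__ == "__main__":
    cfg = render_config(SAMPLE_PRIVATE_KEY, "2a0a:e5c1:101::42/48")
    path = write_config(cfg)
    print(f"wrote {path} with mode {config_mode(path):o}")
    print(redact_config(cfg))
    print("zero address rejected:", address_problem("2a0a:e5c1:101::/48"))
```

 Run as a script it writes a sample config into a fresh temporary directory and prints the redacted form; in real use call @generate_keypair()@ on the machine that will run the tunnel, send only the second element to support, and write the config to @/etc/wireguard/wg0.conf@ via @write_config(cfg, "/etc/wireguard/wg0.conf")@ as root. 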

 h3. How to configure WireGuard on a mobile phone (Android / iOS) 

 * Fill in the DNS field, e.g. @2a0a:e5c0::3@ or @2a0a:e5c0::4@ for IPv6 DNS. 
 * Give the phone its own address from your /48, different from your other devices, e.g. laptop @Address = 2a0a:e5c1:101::42/48@ and phone @Address = 2a0a:e5c1:101::43/48@. 
 * Everything else is the same as in the client configuration above. 

 Note that WireGuard tracks one endpoint per public key: if the phone reuses the laptop's key pair, only the device that completed the most recent handshake receives traffic, so the two cannot be connected at the same time. 

 h3. How to configure IPv6 DNS in WireGuard (if name resolution does not work) 

 Fill in the DNS field with one of the VPN resolvers, @2a0a:e5c0:2:12:0:f0ff:fea9:c451@ or @2a0a:e5c0:2:12:0:f0ff:fea9:c45d@, i.e. in wg0.conf: 

 <pre> 
 DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451 
 </pre> 

 h3. How to configure WireGuard manually on macOS without the app (for using IPv4 and IPv6 at the same time) 

 <pre> 
 1) Install WireGuard (wireguard-tools also pulls in wireguard-go, the userspace implementation macOS needs) 
    brew install wireguard-tools 

 2) Change into the WireGuard configuration directory 
    cd /usr/local/etc/wireguard 
    (on Apple Silicon Homebrew lives under /opt/homebrew; "$(brew --prefix)/etc/wireguard" works on both) 

 3) Create wg0.conf there (see the sample customer client configuration above) 

 4) Start the VPN (root is needed to create the utun interface) 
    sudo wg-quick up wg0 
 </pre> 

 h2. ungleich VPN types and configuration 

 This guide is for internal handling, but also publicly available to allow knowledge sharing. 

 h3. Type 1, classic IPv6-VPN 

 * We route a /48 into the tunnel; the pool is usually a /40 or bigger 
 * Most VPN servers at ungleich operate like this 

 Pro/Con: 

 * Very easy setup 
 * Not much knowledge required 
 * Single stack 

 h3. Type 2, IPv6-VPN with mapped IPv4 

 * We route a /48 into the tunnel; the pool is usually a /40 or bigger 
 * Additionally IPv4 connectivity is provided via NAT64 
 ** One or more IPv6 addresses are mapped to IPv4 addresses 
 ** The client devices see IPv6 traffic 
 * Outgoing IPv4 connectivity works if the correct NAT64 network is targeted 
 ** Can be configured using DNS64 

 Pro/Con: 

 * More tailored to clean IPv6 environments 
 * Target networks stay IPv6 only 
 * Needs more knowledge from operator 
 * Needs additional configuration on ungleich side 
 * Port forwarding setups on the router are non-trivial 
 ** Needs NAT64 on the router if IPv4 devices should be targeted 


 h3. Type 3, IPv4 only VPN 

 * We route 1 (or more) IPv4 addresses into the tunnel 

 Pro/Con: 

 * The client can configure port forwarding 
 * No support for new technology/IPv6 
 * Solves IPv4 only use cases trivially 

 h3. Type 4, IPv6-VPN with native IPv4 

 * We route a /48 into the tunnel; the pool is usually a /40 or bigger 
 * We route 1 (or more) IPv4 addresses into the tunnel 

 Pro/Con: 

 * The client can configure port forwarding 
 * Support for new technology/IPv6 automatically 
 * Solves IPv4 only use cases trivially 



 h2. OpenVPN on openvpn.ungleich.ch 

 * Server: openvpn.ungleich.ch 
 * Port: 1195 
 * Requires a certificate 
 * Address range: 2a0a:e5c0:3::/48 
 ** Client networks are /64 

 *END OF LIFE by 2019-06-30*