Open Infrastructure

h1. Ungleich IPv6 wireguard VPN

{{toc}}

*%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%*

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM users of DataCenterLight, you get it for free

* Otherwise you can book it at https://IPv6VPN.ch

* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>

1. Install Wireguard

 https://www.wireguard.com/install/

2. Create your private key:

 umask 077; wg genkey > privkey

3. Get your public key

  wg pubkey < privkey

4. Send us the pubkey

</pre>

If you want to be fast, you can already take these steps before contacting support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN

It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN.

It will:

* Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic.

* Route all traffic to domain names (resolved by any of the two DNS servers) via the VPN.

It won't:

* Route traffic to specific IP addresses (= bypassing DNS) via the VPN.

* Route traffic from application using their own DNS resolving system (e.g. Firefox with DNS-over-HTTPS enabled)

* Route IPv4 traffic

*Complete isolation* can be achieved using network namespaces, as "described on wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution.

h3. Setup instruction

It's dead-simple! You only have to add the following lines to the @[Interface]@ section (just below (@ListenPort = 51280@) of your wireguard configuration:

old

<pre>

DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451

DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d

</pre>

new

<pre>

DNS = 2a0a:e5c0:2:a::a 

DNS = 2a0a:e5c0:2:a::b

</pre>

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch

* Port: 51820

* Requires a public key

* Client network: 2a0a:e5c1:100::/40

* Client network size: /48

h3. Sample clustomer client configuration

* "Install wireguard":https://www.wireguard.com/install/

* Create your private key: @umask 077; wg genkey > privkey@

* Get your public key: @wg pubkey < privkey@

** You need to send this pubkey to ungleich

* You will get your network definition after we have received your public key

* Create /etc/wireguard/wg0.conf

<pre>

[Interface]

PrivateKey = YOURKEYHERE

Address = YOURIPv6IPADDRESSHERE/48

ListenPort = 51820

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

* *ONLY change* the PrivateKey and the Address entries.

* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>

wg-quick up wg0

</pre>

And to stop the VPN, you can use

<pre>

wg-quick down wg0

</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up

<pre>

MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Replace with your range

ip addr add $MY_NET dev wg0

# Add routing

ip route add 2a0a:e5c1::/32 dev wg0

ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface

wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up

ip link set wg0 up

</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.

I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network

are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>

[Interface]

...

Address = 2a0a:e5c1:101::42/48

</pre>

Do *NOT* use:

<pre>

[Interface]

...

# Don't use this

Address = 2a0a:e5c1:101::/48

</pre>

h3. How to debug

* wg show # Show configuration

* ping 2a0a:e5c1:100::1 # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.

Under Linux/BSD/MacOS you can do that as follows:

<pre>

cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

</pre>

The result could look as follows:

<pre>

root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

[Interface]

PrivateKey = MYPRIVATEKEY

ListenPort = 51280

Address = 2a0a:e5c1:101::42/48

#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

h3. How to config wireguard on mobile phone(android / ios)

<pre>

You should fill out DNS field.

ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4

and you should assgin phone own IP.

ex) laptop Address = 2a0a:e5c1:101::42/48

    phone Address = 2a0a:e5c1:101::43/48

another things are same as client's configutaion.

</pre>

h3. How to config IPv6 DNS on wireguard(if it can't find DNS)

<pre>

You should fill out DNS field.

ex) for ipv6 DNS ==> 2a0a:e5c0:2:12:0:f0ff:fea9:c451 or 2a0a:e5c0:2:12:0:f0ff:fea9:c45d

DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451

</pre>

h3. How to config wireguard manually on Mac OS without APP(for using IPv4 and IPv6 at the same time) 

<pre>

1) install wireguard on macOS

- brew install wireguard-tools

2)find wireguard install location

- cd /usr/local/etc/wireguard

3) create wg0.conf in wireguard location(refer to above)

4) run wireguard

- wg-quick up  wg0

</pre>

h2. ungleich VPN types and configuration

This guide is for internal handling, but also publicly available to allow knowledge sharing.

h3. Type 1, classic IPv6-VPN

* We route a /48 into the tunnel, the pool is usually a /40 or bigger

* Most VPN servers at ungleich operate like this

Pro/Con:

* Very easy setup

* Not much knowledge required

* Single stack

h3. Type 2, IPv6-VPN with mapped IPv4

* We route a /48 into the tunnel, the pool is usually a /40 or bigger

* Additionally IPv4 connectivity is provided via NAT64

** One or more IPv6 addresses are mapped to IPv4 addresses

** The client devices see IPv6 traffic

* Outgoing IPv4 mapping can be achieved, if the correct NAT64 network is targetted

** Can be configured using DNS64

Pro/Con:

* More tailored to clean IPv6 environments

* Target networks stay IPv6 only

* Needs more knowledge from operator

* Needs additional configuration on ungleich side

* Port forwarding setups on the router are non-trivial

** Needs NAT64 on the router if IPv4 devices should be targetted

h3. Type 3, IPv4 only VPN

* We route 1 (or more) IPv4 addresses into the tunnel

Pro/Con:

* The client can configure port forwarding

* No support for new technology/IPv6

* Solves IPv4 only use cases trivially

h3. Type 4, IPv6-VPN with native IPv4

* We route a /48 into the tunnel, the pool is usually a /40 or bigger

* We route 1 (or more) IPv4 addresses into the tunnel

Pro/Con:

* The client can configure port forwarding

* Support for new technology/IPv6 automatically

* Solves IPv4 only use cases trivially

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch

* Port: 1195

* Requires a certificate

* Address range: 2a0a:e5c0:3::/48

** Client networks are /64

*END OF LIFE by 2019-06-30*