Ungleich IPv6 wireguard VPN » History » Version 5
Timothée Floure, 02/20/2020 02:34 PM
1 | 1 | Timothée Floure | h1. Ungleich IPv6 wireguard VPN |
---|---|---|---|
2 | |||
3 | {{toc}} |
||
4 | |||
5 | 5 | Timothée Floure | *%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%* |
6 | 1 | Timothée Floure | |
7 | h2. Status |
||
8 | |||
9 | This document is *IN PRODUCTION*. |
||
10 | |||
11 | h2. How to get VPN |
||
12 | |||
13 | * If you are a VM users of DataCenterLight, you get it for free |
||
14 | * Otherwise you can book it at https://IPv6VPN.ch |
||
15 | * In both cases, send a request to support at ungleich.ch |
||
16 | |||
17 | Technically, the following steps are necessary: |
||
18 | |||
19 | <pre> |
||
20 | 1. Install Wireguard |
||
21 | https://www.wireguard.com/install/ |
||
22 | |||
23 | 2. Create your private key: |
||
24 | umask 077; wg genkey > privkey |
||
25 | |||
26 | 3. Get your public key |
||
27 | wg pubkey < privkey |
||
28 | |||
29 | 4. Send us the pubkey |
||
30 | </pre> |
||
31 | |||
32 | If you want to be fast, you can already take these steps before contacting support. |
||
33 | |||
34 | |||
35 | h2. Security of IPv6 vs. NAT |
||
36 | |||
37 | A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall. |
||
38 | |||
39 | 3 | Timothée Floure | h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN |
40 | 2 | Timothée Floure | |
41 | It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN. |
||
42 | |||
43 | It will: |
||
44 | |||
45 | * Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic. |
||
46 | * Route all traffic to domain names (resolved by any of the two DNS servers) via the VPN. |
||
47 | |||
48 | It won't: |
||
49 | |||
50 | * Route traffic to specific IP addresses (= bypassing DNS) via the VPN. |
||
51 | * Route traffic from application using their own DNS resolving system (e.g. Firefox with DNS-over-HTTPS enabled). |
||
52 | |||
53 | 4 | Timothée Floure | *Complete isolation* can be achieved using network namespaces, as "described on wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution. |
54 | |||
55 | 2 | Timothée Floure | h3. Setup instruction |
56 | 1 | Timothée Floure | |
57 | 3 | Timothée Floure | It's dead-simple! You only have to add the following lines to the @[Interface]@ section (just below (@ListenPort = 51280@) of your wireguard configuration: |
58 | |||
59 | <pre> |
||
60 | DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451 |
||
61 | DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d |
||
62 | </pre> |
||
63 | 2 | Timothée Floure | |
64 | 1 | Timothée Floure | h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch |
65 | |||
66 | * Server: vpn-2a0ae5c1.ungleich.ch |
||
67 | * Port: 51820 |
||
68 | * Requires a public key |
||
69 | * Client network: 2a0a:e5c1:100::/40 |
||
70 | * Client network size: /48 |
||
71 | |||
72 | h3. Sample clustomer client configuration |
||
73 | |||
74 | * "Install wireguard":https://www.wireguard.com/install/ |
||
75 | * Create your private key: @umask 077; wg genkey > privkey@ |
||
76 | * Get your public key: @wg pubkey < privkey@ |
||
77 | ** You need to send this pubkey to ungleich |
||
78 | * You will get your network definition after we have received your public key |
||
79 | * Create /etc/wireguard/wg0.conf |
||
80 | |||
81 | <pre> |
||
82 | [Interface] |
||
83 | PrivateKey = YOURKEYHERE |
||
84 | Address = YOURIPv6IPADDRESSHERE/48 |
||
85 | ListenPort = 51280 |
||
86 | |||
87 | [Peer] |
||
88 | PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= |
||
89 | Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 |
||
90 | AllowedIPs = ::/0 |
||
91 | </pre> |
||
92 | |||
93 | * *ONLY change* the PrivateKey and the Address entries. |
||
94 | * *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is* |
||
95 | |||
96 | h3. How to setup the VPN (the easy way) |
||
97 | |||
98 | Once you have created the configuration, you can simply call |
||
99 | |||
100 | <pre> |
||
101 | wg-quick up wg0 |
||
102 | </pre> |
||
103 | |||
104 | And to stop the VPN, you can use |
||
105 | |||
106 | <pre> |
||
107 | wg-quick down wg0 |
||
108 | </pre> |
||
109 | |||
110 | |||
111 | h3. How to setup the VPN (the manual way) |
||
112 | |||
113 | |||
114 | Commands for setting it up |
||
115 | |||
116 | <pre> |
||
117 | MY_NET=2a0a:e5c1:XXXX::1/48 |
||
118 | |||
119 | ip link add dev wg0 type wireguard |
||
120 | |||
121 | # Replace with your range |
||
122 | ip addr add $MY_NET dev wg0 |
||
123 | |||
124 | # Add routing |
||
125 | ip route add 2a0a:e5c1::/32 dev wg0 |
||
126 | ip route add ::/0 via 2a0a:e5c1:100::1 |
||
127 | |||
128 | # Configure the interface |
||
129 | wg setconf wg0 /etc/wireguard/wg0.conf |
||
130 | |||
131 | # Bring it up |
||
132 | ip link set wg0 up |
||
133 | </pre> |
||
134 | |||
135 | h3. About usable IPv6 addresses |
||
136 | |||
137 | We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers. |
||
138 | I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network |
||
139 | are supposed to answer on this address. |
||
140 | |||
141 | In other words, in your wg0.conf use: |
||
142 | |||
143 | <pre> |
||
144 | [Interface] |
||
145 | ... |
||
146 | Address = 2a0a:e5c1:101::42/48 |
||
147 | </pre> |
||
148 | |||
149 | Do *NOT* use: |
||
150 | |||
151 | <pre> |
||
152 | [Interface] |
||
153 | ... |
||
154 | # Don't use this |
||
155 | Address = 2a0a:e5c1:101::/48 |
||
156 | </pre> |
||
157 | |||
158 | |||
159 | h3. How to debug |
||
160 | |||
161 | * wg show # Show configuration |
||
162 | * ping 2a0a:e5c1:100::1 # Try to ping the gateway |
||
163 | |||
164 | If you want to send us your configuration, you should remove your private key from wg0.conf. |
||
165 | Under Linux/BSD/MacOS you can do that as follows: |
||
166 | |||
167 | <pre> |
||
168 | cat /etc/wireguard/wg0.conf | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' |
||
169 | </pre> |
||
170 | |||
171 | The result could look as follows: |
||
172 | |||
173 | <pre> |
||
174 | root@line:~# cat /etc/wireguard/wg0.conf | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' |
||
175 | [Interface] |
||
176 | PrivateKey = MYPRIVATEKEY |
||
177 | ListenPort = 51280 |
||
178 | Address = 2a0a:e5c1:101::42/48 |
||
179 | #DNS = 2a0a:e5c0::3, 2a0a:e5c0::4 |
||
180 | |||
181 | [Peer] |
||
182 | PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= |
||
183 | Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 |
||
184 | AllowedIPs = ::/0 |
||
185 | </pre> |
||
186 | |||
187 | h3. How to config wireguard on mobile phone(android / ios) |
||
188 | |||
189 | <pre> |
||
190 | You should fill out DNS field. |
||
191 | ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4 |
||
192 | and you should assgin phone own IP. |
||
193 | ex) laptop Address = 2a0a:e5c1:101::42/48 |
||
194 | phone Address = 2a0a:e5c1:101::43/48 |
||
195 | another things are same as client's configutaion. |
||
196 | </pre> |
||
197 | |||
198 | h3. How to config IPv6 DNS on wireguard(if it can't find DNS) |
||
199 | |||
200 | <pre> |
||
201 | You should fill out DNS field. |
||
202 | ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4 |
||
203 | DNS = 2a0a:e5c0::3 |
||
204 | </pre> |
||
205 | |||
206 | h3. How to config wireguard manually on Mac OS without APP(for using IPv4 and IPv6 at the same time) |
||
207 | |||
208 | <pre> |
||
209 | 1) install wireguard on macOS |
||
210 | - brew install wireguard-tools |
||
211 | |||
212 | 2)find wireguard install location |
||
213 | - cd /usr/local/etc/wireguard |
||
214 | |||
215 | 3) create wg0.conf in wireguard location(refer to above) |
||
216 | |||
217 | 4) run wireguard |
||
218 | - wg-quick up wg0 |
||
219 | </pre> |
||
220 | |||
221 | h2. OpenVPN on openvpn.ungleich.ch |
||
222 | |||
223 | * Server: openvpn.ungleich.ch |
||
224 | * Port: 1195 |
||
225 | * Requires a certificate |
||
226 | * Address range: 2a0a:e5c0:3::/48 |
||
227 | ** Client networks are /64 |
||
228 | |||
229 | *END OF LIFE by 2019-06-30* |