Open Infrastructure

h1. Ungleich IPv6 wireguard VPN

{{toc}}

*%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%*

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM users of DataCenterLight, you get it for free

* Otherwise you can book it at https://IPv6VPN.ch

* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>

1. Install Wireguard

 https://www.wireguard.com/install/

2. Create your private key:

 umask 077; wg genkey > privkey

3. Get your public key

  wg pubkey < privkey

4. Send us the pubkey

</pre>

If you want to be fast, you can already take these steps before contacting support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN

It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN.

It will:

* Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic.

* Route all traffic to domain names (resolved by any of the two DNS servers) via the VPN.

It won't:

* Route traffic to specific IP addresses (= bypassing DNS) via the VPN.

* Route traffic from application using their own DNS resolving system (e.g. Firefox with DNS-over-HTTPS enabled).

*Complete isolation* can be achieved using network namespaces, as "described on wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution.

h3. Setup instruction

It's dead-simple! You only have to add the following lines to the @[Interface]@ section (just below (@ListenPort = 51280@) of your wireguard configuration:

<pre>

DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451

DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d

</pre>

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch

* Port: 51820

* Requires a public key

* Client network: 2a0a:e5c1:100::/40

* Client network size: /48

h3. Sample clustomer client configuration

* "Install wireguard":https://www.wireguard.com/install/

* Create your private key: @umask 077; wg genkey > privkey@

* Get your public key: @wg pubkey < privkey@

** You need to send this pubkey to ungleich

* You will get your network definition after we have received your public key

* Create /etc/wireguard/wg0.conf

<pre>

[Interface]

PrivateKey = YOURKEYHERE

Address = YOURIPv6IPADDRESSHERE/48

ListenPort = 51280

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

* *ONLY change* the PrivateKey and the Address entries.

* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>

wg-quick up wg0

</pre>

And to stop the VPN, you can use

<pre>

wg-quick down wg0

</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up

<pre>

MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Replace with your range

ip addr add $MY_NET dev wg0

# Add routing

ip route add 2a0a:e5c1::/32 dev wg0

ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface

wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up

ip link set wg0 up

</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.

I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network

are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>

[Interface]

...

Address = 2a0a:e5c1:101::42/48

</pre>

Do *NOT* use:

<pre>

[Interface]

...

# Don't use this

Address = 2a0a:e5c1:101::/48

</pre>

h3. How to debug

* wg show # Show configuration

* ping 2a0a:e5c1:100::1 # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.

Under Linux/BSD/MacOS you can do that as follows:

<pre>

cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

</pre>

The result could look as follows:

<pre>

root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

[Interface]

PrivateKey = MYPRIVATEKEY

ListenPort = 51280

Address = 2a0a:e5c1:101::42/48

#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

h3. How to config wireguard on mobile phone(android / ios)

<pre>

You should fill out DNS field.

ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4

and you should assgin phone own IP.

ex) laptop Address = 2a0a:e5c1:101::42/48

    phone Address = 2a0a:e5c1:101::43/48

another things are same as client's configutaion.

</pre>

h3. How to config IPv6 DNS on wireguard(if it can't find DNS)

<pre>

You should fill out DNS field.

ex) for ipv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4

DNS = 2a0a:e5c0::3

</pre>

h3. How to config wireguard manually on Mac OS without APP(for using IPv4 and IPv6 at the same time) 

<pre>

1) install wireguard on macOS

- brew install wireguard-tools

2)find wireguard install location

- cd /usr/local/etc/wireguard

3) create wg0.conf in wireguard location(refer to above)

4) run wireguard

- wg-quick up  wg0

</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch

* Port: 1195

* Requires a certificate

* Address range: 2a0a:e5c0:3::/48

** Client networks are /64

*END OF LIFE by 2019-06-30*