Ungleich IPv6 wireguard VPN » History » Version 5

Timothée Floure, 02/20/2020 02:34 PM

h1. Ungleich IPv6 wireguard VPN

{{toc}}

*%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%*

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM user of DataCenterLight, you get it for free
* Otherwise you can book it at https://IPv6VPN.ch
* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>
1. Install Wireguard
   https://www.wireguard.com/install/

2. Create your private key:
   umask 077; wg genkey > privkey

3. Get your public key
   wg pubkey < privkey

4. Send us the pubkey
</pre>

If you want to be fast, you can already take these steps before contacting support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN

It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN.

It will:

* Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic.
* Route all traffic to domain names (resolved by either of the two DNS servers) via the VPN.

It won't:

* Route traffic to specific IP addresses (= bypassing DNS) via the VPN.
* Route traffic from applications using their own DNS resolver (e.g. Firefox with DNS-over-HTTPS enabled).

*Complete isolation* can be achieved using network namespaces, as "described in wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution.

h3. Setup instructions

It's dead-simple! You only have to add the following lines to the @[Interface]@ section (just below @ListenPort = 51280@) of your wireguard configuration:

<pre>
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d
</pre>

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf

<pre>
[Interface]
PrivateKey = YOURKEYHERE
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

* *ONLY change* the PrivateKey and the Address entries.
* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*.

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up

<pre>
# Replace with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard
ip addr add $MY_NET dev wg0

# Configure the interface. wg setconf does not accept the wg-quick-only keys
# (Address, DNS, ...), so strip them from wg0.conf first (bash process
# substitution, as shown in wg-quick(8)).
wg setconf wg0 <(wg-quick strip wg0)

# Bring it up; routes via wg0 can only be added once the link is up
ip link set wg0 up

# Add routing
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.
I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have IP forwarding enabled) for this network are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>
[Interface]
...
Address = 2a0a:e5c1:101::42/48
</pre>

Do *NOT* use:

<pre>
[Interface]
...
# Don't use this
Address = 2a0a:e5c1:101::/48
</pre>
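
As an added example (not part of the ungleich wiki), here is a POSIX shell script that ties the client setup steps together: it generates the key pair with the same @umask 077; wg genkey@ / @wg pubkey@ commands as above, assembles wg0.conf with the fixed peer entries from the sample configuration, and refuses the zero address of the /48 described in this section. The function names, the @check_address@ pattern (it only recognises the compressed @::/48@ spelling of the zero address) and the sample values used when testing it are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the ungleich wiki: assemble /etc/wireguard/wg0.conf
# from your private key and the /48 ungleich assigned to you, refusing the
# reserved zero address of the network. Function and variable names are assumed.
set -eu

# Values that must stay exactly as documented in the sample configuration.
WG_PEER_PUBKEY='hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ='
WG_ENDPOINT='vpn-2a0ae5c1.ungleich.ch:51820'
WG_LISTEN_PORT=51280

# gen_keypair DIR: create DIR/privkey (mode 0600 via umask) and DIR/pubkey,
# then print the public key, which is what you send to ungleich.
gen_keypair() {
    dir=$1
    ( umask 077; wg genkey > "$dir/privkey" )
    wg pubkey < "$dir/privkey" > "$dir/pubkey"
    cat "$dir/pubkey"
}

# check_address ADDR: returns 0 if ADDR is a host address inside a /48, and
# 1 if it is the compressed zero address (e.g. 2a0a:e5c1:101::/48, reserved
# for all routers of the network) or does not carry the /48 prefix length.
check_address() {
    case $1 in
        *::/48) return 1 ;;
        */48)   return 0 ;;
        *)      return 1 ;;
    esac
}

# render_conf PRIVKEY ADDR: print a complete wg0.conf on stdout, or fail
# without printing anything if ADDR is not acceptable.
render_conf() {
    privkey=$1
    addr=$2
    if ! check_address "$addr"; then
        echo "refusing '$addr': use a host address such as 2a0a:e5c1:101::42/48" >&2
        return 1
    fi
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n\n' \
        "$privkey" "$addr" "$WG_LISTEN_PORT"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = ::/0\n' \
        "$WG_PEER_PUBKEY" "$WG_ENDPOINT"
}

# install_conf PRIVKEY_FILE ADDR: write /etc/wireguard/wg0.conf with mode 0600.
# The address is validated before the file is opened so a bad call leaves no
# empty config behind.
install_conf() {
    check_address "$2"
    ( umask 077; render_conf "$(cat "$1")" "$2" > /etc/wireguard/wg0.conf )
}

# Usage (as root, once ungleich has sent you your /48):
#   gen_keypair /etc/wireguard
#   install_conf /etc/wireguard/privkey 2a0a:e5c1:101::42/48
#   wg-quick up wg0
```

The private key never appears on the command line of @gen_keypair@ or @install_conf@, only in files created under @umask 077@, so it does not leak through the process list or shell history; @render_conf@ is the only piece that sees the key as a value, and it is passed via command substitution from the file.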


h3. How to debug

* wg show # Show configuration
* ping 2a0a:e5c1:100::1 # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.
Under Linux/BSD/MacOS you can do that as follows:

<pre>
cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
</pre>

The result could look as follows:

<pre>
root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
[Interface]
PrivateKey = MYPRIVATEKEY
ListenPort = 51280
Address = 2a0a:e5c1:101::42/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

h3. How to configure wireguard on a mobile phone (Android / iOS)

<pre>
You should fill out the DNS field.
ex) for IPv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
and you should assign the phone its own IP.
ex) laptop Address = 2a0a:e5c1:101::42/48
    phone Address = 2a0a:e5c1:101::43/48
All other settings are the same as in the client configuration above.
</pre>

h3. How to configure IPv6 DNS on wireguard (if it can't find DNS)

<pre>
You should fill out the DNS field.
ex) for IPv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
DNS = 2a0a:e5c0::3
</pre>

h3. How to configure wireguard manually on macOS without the app (for using IPv4 and IPv6 at the same time)

<pre>
1) install wireguard on macOS
- brew install wireguard-tools

2) find the wireguard configuration location
- cd /usr/local/etc/wireguard

3) create wg0.conf in the wireguard location (refer to above)

4) run wireguard
- wg-quick up wg0
</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64

*END OF LIFE by 2019-06-30*