Ungleich IPv6 wireguard VPN » History » Version 6

Nico Schottelius, 04/17/2020 09:02 PM

h1. Ungleich IPv6 wireguard VPN

{{toc}}

*%{color:green}This document only concerns VPN clients and is intended for end-users/customers. See [[The ungleich VPN infrastructure]] page for server-side documentation.%*

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM user of DataCenterLight, you get it for free
* Otherwise you can book it at https://IPv6VPN.ch
* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>
1. Install Wireguard
   https://www.wireguard.com/install/

2. Create your private key:
   umask 077; wg genkey > privkey

3. Get your public key
   wg pubkey < privkey

4. Send us the pubkey
</pre>

If you want to be fast, you can already take these steps before contacting support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC 1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Proxy all traffic (IPv6 + NAT64 for IPv4) via the VPN

It is possible to forward (almost) all traffic to the ungleich VPN by using our DNS64 resolvers. You can do so by configuring 2a0a:e5c0:2:12:0:f0ff:fea9:c451 (unbound1.place6.ungleich.ch) and 2a0a:e5c0:2:12:0:f0ff:fea9:c45d (unbound2.place6.ungleich.ch) as DNS servers when connected to the VPN.

It will:

* Use those two servers (via the VPN) for "DNS":https://en.wikipedia.org/wiki/Domain_Name_System traffic.
* Route all traffic to domain names (resolved by either of the two DNS servers) via the VPN.

It won't:

* Route traffic to specific IP addresses (= bypassing DNS) via the VPN.
* Route traffic from applications using their own DNS resolver (e.g. Firefox with DNS-over-HTTPS enabled).
* Route IPv4 traffic.

*Complete isolation* can be achieved using network namespaces, as "described in wireguard's documentation":https://www.wireguard.com/netns/#the-new-namespace-solution.

h3. Setup instructions

It's dead simple! You only have to add the following lines to the @[Interface]@ section (just below @ListenPort = 51280@) of your wireguard configuration:

<pre>
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c451
DNS = 2a0a:e5c0:2:12:0:f0ff:fea9:c45d
</pre>
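
To make the "It will / It won't" lists above concrete, here is an added Python model (not part of this page or of ungleich's tooling) of what a DNS64 resolver returns for a name and which destinations then fall under @AllowedIPs = ::/0@. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 as the NAT64 prefix, because the page does not state which prefix the ungleich resolvers use, and the zone data is constructed.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. Assumption: the page does not say which prefix
# the ungleich DNS64 resolvers synthesize with, so this value is illustrative only.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data: one dual-stack name and one IPv4-only name.
RECORDS = {
    "dual.example": {"AAAA": "2001:db8::10", "A": "192.0.2.10"},
    "v4only.example": {"A": "192.0.2.20"},
}

def dns64_resolve(name, records=RECORDS, prefix=NAT64_PREFIX):
    """Return the IPv6 address a DNS64 resolver hands back for a name, or None.

    A real AAAA record is returned unchanged; for an A-only name the IPv4 address
    is embedded in the low 32 bits of the /96 NAT64 prefix (RFC 6052).
    """
    rr = records.get(name, {})
    if "AAAA" in rr:
        return ipaddress.IPv6Address(rr["AAAA"])
    if "A" in rr:
        v4 = int(ipaddress.IPv4Address(rr["A"]))
        return ipaddress.IPv6Address(int(prefix.network_address) | v4)
    return None

def nat64_embedded_ipv4(addr, prefix=NAT64_PREFIX):
    """Recover the IPv4 address from a synthesized AAAA, or None if it is native IPv6."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)

def goes_via_vpn(destination):
    """Model the client config: AllowedIPs = ::/0 sends every IPv6 destination into
    the tunnel, while IPv4 is not covered by AllowedIPs and bypasses it."""
    return isinstance(ipaddress.ip_address(destination), ipaddress.IPv6Address)

def route_for(target, records=RECORDS):
    """For a host name or an address literal, decide whether traffic uses the VPN."""
    try:
        ipaddress.ip_address(target)  # a literal skips DNS, so DNS64 cannot help it
    except ValueError:
        resolved = dns64_resolve(target, records)
        return resolved is not None and goes_via_vpn(str(resolved))
    return goes_via_vpn(target)
```

The IPv4-only name reaches the tunnel only because the resolver synthesized an IPv6 address for it; the same host addressed by its IPv4 literal does not.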

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf

<pre>
[Interface]
PrivateKey = YOURKEYHERE
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

* *ONLY change* the PrivateKey and the Address entries.
* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*.

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up:

<pre>
# Replace with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard
ip addr add $MY_NET dev wg0

# Configure the interface
wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up (the kernel rejects IPv6 routes on an interface that is still down,
# so this has to happen before the routes are added)
ip link set wg0 up

# Add routing
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.
I.e. if your IPv6 network is 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have IP forwarding enabled) for this network are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>
[Interface]
...
Address = 2a0a:e5c1:101::42/48
</pre>

Do *NOT* use:

<pre>
[Interface]
...
# Don't use this
Address = 2a0a:e5c1:101::/48
</pre>

h3. How to debug

* @wg show@ # Show configuration
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.
Under Linux/BSD/MacOS you can do that as follows:

<pre>
cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
</pre>

The result could look as follows:

<pre>
root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
[Interface]
PrivateKey = MYPRIVATEKEY
ListenPort = 51280
Address = 2a0a:e5c1:101::42/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>
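
Added as an example (not ungleich's own tooling): a small Python checker for a customer wg0.conf that enforces the rules from the sections above, i.e. only PrivateKey and Address may differ from the sample, the Address must be a /48 and not its zero address, and the private key gets blanked the same way the sed one-liner does before the file is sent to support. The parser and the sample configuration (with a constructed, not real, private key) are assumptions of this example.

```python
import ipaddress
import re

# Peer values the page says must stay exactly as in the sample configuration.
EXPECTED_PEER = {"PublicKey": "hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=",
                 "Endpoint": "vpn-2a0ae5c1.ungleich.ch:51820", "AllowedIPs": "::/0"}

def parse_wg_conf(text):
    """Parse wg0.conf into {section: {key: value}}; '#' comments are ignored."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_client_conf(text):
    """Return the rule violations; an empty list means the config follows the page."""
    conf = parse_wg_conf(text)
    iface, peer, problems = conf.get("Interface", {}), conf.get("Peer", {}), []
    for key, expected in EXPECTED_PEER.items():
        if peer.get(key) != expected:
            problems.append(f"[Peer] {key} must stay '{expected}'")
    if iface.get("PrivateKey", "YOURKEYHERE") == "YOURKEYHERE":
        problems.append("[Interface] PrivateKey is missing or still the placeholder")
    try:
        addr = ipaddress.IPv6Interface(iface.get("Address", ""))
    except ValueError:
        return problems + ["[Interface] Address is missing or not a valid IPv6 address"]
    if addr.network.prefixlen != 48:
        problems.append("[Interface] Address must carry the /48 prefix length")
    if addr.ip == addr.network.network_address:
        problems.append("[Interface] Address is the zero address, reserved for routers")
    return problems

def redact_private_key(text):
    """Same effect as the page's sed one-liner: blank the key before sharing the file."""
    return re.sub(r"^(\s*PrivateKey\s*=).*$", r"\1 MYPRIVATEKEY", text, flags=re.M)

# Constructed sample (the key is not real): Address was set to the zero address.
SAMPLE_CONF = """[Interface]
PrivateKey = constructedExampleKeyNotReal00000000000000000=
Address = 2a0a:e5c1:101::/48
[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0"""
```

Run @check_client_conf@ on your own file before bringing the tunnel up, and send support only the output of @redact_private_key@.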

h3. How to config wireguard on mobile phone (android / ios)

<pre>
You should fill out the DNS field.
ex) for IPv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
and you should assign the phone its own IP.
ex) laptop Address = 2a0a:e5c1:101::42/48
    phone Address = 2a0a:e5c1:101::43/48
All other settings are the same as in the client configuration.
</pre>

h3. How to config IPv6 DNS on wireguard (if it can't find DNS)

<pre>
You should fill out the DNS field.
ex) for IPv6 DNS ==> 2a0a:e5c0::3 or 2a0a:e5c0::4
DNS = 2a0a:e5c0::3
</pre>

h3. How to config wireguard manually on Mac OS without APP (for using IPv4 and IPv6 at the same time)

<pre>
1) install wireguard on macOS
- brew install wireguard-tools

2) find wireguard install location
- cd /usr/local/etc/wireguard

3) create wg0.conf in wireguard location (refer to above)

4) run wireguard
- wg-quick up wg0
</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64

*END OF LIFE by 2019-06-30*