So, a couple of observations and questions...

I was looking at my iPhone which has AT&T.  As reported by Lonnie my device
is getting allocated a 10 dot private IPv4 address.  If I go to a website
to discover my public IP address I see the NAT host address....
107.77.x.y.  However what is interesting is that AT&T have allocated me two
global IPv6 addresses... 2600:380:4477:d922:xxx::/64, it will be interesting
to see whether I can use this to reach through to the router... I'm not
confident though as if I go to test-ipv6.com from my iPhone it shows a
different address... 2600:387:6:803::x so it looks like AT&T is even NATing
IPv6.  Yuk.

Next a question...  I don't have an external host, let alone one with a
static IP address.  I was wondering... I can configure wireguard to attach
to a DNS name, it does not need to be an IP address.  But how often does
wireguard check for a remote host?  So, for example, if I had a VM image
that was not running most of the time, but which I fire up when needed
(could be on AWS, or somewhere else).  That VM image would register its
IP address with a dynamic DNS service on boot up then start wireguard and
wait for the connection.   How long before the wireguard client (talking
through the WAN failover) will notice that the DNS now resolves to a valid
IP and connects?  And what happens when I take down that remote host... I
might just leave the DNS records pointing to an IP address that is no longer
listening (and might get reassigned to someone else's VM).  Or I might
delete the DNS record from the dynamic DNS server (probably a better
idea).  Is wireguard going to start trying to resolve the DNS name again,
or will it just assume the same IP address as last time?

David.
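An added illustration of the endpoint question above; this is not code from the thread or from the AstLinux project. `wg setconf` and wg-quick resolve a peer's Endpoint name once, when the interface is configured, and never look it up again, so a peer whose address changes after boot needs an external re-resolver. The script below follows the pattern of the `reresolve-dns.sh` script shipped in the wireguard-tools contrib directory: only when the peer's latest handshake is stale does it resolve the name again, and it pushes the new address with `wg set` only if it differs from the current endpoint. A name that no longer resolves leaves the existing endpoint untouched. Because WireGuard authenticates the peer by its static public key, a stale record pointing at an address reassigned to someone else's VM cannot be used to impersonate the server; the handshake simply never completes. The interface name `wg0`, the host name `vpn.example.net` and the placeholder key are assumptions.

```python
"""Re-resolve a WireGuard peer's DNS endpoint when the tunnel has gone quiet.

Added example, not code from the thread or from AstLinux. Assumed names:
interface wg0, endpoint name vpn.example.net:51820, placeholder peer key.
"""
from __future__ import annotations

import socket
import subprocess
import time
from typing import Optional

# Same threshold reresolve-dns.sh uses: a healthy peer re-handshakes well within
# ~2 minutes (keepalive plus rekey interval), so a handshake older than this
# means the endpoint currently in use is probably dead.
STALE_AFTER = 135


def parse_wg_table(text: str) -> dict[str, str]:
    """Parse `wg show <iface> endpoints|latest-handshakes`: one '<pubkey>\\t<value>' line per peer."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition("\t")
            table[key] = value
    return table


def handshake_is_stale(latest_handshakes: str, peer: str, now: float) -> bool:
    """True if the peer's last handshake (epoch seconds, 0 = never) is older than STALE_AFTER."""
    last = int(parse_wg_table(latest_handshakes).get(peer, "0"))
    return now - last > STALE_AFTER


def decide_update(current: Optional[str], resolved: Optional[str], port: int) -> Optional[str]:
    """Return the 'ip:port' to push, or None when the endpoint should stay as it is.

    A name that no longer resolves (DNS record deleted) returns None: the peer keeps
    its last endpoint rather than being left with no endpoint at all.
    """
    if resolved is None:
        return None
    new = f"[{resolved}]:{port}" if ":" in resolved else f"{resolved}:{port}"
    return None if new == current else new


def resolve_host(name: str) -> Optional[str]:
    """First IPv4 address for name, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def wg(*args: str) -> str:
    """Run the wg(8) tool and return its stdout (requires root)."""
    return subprocess.run(["wg", *args], check=True, capture_output=True, text=True).stdout


def reresolve(iface: str, peer: str, name: str, port: int) -> Optional[str]:
    """One pass: returns the endpoint that was pushed, or None if nothing changed."""
    if not handshake_is_stale(wg("show", iface, "latest-handshakes"), peer, time.time()):
        return None
    current = parse_wg_table(wg("show", iface, "endpoints")).get(peer)
    new = decide_update(current, resolve_host(name), port)
    if new is not None:
        wg("set", iface, "peer", peer, "endpoint", new)
    return new


if __name__ == "__main__":
    # Run from cron or a loop every ~30 s. The key below is a placeholder (assumption).
    print(reresolve("wg0", "<Static endpoint public key>", "vpn.example.net", 51820))
```

Only `reresolve` touches the live system; the parsing and decision helpers are pure functions over the text `wg show` prints, so they can be exercised without a tunnel. Running it every 30 seconds or so from cron is enough: a VM that registers its address and starts WireGuard will be picked up within one stale-handshake window plus one cron interval.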







On Mon, May 21, 2018 at 6:59 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com>
wrote:

> Hi Michael,
>
> > I noticed you also pass the VPN traffic to the site LAN
>
> Yes, I tried to implement the general case, easy to remove stuff.
>
> > the VPN would normally just be used for voice traffic and management only.
>
> In that case "External Failover Destination Routes: IPv4 Routes:" could
> define all the destination routes you need without "Failover" enabled ...
> and let Asterisk dynamically choose the SIP route.  Handling inbound calls
> over the 4G/LTE VPN would also be possible.
>
>
> All seems to work well, the only fundamental issue may be the latency of
> 4G/LTE for SIP traffic ... though clearly much better than no traffic.
>
> Lonnie
>
>
>
>
> > On May 21, 2018, at 5:36 PM, Michael Knill <michael.knill@ipcsolutions.com.au> wrote:
> >
> > Thanks Lonnie you beat me to it.
> > Interestingly one of my partners is using Asterisk as their Softswitch and they were thinking of setting up a single VPN Tunnel to the SoftSwitch for voice traffic and so everything still works on both the primary and failover links. There should be no failover scripts required!
> >
> > I noticed you also pass the VPN traffic to the site LAN but this would not actually be required in practice as the VPN would normally just be used for voice traffic and management only. On all VPN connections that run voice traffic I set directmedia=no in sip.conf. PS I actually now use a directmedia ACL on the VPN subnet so I don't need to configure anything. E.g.
> >
> > directmedia=yes
> > directmediapermit=0.0.0.0/0
> > directmediadeny=<VPN Subnet>
> >
> > Thanks again Lonnie for testing. I'm looking forward to implementing it.
> >
> > Regards
> > Michael Knill
> >
> > On 22/5/18, 6:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> >
> >    Followup, Enabling Failover using a Netgear LB1121-100NAS (review below):
> >
> >    The basic failover configuration is documented here:
> >
> >    WAN Failover
> >    https://doc.astlinux-project.org/userdoc:tt_wan_failover
> >
> >    Since most 4G/LTE providers only support outbound-only (NAT'ed), IPv4-only, dynamic IPv4 address networks, any basic failover configuration over 4G/LTE must deal with those constraints.
> >
> >    But, there is another way ...
> >
> >    Enhanced WAN Failover using WireGuard:
> >
> >    If you are able to run a second AstLinux instance (or most any distro with WireGuard) on a static IPv4 address you can establish an always-up WireGuard VPN over the 4G/LTE connection.  When idle the VPN consumes less than 0.5 MB/day of data.
> >
> >    With this setup, both IPv4 and IPv6 can be supported as well as allowing inbound traffic to the failover.  When failover occurs, all the IPv4/IPv6 traffic is sent over the WireGuard VPN to the "Static" WireGuard endpoint.
> >
> >    To be clear, while the WireGuard VPN is established over IPv4-only, the tunnel can simultaneously transport IPv4 and IPv6.
> >
> >    Example:
> >
> >    AstLinux "4G/LTE": Cable/DSL Modem on external interface and 4G/LTE Modem on failover interface.
> >    --
> >    Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0
> >    Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64
> >    WireGuard IPv4: 10.4.1.10/255.255.255.0
> >    WireGuard IPv6: fda6:a6:a6:ff::10/64
> >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
> >
> >    AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external interface.
> >    --
> >    Routable Public IPv4: 1.2.3.4
> >    WireGuard IPv4: 10.4.1.1/255.255.255.0
> >    WireGuard IPv6: fda6:a6:a6:ff::1/64
> >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
> >
> >
> >    == AstLinux "4G/LTE" Endpoint Configuration
> >
> >    Network tab -> WireGuard Configuration:
> >      Tunnel Options:
> >        IPv4 Address: 10.4.1.10
> >        IPv4 NetMask: 255.255.255.0
> >        IPv6/nn Address: fda6:a6:a6:ff::10/64
> >
> >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
> >    [Peer]
> >    ## 4G/LTE Endpoint
> >    PublicKey = <For Static Endpoint>
> >    Endpoint = 1.2.3.4:51820
> >    AllowedIPs = 0.0.0.0/0, ::/0
> >    PersistentKeepalive = 25
> >    --
> >
> >    Network tab -> WAN Failover Configuration:
> >      WAN Failover:
> >        Failover: [enabled]
> >        Secondary Gateway IPv4: 10.4.1.1
> >        Secondary Gateway IPv6: fda6:a6:a6:ff::1
> >
> >      External Failover Interface:
> >        Connection Type: [DHCP]
> >
> >      External Failover Destination Routes:
> >        IPv4 Routes: 192.168.5.0/24 1.2.3.4
> >
> >
> >    Network tab -> Firewall Configuration:
> >      Firewall Options:
> >        _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s)
> >
> >
> >    == AstLinux "Static" Endpoint Configuration
> >
> >    Network tab -> WireGuard Configuration:
> >      Tunnel Options:
> >        IPv4 Address: 10.4.1.1
> >        IPv4 NetMask: 255.255.255.0
> >        IPv6/nn Address: fda6:a6:a6:ff::1/64
> >
> >
> >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
> >    [Peer]
> >    ## Static Endpoint
> >    PublicKey = <For 4G/LTE Endpoint>
> >    AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
> >    --
> >
> >    -- /mnt/kd/rc.conf.d/user.conf snippet --
> >    NAT_FOREIGN_NETWORK="192.168.101.0/24"
> >    --
> >
> >    ==
> >
> >    I personally tested this scenario and it worked as expected.
> >
> >    Note that one AstLinux "Static" server can support many remote failover AstLinux "4G/LTE" boxes.
> >
> >    Tip: if you have shell access to AstLinux "Static", 'ssh root@10.4.1.10' will access AstLinux "4G/LTE" over the VPN connection, regardless if failover is active.
> >
> >    Lonnie
> >
> >
> >
> >
> >
> >    ==================================
> >    Per a post by Michael Knill "4G backup" I purchased a Netgear LB1121-100NAS (North America) supporting PoE and includes a power adapter.
> >
> >    LTE Modem LB1120 and LB1121 User Manual
> >    https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_UM_EN.pdf
> >
> >    Overall, I'm pleased with the LB1121, the PoE is good to have, makes easy positioning for good reception.
> >
> >    I also tested the Netgear 6000450 MIMO Antenna, it can add 1-bar, but with no antenna and 4 out of 5 bars sitting on the lab bench I was able to get 90/20 Mbps (down/up) on a speed test.
> >
> >    If a person were to mount the modem on a wall next to a window, the antenna would be useful to reach over and place on the glass.
> >
> >    I tested with "Ting" an MVNO (Mobile Virtual Network Operator) for T-Mobile's GSM network.  I ordered a GSM SIM card from Ting, the Netgear LB1121 comes with an empty SIM slot.
> >
> >    I connected the Netgear LB1121 to a spare ethernet interface, Network tab -> Failover Interface: [eth2] and also ...
> >    -- Network tab -> WAN Failover Configuration: --
> >    External Failover Interface:
> >     Connection Type: [DHCP]
> >
> >    External Failover Destination Routes:
> >     IPv4 Routes: 192.168.5.0/24
> >    --
> >    If you change the LB1121's IPv4 address, also change the above IPv4 Routes: as this is required when the LB1121 is set to "Bridge Mode".
> >    Note: WAN Failover is disabled at this point in time.  We are now simply defining a 2nd external interface.
> >
> >    With Ting I needed to edit the APN ...
> >    --
> >    Ting (GSM) T-Mobile
> >    APN: wholesale
> >    --
> >    and the LB1121 easily allows for that via the web interface, which defaults to http://192.168.5.1
> >
> >    Firmware updates are via the web interface, but you must have a SIM card activated and installed to perform an upgrade over the GSM network.
> >
> >    Web interface password changes don't ask for a match, so a typo requires a reset to factory defaults to fix it.  But overall, the web interface is nicely done.
> >
> >    After I got the LB1121 configured as desired, working, and firmware upgraded, I then switched to "Bridge Mode", depending on your 4G/LTE carrier your DHCP will acquire a publicly routable IPv4 address or an address that looks public but is actually behind NAT.
> >    BTW: Ting/T-Mobile uses odd "private" address ranges like 25.0.0.0/8 (UK Ministry of Defense) and 100.128.0.0/9 (T-Mobile), they look publicly routable, but they are NAT'ed to a different public address :-(
> >
> >    On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the touch.
> >
> >    The main issues are the 4G/LTE networks, the Ting MVNO for T-Mobile is IPv4 only, and NAT'ed even when in bridge mode.  So a true failover is difficult to do, but by limiting your failover requirements this can still be useful.  Below is one such technique using WireGuard VPN.
> >
> >    I have a test AstLinux box talking to my main AstLinux box over WireGuard over 4G/LTE ... works nicely.  Though "PersistentKeepalive = 25" is required to deal with the NAT and dynamic addressing.
> >
> >    FYI: Interestingly, the WireGuard overhead even with a keepalive every 25 seconds results in 454 KB/day of data, which at $10/GB is only 0.00454 $/day.
> >
> >    == Dynamic 4G/LTE Modem Endpoint
> >
> >    -- WireGuard IPv4 10.4.1.10/255.255.255.0 --
> >    [Peer]
> >    ## 4G/LTE Endpoint
> >    PublicKey = <For Static Endpoint>
> >    Endpoint = 1.2.3.4:51820
> >    AllowedIPs = 10.4.1.1/32
> >    PersistentKeepalive = 25
> >    --
> >
> >    -- Network tab -> WAN Failover Configuration: --
> >    External Failover Interface:
> >     Connection Type: [DHCP]
> >
> >    External Failover Destination Routes:
> >     IPv4 Routes: 192.168.5.0/24 1.2.3.4
> >    --
> >
> >    == Static IPv4 1.2.3.4 Endpoint
> >
> >    -- WireGuard IPv4 10.4.1.1/255.255.255.0 --
> >    [Peer]
> >    ## Static Endpoint
> >    PublicKey = <For 4G/LTE Endpoint>
> >    AllowedIPs = 10.4.1.10/32
> >    --
> >
> >    iperf3 test across the VPN ...
> >
> >    4G/LTE ~ # iperf3 -s
> >
> >    Static ~ # iperf3 -c 10.4.1.10 -u
> >    Connecting to host 10.4.1.10, port 5201
> >    [  5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201
> >    [ ID] Interval           Transfer     Bitrate         Total Datagrams
> >    [  5]   0.00-1.00   sec   128 KBytes  1.05 Mbits/sec  96
> >    ...
> >    [  5]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec  96
> >    - - - - - - - - - - - - - - - - - - - - - - - - -
> >    [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
> >    [  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/959 (0%)  sender
> >    [  5]   0.00-10.16  sec  1.25 MBytes  1.03 Mbits/sec  2.543 ms  0/959 (0%)  receiver
> >
> >
> >    Typical ping times: 100-400 ms
> >
> >    Note that without the VPN there would be no way to reach "4G/LTE" from "Static" with the network NAT issues described above.
> >
> >    So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard VPN technique on the "Failover Interface" (2nd External) your public server on 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE.
> >
> >
> >    Lonnie
> >
> >
> >    ------------------------------------------------------------------------------
> >    Check out the vibrant tech community on one of the world's most
> >    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >    _______________________________________________
> >    Astlinux-users mailing list
> >    Astlinux-users@lists.sourceforge.net
> >    https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> >    Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
> >
> >
>
>
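An added model of the cryptokey routing behind the AllowedIPs lines in Lonnie's wg0.peer snippets; this is not code from the thread or from WireGuard/AstLinux. Outbound, a packet is encrypted for the peer whose AllowedIPs contains the destination (longest prefix wins); inbound, a decrypted packet is delivered only if its source falls inside the sending peer's AllowedIPs, otherwise it is dropped. That is why the "4G/LTE" side can list `0.0.0.0/0, ::/0` (send everything to Static during failover) while the "Static" side lists exactly the tunnel addresses and LANs it is willing to accept from that box, and why, when one Static server fronts many 4G/LTE boxes as Lonnie notes, each box needs its own disjoint prefixes: a prefix belongs to one peer at a time and assigning it to a second peer moves it. The peer names are labels rather than keys, and the second remote box in `many_remotes_table` uses constructed values.

```python
"""A small model of WireGuard cryptokey routing (AllowedIPs).

Added example, not code from the thread or from WireGuard/AstLinux. The AllowedIPs
values are the ones from Lonnie's wg0.peer snippets; peer names are labels, not keys.
"""
from __future__ import annotations

import ipaddress
from typing import Optional


def parse_allowed_ips(spec: str) -> list:
    """'10.4.1.10/32, 192.168.101.0/24, ::/0' -> list of ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]


class CryptokeyTable:
    """Maps each AllowedIPs prefix to exactly one peer, as the kernel's allowedips trie does."""

    def __init__(self) -> None:
        self.peers: dict[str, list] = {}

    def add_peer(self, name: str, allowed_ips: str) -> None:
        nets = parse_allowed_ips(allowed_ips)
        # A prefix can belong to only one peer: assigning it again moves it,
        # silently, away from the peer that had it before.
        for other, other_nets in self.peers.items():
            self.peers[other] = [n for n in other_nets if n not in nets]
        self.peers[name] = nets

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Which peer an outgoing packet to dst is encrypted for (longest prefix wins), or None."""
        addr = ipaddress.ip_address(dst)
        best: Optional[str] = None
        best_len = -1
        for name, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def inbound_allowed(self, peer: str, src: str) -> bool:
        """A decrypted packet from peer is delivered only if its source is in that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(peer, []))


# "Static" side: accept only the remote box's tunnel addresses and LANs (values from the thread).
STATIC_SIDE = CryptokeyTable()
STATIC_SIDE.add_peer("4G/LTE", "10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64")

# "4G/LTE" side: during failover every destination, in both address families, goes to Static.
LTE_SIDE = CryptokeyTable()
LTE_SIDE.add_peer("Static", "0.0.0.0/0, ::/0")


def many_remotes_table() -> CryptokeyTable:
    """One Static server fronting several 4G/LTE boxes: each gets its own disjoint prefixes.

    The second box's tunnel address and LAN are constructed values, not from the thread.
    """
    table = CryptokeyTable()
    table.add_peer("4G/LTE-A", "10.4.1.10/32, 192.168.101.0/24")
    table.add_peer("4G/LTE-B", "10.4.1.11/32, 192.168.102.0/24")
    return table


if __name__ == "__main__":
    print(STATIC_SIDE.inbound_allowed("4G/LTE", "192.168.101.50"))  # True
    print(STATIC_SIDE.inbound_allowed("4G/LTE", "10.4.1.99"))       # False: source not allowed
    print(LTE_SIDE.outbound_peer("8.8.8.8"))                         # Static
```

The inbound check is the part worth remembering when reviewing such a setup: the Static box's `NAT_FOREIGN_NETWORK` and firewall rules only ever see packets whose source the remote peer is entitled to use, because anything else is discarded before it reaches the IP stack. Conversely, an overly broad AllowedIPs on the Static side (for example `0.0.0.0/0` for a remote peer) would let that peer inject packets with any source address, so the narrow list in Lonnie's "Static" snippet is doing real work.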