Re: Configure WireGuard for Roaming Between IPv4, IPv6

2018-09-15 Thread David Cowden
I haven't actually tried that specific scenario but I don't see why the
tunnel wouldn't "come up". I mean really it's up when the interface is up
and the tunnel "connection" (it's UDP) isn't actually "established" (in a
NAT/firewall sense) unless data is sent. You can have an interface
configured for IPv6 on an "IPv4 only" network, it just won't get responses
to its router solicitations so the kernel (Linux, at least--BSDs do this in
userspace) won't configure routes for IPv6 traffic. If you look at your
physical interfaces, you'll probably notice they all have IPv6 link-local
addresses unless you've actually turned off IPv6 support in the kernel.

The reason your IPv6 traffic goes out unencrypted on dual stack networks is
because the default route for IPv6 traffic is not the WireGuard interface,
but rather one of the physical ones. All you need to do to send your IPv6
traffic through the tunnel is configure the interface to be part of the
IPv6 network you're trying to reach, and of course allow an IPv6 address
from the client in the server config. In fact, if you configure your
interface with IPv6 address(es) and a route pointing at the wg interface,
you can even send IPv6 traffic on an IPv4 only tunnel provided your server
can route IPv6 traffic. If you're using wg-quick, simply adding an IPv6
address to the interface and allowing all IPv6 traffic from the server peer
would suffice.

On Sat, Sep 15, 2018 at 11:01 AM Lane Russell wrote:

> What is the best practice for configuring Wireguard to work over diverse
> networks, including IPv4-only, IPv6-only, and dual-stack?
>
> For example, my current configuration only deals with IPv4. When I roam
> from an IPv4-only network to a dual-stack, my device routes IPv4 traffic
> over the WireGuard interface, but IPv6 traffic goes out unencrypted.
>
> My VPN server is IPv6-capable, so I could enable it. However, will the
> client tunnel fail to come up on an IPv4-only network if the config
> contains IPv6 addresses?
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
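
Concretely, the wg-quick layout described in the reply above (an IPv4-only outer endpoint carrying IPv6 inside the tunnel) looks like the following. This is an added example, not part of the original message; the tunnel prefixes, keys, server address, port and the server's upstream interface name (eth0) are constructed placeholders, and it assumes the server forwards IPv6 and masquerades the tunnel prefix to its own upstream IPv6 address (or, if it owns a routed global prefix, hands out addresses from that prefix instead and skips the NAT lines).

```ini
# --- client: /etc/wireguard/wg0.conf (wg-quick) ---
[Interface]
# One IPv4 and one IPv6 tunnel address (constructed ULA prefix).
Address = 10.42.0.2/32, fd42:4242:4242::2/128
PrivateKey = <client-private-key>
# Resolve through the tunnel; assumes a resolver listening on the
# server's tunnel address, so DNS does not leak on either family.
DNS = 10.42.0.1

[Peer]
PublicKey = <server-public-key>
# The outer transport is plain IPv4 UDP, so this works on IPv4-only
# networks; the inner fd42:: address is configured regardless and the
# interface comes up either way.
Endpoint = 203.0.113.10:51820
# ::/0 makes wg-quick install the IPv6 default route via wg0 (alongside
# 0.0.0.0/0), which is what stops IPv6 leaving unencrypted on dual-stack.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# --- server: /etc/wireguard/wg0.conf (wg-quick) ---
[Interface]
Address = 10.42.0.1/24, fd42:4242:4242::1/64
ListenPort = 51820
PrivateKey = <server-private-key>
# Assumed: the server routes IPv6 for the tunnel prefix. Forwarding plus
# NAT66 out of eth0 (placeholder) is the simplest way to do that with a ULA.
PostUp = sysctl -w net.ipv6.conf.all.forwarding=1
PostUp = ip6tables -t nat -A POSTROUTING -s fd42:4242:4242::/64 -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -s fd42:4242:4242::/64 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
# Allow the client's IPv6 tunnel address as well as its IPv4 one; without
# it WireGuard's cryptokey routing drops the peer's inner IPv6 packets.
AllowedIPs = 10.42.0.2/32, fd42:4242:4242::2/128
```

After `wg-quick up wg0` on the client, `ip -6 route show table all` should include a `default dev wg0` entry in the extra routing table wg-quick creates; if only the physical interface's default route is present, IPv6 is still bypassing the tunnel.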


WireGuard behaviour with systemd-resolved

2018-09-15 Thread Lane Russell
I've noticed some concerning behaviour using WireGuard on Manjaro GNOME. When 
the WireGuard interface is brought up, the system starts using the DNS servers 
provided in the wg-client.conf file. Intermittently however, internal DNS 
records will resolve using their public IP addresses. Using tcpdump, I'm able 
to see the system is using 8.8.8.8 and 8.8.4.4 for some queries. These 
addresses are configured as fallback DNS servers in systemd-resolved. They were 
acquired via DHCP before the WireGuard interface was brought up.

Is this an issue with WireGuard, or systemd-resolved? Based on what information 
I'm able to find, it appears there are some big concerns with how 
systemd-resolved handles DNS, so I'm more inclined to think the issue lies 
there.


Broadcasts over L3 tunnel

2018-09-15 Thread David Cowden
I've been playing around with WireGuard and I'd really like to enable a
scenario where a remote peer appears like they're on a LAN (at L3) somewhere
so that e.g. mDNS broadcasts reach the remote peer. I can create all sorts of
topologies where traffic can flow between the remote peer(s) and the LAN peers,
but I'm hung up on getting the kernel to send broadcasts to the WireGuard
interface. If you put everything on the same subnet, you essentially end up
with two conflicting entries in the LAN host's routing table: one that routes
LAN traffic to the gateway for egress or if you're running on the gateway then
egresses upstream, and a second entry telling the kernel that the same subnet is
available across the wg interface.

Is a topology like this possible without hacking up some facade into L2?

David


wireguard-go bug with IPv6-less kernels

2018-09-15 Thread Kent Friis
I've been setting up wireguard-go on an old Linux kernel (no module),
and hit a bug with IPv6-less kernels. The create6() function returns 0
as the port number when an error occurs, so even though CreateBind
checks for EAFNOSUPPORT, it still ends up with port getting set to zero,
resulting in a random port.

I solved it by returning port instead of zero - as far as I can see
this shouldn't break anything, as CreateBind will return 0 anyway on
errors other than EAFNOSUPPORT.

I did not check whether the same bug exists in conn_default.go.

- Kent

--- conn_linux.go.old   2018-09-05 23:11:19.407372785 +0200
+++ conn_linux.go   2018-09-07 16:58:28.971914271 +0200
@@ -335,7 +335,7 @@
)
 
if err != nil {
-   return -1, 0, err
+   return -1, port, err
}
 
addr := unix.SockaddrInet4{
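Review bot: Returning the caller's `port` on the socket() error path (`return -1, port, err`) changes create4's contract so that the second return value is the requested port rather than 0 whenever err != nil. That removes the symptom described in the cover text, but the same effect is available without touching the error paths: have CreateBind assign create6's result to a temporary and only adopt the new port when err == nil, which keeps one rule (the returned port is meaningful only on success). Whichever contract is kept, a comment above create4 and create6 stating what the port return means on error would stop a future caller from reading it as a bound port.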
@@ -366,7 +366,7 @@
return unix.Bind(fd, )
}(); err != nil {
unix.Close(fd)
-   return -1, 0, err
+   return -1, port, err
}
 
return fd, uint16(addr.Port), err
@@ -383,7 +383,7 @@
)
 
if err != nil {
-   return -1, 0, err
+   return -1, port, err
}
 
// set sockopts and bind
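Review bot: This is the path an IPv6-less kernel actually takes: socket(AF_INET6, ...) fails with EAFNOSUPPORT before any bind, and with the old `return -1, 0, err` CreateBind overwrote the requested port with 0 and then called create4 with 0, which is where the random port came from. Since this is the one hunk that changes observable behaviour, it deserves a regression test that makes create6 return EAFNOSUPPORT and asserts that the IPv4 socket ends up bound to the requested port rather than an ephemeral one.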
@@ -425,7 +425,7 @@
 
}(); err != nil {
unix.Close(fd)
-   return -1, 0, err
+   return -1, port, err
}
 
return fd, uint16(addr.Port), err
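Review bot: On this failure path the fd has already been closed and -1 is returned, so the `port` handed back next to it is the requested port that never became bound; returning it is only for consistency with the socket() hunk above, because per the cover text any error other than EAFNOSUPPORT (a bind or setsockopt failure here will not be EAFNOSUPPORT) still makes CreateBind return 0. The unchanged `return fd, uint16(addr.Port), err` remains the only place a bound port is reported, which is worth saying in a comment so the two cases are not confused.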


Configure WireGuard for Roaming Between IPv4, IPv6

2018-09-15 Thread Lane Russell
What is the best practice for configuring Wireguard to work over diverse 
networks, including IPv4-only, IPv6-only, and dual-stack?

For example, my current configuration only deals with IPv4. When I roam from an 
IPv4-only network to a dual-stack, my device routes IPv4 traffic over the 
WireGuard interface, but IPv6 traffic goes out unencrypted.

My VPN server is IPv6-capable, so I could enable it. However, will the client 
tunnel fail to come up on an IPv4-only network if the config contains IPv6 
addresses?