Re: routing table doesn't report wireguard routes
Turns out, I didn't understand quite how the routing table works in Linux. Here is a good high-level description of how this works: (thanks to wurtel over at stackexchange: https://unix.stackexchange.com/questions/188584/which-order-is-the-route-table-analyzed-in ) ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
routing table doesn't report wireguard routes
Ubuntu 16.04.4 LTS

Currently, WireGuard's routes don't seem to show up in the routing table, at least as viewed via "route -n" and "netstat -rn". Is this an issue, or am I misunderstanding the mechanism WireGuard uses to route traffic? In my case, the client config has "AllowedIPs = 0.0.0.0/0", and this is working fine, it's just that the routes aren't visible.
Connection issues with Google Fi
Using a Nexus 6P on Google Fi, I'm noticing that when roaming between cellular and WiFi, I occasionally lose the ability to use WireGuard. Coming from Verizon, I didn't previously have this issue. I can only assume this has something to do with Fi manipulating the routing table in such a way that breaks WireGuard connectivity. I verified that WiFi Assistant is disabled. A simple tunnel-up, tunnel-down doesn't seem to fix the issue. Rebooting fixes the issue. Next time the issue occurs, I can dump the ip rule list, but may need some assistance figuring out which ip tables to pull. Is this the info that will be needed to troubleshoot?
Re: Connection issues with Google Fi
I believe I'm using the userspace implementation. I have stock Android on my Nexus 6P and installed the WireGuard app from Google Play.

I am able to consistently replicate the issue by bringing the WireGuard tunnel up while connected to cellular only, then connecting to WiFi.

Log 1: After bringing up tunnel on cellular, then roaming to Wifi
https://s3.amazonaws.com/pyrahex-misc/logs/wireguard-log_1_cellular2wifi.txt

Log 2: After connecting to WiFi, I restarted the WireGuard tunnel
https://s3.amazonaws.com/pyrahex-misc/logs/wireguard-log_2_restart_tunnel.txt

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, September 27, 2018 10:48 AM, Jason A. Donenfeld wrote:

> Hi Lane,
>
> Are you using the kernel module or the userspace implementation? Can
> you send a debug log?
>
> Jason
Re: Connection issues with Google Fi
Installed the new release and tried roaming from Fi service to WiFi, all appears to be working as expected. Thanks for following up!
Re: Connection issues with Google Fi
Interesting, now that I have a better chance to look at this, I see that the logs show:

Failed to send data packet write udp6 [::]:49896->[2607:7700:0:8::48ca:860f]:51820

This is interesting because the DNS name my client interface is pointed at does not have a record.

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, September 27, 2018 12:23 PM, Lane Russell wrote:

> I believe I'm using the userspace implementation. I have stock Android on my
> Nexus 6P and installed the WireGuard app from Google Play.
>
> I am able to consistently replicate the issue by bringing the WireGuard
> tunnel up while connected to cellular only, then connecting to WiFi.
>
> Log 1: After bringing up tunnel on cellular, then roaming to Wifi
> https://s3.amazonaws.com/pyrahex-misc/logs/wireguard-log_1_cellular2wifi.txt
>
> Log 2: After connecting to WiFi, I restarted the WireGuard tunnel
> https://s3.amazonaws.com/pyrahex-misc/logs/wireguard-log_2_restart_tunnel.txt
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, September 27, 2018 10:48 AM, Jason A. Donenfeld ja...@zx2c4.com
> wrote:
>
> > Hi Lane,
> > Are you using the kernel module or the userspace implementation? Can
> > you send a debug log?
> > Jason
Re: Connection issues with Google Fi
Ah, thanks for your help! I'll be off to learn about XLAT/CLAT.
Configure WireGuard for Roaming Between IPv4, IPv6
What is the best practice for configuring Wireguard to work over diverse networks, including IPv4-only, IPv6-only, and dual-stack? For example, my current configuration only deals with IPv4. When I roam from an IPv4-only network to a dual-stack, my device routes IPv4 traffic over the WireGuard interface, but IPv6 traffic goes out unencrypted. My VPN server is IPv6-capable, so I could enable it. However, will the client tunnel fail to come up on an IPv4-only network if the config contains IPv6 addresses?
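Added example, not part of the original message or of the WireGuard project's code: a small audit that reads a wg-quick style client config and reports which IP family is left outside the tunnel when the other family is routed through it in full, which is the IPv6 leak described above. The sample configs, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample client config; keys and addresses are placeholders.
V4_ONLY = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
"""
# Same config with IPv6 added to the tunnel (the ULA address is a placeholder).
DUAL = V4_ONLY.replace("10.0.0.2/32", "10.0.0.2/32, fd00:10::2/128") \
              .replace("0.0.0.0/0", "0.0.0.0/0, ::/0")


def allowed_ips(conf_text):
    """Return every AllowedIPs network listed in any [Peer] section."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def full_tunnel(nets, version):
    """True if the networks of this IP version add up to the default route."""
    merged = list(ipaddress.collapse_addresses(
        n for n in nets if n.version == version))
    return len(merged) == 1 and merged[0].prefixlen == 0


def untunnelled_families(conf_text):
    """IP versions left outside the tunnel while the other is fully routed."""
    nets = allowed_ips(conf_text)
    covered = {v: full_tunnel(nets, v) for v in (4, 6)}
    if any(covered.values()):
        return [v for v in (4, 6) if not covered[v]]
    return []  # split-tunnel config: nothing claims to carry all traffic


if __name__ == "__main__":
    for name, conf in (("v4-only", V4_ONLY), ("dual", DUAL)):
        print(name, "bypasses tunnel:", untunnelled_families(conf))
```

The check also treats a default route written as two halves (0.0.0.0/1 plus 128.0.0.0/1) as full-tunnel, because the networks are merged before comparison.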
WireGuard behaviour with systemd-resolved
I've noticed some concerning behaviour using WireGuard on Manjaro GNOME. When the WireGuard interface is brought up, the system starts using the DNS servers provided in the wg-client.conf file. Intermittently however, internal DNS records will resolve using their public IP addresses. Using tcpdump, I'm able to see the system is using 8.8.8.8 and 8.8.4.4 for some queries. These addresses are configured as fallback DNS servers in systemd-resolved. They were acquired via DHCP before the WireGuard interface was brought up. Is this an issue with WireGuard, or systemd-resolved? Based on what information I'm able to find, it appears there are some big concerns with how systemd-resolved handles DNS, so I'm more inclined to think the issue lies there.
Re: WireGuard behaviour with systemd-resolved
I'm not sure of the proper way to resolve this issue with systemd-resolved, but I was able to get to a more comfortable position in my case by disabling systemd-resolved and manually configuring my DNS servers in /etc/resolv.conf. Since the machine in question always sends all traffic over the VPN, I statically set the IP of the WireGuard server in the wg-quick config file so I wouldn't have to have public DNS in /etc/resolv.conf. It appears that some testing is needed with WireGuard/wg-quick on systems using systemd-resolved. I'm happy to help test, but I'm not very familiar with systemd-resolved's inner workings, so I may be of limited use.
Re: Configure WireGuard for Roaming Between IPv4, IPv6
Since this is a home setup and my /56 might (will) change at some point, I don't want to have to reconfigure my router, server, and clients. Unless there's a way to dynamically reconfigure these devices in such a situation?

Original Message
On Sep 16, 2018, 12:47 PM, Toke Høiland-Jørgensen wrote:

> Lane Russell writes:
>
>> Thanks so much for setting me straight. I've gotten IPv6 working over
>> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
>> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
>> /64 pointed at the local subnet where my VPN server is. From there,
>> the VPN clients use my ULA prefix to talk to the server. The server
>> masquerades these ULA addresses to its global address.
>
> Why are you using masquerading? Kinda defeats the whole point of IPv6,
> doesn't it? :)
>
> You can just pick a public /64 from your subnet and assign that for use
> inside the tunnel, then give your clients addresses from that and use
> normal routing on the wireguard server. You'll have to get the prefix
> routed to your wireguard server, of course; either set that up manually,
> or use something like DHCP prefix delegation, or a routing daemon...
>
> If you don't want to use a whole /64 (but really, there's no reason you
> shouldn't be able to), you can also use /128's inside the tunnel and
> just route those from your gateway to your wireguard server.
>
> -Toke