I figured out the first two bits of using source specific routing for ipv6 with wireguard...
The first trick was to watch what wg-quick wanted to do and change it. So I set up my vpn client (deep within my network) thusly:

[Interface]
#Address = 2600:8211:e001:9300::2/60
ListenPort = 51820
PrivateKey = neveryoumind

[Peer]
PublicKey = notdoingthat
AllowedIPs = 2600:8211:e001:9300::/60, ::/0
Endpoint = tun.taht.net:51820

This tells wireguard to let any ipv6 address through and treat it like a default route. We don't really want this but I fix this later. The server is set up similarly, but no ::/0 and an address of ::1/60.

Then I changed the default startup to look like this:

#!/bin/sh
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
# preferred_lft 0 makes sure you don't use this address for anything you don't explicitly bind to
# Otherwise *because* it is static, with a preferred_lft of forever, it gets chosen as
# a default ipv6 addr over the dynamic ipv6 addresses. I only want the vpn for
# specific tools...
ip address add 2600:8211:e001:9300::2/60 dev wg0 preferred_lft 0
ip link set mtu 1420 dev wg0
ip link set wg0 up
ip route add 2600:8211:e001:9300::/60 dev wg0
# the default line generated by wg-quick inserts a default route for everything
# which disables my native ipv6 addrs and routing
# The trick - note the from and the proto
ip -6 route add ::/0 from 2600:8211:e001:9300::/60 dev wg0 proto 48

Then I set up babeld.conf to have

redistribute proto 48 allow

which exports that "from default" to the rest of my network without doing a default default route that RA picks up.

I can then do stuff anywhere else on my net (running babel rfc6126bis), like

ip address add 2600:8211:e001:9301::1/64 dev whichever preferred_lft 0

which gives me a valid_lft of forever... and this lets me use my native, dynamic, ipv6 ips from comcast in the general case, and the vpn tunnel'd ipv6 address ranges only when I explicitly specify it.
I have no idea if dhcpv6-pd can be configured (with a valid_lft of a lot, constantly renewed, and a preferred of 0) this way or hnetd, or if there was some better way to deprioritize a given set of ipv6 addrs, but...

Now that I have a whole /56 I can finally fiddle more with hnetd again. This also gives me cheap failover if one of my gws goes down...

On Thu, Nov 8, 2018 at 3:57 PM Dave Taht <d...@taht.net> wrote:
>
> Now that I can use the rfc6126bis version of babel's source specific
> routing...
>
> and wireguard is looking stabler and stabler...
>
> I'd like to come up with some reliable subset of the following
> idea.
>
> I've had this linode ipv6/56 for ages. I used to use hurricane for
> static ipv6's until netflix started blocking that. comcast dynamic ipv6
> is a real pita. My hope was, with a whole /56 that I could actually run
> a mail server on my side of it (at least), and dole out portions of the
> /56 to other boxes both on my campus lan, boat, laptop, etc - any place
> I need it....
>
> somewhere along the way I wanted to get a wireguard tunnel with a babel
> "from" route up.
>
> My thinking is weird, in that I'd like to run the tunnel/56 to
> tun.taht.net from ceres.taht.net (dynamic ipv6 ip)
>
> I'd like to break out individual /60s, so, for example, my boat (running
> wireguard over a cell phone, over ipv6!!) would have its own /60 to
> address every router in it... and in that case I do NOT want to touch it
> down in the cloud (because my phone is guaranteed to have ipv6), I want
> it to go to my dynamic dns ipv6 address for ceres.
>
> I tried to do this quite some time ago in wireguard's evolution.
>
> Most of the examples out there are for sending *all* your traffic via
> wireguard through a default gw, where what I want is just the ipv6/56
> addrs I've exported to automagically go through the vpn. e.g. I'd bind
> the house mail server to the vpn address of whatever::3/64, campus
> server at whatever:20::3/64, boat ssh server at whatever:30::neveryoumind/64
>
> When doing that normally you'd do something like
>
> ip -6 route default from vpn:add:ress::/56 via dev wireguardvpn
>
> If I can possibly make anything more complicated!!! it would be great to
> be able to always go directly to the ipv6 ceres and fall back to the (ipv4)
> cloud... announcing to the rest of my boxes (via babel) where I am...
>
> tun.taht.net has the /56
>
> campus 1 needs at least a 60, maybe even a 58.
>
> lab needs a 60
>
> boat warriors (half dozen boxes, a /62?) (yes, this is excessive but I
> can't get dhcpv6-pd out of the phone, and I have multiple routers on
> board because that's the work I do)
>
> road warriors
> laptop - needs a mobile 128? But I don't want it to try to connect over
> the vpn over the vpn....
>
> so that's the crazy question. I don't think I've described it well enough.
>
> so quick and slightly less question - how's android working and does
> wireguard on android work over ipv6? Can an android tether at least, export RA?
>
> alternatively anyone know of a good usb stick for cell?
>
> PS I used to do this sort of crazy stuff with tinc, but...
>
> PPS yes, my boat runs babel. It would be awesome if more boats ran adhoc
> wifi, babel, and hnetd. VHF sucks compared to wifi. A picostation on the
> mast has about 20 mile range.
>
> _______________________________________________
> Babel-users mailing list
> babel-us...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users

--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
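An added check for the setup described in the post (example code, not from the post, babeld or wireguard): it parses `ip -6 route show` and `ip -6 addr show dev wg0` output and confirms that the only default through wg0 is the `from` route tagged proto 48 (so a wg-quick style plain default has not crept back in and hijacked native ipv6) and that the wg0 address really is deprecated via preferred_lft 0. The sample output is constructed, modelled on the prefix and proto in the post.

```python
import ipaddress
import re

# Constructed sample output (not captured from the poster's hosts): the "from"
# default on wg0 with proto 48, the /60 itself on wg0, the native RA default on eth0.
SAMPLE_ROUTES = """\
default from 2600:8211:e001:9300::/60 dev wg0 proto 48 metric 1024 pref medium
2600:8211:e001:9300::/60 dev wg0 metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1700sec pref medium
"""
SAMPLE_ADDR = """\
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
    inet6 2600:8211:e001:9300::2/60 scope global deprecated
       valid_lft forever preferred_lft 0sec
"""
FLAGS = {"onlink", "linkdown", "dead", "pervasive"}  # single-token attributes

def parse_routes(text):
    """Turn each `ip -6 route show` line into a dict of its attributes."""
    routes = []
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        r, i = {"dst": tok[0]}, 1
        if len(tok) > 2 and tok[1] == "from":       # source-specific route
            r["from"], i = tok[2], 3
        while i < len(tok):
            if tok[i] in FLAGS:
                r[tok[i]], i = True, i + 1
            else:
                r[tok[i]], i = tok[i + 1], i + 2
        routes.append(r)
    return routes

def vpn_default_is_source_specific(text, dev="wg0",
                                   prefix="2600:8211:e001:9300::/60", proto="48"):
    """True if every default through `dev` is a `from <prefix>` route carrying
    the proto babeld redistributes, so no plain default hijacks native IPv6."""
    defaults = [r for r in parse_routes(text)
                if r["dst"] == "default" and r.get("dev") == dev]
    want = ipaddress.ip_network(prefix)
    return bool(defaults) and all(
        "from" in r and ipaddress.ip_network(r["from"]) == want
        and r.get("proto") == proto for r in defaults)

def vpn_address_is_deprecated(text, addr="2600:8211:e001:9300::2"):
    """True if `addr` was added with preferred_lft 0 (shown as deprecated /
    preferred_lft 0sec), so it is never auto-selected as a source address."""
    m = re.search(r"inet6 " + re.escape(addr) + r"/\d+[^\n]*\n\s*valid_lft \S+"
                  r" preferred_lft (\S+)", text)
    return m is not None and m.group(1) == "0sec"
```

Feed it the real command output on a host to confirm the native eth0 default survived alongside the tunnel's `from` default.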