From: tlhackque <tlhackque@yahoo.com>
To: wireguard <wireguard@lists.zx2c4.com>
Subject: Wireguard Neighborhood (IPv6)
Date: Fri, 24 Sep 2021 11:31:40 -0400 [thread overview]
Message-ID: <0fa09c57-e2de-b1fc-8ca1-2f03fe543bec@yahoo.com> (raw)
In-Reply-To: <0fa09c57-e2de-b1fc-8ca1-2f03fe543bec.ref@yahoo.com>
[-- Attachment #1.1: Type: text/plain, Size: 1760 bytes --]
TLDR; It seems that WireGuard isn't supporting IPv6 NDP, and it should.
Use case & a work-around.
Full story:
Configuration:
WireGuard server (Linux, details below) behind a site router that
handles IPv4 NAT & an IPv6 tunnel.
Server LAN has other hosts (and multiple subnets/vlans) - mostly dual stack.
The WireGuard server is able to access the WireGuard peers (clients)
over IPv6. The other hosts (and the router) are not.
The clients can't even ping the other hosts - the echo replies are
generated, but they end up with an icmp6 unreachable.
It turns out that the other hosts (and router) send an icmp6 Neighbor
Solicitation for the clients, which is never answered.
My interim solution was to implement
https://github.com/setaou/ndp-proxy, which will respond with Neighbor
Advertisements for the entire WireGuard subnet.
This is a rather crude solution - since ndp-proxy doesn't know what
clients are connected, and since it requires one proxy process/wg interface.
It seems to me that WireGuard (in this case on the server) should at
least be responding to Neighbor Solicitations for AllowedIPs of its
active peers... Of course in the case of a WireGuard tunnel between two
such sites, this is symmetric.
I did look at net.ipv6.conf.*.proxy_ndp, but that requires adding each
address - and in any case I couldn't get it to work. Neither did
advertising the server as a "router" with radvd.
Unless I'm missing something, it seems to me that supporting NDP is the
simplest "it just works" approach in any case...
wireguard-tools v1.0.20210424 - https://git.zx2c4.com/wireguard-tools/
Linux hagrid 5.13.16-200.fc34.x86_64 #1 SMP Mon Sep 13 12:39:36 UTC 2021
x86_64 x86_64 x86_64 GNU/Linux
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
next parent reply other threads:[~2021-09-24 15:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0fa09c57-e2de-b1fc-8ca1-2f03fe543bec.ref@yahoo.com>
2021-09-24 15:31 ` tlhackque [this message]
2021-09-24 15:45 ` Jeroen Massar
2021-09-24 15:58 ` Roman Mamedov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0fa09c57-e2de-b1fc-8ca1-2f03fe543bec@yahoo.com \
--to=tlhackque@yahoo.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).