Development discussion of WireGuard
* Endpoint address dns resolution - option to prefer IPv6 or IPv4
@ 2020-03-13 14:52 Torsten Krah
  2020-03-14  7:40 ` Stefan Tatschner
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Torsten Krah @ 2020-03-13 14:52 UTC (permalink / raw)
  To: wireguard

Hi,

I've got an endpoint with a DNS name which has both, an A and AAAA
record.
I would like to configure the client, so that I can tell him, to either
prefer IPv6 or IPv4 for the vpn connection.

How can I do that (no I don't want to remove either an A or AAAA record
from DNS - just in the client)?

If it's not yet possible - can support be added for this? I am also
happy with some code pointers where this decision is done to come up
with a patch maybe?

kind regards

Torsten




* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-13 14:52 Endpoint address dns resolution - option to prefer IPv6 or IPv4 Torsten Krah
@ 2020-03-14  7:40 ` Stefan Tatschner
  2020-03-14 14:53   ` Torsten Krah
       [not found] ` <CAADpXXY7ajNwRoF1sivACxUfFj-SpWf6o6+1Uq2N0XzEp3bvTw@mail.gmail.com>
  2020-03-14 16:52 ` Luis Ressel
  2 siblings, 1 reply; 9+ messages in thread
From: Stefan Tatschner @ 2020-03-14  7:40 UTC (permalink / raw)
  To: krah.tm, wireguard

On Fri, 2020-03-13 at 15:52 +0100, Torsten Krah wrote:
> I would like to configure the client, so that I can tell him, to
> either prefer IPv6 or IPv4 for the vpn connection.

If you use the WireGuard support in NetworkManager, it does update the
Endpoint dynamically. I am not sure if you can configure a preference
on v4/v6, but at least it updates the endpoint automatically depending
on the current network capabilities. IIRC it uses the system wide
settings in /etc/gai.conf.



* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
       [not found] ` <CAADpXXY7ajNwRoF1sivACxUfFj-SpWf6o6+1Uq2N0XzEp3bvTw@mail.gmail.com>
@ 2020-03-14 14:51   ` Torsten Krah
  2020-03-16  5:05     ` Roman Mamedov
  0 siblings, 1 reply; 9+ messages in thread
From: Torsten Krah @ 2020-03-14 14:51 UTC (permalink / raw)
  To: wireguard

resend to the list:

Hm, sorry I don't get the message. Imho it's down to the user. I can
choose to use ping or ping6 or tell e.g. java via a system property to
prefer IPv4 if dual stack is available.

In wireguard I can force ipv6 only by writing an ipv6 address in the
endpoint, but via dns ... how to choose which one I prefer?

kind regards


* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-14  7:40 ` Stefan Tatschner
@ 2020-03-14 14:53   ` Torsten Krah
  0 siblings, 0 replies; 9+ messages in thread
From: Torsten Krah @ 2020-03-14 14:53 UTC (permalink / raw)
  To: wireguard

I don't use NetworkManager - just the wireguard command line tool -
searching for a way to configure the preference on v4/v6.


* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-13 14:52 Endpoint address dns resolution - option to prefer IPv6 or IPv4 Torsten Krah
  2020-03-14  7:40 ` Stefan Tatschner
       [not found] ` <CAADpXXY7ajNwRoF1sivACxUfFj-SpWf6o6+1Uq2N0XzEp3bvTw@mail.gmail.com>
@ 2020-03-14 16:52 ` Luis Ressel
  2020-03-14 17:08   ` Matthias Urlichs
  2 siblings, 1 reply; 9+ messages in thread
From: Luis Ressel @ 2020-03-14 16:52 UTC (permalink / raw)
  To: Torsten Krah; +Cc: wireguard

On Fri, Mar 13, 2020 at 03:52:19PM +0100, Torsten Krah wrote:
> I've got an endpoint with a DNS name which has both, an A and AAAA
> record.
> I would like to configure the client, so that I can tell him, to either
> prefer IPv6 or IPv4 for the vpn connection.

The relevant source code can be found here:
https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242

As you can see, wg resolves host names through the libc's getaddrinfo()
function, and simply uses the first ip address returned by that
function.

A standards-compliant implementation should return an ipv6 address in
the first position if one is available and the host has a working
connection to the v6 internet. As far as I know, both glibc and musl do
this (though the behaviour of glibc can be modified by editing
/etc/gai.conf); I'm not sure what other libcs do.

It would of course be possible to make this behaviour configurable for
wg; we just need to figure out if that's a useful feature, and what the
exact semantics should be.

Cheers,
Luis
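
The selection step described in the message above, sketched as an added example (not part of the original post and not code from wireguard-tools): resolve with `AF_UNSPEC`, then take the first result of a preferred family and fall back to the head of the list. The names `pick_preferred`, `resolve_endpoint` and `demo_pick_family` are hypothetical, and the addresses are constructed documentation values.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* expose getaddrinfo() under strict -std= */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: first entry of the wanted family, else the list head. */
static const struct addrinfo *pick_preferred(const struct addrinfo *list, int family)
{
	for (const struct addrinfo *ai = list; ai; ai = ai->ai_next)
		if (ai->ai_family == family)
			return ai;
	return list; /* fallback: same choice as taking the first result */
}

/* Resolve host:port, write the chosen numeric address to out; returns its family or -1. */
static int resolve_endpoint(const char *host, const char *port, int family,
			    char *out, size_t outlen)
{
	struct addrinfo hints, *res;
	int ret = -1;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;    /* ask for A and AAAA, choose afterwards */
	hints.ai_socktype = SOCK_DGRAM; /* WireGuard endpoints are UDP */
	if (getaddrinfo(host, port, &hints, &res) != 0)
		return -1;
	const struct addrinfo *ai = pick_preferred(res, family);
	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, out, outlen, NULL, 0, NI_NUMERICHOST) == 0)
		ret = ai->ai_family;
	freeaddrinfo(res);
	return ret;
}

/* Constructed dual-stack answer (AAAA first) to exercise the selection offline. */
static int demo_pick_family(int preferred, int include_v6)
{
	struct addrinfo v4 = { .ai_family = AF_INET };
	struct addrinfo v6 = { .ai_family = AF_INET6, .ai_next = &v4 };
	return pick_preferred(include_v6 ? &v6 : &v4, preferred)->ai_family;
}

int main(void)
{
	char buf[64];
	int fam = resolve_endpoint("192.0.2.1", "51820", AF_INET6, buf, sizeof(buf));
	printf("family=%d address=%s demo=%d\n", fam, fam < 0 ? "?" : buf, demo_pick_family(AF_INET, 1));
	return fam < 0;
}
```

The preference is only a preference: when the answer has no entry of the requested family, the head of the list is used, so a v4-only name still resolves with an IPv6 preference set.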


* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-14 16:52 ` Luis Ressel
@ 2020-03-14 17:08   ` Matthias Urlichs
  2020-03-14 18:03     ` Luis Ressel
  0 siblings, 1 reply; 9+ messages in thread
From: Matthias Urlichs @ 2020-03-14 17:08 UTC (permalink / raw)
  To: wireguard

On 14.03.20 17:52, Luis Ressel wrote:
> A standards-compliant implementation should return an ipv6 address in
> the first position if one is available and the host has a working
> connection to the v6 internet.

Unfortunately that is necessary but not sufficient for the link to
actually succeed. Also a host might have two IPv4 (or IPv6) addresses,
only one of which works, so this problem is not v6-vs.-v4 specific.

Ideally some background process forked by `wg` or `wg-quick` should set
the first address, monitor the peer, and use the next one if it hasn't
been established after some configurable number of seconds (or when the
keepalive fails). Bonus points for re-resolving the address when it expires.

-- 
-- Matthias Urlichs



* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-14 17:08   ` Matthias Urlichs
@ 2020-03-14 18:03     ` Luis Ressel
  0 siblings, 0 replies; 9+ messages in thread
From: Luis Ressel @ 2020-03-14 18:03 UTC (permalink / raw)
  To: Matthias Urlichs; +Cc: wireguard

On Sat, Mar 14, 2020 at 06:08:35PM +0100, Matthias Urlichs wrote:
> Ideally some background process forked by `wg` or `wg-quick` should set
> the first address, monitor the peer, and use the next one if it hasn't
> been established after some configurable number of seconds (or when the
> keepalive fails). Bonus points for re-resolving the address when it expires.

Yes, trying the ips in order until a tunnel can be established is
certainly a good idea, and in fact what the relevant standards
recommend, but so far no one has bothered to implement it.

Running a daemon that periodically re-resolves the host and sets the
endpoint to its current ip, on the other hand, would interfere with
wireguard's transparent roaming support, so wg(8) isn't ever going to do
that. Of course, you can easily do this yourself if it makes sense for
your setup.

Cheers,
Luis


* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-14 14:51   ` Torsten Krah
@ 2020-03-16  5:05     ` Roman Mamedov
  2020-03-16  8:30       ` Torsten Krah
  0 siblings, 1 reply; 9+ messages in thread
From: Roman Mamedov @ 2020-03-16  5:05 UTC (permalink / raw)
  To: Torsten Krah; +Cc: wireguard

On Sat, 14 Mar 2020 15:51:51 +0100
Torsten Krah <krah.tm@gmail.com> wrote:

> resend to the list:
> 
> Hm, sorry I don't get the message. Imho it's down to the user. I can
> choose to use ping or ping6 or tell e.g. java via a system property to
> prefer IPv4 if dual stack is available.
> 
> In wireguard I can force ipv6 only by writing an ipv6 address in the
> endpoint, but via dns ... how to choose which one I prefer?

If it is so important to you to force one or the other, then make separate DNS
records for IPv4 and IPv6, server4.example.com, server6.example.com.

-- 
With respect,
Roman


* Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
  2020-03-16  5:05     ` Roman Mamedov
@ 2020-03-16  8:30       ` Torsten Krah
  0 siblings, 0 replies; 9+ messages in thread
From: Torsten Krah @ 2020-03-16  8:30 UTC (permalink / raw)
  To: wireguard

On Monday, 16.03.2020, at 10:05 +0500, Roman Mamedov wrote:
> If it is so important to you to force one or the other, then make
> separate DNS
> records for IPv4 and IPv6, server4.example.com, server6.example.com.


Please read the first post again, that was not the question.

kind regards

Torsten

