Development discussion of WireGuard
* Wireguard Neighborhood (IPv6)
From: tlhackque @ 2021-09-24 15:31 UTC (permalink / raw)
  To: wireguard



TL;DR: It seems that WireGuard isn't supporting IPv6 NDP, and it should.
Use case & a work-around.

Full story:

Configuration:

WireGuard server (Linux, details below) behind a site router that
handles IPv4 NAT & an IPv6 tunnel.

Server LAN has other hosts (and multiple subnets/vlans) - mostly dual stack.

The WireGuard server is able to access the WireGuard peers (clients)
over IPv6.  The other hosts (and the router) are not.

The clients can't even ping the other hosts - the echo replies are
generated, but they end up with an icmp6 unreachable.

It turns out that the other hosts (and router) send an icmp6 Neighbor
Solicitation for the clients, which is never answered.

My interim solution was to implement
https://github.com/setaou/ndp-proxy, which will respond with Neighbor
Advertisements for the entire WireGuard subnet.

This is a rather crude solution - since ndp-proxy doesn't know what
clients are connected, and since it requires one proxy process/wg interface.

It seems to me that WireGuard (in this case on the server) should at
least be responding to Neighbor Solicitations for AllowedIPs of its
active peers... Of course in the case of a WireGuard tunnel between two
such sites, this is symmetric.

I did look at net.ipv6.conf.*.proxy_ndp, but that requires adding each
address - and in any case I couldn't get it to work.  Neither did
advertising the server as a "router" with radvd.

Unless I'm missing something, it seems to me that supporting NDP is the
simplest "it just works" approach in any case...

wireguard-tools v1.0.20210424 - https://git.zx2c4.com/wireguard-tools/

Linux hagrid 5.13.16-200.fc34.x86_64 #1 SMP Mon Sep 13 12:39:36 UTC 2021
x86_64 x86_64 x86_64 GNU/Linux




* Re: Wireguard Neighborhood (IPv6)
From: Jeroen Massar @ 2021-09-24 15:45 UTC (permalink / raw)
  To: tlhackque; +Cc: wireguard

If you have something like the very common setup:

{internet} -> [wgserver] -> [wgclient] -> [local LAN]

Then if you have address space routed to wgserver, just route a /64 to wgclient and then normally radvd(&dhcpv6) it, done.

If you only have a single /64 on the server, then indeed you need to hack around with ndproxy.

But given that ISPs have near-infinite IPv6 space... they should be able to route you a simple /64 and technically, from a RIR perspective, should even be doing a minimal /56 or even a /48...

Greets,
 Jeroen




* Re: Wireguard Neighborhood (IPv6)
From: Roman Mamedov @ 2021-09-24 15:58 UTC (permalink / raw)
  To: tlhackque; +Cc: wireguard

On Fri, 24 Sep 2021 11:31:40 -0400
tlhackque <tlhackque@yahoo.com> wrote:

> WireGuard server (Linux, details below) behind a site router that
> handles IPv4 NAT & an IPv6 tunnel.
> 
> Server LAN has other hosts (and multiple subnets/vlans) - mostly dual stack.
> 
> The WireGuard server is able to access the WireGuard peers (clients)
> over IPv6.  The other hosts (and the router) are not.
> 
> The clients can't even ping the other hosts - the echo replies are
> generated, but they end up with an icmp6 unreachable.
> 
> It turns out that the other hosts (and router) send an icmp6 Neighbor
> Solicitation for the clients, which is never answered.
> 
> My interim solution was to implement
> https://github.com/setaou/ndp-proxy, which will respond with Neighbor
> Advertisements for the entire WireGuard subnet.
> 
> This is a rather crude solution - since ndp-proxy doesn't know what
> clients are connected, and since it requires one proxy process/wg interface.
> 
> It seems to me that WireGuard (in this case on the server) should at
> least be responding to Neighbor Solicitations for AllowedIPs of its
> active peers... Of course in the case of a WireGuard tunnel between two
> such sites, this is symmetric.
> 
> I did look at net.ipv6.conf.*.proxy_ndp, but that requires adding each
> address - and in any case I couldn't get it to work.  Neither did
> advertising the server as a "router" with radvd.
> 
> Unless I'm missing something, it seems to me that supporting NDP is the
> simplest "it just works" approach in any case...

You are not configuring your network correctly routing-wise, and the issue is
not "WireGuard not supporting NDP" -- yes, it doesn't, but that's not the point
to blame for the behavior that you observe -- which is completely normal.

Server LAN is one L2 network; the WG network is *another*, L3 network.
There is nothing anywhere that dictates that there would be NDP replies
*across* separate networks, let alone L2 vs L3.

The WG network needs its own separate IPv6 range, and other hosts need to have
a route to that range "via" the VPN server (if it's not their default gateway).
Then, the WG clients need to know the route back to those other hosts, i.e.
the network they use needs to be in AllowedIPs for the VPN server.

-- 
With respect,
Roman
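As an added illustration of the two routing conditions Roman describes (this is example code, not from the thread or the WireGuard project), the following Python checks a pair of constructed wg-quick style configs: the tunnel gets its own /64 distinct from the LAN's on-link /64, and the client's AllowedIPs covers the LAN prefix so replies have a route back; it also emits the static route the other LAN hosts (or the site router) need. All addresses are constructed documentation-range values, and the server's LAN address 2001:db8:1::5 is an assumption.

```python
import ipaddress

# Constructed sample configs using documentation prefixes (not from the thread).
LAN = ["2001:db8:1::/64"]  # the server's LAN /64; the WG server is assumed to be 2001:db8:1::5 on it
GOOD_SERVER = "[Interface]\nAddress = 2001:db8:2::1/64\nListenPort = 51820\n[Peer]\nAllowedIPs = 2001:db8:2::10/128\n"
GOOD_CLIENT = ("[Interface]\nAddress = 2001:db8:2::10/64\n[Peer]\nEndpoint = [2001:db8:1::5]:51820\n"
               "AllowedIPs = 2001:db8:2::/64, 2001:db8:1::/64\n")
BAD_SERVER = GOOD_SERVER.replace("2001:db8:2::1/64", "2001:db8:1::200/64")  # tunnel carved out of the LAN /64
BAD_CLIENT = GOOD_CLIENT.replace(", 2001:db8:1::/64", "")  # client has no route back to the LAN


def parse_conf(text):
    """Minimal parser for wg-quick style INI: list of {'_name': section, key: [values]}."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            sections.append({"_name": line.strip("[]")})
        else:
            key, _, value = line.partition("=")
            sections[-1].setdefault(key.strip(), []).append(value.strip())
    return sections


def networks(values):
    """Expand comma-separated Address/AllowedIPs values into IPv6 networks."""
    nets = [ipaddress.ip_network(v.strip(), strict=False) for val in values for v in val.split(",")]
    return [n for n in nets if n.version == 6]


def tunnel_prefixes(server_conf):
    iface = next(s for s in parse_conf(server_conf) if s["_name"] == "Interface")
    return networks(iface["Address"])


def check_routing(server_conf, client_conf, lan_prefixes):
    """Return the list of violations of the two conditions (empty list means OK)."""
    lan = [ipaddress.ip_network(p) for p in lan_prefixes]
    problems = []
    # 1. The tunnel must be its own prefix; if it overlaps the LAN's on-link /64, LAN hosts send
    #    Neighbor Solicitations for tunnel addresses (the symptom in the thread) instead of routing.
    for t in tunnel_prefixes(server_conf):
        problems += [f"tunnel {t} overlaps LAN {l}" for l in lan if t.overlaps(l)]
    # 2. The client needs a route back: every LAN prefix must sit inside an AllowedIPs entry
    #    of the client's server peer, or its replies to LAN hosts are dropped as unreachable.
    allowed = [n for p in parse_conf(client_conf) if p["_name"] == "Peer" for n in networks(p.get("AllowedIPs", []))]
    problems += [f"LAN {l} missing from client AllowedIPs" for l in lan if not any(l.subnet_of(a) for a in allowed)]
    return problems


def lan_route_commands(server_conf, server_lan_addr):
    """Static routes the other LAN hosts (or the site router) need: tunnel prefix via the WG server."""
    return [f"ip -6 route add {t} via {server_lan_addr}" for t in tunnel_prefixes(server_conf)]
```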

