Development discussion of WireGuard
From: David Cowden <david.w.cowden@gmail.com>
To: Lane Russell <lanerussell@protonmail.com>
Cc: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Re: Configure WireGuard for Roaming Between IPv4, IPv6
Date: Sat, 15 Sep 2018 15:41:20 -0700
Message-ID: <CAD=29B_P0eF7f3m5cKfxmm0hy8KqVA1dgfmagcotz84eqO_nvQ@mail.gmail.com>
In-Reply-To: <cLOCDzwe4IyvMeayGnJqwGcbyBRfTtha5e0S0zJ33t_4tNCutwD-Krje6NTotKw_lIJdZT7ldacMCg7Rv-m3UuEzS-diWg3-5Z3VE2J_thk=@protonmail.com>

I haven't actually tried that specific scenario but I don't see why the
tunnel wouldn't "come up". I mean really it's up when the interface is up
and the tunnel "connection" (it's UDP) isn't actually "established" (in a
NAT/firewall sense) unless data is sent. You can have an interface
configured for IPv6 on an "IPv4 only" network, it just won't get responses
to its router solicitations so the kernel (Linux, at least--BSDs do this in
userspace) won't configure routes for IPv6 traffic. If you look at your
physical interfaces, you'll probably notice they all have IPv6 link-local
addresses unless you've actually turned off IPv6 support in the kernel.

The reason your IPv6 traffic goes out unencrypted on dual stack networks is
because the default route for IPv6 traffic is not the WireGuard interface,
but rather one of the physical ones. All you need to do to send your IPv6
traffic through the tunnel is configure the interface to be part of the
IPv6 network you're trying to reach, and of course allow an IPv6 address
from the client in the server config. In fact, if you configure your
interface with IPv6 address(es) and a route pointing at the wg interface,
you can even send IPv6 traffic on an IPv4 only tunnel provided your server
can route IPv6 traffic. If you're using wg-quick, simply adding an IPv6
address to the interface and allowing all IPv6 traffic from the server peer
would suffice.

On Sat, Sep 15, 2018 at 11:01 AM Lane Russell <lanerussell@protonmail.com>
wrote:

> What is the best practice for configuring WireGuard to work over diverse
> networks, including IPv4-only, IPv6-only, and dual-stack?
>
> For example, my current configuration only deals with IPv4. When I roam
> from an IPv4-only network to a dual-stack, my device routes IPv4 traffic
> over the WireGuard interface, but IPv6 traffic goes out unencrypted.
>
> My VPN server is IPv6-capable, so I could enable it. However, will the
> client tunnel fail to come up on an IPv4-only network if the config
> contains IPv6 addresses?

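The wg-quick setup described in the reply above, as an added example that is not part of the original message: two constructed client configs (IPv4-only and dual-stack over an IPv4 endpoint) and a small checker that reports which address families are actually sent through the tunnel. All keys, addresses and the function name are placeholders chosen for illustration, and the check only recognises a literal /0 default route in AllowedIPs.

```python
import ipaddress

# Constructed sample configs (keys and addresses are placeholders, not from the thread).
IPV4_ONLY = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""

DUAL_STACK = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32, fd00:10::2/128

[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def tunnel_coverage(conf_text):
    """Return {4: bool, 6: bool}: family has an interface address AND a default route via a peer."""
    addrs, allowed, section = [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "address":
            addrs += [ipaddress.ip_interface(v) for v in items]
        elif section == "peer" and key == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    # Prefix length 0 means 0.0.0.0/0 or ::/0, i.e. all traffic of that family.
    return {v: any(a.version == v for a in addrs)
               and any(n.version == v and n.prefixlen == 0 for n in allowed)
            for v in (4, 6)}
```

A `False` for family 6 on the first config corresponds to the situation in the original question: on a dual-stack network, IPv6 follows the physical interface's default route instead of the tunnel.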
Thread overview: 6+ messages
2018-09-06 19:33 Lane Russell
2018-09-15 22:41 ` David Cowden [this message]
2018-09-16 16:40   ` Lane Russell
2018-09-16 17:47     ` Toke Høiland-Jørgensen
2018-09-16 18:09       ` Lane Russell
2018-09-16 18:22         ` Toke Høiland-Jørgensen