NetBSD-Users archive
Re: Setting up IPv6 wg tunnel
On 6/13/26 14:00, Greg Troxel wrote:
> You have left out your addressing design. IPv6 is not a place where
> people use NAT much. It seems obvious you should have a /64 assigned
> to your VPS and use that on the VPN, but it seems you only have one address.
Not every VPS provider does this. The current one is *supposedly* giving
me a /64 segment but GUAs other than ::1 sometimes work and sometimes
they don't, so I'm assuming they're just giving me a single address, or
their routing is broken. One thing might be to ask them about this,
although their support is terrible, as I already have an open ticket
with them regarding NDP resolution issues, which they dismissed as "I
can ping fine so it works". I'm also the customer of another provider
but they explicitly give me a single address - their support is good
though, so I might politely ask for a /64 segment, but their route isn't
as good (it has occasional packet loss). That's why I was attempting NAT
with this provider first.
> You didn't explain if you ran ifconfig on wg0 on the client once up, and
> what you see.
The client is a Linux machine:
9: jp6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.2.0.2/24 scope global jp6
valid_lft forever preferred_lft forever
inet6 fd00::2/64 scope global
valid_lft forever preferred_lft forever
> You didn't show pinging of the server-side fd00 address from the client
> (or just say that it works, don't need to see it).
They can ping each other through their private IPv6 addresses just fine
(fd00::1 <-> fd00::2).
> This seems funny, to have stateful in for all.
Well that's just the wg1 group, I should probably paste the entire
ruleset. Note that I have one wg0 interface just for peer-to-peer
connectivity for private services, and a wg1 to experiment with this
road warrior tunnel.
chiaki# cat /etc/npf.conf
$ext_if = ifaddrs(wm0)
$int_if = ifaddrs(wg0)
$vpn_if = ifaddrs(wg1)
# NAT
map wm0 dynamic 10.2.0.0/24 -> $ext_if
map wm0 dynamic fd00::/64 -> 2a06:a880:3:27b4::1
$services_ext_tcp = { domain, http, https, 10050 }
$services_ext_udp = { domain, 51821, 51822 }
$services_int_tcp = { 4245 }
table <bad> type ipset file "/etc/npf_bad"
# WAN
group "external" on $ext_if {
# allow outbound
pass stateful out all
# block ips
block in final from <bad>
# allow ping
pass in final proto icmp icmp-type echo all
pass in final proto ipv6-icmp all
# allow inet services
pass stateful in final proto tcp to $ext_if port $services_ext_tcp
pass stateful in final proto udp to $ext_if port $services_ext_udp
}
# internal VPN
group "internal" on $int_if {
# pass all outbound
pass stateful out final all
# allow internal services
pass stateful in final proto tcp to $int_if port $services_int_tcp
}
# road warrior
group "vpn" on $vpn_if {
pass all
}
group default {
pass final on lo0 all
pass in final proto icmp icmp-type echo all
pass in final proto ipv6-icmp all
block all
}
> Also there is tcpdump, to see packets arriving and departing on every
> interface you can look at.
Yes, I looked at it. wg1 is receiving the echo requests and replying with
destination unreachable:
listening on wg1, link-type NULL (BSD loopback), snapshot length 262144 bytes
00:24:21.942744 IP6 fd00::2 > tu-in-f101.1e100.net: ICMP6, echo request, id 810, seq 1, length 64
00:24:21.942777 IP6 fd00::1 > fd00::2: ICMP6, destination unreachable, unreachable address tu-in-f101.1e100.net, length 112
00:24:22.943693 IP6 fd00::2 > tu-in-f101.1e100.net: ICMP6, echo request, id 810, seq 2, length 64
00:24:22.943726 IP6 fd00::1 > fd00::2: ICMP6, destination unreachable, unreachable address tu-in-f101.1e100.net, length 112
The echo requests aren't going to the wm0 interface at all - I can't see
any echo requests appearing at all in the wm0 tcpdump.
The server has IPv6 connectivity just fine from its main GUA:
chiaki# ping6 -S 2a06:a880:3:27b4::1 -c 1 google.com
PING6(56=40+8+8 bytes) 2a06:a880:3:27b4::1 --> 2404:6800:400b:c005::64
16 bytes from 2404:6800:400b:c005::64, icmp_seq=0 hlim=113 time=1.592 ms
Although not from wg1's ULA:
PING6(56=40+8+8 bytes) fd00::1 --> 2404:6800:400b:c00c::65
ping6: sendmsg: Cannot allocate memory
ping6: wrote google.com 16 chars, ret=-1
--- google.com ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
Not sure if this is expected, though.
The routing table looks like this:
chiaki# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 85.121.122.1 UG - - - wm0
10.0.0/24 10.0.0.11 UGS - - - wg0
10.0.0.11 wg0 UHl - - - wg0
10.0.0.11/32 10.0.0.11 U - - - wg0
10.2.0/24 10.2.0.1 U - - - wg1
10.2.0.1 wg1 UHl - - - wg1
85.121.122/24 link#1 UC - - - wm0
85.121.122.175 link#1 UHl - - - lo0
127/8 127.0.0.1 UGRS - - 33624 lo0
127.0.0.1 lo0 UHl - - 33624 lo0
192.168.0/24 10.0.0.11 UGS - - - wg0
85.121.122.1 0c:59:9c:8c:dc:e4 UHL - - - wm0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 ::1 UGRS - - 33624 lo0
::/96 ::1 UGRS - - 33624 lo0
default fe80::e59:9c00:1e8c:dce4 UGS - - - wm0
::1 lo0 UHl - - 33624 lo0
::127.0.0.0/104 ::1 UGRS - - 33624 lo0
::224.0.0.0/100 ::1 UGRS - - 33624 lo0
::255.0.0.0/104 ::1 UGRS - - 33624 lo0
::ffff:0.0.0.0/96 ::1 UGRS - - 33624 lo0
2001:db8::/32 ::1 UGRS - - 33624 lo0
2002::/24 ::1 UGRS - - 33624 lo0
2002:7f00::/24 ::1 UGRS - - 33624 lo0
2002:e000::/20 ::1 UGRS - - 33624 lo0
2002:ff00::/24 ::1 UGRS - - 33624 lo0
2a06:a880:3:27b4::/64 link#1 UC - - - wm0
2a06:a880:3:27b4::1 link#1 UHl - - - lo0
fd00::/64 fd00::1 U - - - wg1
fd00::1 link#4 UHl - - - lo0
fe80::/10 ::1 UGRS - - 33624 lo0
fe80::%wm0/64 link#1 UC - - - wm0
fe80::216:3eff:fe1b:723a link#1 UHl - - - lo0
fe80::%lo0/64 fe80::1 U - - - lo0
fe80::1 lo0 UHl - - - lo0
fe80::%wg0/64 fe80::216:3eff:fe1b:723a U - - - wg0
fe80::216:3eff:fe1b:723a link#3 UHl - - - lo0
fe80::%wg1/64 fe80::216:3eff:fe1b:723a U - - - wg1
fe80::216:3eff:fe1b:723a link#4 UHl - - - lo0
ff01:1::/32 link#1 UC - - - wm0
ff01:2::/32 ::1 UC - - 33624 lo0
ff01:3::/32 fe80::216:3eff:fe1b:723a UC - - - wg0
ff01:4::/32 fe80::216:3eff:fe1b:723a UC - - - wg1
ff02::%wm0/32 link#1 UC - - - wm0
ff02::%lo0/32 ::1 UC - - 33624 lo0
ff02::%wg0/32 fe80::216:3eff:fe1b:723a UC - - - wg0
ff02::%wg1/32 fe80::216:3eff:fe1b:723a UC - - - wg1
2a06:a880:3:27b4::8 00:16:3e:1b:72:3a UHLSp - - - wm0
fe80::e59:9c00:1e8c:dce4 0c:59:9c:8c:dc:e4 UHLS - - - wm0
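The triage done by hand above (compare what wg1 sees with the routing table) can be scripted. The following is an added example, not code from this thread nor from NetBSD or NPF. It pairs each ICMP6 echo request captured on the tunnel with any "destination unreachable" that the gateway's own address (fd00::1, from the thread) sent back, then does a longest-prefix lookup of each destination against a netstat -rn style table to tell a reject (R-flag) route, for which an unreachable is the expected answer, from a destination that has a forwarding route and was still refused. The routing table excerpt is a constructed subset of the one posted; the capture is constructed in the same shape as the wg1 tcpdump but with numeric addresses (as `tcpdump -n` prints them), using the Google address from the ping6 output, plus one extra constructed request to an IPv4-mapped address so that the reject-route path is exercised.

```python
"""Pair tunnel-side ICMP6 echo requests with gateway-generated unreachables
and check each destination against a netstat -rn style routing table.
Added example; sample inputs below are constructed from the thread's output."""
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the Internet6 section of the posted `netstat -rn`.
ROUTES_TEXT = """\
default fe80::e59:9c00:1e8c:dce4 UGS - - - wm0
::/96 ::1 UGRS - - 33624 lo0
::ffff:0.0.0.0/96 ::1 UGRS - - 33624 lo0
2a06:a880:3:27b4::/64 link#1 UC - - - wm0
2a06:a880:3:27b4::1 link#1 UHl - - - lo0
fd00::/64 fd00::1 U - - - wg1
fd00::1 link#4 UHl - - - lo0
fe80::%wm0/64 link#1 UC - - - wm0
"""

# Constructed wg1 capture (tcpdump -n style). The first four lines mirror the
# thread's capture with the Google address from the ping6 output; the last
# two are an invented request to an IPv4-mapped address (reject route).
CAPTURE_WG1 = """\
00:24:21.942744 IP6 fd00::2 > 2404:6800:400b:c005::64: ICMP6, echo request, id 810, seq 1, length 64
00:24:21.942777 IP6 fd00::1 > fd00::2: ICMP6, destination unreachable, unreachable address 2404:6800:400b:c005::64, length 112
00:24:22.943693 IP6 fd00::2 > 2404:6800:400b:c005::64: ICMP6, echo request, id 810, seq 2, length 64
00:24:22.943726 IP6 fd00::1 > fd00::2: ICMP6, destination unreachable, unreachable address 2404:6800:400b:c005::64, length 112
00:24:23.100000 IP6 fd00::2 > ::ffff:192.0.2.1: ICMP6, echo request, id 811, seq 1, length 64
00:24:23.100040 IP6 fd00::1 > fd00::2: ICMP6, destination unreachable, unreachable address ::ffff:192.0.2.1, length 112
"""

PKT = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"(?P<kind>echo request|echo reply|destination unreachable)"
    r"(?:, unreachable address (?P<unreach>[^,\s]+))?")


def parse_routes(text):
    """Return [(network, gateway, flags, iface)] from netstat -rn style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, flags, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "::/0"
        dest = re.sub(r"%\w+", "", dest)      # drop scope id: fe80::%wm0/64
        if "/" not in dest:
            dest += "/128"                      # host route
        routes.append((ipaddress.ip_network(dest), gateway, flags, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; returns the matching route tuple or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for entry in routes:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def triage(capture, routes, gateway_addr="fd00::1"):
    """Per destination: echo requests seen on the tunnel, unreachables the
    gateway itself generated, and what the routing table says about it."""
    report = defaultdict(lambda: {"requests": 0, "gw_unreachable": 0})
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        if m["kind"] == "echo request":
            report[m["dst"]]["requests"] += 1
        elif (m["kind"] == "destination unreachable"
              and m["src"] == gateway_addr and m["unreach"]):
            report[m["unreach"]]["gw_unreachable"] += 1
    for dst, entry in report.items():
        route = lookup(routes, dst)
        if route is None:
            entry["verdict"] = "no route"
        elif "R" in route[2]:
            entry["verdict"] = "reject route %s: unreachable is expected" % route[0]
        elif entry["gw_unreachable"]:
            entry["verdict"] = ("forwarding route via %s exists, yet the gateway "
                                "replied unreachable: look after the route lookup "
                                "(forwarding/NAT), not at the routing table" % route[3])
        else:
            entry["verdict"] = "forwarded via %s" % route[3]
    return dict(report)


if __name__ == "__main__":
    for dst, entry in triage(CAPTURE_WG1, parse_routes(ROUTES_TEXT)).items():
        print(dst, entry)
```

Run against the constructed capture it reports the Google address as having two requests, two gateway-generated unreachables and a forwarding route via wm0, while the IPv4-mapped destination is attributed to the ::ffff:0.0.0.0/96 reject route. Feed it the real `tcpdump -n -i wg1` and `netstat -rn` output to get the same split for live traffic.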