[Babel-users] ipv6 tunnels and babel's source specific routing

Dave Taht dave.taht at gmail.com
Fri Nov 9 03:57:40 CET 2018

I figured out the first two bits of using source specific routing for
ipv6 with wireguard...

The first trick was to watch what wg-quick wanted to do and change it.
So I setup my vpn client (deep within
my network) thusly:

#Address = 2600:8211:e001:9300::2/60
ListenPort = 51820
PrivateKey = neveryoumind

PublicKey = notdoingthat
AllowedIPs = 2600:8211:e001:9300::/60, ::/0
Endpoint = tun.taht.net:51820

This tells wireguard to let any ipv6 address through and treat it like
a default route. We don't really want this but I fix this later.

The server is setup similarly, but no ::/0 and an address of ::1/60

Then I changed the default startup to look like this:

ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
# preferred_lft 0 makes sure you don't use this address for anything
you don't explicitly bind to
# Otherwise *because* it is static, with a preferred_lft of forever,
it gets chosen as
# a default ipv6 addr over the dynamic ipv6 addresses. I only want the vpn for
# specific tools...
ip address add 2600:8211:e001:9300::2/60 dev wg0 preferred_lft 0
ip link set mtu 1420 dev wg0
ip link set wg0 up
ip route add 2600:8211:e001:9300::/60 dev wg0
# the default line generated by wg-quick inserts a default route for everything
# which disables my native ipv6 addrs and routing
# The trick - note the from and the proto
ip -6 route add ::/0 from 2600:8211:e001:9300::/60 dev wg0 proto 48

then I setup babeld.conf to have

redistribute proto 48 allow

which exports that "from default" to the rest of my network without
doing a default default route that RA picks up

I can then do stuff anywhere else on my net (running babel rfc61236bis) , like

ip address add 2600:8211:e001:9301::1/64 dev whichever preferred_lft 0

which gives me a valid_lft of forever... and

this lets me use my native, dynamic, ipv6 ips from comcast in the general case,
and the vpn tunnel'd ipv6 address ranges only when I explicitly specify it.

I have no idea if dhcpv6-pd can be configured (with a valid_lft of a
lot, constantly renewed, and a prefeered of 0) this way or hnetd, or
if there was some better way
to deprioritize a given set of ipv6 addrs, but...

Now that I have a whole /56 I can finally fiddle more with hnetd
again. This also gives me cheap failover if one of my gws goes down...

On Thu, Nov 8, 2018 at 3:57 PM Dave Taht <dave at taht.net> wrote:
> Now that I can use the rfc6126bis version of babel's source specific
> routing...
> and wireguard is looking stabler and stabler...
> I'd like to come up with some reliable subset of the following
> idea.
> I've had this linode ipv6/56 for ages. I used to use hurricane for
> static ipv6's until netflix started blocking that. comcast dynamic ipv6
> is a real pita. My hope was, with a whole /56 that I could actually run
> a mail server on my side of it (at least), and dole out portions of the
> /56 to other boxes both on my campus lan, boat, laptop, etc - any place
> I need it....
> somewhere along the way I wanted to get a wireguard tunnel with a babel
> "from" route up.
> My thinking is weird, in that I'd like to run the tunnel/56 to
> tun.taht.net from ceres.taht.net (dynamic ipv6 ip)
> I'd like to break out individual /60s, so, for example, my boat (running
> wireguard over a cell phone, over ipv6!!) would have it's own /60 to
> address every router in it... and in that case I do NOT want to touch it
> down in the cloud (because my phone is guarunteed to have ipv6), I want
> it to go to my dynamic dns ipv6 address for ceres.
> I tried to do this quite some time ago in wireguard's evolution.
> Most of the examples out there are for sending *all* your traffic via
> wireguard through a default gw, where what I want is just the ipv6/56
> addrs I've exported to automagically go through the vpn. e.g. I'd bind
> the house mail server to the vpn address of whatever::3/64, campus
> server at whatever:20::3/64, boat ssh server at whatever:30::neveryoumind/64
> When doing that normally you'd do something like
> ip -6 route default from vpn:add:ress::/56 via dev wireguardvpn
> If I can possibly make anything more complicated!!! it would be great to
> be able always go directly to the ipv6 ceres and fall back to the (ipv4)
> cloud... announcing to the rest of my boxes (via babel) where I am...
> tun.taht.net has the /56
> campus 1 needs at least a 60, maybe even a 58.
> lab needs a 60
> boat warriors (half dozen boxes, a /62?) (yes, this is excessive but I
> can't get dhcpv6-pd out of the phone, and I have multiple routers on
> board because that's the work I do)
> road warriors
> laptop - needs a mobile 128? But I don't want it to try to connect over
> the vpn over the vpn....
> so that's the crazy question. I don't think I've described it well enough.
> so quick and slightly less question - how's android working and does wireguard on
> android work over ipv6? Can a android tether at least, export RA?
> alternatively anyone know of a good usb stick for cell?
> PS I used to do this sort of crazy stuff with tinc, but...
> PPS yes, my boat runs babel. It would be awesome if more boats ran adhoc
> wifi, babel, and hnetd. VHF sucks compared to wifi. A picostation on the
> mast has about 20 mile range.
> _______________________________________________
> Babel-users mailing list
> Babel-users at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users


Dave Täht
CTO, TekLibre, LLC
Tel: 1-831-205-9740

More information about the WireGuard mailing list