Support of multiple endpoints to support IPv6/IPv4 protocol change

Nico Schottelius nico.schottelius at ungleich.ch
Sat Aug 17 15:50:43 CEST 2019 

Hello,

TL;DR
How difficult is it to add support for multiple endpoints in wireguard?

My problem is that sometimes we need to connect to the VPN server
via IPv4, sometimes via IPv6 and the other protocol won't work anymore.


Long story:
We are a cloud provider offering free IPv6 VPNs with VMs, to enable
customers to have IPv6 anywhere. In some situations customers are
confused, because their network doesn't work anymore while wireguard is
active or the tunnel doesn't work in some networks. I will describe some
situations that we experienced and how we work around it at the moment.


Story 1: using VPN in VPN
Some of our customers have an IPv6 tunnel to provide a /48 to their
network. They usually use a couple of /64s to separate their internal
networks. Some of these customers also have a VPN to their end device
(like a notebook) with another /48 routed to it. In this situation, they
are unable to reach the VPN server or local clients if they don't
explicitly change their configuration to reach the VPN server via IPv4
instead of IPv6:

With a standard config, the DNS name of the tunnel endpoint in
in wg0.conf, not fixed to IPv4/IPv6, we had the following report:

In this case if the notebook connects via IPv6 to the VPN server,
it effectively connects to the VPN server through the VPN. We had
reports that in this situation the notebook can either not establish the
VPN tunnel or is unable to reach local devices

Workaround from some customers: hard code the IPv4 address as an endpoint

Story 2: Change from IPv4 only to IPv6 only networks

We have reports from clients that the VPN is not established again, if
they switch from an IPv4 only network to an IPv6 only network and vice
versa. I assume this is due to wireguard resolving the address at
startup and never re-resolving and/or not storing all DNS results (A and
AAAA answers).

Workaround from some customers: restart wireguard when changing
underlying protocol network


Story 3: Combination of above
Some of our clients hard coded the IPv4 address of the tunnel endpoint
in their wg0.conf to avoid the problem from story 1. However this breaks
their Internet when switching to IPv6 only networks. In this case the
endpoint is fixed to IPv4, but they don't have any IPv4 connectivity.

Workaround from some customers: reconfigure wireguard to use hardcoded
IPv6 or IPv4 only endpoint.


--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.

More information about the WireGuard mailing list