Support of multiple endpoints to support IPv6/IPv4 protocol change

Derrick Lyndon Pallas derrick at pallas.us
Sun Aug 25 21:23:35 CEST 2019


I recently ran into this issue. My solution was to sort a list of endpoint addresses (not domains) by priority and first check whether the client had a route to an address before picking it. It would be nice if Wireguard kept a list of fallback addresses in case the currently active address stopped working, but this can be achieved by tooling today.

~Derrick • iPhone

> On Aug 17, 2019, at 6:50 AM, Nico Schottelius <nico.schottelius at ungleich.ch> wrote:
> 
> 
> Hello,
> 
> TL;DR
> How difficult is it to add support for multiple endpoints in wireguard?
> 
> My problem is that sometimes we need to connect to the VPN server
> via IPv4, sometimes via IPv6 and the other protocol won't work anymore.
> 
> 
> Long story:
> We are a cloud provider offering free IPv6 VPNs with VMs, to enable
> customers to have IPv6 anywhere. In some situations customers are
> confused, because their network doesn't work anymore while wireguard is
> active or the tunnel doesn't work in some networks. I will describe some
> situations that we experienced and how we work around it at the moment.
> 
> 
> Story 1: using VPN in VPN
> Some of our customers have an IPv6 tunnel to provide a /48 to their
> network. They usually use a couple of /64s to separate their internal
> networks. Some of these customers also have a VPN to their end device
> (like a notebook) with another /48 routed to it. In this situation, they
> are unable to reach the VPN server or local clients if they don't
> explicitly change their configuration to reach the VPN server via IPv4
> instead of IPv6:
> 
> With a standard config, the DNS name of the tunnel endpoint in
> wg0.conf, not fixed to IPv4/IPv6, we had the following report:
> 
> In this case if the notebook connects via IPv6 to the VPN server,
> it effectively connects to the VPN server through the VPN. We had
> reports that in this situation the notebook can either not establish the
> VPN tunnel or is unable to reach local devices.
> 
> Workaround from some customers: hard code the IPv4 address as an endpoint
> 
> Story 2: Change from IPv4 only to IPv6 only networks
> 
> We have reports from clients that the VPN is not established again, if
> they switch from an IPv4 only network to an IPv6 only network and vice
> versa. I assume this is due to wireguard resolving the address at
> startup and never re-resolving and/or not storing all DNS results (A and
> AAAA answers).
> 
> Workaround from some customers: restart wireguard when changing
> underlying protocol network
> 
> 
> Story 3: Combination of above
> Some of our clients hard coded the IPv4 address of the tunnel endpoint
> in their wg0.conf to avoid the problem from story 1. However this breaks
> their Internet when switching to IPv6 only networks. In this case the
> endpoint is fixed to IPv4, but they don't have any IPv4 connectivity.
> 
> Workaround from some customers: reconfigure wireguard to use hardcoded
> IPv6 or IPv4 only endpoint.
> 
> 
> --
> Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
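Derrick's approach above (a priority-ordered list of endpoint address literals, picking the first one the client actually has a route to) and Nico's Story 3 (a hard-coded IPv4 endpoint that strands the client on an IPv6-only network) can both be handled with a small wrapper around `wg set`. The script below is an added example for this thread, not code from either poster or from the WireGuard project. The interface name `wg0`, the peer key placeholder, the candidate addresses (documentation prefixes 2001:db8::/32 and 192.0.2.0/24) and the `ROUTE_PROBE` override are assumptions for illustration. It also adds one check neither message spells out: a candidate whose route goes through the tunnel interface itself is rejected, which is the loop Story 1 describes.

```shell
#!/bin/sh
# Added example: pick a reachable WireGuard endpoint from a priority-ordered
# list of address literals and apply it with `wg set`. Not from the original
# thread or the WireGuard project; the names below are illustrative assumptions.
set -eu

WG_IFACE=${WG_IFACE:-wg0}                              # assumed interface name
PEER_PUBKEY=${PEER_PUBKEY:-'<peer public key here>'}   # assumed placeholder
# Constructed candidates, space-separated, highest priority first: an IPv6
# literal, then an IPv4 fallback. Literals rather than a hostname, so no DNS
# lookup is needed at the moment the underlying network changes.
ENDPOINTS=${ENDPOINTS:-"[2001:db8::1]:51820 192.0.2.1:51820"}

# Strip port and brackets so the address can be handed to the route check:
# "[2001:db8::1]:51820" -> "2001:db8::1"; "192.0.2.1:51820" -> "192.0.2.1"
endpoint_host() {
    case "$1" in
        \[*\]:*) h=${1#\[}; printf '%s\n' "${h%%\]*}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# Route check: the kernel must have a route to the address, and that route
# must not go through the tunnel itself (Story 1: reaching the VPN server via
# the VPN). Overridable through ROUTE_PROBE so the selection logic can be
# exercised without `ip` or network access.
has_route() {
    out=$(ip -oneline route get "$1" 2>/dev/null) || return 1
    case " $out " in
        *" dev $WG_IFACE "*) return 1 ;;   # would loop back through the tunnel
    esac
    [ -n "$out" ]
}

# Print the first candidate (address:port, as `wg set` expects) whose host
# passes the route check; fail if none does.
pick_endpoint() {
    probe=${ROUTE_PROBE:-has_route}
    for ep in $1; do
        if "$probe" "$(endpoint_host "$ep")"; then
            printf '%s\n' "$ep"
            return 0
        fi
    done
    return 1
}

# Apply the chosen endpoint to the peer; non-zero exit if nothing is routable,
# so a calling hook can notice instead of silently keeping a dead endpoint.
apply_endpoint() {
    ep=$(pick_endpoint "$ENDPOINTS") || {
        echo "no candidate endpoint is routable from this network" >&2
        return 1
    }
    wg set "$WG_IFACE" peer "$PEER_PUBKEY" endpoint "$ep"
    echo "endpoint set to $ep"
}

# Run with `apply` as the first argument (for example from a network-change
# hook or a periodic timer); without it, only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    apply_endpoint
fi
```

Re-running `apply` whenever the underlying network changes is what gives the fallback behaviour asked for in the thread: on an IPv6-only network the IPv4 candidate fails the route check and the IPv6 literal is chosen, and vice versa, without restarting the interface. The check is a routing check only; it says nothing about whether the remote end is actually answering, so a practitioner would still watch the peer's latest-handshake time in `wg show` before trusting the selection.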
