WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

pawlisko · Sun Aug 07, 2022 7:02 am

Hi all,

I couldn't find any discussion on how to do it, maybe I am wrong, and that should be done another way, but hear me out.

I run a WG instance on my MT (RB5009). I have multiple interfaces (mostly VPN), but I do have two for my use - let's call them wg0 (family and me) and wg1 (friends). Each interface has its IP addresses (both IPv4 and IPv6). As my ISP just turned on dual-stack, I am retiring 6-to-4 tunnel, but it comes with a cost. HE.net tunnel provided static prefixes, and each peer had its own IPv6 address (already publically routable one). ISP has dynamic prefix distribution, so even if I keep it as long as possible, I may need to change peers' IPv6 addresses now and then. This is not what I want to do. As I get /56 scope, I can create /64 scopes for each WG interface. Each client would get their fec0:: address for config, which later on MT will be translated to their IPv6 publically routable address.

The typical WG client setup code looks like this:

[Interface]
PrivateKey = [PRIVATE]
DNS = [MT IPv4 address for that Interface]
Address = 10.99.95.220/32,2001:470:8d99:95::220/128
 
[Peer]
PublicKey = WtXIFRTHmr8b0n7y5GuCAIZ98zIVf1hZwJs8RazQ/1A=
PresharedKey = [PRIVATE]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = somewhere.over.internet:52895
PersistentKeepalive = 25

So I thought that I could do a WG client setup like this:

[Interface]
PrivateKey = [PRIVATE]
DNS = [MT IPv4 address for that Interface]
Address = 10.99.95.220/32,fec0:99:95:220/128
 
[Peer]
PublicKey = WtXIFRTHmr8b0n7y5GuCAIZ98zIVf1hZwJs8RazQ/1A=
PresharedKey = [PRIVATE]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = somewhere.over.internet:52895
PersistentKeepalive = 25

But the outside site would report back address like 2102

a3ba:7504:95::220 (just an example - also ability to use similar numbering to IPv4 makes my life easier)

In addition, I have network devices like Cisco WLC, which requires static IPv6, which means that a similar solution would need to be also deployed in my LAN

Does that make sense, or am I overcomplicating things and need to look at another solution?

pawlisko · Mon Aug 08, 2022 7:06 pm

So first part of the issue was solved by me:

/ipv6 address add address=fec0:99:95:: advertise=no interface=wg-interface
/ipv6 address add address=::1 advertise=no from-pool=ISP-v6 interface=wg-interface
/ipv6 firewall address-list add address=fec0:99:95::/64 comment="wg-interface" list="wg-interface"
/ipv6 firewall filter add action=accept chain=forward comment="Allow WireGuard to Internet" out-interface=WAN src-address-list="wg-interface"
/ipv6 firewall nat add action=src-nat chain=srcnat src-address=fec0:99:95:220/128 to-address=2102:1010:a3ba:7504::220/128
/ipv6 firewall nat add action=dst-nat chain=dstnat dst-address=2102:1010:a3ba:7504::220/128 to-address=fec0:99:95:220/128

Each peer has to have those two firewall nat lines and it works like magic

Now the script when IPv6 changes then all firewall nat lines should be updated... how?

Znevna · Mon Aug 08, 2022 7:18 pm

What are the clients using those fec:: addresses for?

pawlisko · Mon Aug 08, 2022 7:40 pm

What are the clients using those fec:: addresses for?

Wireguard clients.

So my ISP uses dynamic IPv6 prefix allocation. When prefix changes then I would need to change each of the client's setup.

In this case each client has fec:: address (static-non routable) after connecting with WG server (MT) this address is translated to dynamic routable by MT itself - in this scenario client's setup is static which is my goal

Unless you have better solution

Znevna · Mon Aug 08, 2022 7:57 pm

I understood that, but those addresses are useless on the clients. They can't use it for much. That's why I've asked what are they supposed to use it for?

pawlisko · Mon Aug 08, 2022 8:05 pm

I think that I don't understand your question/point. Could you elaborate? I think that we may have different idea of requirements that solution answers for.

Znevna · Mon Aug 08, 2022 9:33 pm

You are trying to translate fec:: to some Global IPv6.
But the clients won't be picking that fec:: to go outside, so I'm failing to see why you are struggling with this.

pawlisko · Tue Aug 09, 2022 3:25 am

So my scenario is a bit convoluted but also very down-to-earth.

There is my network behind MT. There are few services that I have inside of my network which (maybe in my head due to security reasons) are available only inside of the network - NAS, Plex, etc. - just to name few. The only ports open to the network are DHCP for router (IPv6) and wireguard.
MT has dynamic IPv4 address and IPv6 prefix assigned by ISP.
I have 2 VLANs, 3 SSIDs (Cisco WLC+WAPs), 4 private IPv4 addressing (Home Network + IoT, Guest Network, Wireguard for home, Wireguard for Friends), running 8 concurrent WG VPN connections to different part of the world, etc. Also I travel and I have to be able to always connect to home, or through home to work (I work in a very particular institution that does not like for people working for it to connect from non-approved places. Those places run mostly dual-stack, but I've been in IPv4 only and IPv6 only environments - therefore my WG runs dual-stack.

As provided above my wg client config provides both addresses - they used to have IP for Wireguard for home private addressing, and global routable public IPv6 address from 6-to-4 tunnel when my IP was running only IPv4.

My ISP just upgraded me to dual-stack and I am responding to those changes. My IPv6 prefixes are not longer static so I have to provide my wg clients new addresses. As prefixes changes and rest of my family is not technically savvy I need to figure out a way to have a robust setup.

I figure it out that I will provide wg-client with fec0 addressing inside wg later to be translated to my dynamic IPv6 addressing so every client would be visible with its own IPv6 address. I could do masquerade but I don't want to do it.

Hence you see this setup:
WG client connects to MT with 2 local addresses (both IPv4 and IPv6). IPv4 address connects later to the internet using masquerade, IPv6 is translated to proper IP address via src- and dst-nats (therefore script to update nats is needed when prefix is changed). So in fact it runs a bit like VPN access to intranet and VPN address to internet (especially from places like public WiFis, etc).

If you have any other idea how to achieve that it would be awesome.

Znevna · Tue Aug 09, 2022 7:59 am

Ok, try to understand what I'm screaming about here, for the last time.
The clients will not use fec:: to go out the internet, those are Link-Local addresses (LL), they will only reach services inside your network and that's it.
Browsers (for example) will not pick a fec:: address to visit .. google for example, because fec:: is not a global unicast address (GUA), you can test yourself from a client trying to browse https://test-ipv6.com/ do you have IPv6 connectivity on the client via your wireguard tunnel? no, you don't.
And taking into consideration all of the above it is useless to translate fec:: which is a LL to a GUA.
So yes, there is a better way, don't srcnat and dstnat fec:: and use them as they are to reach your services from inside the wireguard tunnels, and that's it.

pawlisko · Tue Aug 09, 2022 4:40 pm

Ok, try to understand what I'm screaming about here, for the last time.
The clients will not use fec:: to go out the internet, those are Link-Local addresses (LL), they will only reach services inside your network and that's it.
Browsers (for example) will not pick a fec:: address to visit .. google for example, because fec:: is not a global unicast address (GUA), you can test yourself from a client trying to browse https://test-ipv6.com/ do you have IPv6 connectivity on the client via your wireguard tunnel? no, you don't.
And taking into consideration all of the above it is useless to translate fec:: which is a LL to a GUA.
So yes, there is a better way, don't srcnat and dstnat fec:: and use them as they are to reach your services from inside the wireguard tunnels, and that's it.

And this is where you are wrong - YES, I am able to do that with that translation. Try it yourself and you will be amazed. Not only I can connect to IPv6 sites, but I am able to ping devices from the internet and get a valid answer.

Let me put what I do in the context of IPv4.
There are 3 classes of private addresses (equivalents to LL)
Class A IP addresses. Configurations range from 10.0. 0.0 to 10.255. 255.255. ...
Class B IP addresses. Configurations range from 172.16. 0.0 to 172.31. 255.255. ...
Class C IP addresses. Configurations range from 192.168. 0.0 to 192.168. 255.255.
If what you are saying is true any computer with address in those class would not be able to connect to the Internet.
But somehow magically, with unicorns rainbows and stuff I am writing this post from computer with IP address of 10.80.68.120.
What I have in the middle is a router which is doing NAT masquerade so to the world I appear with a different IP address (equivalent to GUA) but somehow still able to connect to webpages even thou my IP is LL. Same goes with VPN setup. Usually each address assigned to you comes from Class A.
I wrote that I can do IPv6 masquerade but having an entire prefix I am able to do something better - each LL address can get it's own dynamic GUA via translations.
Please check yourself - if still in doubt, let me know. I will do screenshots.
And there are RFCs for that as well - 6296, 7157, etc. Even wiki has it's page on that - https://en.wikipedia.org/wiki/IPv6-to-I ... ranslation but... you know better

Znevna · Tue Aug 09, 2022 11:10 pm

Well you're right, I'm wrong. But for a reason.
fec0::/10 was "site-local" (deprecated by rfc3879 https://www.rfc-editor.org/rfc/rfc3879.html ), not link-local, my bad.
The default MikroTik firewall blocks this range (among others which I left out for now):

/ipv6 firewall address-list
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6

/ipv6 firewall filter
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6

But yes, after "fixing" all this, it works, ..partially.
On Android at least, Firefox refuses to preffer IPv6, even if it's functional. I'm guessing other pieces of software might behave the same.
If you insist on this approach you might encounter other issues with time.
I would ditch those src-nat and dst-nat lines and use masquerade only when something wants to talk with the outside:

/ipv6 firewall nat
add action=masquerade chain=srcnat dst-address=!fec0:whatever::/64 src-address=fec0:whatever::/64

Or you can search for scripts around the forum that extract the current prefix and change the src-nat and dst-nat rules based on that, but.. is it worth it?

pawlisko · Wed Aug 10, 2022 2:41 am

Cisco WLC just pushed my addressing scheme to fdc0:

I am using iOS so it comes also with some issues but on Edge, Safari, FireFox I can connect to IPv6 websites and it is working.

I am writing script myself - multiple functions - detecting IP change, updating dDNS, verifying DNS updates and changing nat tables. Will share it here.

pawlisko · Fri Aug 12, 2022 12:18 am

Hi all,

So my provider finally moved to dynamic dual stack solution. That made HE.net tunnel obsolete, but also gave me some issues - like I don't have static routable IPv6 addressing. Here is the set-up only for IPv6. Some refinement needed but all bones are here.

Some issues/workarounds which exists:
a) 3 entrance to Dynamic DNS (here HE.net) - 1 IPv4 and 2 IPv6
1, MT does not have a dedicated resolve for IPv6, so if you have A and AAAA record pointing to same name MT will always choose IPv4
2. Same goes to i.e. WireGuard for iOS. Client will always choose IPv4 over IPv6. There is bug request to change it but it is there for few years and probably it will not be fixed soon

b) With HE.net you can have different "Update key" for A and AAAA record for the same name. Based on time spent on those scripts - make it the same. A and AAAA update keys should be the same

c) In main script I disable and enable IPv6 addressing - this is done because after reboot even if my code states which address goes first but I've seen that even thou i.e. wg0 is called 3rd it can take first prefix. That solves that, better solution would be going through some sort of array and be independent but....

d) Probably you can have a script which takes IP addresses from WireGuard peers and do automation - I am not a coder, I used to write some code like 25 years ago but...

Disclaimers:
I - Due to issue of dynamic addressing I will be using site-local addressing. If you don't know much about this - get familiar with RFCs: 6296, 7157
II - I am using 4 prefixes - 0 for WAN, 1 for LAN, 2 for wg0 (family interface with full access to network), 3 for wg1 (friends access - private VPN)
III - each interface (less WAN) gets site-local addressing - in LAN I am using this for Cisco WLC or different UPSes I have
IV - main script limits interactions with HE.net to necessary minimums. Hence it will check by itself if address needs updating and if it needs it will validate that it was successful.
V - my global prefixes are sequential - it would be awesome if there is a mechanism so I could change assigned prefixes to each interface. Any ideas?

Addressing

/ipv6 address add address=::1 advertise=no from-pool=ISP-v6 interface=WAN
/ipv6 address add address=::1 from-pool=ISP-v6 interface=LAN
/ipv6 address add address=fdc0:1::1 interface=LAN
/ipv6 address add address=::1 from-pool=ISP-v6 interface=wg0
/ipv6 address add address=fdc0:2::1 interface=wg0
/ipv6 address add address=::1 from-pool=ISP-v6 interface=wg1
/ipv6 address add address=fdc0:2::1 interface=wg1

Firewall Filter

/ipv6 firewall address-list add address=fdc0:1::::/64 comment="LAN interface" list="Allowed Site-local addresses"
/ipv6 firewall address-list add address=fdc0:2::::/64 comment="wg0" list="Allowed Site-local addresses"
/ipv6 firewall address-list add address=fdc0:3::::/64 comment="wg1" list="Allowed Site-local addresses"
/ipv6 firewall filter add action=accept chain=forward comment="Allow Site-Locals to Internet" out-interface=WAN src-address-list="Allowed Site-local addresses"

Now each device needs its own translation lines in Firewall NAT. Maybe someone knows how to automate this with the script. I did this manually (sample of the device from LAN)

/ipv6 firewall nat add action=src-nat chain=srcnat src-address=fdc0:1::220/128 to-address=2102:1010:a3ba:7501::220/128
/ipv6 firewall nat add action=dst-nat chain=dstnat dst-address=2102:1010:a3ba:7501::220/128 to-address=fdc0:1::220/128

A script runs every 1 minute to check for a change in either IP address. If it sees a change, it runs the next script:

/system scheduler add interval=1m name=IP-Check on-event=IP-Check policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script add dont-require-permissions=yes name=IP-Check owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#Detele this and copy script via www"

Just copy-paste below script via web

# Check dynamic IPv4 and IPv6 addresses

:global currentIPv4;
:global currentIPv6;
:local WANiface WAN 
:local newIPv4
:local newIPv6

:set newIPv4 [/ip address get [find interface="$WANiface"] address]
:set newIPv6  [/ipv6 address get [find interface="$WANiface" global] address]

# If IPv6 changed, then log change and execute HE-Update script

:if ($newIPv6 != $currentIPv6) do={
    :log info ("New IPv6 detected on " . $WANiface . "!!! New address is: " . $newIPv6 . ". Running HE-Update script")
    :set currentIPv6 $newIPv6
/system/script
run HE-Updater
};

# If IPv4 changed, then log change and execute HE-Update script 
 
:if ($newIPv4 != $currentIPv4) do={
    :log info ("New IPv4 detected on " . $WANiface . "!!! New address is: " . $newIPv4 . ". Running HE-Update script")
    :set currentIPv4 $newIPv4
/system/script
run HE-Updater
};

And now - main script. Same as above

/system script add dont-require-permissions=yes name=HE-Updater owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#Detele this and copy script via www"

Actual script:

# Update IPv6-NAT and Hurricane Electric DDNS IPv4 and IPv6 address

:local ddnshost1 "some address"
:local ddnshost2 "dedicated ipv6 address"
:local key1 "common key for common ipv4 and ipv6"
:local key2 "dedicated key for dedicated ipv6"
:local updatehost "dyn.dns.he.net"
:local updatepath "/nic/update"
:local WANinterface "WAN"
:local outputfile1 ("HE_DDNS_IPv4" . ".txt")
:local outputfile2 ("HE_DDNS_IPv6_Dedicated" . ".txt")
:local outputfile3 ("HE_DDNS_IPv6" . ".txt")

# Internal processing below...
# ----------------------------------
:local ipv4addr
:local ipv6addr
:local ipv6pref
:local ipv6post
:local ipv6postpref 0::1/64 
:local HEaddress1
:local HEaddress2
/ip/dns/cache/flush
:set HEaddress1 [:resolve $ddnshost1]
:set HEaddress2 [:resolve $ddnshost2]


# Get WAN interface IPv4 and IPv6 addresses
:set ipv4addr [/ip address get [/ip address find interface=$WANinterface] address]
:set ipv4addr [:pick [:tostr $ipv4addr] 0 [:find [:tostr $ipv4addr] "/"]]
:set ipv6addr [/ipv6 address get [/ipv6 address find interface=$WANinterface global] address]
:set ipv6addr [:pick [:tostr $ipv6addr] 0 [:find [:tostr $ipv6addr] "/"]]

:if ([:len $ipv4addr] = 0) do={
	:log error ("Could not get IPv4 for interface " . $WANinterface)
	:error ("Could not get IPv4 for interface " . $WANinterface)
}

:if ([:len $ipv6addr] = 0) do={
	:log error ("Could not get IPv6 for interface " . $WANinterface)
	:error ("Could not get IPv6 for interface " . $WANinterface)
}

# Make sure that all prefixes are in the correct order (WAN=0, LAN=1, wg0=2, wg1=3) - important for Firewall NAT
:set ipv6post [:pick [:tostr $ipv6addr] 19 26]
:if ($ipv6post != $ipv6postpref) do={
/ipv6/address
 disable [find interface="WAN" global]
 disable [find interface="LAN" global]
 disable [find interface="wg0" global]
 disable [find interface="wg1" global]

/ipv6/dhcp-client
 disable [find interface="WAN"]
:delay 1s
 enable [find interface="WAN"]
:delay 1s
/ipv6/address
 enable [find interface="WAN" global]
:delay 1s
 enable [find interface="LAN" global]
:delay 1s
 enable [find interface="wg0" global]
:delay 1s
 enable [find interface="wg1" global]
/ip/dns/cache/flush
:set ipv6addr ::1/128
:set ipv6addr [/ipv6 address get [/ipv6 address find interface=$WANinterface global] address]
:set ipv6addr [:pick [:tostr $ipv6addr] 0 [:find [:tostr $ipv6addr] "/"]]
:if ([:len $ipv6addr] = 0) do={
	:log error ("Could not get IPv6 for interface " . $WANinterface)
	:error ("Could not get IPv6 for interface " . $WANinterface)
}
}

# Update IPv6-Firewall-NAT - each address has 2 entires, either do by type (like I did) or by address. This can be done better. One IP example for each prefix
:set ipv6pref [:pick [:tostr $ipv6addr] 0 18]
:if ($HEaddress2 != $ipv6addr) do={
/ipv6/firewall/nat
set 0 to-address=($ipv6pref . "1::5/128")
set 1 to-address=($ipv6pref . "2::80/128")
set 2 to-address=($ipv6pref . "3::200/128")
set 3 dst-address=($ipv6pref . "1::5/128")
set 4 dst-address=($ipv6pref . "2::80/128")
set 5 dst-address=($ipv6pref . "3::200/128")
}

# Check if IPv6 addresses need change - if yes than change; if IPv4 is also changed change it as well
:while ($HEaddress2 != $ipv6addr) do={
:log info ("Updating DDNS IPv6 dedicated address" . " Client IPv6 address to new IP " . $ipv6addr . "...")
/tool fetch mode=https host=($updatehost) url=("https://" . $updatehost . $updatepath . "?hostname=" . $ddnshost2 . "&myip=" . $ipv6addr) user=($ddnshost2) password=($key2) dst-path=$outputfile2
:log info ([/file get ($outputfile2) contents])
:delay 10s
:log info ("Updating DDNS IPv6 address" . " Client IPv6 address to new IP " . $ipv6addr . "...")
/tool fetch mode=https host=($updatehost) url=("https://" . $updatehost . $updatepath . "?hostname=" . $ddnshost1 . "&myip=" . $ipv6addr) user=($ddnshost1) password=($key1) dst-path=$outputfile3
:log info ([/file get ($outputfile3) contents])
:delay 10s
:if ($HEaddress1 != $ipv4addr) do={
:log info ("Updating DDNS IPv4 address" . " Client IPv4 address to new IP " . $ipv4addr . "...")
/tool fetch mode=https host=($updatehost) url=("https://" . $updatehost . $updatepath . "?hostname=" . $ddnshost1 . "&myip=" . $ipv4addr) user=($ddnshost1) password=($key1) dst-path=$outputfile1
:log info ([/file get ($outputfile1) contents])
};
:delay 310s
/ip/dns/cache/flush
:set HEaddress2 [:resolve $ddnshost2]
:set HEaddress1 [:resolve $ddnshost1]
};
:log info ("Client IPv6 address is " . $ipv6addr . ". Confirmed with HE.net DNS service")

:delay 5s

# Check if IPv4 address needs change - if yes than change
:while ($HEaddress1 != $ipv4addr) do={
:log info ("Updating DDNS IPv4 address" . " Client IPv4 address to new IP " . $ipv4addr . "...")
/tool fetch mode=https host=($updatehost) url=("https://" . $updatehost . $updatepath . "?hostname=" . $ddnshost1 . "&myip=" . $ipv4addr) user=($ddnshost1) password=($key1) dst-path=$outputfile1
:log info ([/file get ($outputfile1) contents])
:delay 310s
/ip/dns/cache/flush
:set HEaddress1 [:resolve $ddnshost1]
};
:log info ("Client IPv4 address is " . $ipv4addr . ". Confirmed with HE.net DNS service")

# :delay 10s
# /file remove ($outputfile2)
# /file remove ($outputfile3)
# /file remove ($outputfile1)

WG - client setup sample:

[Interface]
PrivateKey = [PRIVATE]
DNS = [MT IPv4 address for that Interface]
Address = 10.0.1.220/32,fdc0:1::220/128
 
[Peer]
PublicKey = WtXIFRTHmr8b0n7y5GuCAIZ98zIVf1hZwJs8RazQ/1A=
PresharedKey = [PRIVATE]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = somewhere.over.internet:52895
PersistentKeepalive = 25

Any thoughts?

Znevna · Fri Aug 12, 2022 9:02 am

I - Due to issue of dynamic addressing I will be using site-local addressing. If you don't know much about this - get familiar with RFCs: 6296, 7157
Any thoughts?

I suggest you get familiar with the forum talk about RFC 6296 too, if not the whole topic, at least starting from here: viewtopic.php?t=69238#p934630
And maybe you can figure out why, your fdc0:: addresses are not preffered. I've tried telling you before but you're a little stubborn. And no, it's not a bug.
Good luck.

WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - IPv6 - Dynamic prefixes - Script/other solution?

Re: WireGuard - RoadWarrior on dynamic dual-stack connection - IPv6 only