From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Trying to fix the address family problem
Date: Sun, 19 Jan 2020 14:58:56 +0100
Message-ID: <87iml7fsyn.fsf@ungleich.ch>
Good morning,
I am travelling between IPv6 only and IPv4 only networks on a daily
basis, which usually breaks the wireguard tunnel I have on my notebook,
as the previous address family is unreachable.
I wanted to write a script that checks "which address family of my
endpoint is reachable" and use wg set to update the configuration.
However, it seems it is not as easy as that: inside the tunnel I am
always using IPv6 networks, and if wireguard is active with the IPv4
family endpoint while I am in an IPv6 only network, I cannot reach
the Internet due to the default rule of wg-quick:
[#] ip -6 route add ::/0 dev wgungleich table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
So essentially I have to tear down the tunnel first to check which
address family can be used and then restart the tunnel.
My question to this list:
- is there any notion of adding multiple endpoints (even if it is the
same host at the other end) in the future?
- is there a better way to check reachability without turning wireguard
completely off?
I have attached the sketch of the script I was writing below in case it
helps anyone.
Best,
Nico
--------------------------------------------------------------------------------
#!/bin/sh
# 2020-01-19
# Nico Schottelius
# Periodically fix the wireguard endpoint
tunnel=wgungleich
config=/etc/wireguard/${tunnel}.conf
# "Endpoint = host:port" in the config: drop the key name and any whitespace.
# -f2- keeps everything after the first "=" (the value may itself contain "=").
endpoint=$(grep -i '^endpoint' "${config}" | cut -d= -f2- | tr -d ' ')
host=${endpoint%:*}
port=${endpoint##*:}
# Keys are base64 and end in "=", so "cut -d= -f2" would truncate them
publickey=$(grep -i '^publickey' "${config}" | cut -d= -f2- | tr -d ' ')
# If wireguard is up, but with the wrong endpoint
# (v4 address in an v6 only network or
# v6 address in an v4 only network) the routing of
# wireguard can break connectivity (i.e. AllowedIPs = ::/0
# breaks IPv6 connectivity)
# Thus we first need to shutdown the wireguard VPN to confirm
# it's not wireguard preventing us to access the endpoint itself.
# It would certainly be better to not needing to shut it down,
# however I don't see a reliable way without skipping the wireguard
# set `ip rule`
wg-quick down "${tunnel}"
# Now do the DNS lookups, which should work without a tunnel up
# (they also might have been prevented by wireguard up in the incorrect
# address family). Look up the host name, not the host:port pair,
# and take the first address if there are several.
v6_addr=$(dig +short "${host}" aaaa | head -n1)
v4_addr=$(dig +short "${host}" a | head -n1)
v6_ok=""
v4_ok=""
[ -n "${v6_addr}" ] && ping -c3 "${v6_addr}" >/dev/null 2>&1 && v6_ok=yes
[ -n "${v4_addr}" ] && ping -c3 "${v4_addr}" >/dev/null 2>&1 && v4_ok=yes
# Now verify/check what is reachable
if [ -n "${v6_ok}" ]; then
    wg-quick up "${tunnel}"
    # wg set expects IPv6 literals in brackets: [addr]:port
    wg set "${tunnel}" peer "${publickey}" endpoint "[${v6_addr}]:${port}"
elif [ -n "${v4_ok}" ]; then
    wg-quick up "${tunnel}"
    wg set "${tunnel}" peer "${publickey}" endpoint "${v4_addr}:${port}"
else
    echo "The endpoint ${endpoint} is unreachable, try again later" >&2
    exit 1
fi
--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
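Added example, not part of Nico's mail: helper functions for the same endpoint-switching job. They assume iputils ping (its -m option sets SO_MARK on the probe) and the default wg-quick fwmark 51820 from the quoted "ip -6 rule add not fwmark 51820 table 51820"; marked packets do not match that rule and are routed via the main table, so the probe reaches the underlay without the wg-quick down/up cycle. The config parsing keeps the "=" padding of base64 keys and brackets IPv6 literals as `wg set` requires; host names and addresses below are constructed.

```sh
#!/bin/sh
# Assumption: wg-quick's default fwmark, as seen in the ip rule from the mail
WG_FWMARK=51820

# Read "Key = value" from a wg-quick config, case-insensitive like wg-quick.
# Only the first "=" is stripped, so a PublicKey ending in "=" stays intact.
conf_value() {  # conf_value <file> <key>
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' | tr -d ' \t\r'
}

# Split a "host:port" Endpoint value (host-name form, as in the mail's config)
endpoint_host() { printf '%s\n' "${1%:*}"; }
endpoint_port() { printf '%s\n' "${1##*:}"; }

# Format addr/port the way `wg set ... endpoint` expects:
# IPv6 literals are bracketed, IPv4 literals are not.
wg_endpoint() {  # wg_endpoint <addr> <port>
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# Probe an address on the underlay while the tunnel is up: the fwmark makes the
# probe skip table 51820, so it answers "is this address family usable here?".
# Needs root/CAP_NET_ADMIN, which `wg set` needs anyway. Empty address: not reachable.
underlay_reachable() {  # underlay_reachable <addr>
    [ -n "$1" ] && ping -m "$WG_FWMARK" -c 3 -W 2 "$1" >/dev/null 2>&1
}

# Try AAAA first, then A; print the endpoint string for `wg set` on success.
# CNAME lines from dig end in a dot and are skipped; first address wins.
choose_endpoint() {  # choose_endpoint <host> <port>
    for rrtype in aaaa a; do
        addr=$(dig +short "$1" "$rrtype" | grep -v '\.$' | head -n 1)
        if underlay_reachable "$addr"; then
            wg_endpoint "$addr" "$2"
            return 0
        fi
    done
    return 1
}

# Usage (constructed names): switch the peer without tearing the tunnel down.
#   conf=/etc/wireguard/wgungleich.conf; ep=$(conf_value "$conf" Endpoint)
#   new=$(choose_endpoint "$(endpoint_host "$ep")" "$(endpoint_port "$ep")") &&
#     wg set wgungleich peer "$(conf_value "$conf" PublicKey)" endpoint "$new"
```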