Re: [Babel-users] IPv6 ULA GUA S2S routing problem
Hi Jochen,

On Tue, Mar 14, 2023 at 09:28:48AM +0100, Jochen Demmer wrote:
> > What do you mean? If your AllowedIPs set is empty wireguard will just
> > act as a big useless black hole.
>
> Well there were several blog posts and texts that said running
> wireguard without a filter to IPs was a bad idea. I do not concur,
> that's why I implemented it without a filter and I'm happy with it :-)

Right, that is true in general. You want AllowedIPs to be as restrictive as
is practical (but never empty). In the case of dynamic routing things are
just a bit more complicated than in a static setup.

Essentially the problem is the dynamic v6 prefix at your Site A. In a static
setup you could just set AllowedIPs to be the prefix(es) of the site at the
other end of the tunnel and that'll work, but if the prefix keeps changing
you can't do that. You'd need support for setting AllowedIPs dynamically in
babeld which just isn't a thing yet.

Together with babel's source-specific routing support I do think this is
something we can do even without any protocol changes and I have on numerous
occasions thought about adding it but just haven't really had the motivation
yet. Mainly because I have static prefixes everywhere since I run my own AS :P

--Daniel

___
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
Hi Daniel,

On Tuesday, 14.03.2023 at 06:53 +0100, Daniel Gröber wrote:
> Hi Jochen,
>
> On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> > Yet I cannot communicate. Is it possible that the wireguard tunnel
> > itself doesn't have the prefix in its allowed IPs? I always thought
> > this allowed_ips parameter is only for setting up the routing, even if
> > the name suggests otherwise.
>
> With wg-quick (which OpenWrt is trying to mirror I guess) the AllowedIPs do
> double duty as source address ACL and routes. I actually forgot to mention
> you'd have to use Table=0 to get rid of the static routes. IIRC the
> route_allowed_ips option you found is the equivalent here.
>
> On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> > All right, I figured it out.
> > On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> > Then set route_allowed_ips to 0.
>
> Are you sending any v4 traffic over the tunnel? If not 0.0.0.0/0 should be
> unnecessary.
>
> > This seems to work, yet it is generally recommended not to allow any in
> > a wireguard tunnel. I don't see another way right now though.
>
> What do you mean? If your AllowedIPs set is empty wireguard will just act
> as a big useless black hole.

Well there were several blog posts and texts that said running wireguard
without a filter to IPs was a bad idea. I do not concur, that's why I
implemented it without a filter and I'm happy with it :-)

> To see how the OpenWrt stuff maps to wg options see the script handling the
> conversion:
>
> https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh
>
> AFAICT it does a straight conversion of the allowed_ips list to the wg
> option.
>
> --Daniel
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
Hi Jochen,

On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> Yet I cannot communicate. Is it possible that the wireguard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for setting up the routing, even if
> the name suggests otherwise.

With wg-quick (which OpenWrt is trying to mirror I guess) the AllowedIPs do
double duty as source address ACL and routes. I actually forgot to mention
you'd have to use Table=0 to get rid of the static routes. IIRC the
route_allowed_ips option you found is the equivalent here.

On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> All right, I figured it out.
> On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> Then set route_allowed_ips to 0.

Are you sending any v4 traffic over the tunnel? If not 0.0.0.0/0 should be
unnecessary.

> This seems to work, yet it is generally recommended not to allow any in
> a wireguard tunnel. I don't see another way right now though.

What do you mean? If your AllowedIPs set is empty wireguard will just act
as a big useless black hole.

To see how the OpenWrt stuff maps to wg options see the script handling the
conversion:

https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh

AFAICT it does a straight conversion of the allowed_ips list to the wg
option.

--Daniel
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
All right, I figured it out.
On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
Then set route_allowed_ips to 0.

This seems to work, yet it is generally recommended not to allow any in a
wireguard tunnel. I don't see another way right now though.
So I believe my setup is safe, thank you!

Thanks
Jochen

On Monday, 13.03.2023 at 22:43 +0100, Jochen Demmer wrote:
> Thank you for that detailed description.
> It seems to be working. I simulate a prefix change at my home site by
> adding a prefix to the redistribute:
>
> config filter
>     option type "redistribute"
>     option ip "2a03:fe3:fe3::/48"
>
> I then add an ip from that prefix to an interface and very fast it will
> show up as a route at the remote firewall (OpenWrt btw at both sides).
>
> Yet I cannot communicate. Is it possible that the wireguard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for setting up the routing, even if
> the name suggests otherwise.
>
> Regards
> Jochen
>
> On Monday, 13.03.2023 at 10:51 +0100, Daniel Gröber wrote:
> > Hi Jochen,
> >
> > On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> > > I thought I could use babeld to just fill that gap and always have a
> > > route to the prefix I get at home. So even when there is a disconnect
> > > and a new prefix, I thought babeld will just fetch it and push it over
> > > to site B.
> > >
> > > Is that a valid idea? If so, what would a configuration look like?
> >
> > You can definitely use babel here. You just need to add some config
> > lines to redistribute your prefixes. Quoting the manpage:
> >
> >     By default, babeld redistributes all local addresses, and no other
> >     routes. In order to make sure that only the routes you specify are
> >     redistributed, you should include the line
> >
> >         redistribute local deny
> >
> > So that's a good start and then you just need to add filters to get the
> > prefixes in:
> >
> >     redistribute local deny
> >     redistribute ip fd5e:ef07:ec1a::/48  #< Site A ULA prefix
> >     redistribute ip 2000::/3             #< Site X GUA prefixes
> >
> > And that's pretty much it for the babel side. Just add the interface(s)
> > you want to run on to /etc/default/babeld (on Debian at least) and you
> > should be good to go.
> >
> > There is one gotcha that I'd like to point out. babeld fucks with a
> > number of ip sysctls which you might not expect if your routers are
> > already set up as you want them. You can disable this using
> > `skip-kernel-setup true`. Grep the source for skip_kernel_setup to see
> > the sysctls it touches.
> >
> > Note that by default babeld will accept all routes from neighbours. You
> > might want to add `in` filters to prevent the other site from announcing
> > routes it's not allowed to send.
> >
> > You can be more specific with the GUA prefixes if you like but that's a
> > local policy matter :)
> >
> > > Do I just have to configure the wireguard interface on both sites or
> > > will I have to add filters?
> >
> > To get babel to work on wg you have to 1) add a unique fe80::/64
> > interface address on each side and 2) if using restrictive AllowedIPs
> > include fe80::/64 and ff02::1:6 in the list.
> >
> > Let me know how it goes,
> > --Daniel
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
Thank you for that detailed description.
It seems to be working. I simulate a prefix change at my home site by
adding a prefix to the redistribute:

config filter
    option type "redistribute"
    option ip "2a03:fe3:fe3::/48"

I then add an ip from that prefix to an interface and very fast it will
show up as a route at the remote firewall (OpenWrt btw at both sides).

Yet I cannot communicate. Is it possible that the wireguard tunnel
itself doesn't have the prefix in its allowed IPs? I always thought
this allowed_ips parameter is only for setting up the routing, even if
the name suggests otherwise.

Regards
Jochen

On Monday, 13.03.2023 at 10:51 +0100, Daniel Gröber wrote:
> Hi Jochen,
>
> On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> > I thought I could use babeld to just fill that gap and always have a
> > route to the prefix I get at home. So even when there is a disconnect
> > and a new prefix, I thought babeld will just fetch it and push it over
> > to site B.
> >
> > Is that a valid idea? If so, what would a configuration look like?
>
> You can definitely use babel here. You just need to add some config lines
> to redistribute your prefixes. Quoting the manpage:
>
>     By default, babeld redistributes all local addresses, and no other
>     routes. In order to make sure that only the routes you specify are
>     redistributed, you should include the line
>
>         redistribute local deny
>
> So that's a good start and then you just need to add filters to get the
> prefixes in:
>
>     redistribute local deny
>     redistribute ip fd5e:ef07:ec1a::/48  #< Site A ULA prefix
>     redistribute ip 2000::/3             #< Site X GUA prefixes
>
> And that's pretty much it for the babel side. Just add the interface(s) you
> want to run on to /etc/default/babeld (on Debian at least) and you should
> be good to go.
>
> There is one gotcha that I'd like to point out. babeld fucks with a number
> of ip sysctls which you might not expect if your routers are already set up
> as you want them. You can disable this using `skip-kernel-setup true`. Grep
> the source for skip_kernel_setup to see the sysctls it touches.
>
> Note that by default babeld will accept all routes from neighbours. You
> might want to add `in` filters to prevent the other site from announcing
> routes it's not allowed to send.
>
> You can be more specific with the GUA prefixes if you like but that's a
> local policy matter :)
>
> > Do I just have to configure the wireguard interface on both sites or
> > will I have to add filters?
>
> To get babel to work on wg you have to 1) add a unique fe80::/64 interface
> address on each side and 2) if using restrictive AllowedIPs include
> fe80::/64 and ff02::1:6 in the list.
>
> Let me know how it goes,
> --Daniel
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
> There is one gotcha that I'd like to point out. babeld fucks with a number
> of ip sysctls which you might not expect if your routers are already set up
> as you want them. You can disable this using `skip-kernel-setup true`. Grep
> the source for skip_kernel_setup to see the sysctls it touches.

If you use "skip-kernel-setup", it is your job to ensure that the kernel is
set up correctly for routing. Here's the list of sysctls that babeld tweaks:

    /proc/sys/net/ipv6/conf/all/forwarding
    /proc/sys/net/ipv4/conf/all/forwarding
    /proc/sys/net/ipv6/conf/all/accept_redirects
    /proc/sys/net/ipv4/conf/all/rp_filter
    /proc/sys/net/ipv4/conf/$interface/rp_filter

-- Juliusz
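A router that sets `skip-kernel-setup true` has to verify those five files itself. The script below is an added example (not code from the thread or from babeld) that walks Juliusz's list and reports anything that differs from what babeld would have written. The target values are my assumption of what a Babel router needs: forwarding on, ICMPv6 redirects ignored, and strict reverse-path filtering off, because Babel paths are often asymmetric and rp_filter=1 would silently drop return traffic. The first argument is the sysctl root so the same function can be exercised against a constructed directory tree instead of /proc.

```shell
#!/bin/sh
# Added example: verify the kernel settings babeld would otherwise adjust
# itself, for routers running babeld with `skip-kernel-setup true`.
#
# Usage: sh check-kernel-setup.sh /proc/sys wg0 [more interfaces...]
# With no arguments it runs against a constructed sample tree (see below).

# check_kernel_setup ROOT IFACE...
# Prints one line per deviation and returns the number of deviations found
# (0 means the kernel is set up the way babeld would have set it).
# The expected values are an assumption, see the lead-in.
check_kernel_setup() {
    root=$1
    shift
    specs="net/ipv6/conf/all/forwarding=1 net/ipv4/conf/all/forwarding=1"
    specs="$specs net/ipv6/conf/all/accept_redirects=0 net/ipv4/conf/all/rp_filter=0"
    # babeld also relaxes rp_filter on every interface it runs on
    for iface in "$@"; do
        specs="$specs net/ipv4/conf/$iface/rp_filter=0"
    done
    bad=0
    for spec in $specs; do
        key=${spec%=*}
        want=${spec#*=}
        if [ ! -r "$root/$key" ]; then
            printf 'MISSING  %s\n' "$key"
            bad=$((bad + 1))
            continue
        fi
        read -r have < "$root/$key"
        if [ "$have" != "$want" ]; then
            printf 'WRONG    %s = %s (babeld would set %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# make_sample_tree DIR: constructed sysctl tree with one deviation
# (rp_filter still strict on wg0) so the check can be run offline.
make_sample_tree() {
    mkdir -p "$1/net/ipv6/conf/all" "$1/net/ipv4/conf/all" "$1/net/ipv4/conf/wg0"
    echo 1 > "$1/net/ipv6/conf/all/forwarding"
    echo 1 > "$1/net/ipv4/conf/all/forwarding"
    echo 0 > "$1/net/ipv6/conf/all/accept_redirects"
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"
    echo 1 > "$1/net/ipv4/conf/wg0/rp_filter"
}

if [ $# -gt 0 ]; then
    check_kernel_setup "$@"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    check_kernel_setup "$sample" wg0
    rm -rf "$sample"
fi
```

Run it from the babeld unit's ExecStartPre (or by hand after a sysctl.conf change) and treat a non-zero exit as "babeld will start, but traffic will be dropped somewhere".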
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
On Mon, Mar 13, 2023 at 10:51:52AM +0100, Daniel Gröber wrote:
> So that's a good start and then you just need to add filters to get the
> prefixes in:
>
>     redistribute local deny
>     redistribute ip fd5e:ef07:ec1a::/48  #< Site A ULA prefix
>     redistribute ip 2000::/3             #< Site X GUA prefixes

Argh, forgot an `allow` statement at the end. That should be:

    redistribute local deny
    redistribute ip fd5e:ef07:ec1a::/48 allow   #< Site A ULA prefix
    redistribute ip 2000::/3 allow              #< Site X GUA prefixes

--Daniel
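Putting the corrected filter lines together with the other points raised in the thread (skip-kernel-setup, `in` filters, the link-local address and the Babel entries in AllowedIPs), here is what the Site A side looks like as one configuration. This is an added example, not from the thread: the Site B ULA prefix fd5e:ef07:ec1b::/48, the interface name wg0, the link-local address, the endpoint host name and the key placeholders are all assumptions. `Table = off` is the wg-quick(8) spelling for "do not install routes from AllowedIPs"; on OpenWrt the equivalent is the route_allowed_ips option Jochen found, and the babeld statements map onto OpenWrt's `config filter` sections.

```conf
# ---- /etc/babeld.conf on the Site A router (the site whose GUA prefix changes)

# Leave the sysctls alone; Juliusz's list shows what babeld would otherwise touch
skip-kernel-setup true

# Run Babel over the WireGuard tunnel (placeholder interface name)
interface wg0

# Redistribute only what we choose, not every local address
redistribute local deny
redistribute ip fd5e:ef07:ec1a::/48 allow   #< Site A ULA prefix
redistribute ip 2000::/3 allow              #< whatever GUA prefix Site A holds right now

# Accept only the routes Site B is allowed to announce (placeholder prefix; add
# a line for Site B's GUA prefix if it has one). Without the final deny, babeld
# accepts everything a neighbour sends.
in ip fd5e:ef07:ec1b::/48 allow
in deny

# ---- /etc/wireguard/wg0.conf on the Site A router (wg-quick syntax)

[Interface]
PrivateKey = <site A private key>
ListenPort = 51820
Address = fe80::a/64        # unique link-local address per side; babeld needs one
Table = off                 # no routes derived from AllowedIPs; babeld installs them

[Peer]
PublicKey = <site B public key>
Endpoint = siteb.example.net:51820
# Site B's prefixes are static, so this side can stay restrictive. AllowedIPs
# is also the source-address ACL for packets decrypted from this peer, so the
# Babel link-local source and the ff02::1:6 multicast destination must be in it.
AllowedIPs = fe80::/64, ff02::1:6/128, fd5e:ef07:ec1b::/48
PersistentKeepalive = 25
```

On the Site B router the peer entry for Site A cannot be restricted the same way, because Site A's GUA prefix is not known in advance; that is why Jochen ended up with ::/0 there. The `in` filters on Site B then limit which routes Site A may announce, but not which source addresses it may send from, which is the trade-off Daniel's later message about dynamic AllowedIPs is about.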
Re: [Babel-users] IPv6 ULA GUA S2S routing problem
Hi Jochen,

On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> I thought I could use babeld to just fill that gap and always have a
> route to the prefix I get at home. So even when there is a disconnect
> and a new prefix, I thought babeld will just fetch it and push it over
> to site B.
>
> Is that a valid idea? If so, what would a configuration look like?

You can definitely use babel here. You just need to add some config lines to
redistribute your prefixes. Quoting the manpage:

    By default, babeld redistributes all local addresses, and no other
    routes. In order to make sure that only the routes you specify are
    redistributed, you should include the line

        redistribute local deny

So that's a good start and then you just need to add filters to get the
prefixes in:

    redistribute local deny
    redistribute ip fd5e:ef07:ec1a::/48  #< Site A ULA prefix
    redistribute ip 2000::/3             #< Site X GUA prefixes

And that's pretty much it for the babel side. Just add the interface(s) you
want to run on to /etc/default/babeld (on Debian at least) and you should
be good to go.

There is one gotcha that I'd like to point out. babeld fucks with a number
of ip sysctls which you might not expect if your routers are already set up
as you want them. You can disable this using `skip-kernel-setup true`. Grep
the source for skip_kernel_setup to see the sysctls it touches.

Note that by default babeld will accept all routes from neighbours. You
might want to add `in` filters to prevent the other site from announcing
routes it's not allowed to send.

You can be more specific with the GUA prefixes if you like but that's a
local policy matter :)

> Do I just have to configure the wireguard interface on both sites or
> will I have to add filters?

To get babel to work on wg you have to 1) add a unique fe80::/64 interface
address on each side and 2) if using restrictive AllowedIPs include
fe80::/64 and ff02::1:6 in the list.

Let me know how it goes,
--Daniel
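Two points in the thread are easy to get wrong on a live router: AllowedIPs is the source-address ACL for everything decrypted from a peer (Daniel's "double duty" remark), and a peer that is to carry Babel must therefore have fe80::/64 and ff02::1:6 in its set, unless it has a catch-all like the ::/0 Jochen ended up with. The script below is an added example, not code from the thread, from WireGuard or from babeld; it audits each peer line in the format `wg show <iface> allowed-ips` prints and distinguishes "Babel cannot work over this peer" from "it works, but only because the peer may send from any source address". The sample peer lines and their keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a WireGuard peer's AllowedIPs for a link carrying Babel.
#
# Inside WireGuard, AllowedIPs is the source-address ACL: a packet decrypted
# from a peer whose source address is not in that peer's set is dropped.
# babeld speaks from a link-local address to the multicast group ff02::1:6,
# so both must be covered or the peer is silently unreachable for Babel.
# A catch-all (::/0 or 0.0.0.0/0) lets Babel work with a changing prefix but
# means the peer may send packets from any source; babeld `in` filters then
# limit what it can announce, not what it can send.
#
# Input lines use the format of `wg show <iface> allowed-ips`:
#   <peer public key><TAB><prefix> <prefix> ...     or     <key><TAB>(none)

TAB=$(printf '\t')
BABEL_REQUIRED="fe80::/64 ff02::1:6/128"

# audit_peer LINE
# Prints one finding per line. Returns 0 if Babel can run over this peer with
# a restrictive set, 2 if it runs only because of a catch-all entry, and 1 if
# babeld cannot talk to the peer at all.
audit_peer() {
    line=$1
    key=${line%%"$TAB"*}
    allowed=${line#*"$TAB"}
    [ "$allowed" = "(none)" ] && allowed=""
    status=0
    case " $allowed " in
        *" ::/0 "*|*" 0.0.0.0/0 "*)
            printf '%s: catch-all AllowedIPs; peer may source packets from any address\n' "$key"
            status=2 ;;
    esac
    case " $allowed " in
        *" ::/0 "*) return $status ;;   # all of v6 is covered, nothing can be missing
    esac
    for need in $BABEL_REQUIRED; do
        case " $allowed " in
            *" $need "*) ;;
            *)  printf '%s: %s not in AllowedIPs; babeld cannot reach this peer\n' "$key" "$need"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample in `wg show` format: a Site B peer with static prefixes
# (restrictive set), a Site A peer with a changing prefix (catch-all), and a
# peer whose AllowedIPs predates Babel on the link (broken for Babel).
# The keys and the Site B prefix are placeholders, not real values.
SAMPLE="SITEB_PUBKEY${TAB}fe80::/64 ff02::1:6/128 fd5e:ef07:ec1b::/48
SITEA_PUBKEY${TAB}::/0
OLD_PUBKEY${TAB}fd5e:ef07:ec1a::/48"

# Usage: sh wg-babel-audit.sh wg0   (live peers)   or   sh wg-babel-audit.sh   (sample)
if [ $# -gt 0 ]; then
    wg show "$1" allowed-ips
else
    printf '%s\n' "$SAMPLE"
fi | while IFS= read -r peer; do
    audit_peer "$peer" || echo "  (status $?)"
done
```

A status of 2 is the expected answer for the peer whose prefix changes; a status of 1 is the situation Jochen hit before switching to ::/0, where routes showed up but no traffic flowed.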