Ability to use on wireguard interfaces that have no MAC address #22

Open
TheLinuxGuy opened this issue Mar 5, 2021 · 8 comments

@TheLinuxGuy

Very interesting project. I was trying to tinker with corerad to get IPv6 autoconfiguration / SLAAC working over a wireguard tunnel. This does not seem to be possible at the moment?

root@mia2:/etc/systemd/system# /usr/local/bin/corerad -c=/etc/corerad/corerad.toml
CoreRAD v0.3.0-15-g8f828f7 (2021-03-05) starting with configuration file "/etc/corerad/corerad.toml"
starting HTTP debug listener on "localhost:9430": prometheus: true, pprof: false
eth0: initialized, monitoring from fe80::216:3eff:fec5:213d
failed to run: failed to serve: failed to run task advertiser "noproxy": failed to reinitialize "noproxy" listener: interface "noproxy" has no MAC address
root@mia2:/etc/systemd/system# wg show
interface: noproxy
  public key: nope
  private key: (hidden)
  listening port: 88

peer: somepeer
  preshared key: (hidden)
  endpoint: [2x]:56692
  allowed ips: 10.100.100.10/32, 2x:b00b::10/128
  latest handshake: 1 minute, 51 seconds ago
  transfer: 18.58 KiB received, 354.57 KiB sent

I have a VPS with a public IPv6 /64 allocation that I am hoping to route via wireguard to my home. I have been successful at configuring wireguard peers with the public IPv6 segment and then on the VPS host using linux kernel 'net.ipv6.conf.all.proxy_ndp' and manual 'ip -6 neigh add proxy ' commands to allow RAs to be proxied.

eth0 is VPS connection to the internet and where IPv6 /64 is assigned.
'noproxy' is the wireguard interface name that clients connect to.

While this works great when I want to give a wireguard client only a single IPv6, I was trying to explore if I could allow more of the available IPv6 public pool to work over wireguard as well. For example, Windows 10 has IPv6 privacy extensions enabled by default and it's common to see a win10 client have 4-6 IPv6s autoconfigured on the network. I was experimenting with ways to make it work over wireguard - I think I am halfway there but I think I am limited by linux's ndp proxy capabilities - and I'd rather not have to deal with cumbersome manual adding of proxy entries to the IPv6 neighbors table if I could have corerad or a similar service handle this for me.

Hope this makes sense? Again, just experimenting to see what other alternatives could work and truly enable SLAAC via wireguard. corerad seems promising but it crashed after I tried to run it, as it seems to have a dependency on a MAC address.

@danderson

IPv6 autoconfiguration depends on multicast, which WireGuard doesn't support. So, it's unlikely that any generic IPv6 autoconfiguration system will work over wireguard, unfortunately.

@mdlayher
Owner

mdlayher commented Mar 5, 2021

That's what I was thinking too, Dave. I do have a unicast-only mode (not really tested) available, but I think the fundamentals of NDP still require a MAC address because it's the IPv6 way of mapping IP/MAC pairs too. But frankly I'm pretty rusty and haven't put much thought into this yet.

You would probably want to run CoreRAD on the router at your house that then sets up a WireGuard tunnel to your VPS to get the IPv6 subnet routed in.

@mdlayher
Owner

mdlayher commented Mar 5, 2021

Also I have never messed with NDP proxying and CoreRAD doesn't have any knowledge of it either IIRC. I guess it is something I should look into.

@TheLinuxGuy
Author

IPv6 autoconfiguration depends on multicast, which WireGuard doesn't support. So, it's unlikely that any generic IPv6 autoconfiguration system will work over wireguard, unfortunately.

Ah! You may be correct on this one. However, there is a fork of wireguard that does allow multicast traffic: https://tunsafe.com/user-guide/config

I have tested tunsafe vs. wireguard: the wireguard kernel implementation is much faster, but tunsafe has traffic obfuscation and TCP port abilities to avoid ISP QoS throttling.

I can experiment with tunsafe and enable the multicast option if I get some guidance on corerad?

@mdlayher
Owner

mdlayher commented Mar 6, 2021

I'm not sure what kind of guidance you're looking for but https://corerad.net/ covers a lot of the basics.

You're welcome to play around with the source to see if you can get things working, but I'm not sure this use case is typical enough that I would feel comfortable adding special cases for it and supporting it.

@skoef

skoef commented Aug 27, 2021

I have a question that relates to this issue but is unrelated to WireGuard however: I'm currently running a RAD that I've built myself to send out router advertisements on behalf of my actual router. Basically the trick is to use the router's link local address in the router advertisement instead of the interface's which is sending the RA.

This wouldn't be possible in the current implementation either, since the hardwareaddr is taken from the interface from the dialcontext, but if CoreRAD would allow me to do this, I could replace my own implementation with CoreRAD right away: it has everything I need and then some.

Would this be something that CoreRAD could offer, or is it perhaps against some principal ideas behind CoreRAD and/or hardcore violating RFCs (didn't check, but can imagine)? Otherwise I would gladly send in a PR for this feature!

@mdlayher
Owner

@skoef thanks for reaching out. This sounds different enough and probably merits more investigation. Opening a new issue to continue discussion: #26.

@mdlayher
Owner

mdlayher commented Sep 3, 2021

v0.3.4 supports interfaces without MAC addresses, such as PPPoE. I'm still not sure how this may or may not apply with WireGuard.
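To make concrete which part of NDP actually needs a MAC, here is an added example (not CoreRAD's own code; standard library only, with constructed lifetimes and a documentation prefix): it encodes an RFC 4861 Router Advertisement and appends the Source Link-Layer Address option only when the sending interface has a MAC, which the RFC permits, plus an option walker that a receiver can use to check what was sent.

```go
package main
import (
	"encoding/binary"
	"errors"
	"net"
)
// RouterAdvertisement holds the RFC 4861 §4.2 fields this example uses.
type RouterAdvertisement struct {
	CurHopLimit    uint8
	RouterLifetime uint16           // seconds; 0 means "not a default router"
	Prefix         *net.IPNet       // prefix advertised for SLAAC (L and A flags set)
	LinkLayerAddr  net.HardwareAddr // nil on MAC-less links such as WireGuard or PPPoE
}
// Marshal encodes the RA as an ICMPv6 message (checksum left zero for the raw socket).
// The Source Link-Layer Address (SLLA) option is added only when a MAC exists.
func (ra RouterAdvertisement) Marshal() ([]byte, error) {
	b := make([]byte, 16)
	b[0], b[4] = 134, ra.CurHopLimit // type 134 = Router Advertisement, code 0
	binary.BigEndian.PutUint16(b[6:8], ra.RouterLifetime)
	if ra.Prefix != nil {
		ones, bits := ra.Prefix.Mask.Size()
		if bits != 128 {
			return nil, errors.New("prefix is not IPv6")
		}
		opt := make([]byte, 32) // Prefix Information: type 3, length 4 (x8 octets)
		opt[0], opt[1], opt[2], opt[3] = 3, 4, uint8(ones), 0xc0 // 0xc0 = L|A flags
		binary.BigEndian.PutUint32(opt[4:8], 86400)  // valid lifetime, constructed value
		binary.BigEndian.PutUint32(opt[8:12], 14400) // preferred lifetime, constructed value
		copy(opt[16:], ra.Prefix.IP.To16())
		b = append(b, opt...)
	}
	if n := len(ra.LinkLayerAddr); n == 6 { // SLLA: type 1, length 1 (8 octets)
		b = append(b, append([]byte{1, 1}, ra.LinkLayerAddr...)...)
	} else if n != 0 {
		return nil, errors.New("only 48-bit MACs fit the SLLA option used here")
	}
	return b, nil
}

// HasOption walks the option TLVs after the 16-byte header; zero or overrunning lengths are rejected.
func HasOption(msg []byte, typ byte) (bool, error) {
	for i := 16; i < len(msg); i += int(msg[i+1]) * 8 {
		if i+2 > len(msg) || msg[i+1] == 0 || i+int(msg[i+1])*8 > len(msg) {
			return false, errors.New("malformed option")
		} else if msg[i] == typ {
			return true, nil
		}
	}
	return false, nil
}
```

Without a MAC the message is 48 bytes (header plus Prefix Information) and still valid; the multicast delivery problem raised earlier in the thread is separate from this encoding question.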


4 participants