Assign multiple defined IP addresses for end clients
Hello,
recently you've introduced a new feature (Multiple addresses per network interface in gateway with IPv4 and IPv6).
However, defguard itself configures only one address for the end client, as you described here: https://docs.defguard.net/admin-and-features/features-and-configuration/wireguard/create-your-vpn-network#gateway-vpn-ip-address-and-mask.
Would it be a big deal to configure all defined addresses for the end clients? That way we would be able to use one gateway for both IPv4 and IPv6 network connectivity in an automated way.
Will wait for your insights!
+1 for this as well
+1
I literally cannot wait until this is rolled out, and I do mean literally. It's really awkward having to tell our employees to turn off IPv6 after telling them last week we'd be transferring to a better VPN. Terrible first impression.
The feature is nearly ready, but we have some really major changes in 1.3 regarding ACLs/firewall and two-way LDAP/Active Directory sync, thus we don't want to add this feature to this release. But if you could help with 1.3 testing (alphas were released) so we could roll it out quickly, then we could release 1.3.1 with this feature.
Thank you in advance for any help! 🫡
That would be plenty, thank you. Should be no problem, we really wanted to try ACLs so we're already testing it. Will definitely let you know if we find any issues.
@j-chmielewski Please test using client applications
@NerijusRazvodovskis we would appreciate if you could test the feature: https://github.com/DefGuard/defguard/releases/tag/v1.4.0-alpha1
please note that this feature requires Defguard client 1.4.0-alphaX: https://github.com/DefGuard/client/releases/tag/v1.4.0-alpha1 (Linux is already available, MacOS / Windows alpha packages should be tomorrow)
@teon hello, thank you for pinging me, will do it within the next 2 days (hopefully tomorrow), thanks!
@teon are you going to build binaries? Seems like the core/proxy/gateway releases have just source files without any prebuilt binaries.
@NerijusRazvodovskis sorry for that - some GitHub Actions pipeline error, we're working on that - will let you know tomorrow.
Hey @teon, I've tested on Linux already, seems like everything is fine. However, we are waiting for the MacOS client package too since tons of users are using it. So after you release it, we will test it out also.
@NerijusRazvodovskis thank you, macOS should be today...
Hey @teon,
I've done a bit more testing with Linux and some use cases, and it seems like I was able to find some issues:
For example if i'm using split tunnel with following config:
Default IPv6 route gets installed, but 10.12.0.0/24 route isn't installed.
Interface on the client looks like this:
```
18: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.222.2/32 brd 192.168.222.2 scope global wg1
valid_lft forever preferred_lft forever
inet6 fd00::6/128 scope global
valid_lft forever preferred_lft forever
```
Route tables on the client look like this:
```
nerijus@Lin-PF4E6SBW:~$ ip -4 r show table all | grep wg1
local 192.168.222.2 dev wg1 table local proto kernel scope host src 192.168.222.2
broadcast 192.168.222.2 dev wg1 table local proto kernel scope link src 192.168.222.2
nerijus@Lin-PF4E6SBW:~$ ip -6 r show table all | grep wg1
default dev wg1 table 51820 metric 1024 pref medium
fd00::6 dev wg1 proto kernel metric 256 pref medium
local fd00::6 dev wg1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
```
If I'm using split tunnel, but without providing ::/0 to allowed IPs, the route 10.12.0.0/24 gets installed. Everything works fine in that case.
Config
Route tables on the client look like this:
```
nerijus@Lin-PF4E6SBW:~$ ip -4 r show table all | grep wg1
10.12.0.0/24 dev wg1 scope link
192.168.222.0/24 dev wg1 scope link
local 192.168.222.2 dev wg1 table local proto kernel scope host src 192.168.222.2
broadcast 192.168.222.2 dev wg1 table local proto kernel scope link src 192.168.222.2
nerijus@Lin-PF4E6SBW:~$ ip -6 r show table all | grep wg1
fd00::6 dev wg1 proto kernel metric 256 pref medium
fd00::/8 dev wg1 metric 1024 pref medium
local fd00::6 dev wg1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
```
Another case: if I'm using Full Tunnel with config
The IPv6 default route is not installed; the route table looks like this:
```
nerijus@Lin-PF4E6SBW:~$ ip -4 r show table all | grep wg1
default dev wg1 table 51820 scope link
local 192.168.222.2 dev wg1 table local proto kernel scope host src 192.168.222.2
broadcast 192.168.222.2 dev wg1 table local proto kernel scope link src 192.168.222.2
nerijus@Lin-PF4E6SBW:~$ ip -6 r show table all | grep wg1
fd00::6 dev wg1 proto kernel metric 256 pref medium
local fd00::6 dev wg1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
```
In this case we should receive both default routes, but it seems like we are receiving IPv4 only.
Even if I use this:
Only the IPv4 default gets installed, but the IPv6 default is missing.
So it seems like this implementation needs some corrections.
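As an added check for the kind of mismatch reported above (example code, not part of the original post and not defguard's or wireguard-rs's own): a small Python script that compares the AllowedIPs listed by `wg show` with the routes `ip route show table all` binds to the tunnel interface, run here on constructed samples modelled on the outputs pasted in this issue. The `covered` helper also accepts two /1 halves in place of a single default route, so it does not flag the macOS style of installing a default.

```python
"""Cross-check WireGuard AllowedIPs against installed kernel routes.
Added example (not defguard code). Sample texts below are constructed,
mirroring the split-tunnel case: ::/0 is routed, the IPv4 prefixes are not."""
import ipaddress
import re

WG_SHOW = "interface: wg1\npeer: PEER_PUBLIC_KEY_PLACEHOLDER\n  allowed ips: 192.168.222.0/24, 10.12.0.0/24, ::/0\n"
IP4_ROUTES = """\
local 192.168.222.2 dev wg1 table local proto kernel scope host src 192.168.222.2
default via 192.168.0.1 dev wlp0s20f3 proto dhcp metric 600
"""
IP6_ROUTES = """\
default dev wg1 table 51820 metric 1024 pref medium
fd00::6 dev wg1 proto kernel metric 256 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
"""
ROUTE_TYPES = {"local", "broadcast", "multicast", "anycast", "unicast"}


def parse_allowed_ips(wg_text):
    """Collect the AllowedIPs of every peer in `wg show` output."""
    found = re.findall(r"allowed ips:\s*(.+)", wg_text)
    return [ipaddress.ip_network(p.strip()) for line in found for p in line.split(",")]


def parse_routes(ip_text, dev, family):
    """Destination prefixes of `ip -<family> route` lines bound to `dev`."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in ip_text.splitlines():
        f = line.split()
        if "dev" not in f or f[f.index("dev") + 1] != dev:
            continue
        dst = f[1] if f[0] in ROUTE_TYPES else f[0]  # skip the route-type keyword
        routes.append(ipaddress.ip_network(default if dst == "default" else dst))
    return routes


def covered(prefix, routes):
    """True if `routes` jointly cover `prefix`; two /1 halves count as a default."""
    same = [r for r in routes if r.version == prefix.version]
    if any(r.supernet_of(prefix) for r in same):
        return True
    if not any(prefix.supernet_of(r) and r != prefix for r in same):
        return False  # nothing inside this prefix, so no point splitting it
    return all(covered(h, same) for h in prefix.subnets(prefixlen_diff=1))


def missing_routes(wg_text, ip4_text, ip6_text, dev):
    """AllowedIPs (as strings) that have no covering route on `dev`."""
    routes = parse_routes(ip4_text, dev, 4) + parse_routes(ip6_text, dev, 6)
    return [str(n) for n in parse_allowed_ips(wg_text) if not covered(n, routes)]
```

On a real machine, feed it the live outputs of `sudo wg show`, `ip -4 r show table all` and `ip -6 r show table all`; an empty result means every allowed prefix has a route through the tunnel.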
@j-chmielewski can you take over the issues? Thanks!
Hey @NerijusRazvodovskis, thanks helping us test this. Let's start with those:
- Could you show me the output of `sudo wg show` for those use cases? Are the allowed IPs also missing on the wireguard interfaces?
- How did you setup the client? Did you use the activation token or download the config file?
- Are those routes already present on any other interface?
Yes, I can help, of course.
Split tunnel with following config:
```
nerijus@Lin-PF4E6SBW:~$ sudo wg show wg1
[sudo] password for nerijus:
interface: wg1
public key: bbe/FMqYjgphpxYQGAN1pbj/b4aR/ysFmQ5cDJk4Ljk=
private key: (hidden)
listening port: 40487
fwmark: 0xca6c
peer: RKlQyD/lE8SavKliqhcnOZ+4pWqCwxxiw2gJ6qtpJXQ=
preshared key: (hidden)
endpoint: External_IP:55555
allowed ips: 192.168.222.0/24, 10.12.0.0/24, ::/0
latest handshake: 17 seconds ago
transfer: 180 B received, 272 B sent
persistent keepalive: every 25 seconds
```
Split tunnel with following config:
```
nerijus@Lin-PF4E6SBW:~$ sudo wg show wg1
interface: wg1
public key: bbe/FMqYjgphpxYQGAN1pbj/b4aR/ysFmQ5cDJk4Ljk=
private key: (hidden)
listening port: 39705
peer: RKlQyD/lE8SavKliqhcnOZ+4pWqCwxxiw2gJ6qtpJXQ=
preshared key: (hidden)
endpoint: External_IP:55555
allowed ips: 192.168.222.0/24, 10.12.0.0/24, fd00::/8
latest handshake: 7 seconds ago
transfer: 92 B received, 180 B sent
persistent keepalive: every 25 seconds
```
Full tunnel with following config:
```
nerijus@Lin-PF4E6SBW:~$ sudo wg show wg1
interface: wg1
public key: bbe/FMqYjgphpxYQGAN1pbj/b4aR/ysFmQ5cDJk4Ljk=
private key: (hidden)
listening port: 40939
fwmark: 0xca6c
peer: RKlQyD/lE8SavKliqhcnOZ+4pWqCwxxiw2gJ6qtpJXQ=
preshared key: (hidden)
endpoint: External_IP:55555
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 5 seconds ago
transfer: 570.78 KiB received, 270.00 KiB sent
persistent keepalive: every 25 seconds
```
Full tunnel with following config:
```
nerijus@Lin-PF4E6SBW:~$ sudo wg show wg1
interface: wg1
public key: bbe/FMqYjgphpxYQGAN1pbj/b4aR/ysFmQ5cDJk4Ljk=
private key: (hidden)
listening port: 44005
fwmark: 0xca6c
peer: RKlQyD/lE8SavKliqhcnOZ+4pWqCwxxiw2gJ6qtpJXQ=
preshared key: (hidden)
endpoint: External_IP:55555
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 2 seconds ago
transfer: 48.47 KiB received, 74.56 KiB sent
persistent keepalive: every 25 seconds
```
So the allowed IPs are not missing.
Also, regarding the Full Tunnel example, it's enough to add the default IPv6 route by hand through the wg interface and that fixes it.
- With the activation token. However, it was activated/set up with version v1.2.0, I believe, and later I upgraded it to 1.4.0-alpha1.
- No, there are no such routes on any other interface.
Also, I saw the MacOS client is out already; hopefully I will test it out tomorrow.
@NerijusRazvodovskis I've been able to reproduce this, looks like it might be something deeper in our wireguard-rs stack. I'll get back to you once I have some results.
Hey @j-chmielewski, I was testing this with MacOS today, couldn't replicate the same issues, and everything looks fine from the first insights.
However, in the MacOS case the PC receives 2x /1 IPv6 routes (which cover the whole IPv6 space) instead of a default, but that's probably by design?
Regarding the Linux cases, I will wait for an update from you and will retest it.
Regarding Windows, I don't have any ability to do the tests; neither I nor anyone from the company has Windows.
Also, by the way, gateways will now stop working on Ubuntu 20.04 due to
```
/usr/sbin/defguard-gateway: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /usr/sbin/defguard-gateway)
/usr/sbin/defguard-gateway: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /usr/sbin/defguard-gateway)
/usr/sbin/defguard-gateway: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /usr/sbin/defguard-gateway
root@indonesia1:~# ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.18) 2.31
```
2.31 is the latest for Ubuntu 20.04. As a workaround it's possible to manually install a newer version by hand, I believe, but that's not a very safe method.
Perhaps you could rebuild it? Or do we need to dist-upgrade for that?
Since ubuntu 20.04 reached eol in may it would probably be best to dist-upgrade. If it is a big issue for you, you may open a ticket and we'll discuss it internally.
@NerijusRazvodovskis fixed linux client is available here: https://github.com/DefGuard/client/releases/tag/v1.4.0-alpha2. Let me know if this resolves all the issues you've found.
MacOS and Windows builds should be available later today too.
Hey @j-chmielewski, I can confirm it now works correctly on Linux too.
Just one nit appeared: now it always pushes a default IPv6 route even if you don't define it on the gateway itself:
```
nerijus@Lin-PF4E6SBW:~$ ip -4 r show default table all
default dev wg0 table 51820 scope link
default via 192.168.0.1 dev wlp0s20f3 proto dhcp metric 600
nerijus@Lin-PF4E6SBW:~$ ip -6 r show default table all
default dev wg0 table 51820 metric 1024 pref medium
nerijus@Lin-PF4E6SBW:~$ ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 192.168.48.2 netmask 255.255.255.255 destination 192.168.48.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 49355 bytes 61399364 (61.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19458 bytes 6895260 (6.8 MB)
TX errors 0 dropped 8 overruns 0 carrier 0 collisions 0
nerijus@Lin-PF4E6SBW:~$ sudo wg show
interface: wg0
public key: j8gWxn3QfnyAgc1EGl4S/4vSgUwSeiZBV2uazvN8CTQ=
private key: (hidden)
listening port: 41661
fwmark: 0xca6c
peer: BiALoMmGOU/3vnvqHKM+paKtknDmYA0eLLw+XPa+vkw=
preshared key: (hidden)
endpoint: ExternalIP:55555
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 23 seconds ago
transfer: 61.50 MiB received, 6.69 MiB sent
persistent keepalive: every 25 seconds
nerijus@Lin-PF4E6SBW:~$
```
It's not a big deal, but I believe it shouldn't be like that, so I'm just informing you.
> Since ubuntu 20.04 reached eol in may it would probably be best to dist-upgrade. If it is a big issue for you, you may open a ticket and we'll discuss it internally.

Regarding this, I will probably migrate it to Docker, and after the dist-upgrade we will go back to the native package.

> Just one nit appeared: now it always pushes a default IPv6 route even if you don't define it on the gateway itself:
Hey @NerijusRazvodovskis, I can't reproduce this one - are you sure interface info you pasted corresponds to gateway settings in your screenshots? On my system no IPv6 route is added when gateway address is 192.168.48.1/22 with 192.168.48.0/22 allowed ips. Also your wg show output looks suspicious, not what I'd expect with this gateway config.
@j-chmielewski Hey, seems like you are right. Perhaps it was a route cache thing on my side (since I was testing with IPv6 first, and later removed it from the gateway); I can't replicate it now either. Sorry.
Or wait, actually it exists, I need more morning coffee. Yeah, the gateway has only 192.168.48.1/22 with 192.168.48.0/22 allowed IPs, and I can see the IPv6 default. If I disconnect from the VPN, the default IPv6 route disappears.
```
nerijus@Lin-PF4E6SBW:~$ ip -6 r show table all
default dev wg0 table 51820 metric 1024 pref medium
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.48.2/32 brd 192.168.48.2 scope global wg0
valid_lft forever preferred_lft forever
```
However, I could test it with a clean PC if you would like.
Also, this happens with Full Tunnel. (It overrides the allowed IPs to 0.0.0.0/0, ::/0, and that's right, I believe.)
Tested with clean PCs, I could replicate that too.
- My PC uses: Pop!_OS 22.04 LTS
- Clean PC: Ubuntu 24.04
- Another PC: Ubuntu 22.04