Full IPv6 support

[akhepcat]

Is your feature request related to a problem? Please describe. It seems there's lots of calls for IPv6 support, but due to the lack of IPv6 connectivity, or experience, it's falling by the wayside.

I'm a network engineer, with IPv6 deployment experience, and experience in running a manually curated wireguard tunnel brokerage for IPv6-over-IPv4 connectivity.

Describe the solution you'd like I can help with testing and feedback, as well as offer ideas and suggestions based on my prior experience for fully implementing IPv6 support within WGDashboard - and from there into the wireguard server.

My current setup is based on some scripting wrappers that I wrote to help me manage a brokerage after SIXXS was shutdown, and those scripts are published at https://github.com/akhepcat/sixbroker

It supports full routed IPv6 with nat'd IPv4 - I haven't implemented NAT'd IPv6, because that breaks the end-to-end IPv6 experience.

I did only just find this software, so haven't really played much with it except to set up a small home version of it on a proxmox container, and of course that means trying to figure out how to get IPv6 fully enabled here.

[akhepcat]

With a bit of manual configuration overriding, I can make this work.
However, the dashboard will need to support the additional configuration options, as well as some sane limitations on allocating IPv6 address space.

The relevant bits from the config file:

[Interface]
Address = 100.64.49.1/24
Address = 2001:0DB8:64:49::1/64

[Peer]
AllowedIPs = 100.64.49.2/32, 2001:0DB8:64:49::2/128

With this configuration enabled, and a static route on my router/firewall, as well as enabling IPv6 forwarding on the wg-vpn box, i'm able to connect to both local and remote ipv6 resources.

no nat, no static routing, it just works.

[akhepcat]

My suggestion is to limit the available IPv6 addresses to the same range as the IPv4 subnet.

i.e., if you're using a /24, then you're limited to the first 253 IPv6 addresses of your range. (given the first usable address in the net is for the server)

That will keep the provisioning engine from trying to allocate quadrillions of addresses that will not be utilized.

[NOXCIS]

@akhepcat I experimented with ipv6 on my fork when it was on v3, I kept having Regex issues and problems with the second address line. I would like your input.

[akhepcat]

Happy to help out where I can.

I will note that having two Address= lines in the config file makes the app a little confused about what IPs are allowed when first defining a client. but after it's built, you can add the second address family IP just fine when editing.

Ahhh,,, in "class WireguardConfiguration" Address is a string, but it should be an array of strings (until parsed) because the Address lines can be repeated, and also contain multiple IP definitions per line.

[akhepcat]

okay, so, help me out. What is the purpose of:

def iPv46RegexCheck(ip):
    return re.match(
        r'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9a
-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){
3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9
a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(
([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3
}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-
9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|
1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-
9]?\d)){3}))|:)))(%.+)?\s*$))',
        ip)

    ip_patterns = (
        r"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|\/)){4}([0-9]{1,2})(,|$)",
        r"[0-9a-fA-F]{0,4}(:([0-9a-fA-F]{0,4})){1,7}\/([0-9]{1,3})(,|$)"
    )

    ip_patterns = (
        r"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}",
        r"[0-9a-fA-F]{0,4}(:([0-9a-fA-F]{0,4})){1,7}$"
    )

specifically? Because if you're trying to validate both IPv4 and IPv6 network objects as valid... why not just use the standard "ipaddress" module's "validate_ip" ?

[donaldzou]

Hi @akhepcat, thank you for bringing this up! Yes I don't have much experience in deploying IPv6 network so WGDashboard is not fully tested under IPv6, and I'm happy to have your input on this!

Regarding this,

However, the dashboard will need to support the additional configuration options, as well as some sane limitations on allocating IPv6 address space.

I think I fixed this issue by combining 2 address range into one line, i.e Address = 100.64.49.1/24,2001:0DB8:64:49::1/64 due to the standard library of reading the .conf file does not support duplicate keys in a section.

My suggestion is to limit the available IPv6 addresses to the same range as the IPv4 subnet.

Currently, the dashboard won't generate quadrillion addresses for IPv6 lol. I've prevented by only generating 255 addresses at a time so this is good ;) https://github.com/donaldzou/WGDashboard/blob/5d041b2fd380550c4bd9c1f566c56fe34b8ccae8/src/dashboard.py#L1411

why not just use the standard "ipaddress" module's "validate_ip"

Yes I should've lol, and I will implement it in the v4.1 release :)

[akhepcat]

configparse.zip

Here's a quick example of parsing config files with duplicate keys ("Address")

My python isn't as good as my perl, but hopefully this makes sense - it's cobbled together for sure. The MultiOrderedDict class isn't mine: it's a stackexchange answer from years ago

But this should give you a good start on being able to parse any version of the config file, normalizing it internally, and rewriting it into a canonically-acceptable style.

[luiskugel]

Hey, is there a timetable for when we can expect it to be usable. I don't want to push. I just need it relatively soon, and if it doesn't ship this year, I'll have to see if I can develop it myself.

But of course that would be unnecessary if it's almost ready. Then I'd rather help somewhere else.