linuxmint / warpinator

Share files across the LAN
GNU General Public License v3.0

IPv6 support #37

Open treysis opened 4 years ago

treysis commented 4 years ago

Warpinator relies on IPv4, as it seems. Therefore, it doesn't work on IPv6-only systems. That is weird in 2020.

treysis commented 4 years ago

Any plans on changing that?

OdinVex commented 3 years ago

A good, solid afternoon of tinkering from someone more familiar with Linux and sockets would be best.

Preliminary support could be added if python scripts "auth, server, utils, warpinator" were re-worked to support it but right now there are a lot of IPv4-related magic-numbers/constants and assumptions (I'd rather have a working IPv4 than IPv6 if it meant getting it out earlier, personally). The assumptions have been implemented in a way that would take quite a re-write.

Specifically: the zeroconf backend would need to be modified to announce "per-interface" IPv4/IPv6 (either/both), server and auth socket-binding would need to support multiple interfaces IPv4/IPv6 (either/both), and finally, authentication is a bit tricky to consider because the current implementation sets up SANs in the certificates and identifying a single server across multiple IPs would need to be done "by the user" (tacky?) and if all IPs were automatically included, it'd reveal more information about the server than necessary. I think the "tacky" way might be best in the long run so as not to leak any IPs the server is listening on (cert SANs). I'd rather see something like a single cert piece that can identify a server regardless of IP but then you have the whole cert-validation based on IP to deal with. Maybe certs that have only one SAN IP (one being interfaced with) and all certs on a server being signed with same key and simply validate entity by same-key. I dunno, just a thought. Eating a can of corn right now, eh.

On my own git pull, I've already got it all working but I've got the option to include all IPs in the SANs or to go tacky because I can guarantee my own network. ...Not backwards-compatible but eh. I have a 'multiple interface+multiple IP-stack' combination network to test it on. So far it all works but eh, I think Clem and others should dictate how they want to resolve that.

mtwebster commented 3 years ago

Hi, I had started work on ipv6, but I've got a decent size update to add net interface selection, among other things, I'm getting ready to merge. I didn't get too far on the ipv6 thing though (other than lots of reading), so I'd welcome the contribution. It may be better to wait (or maybe work off of that). I had a pr open, but it was a bit obsolete, I've opened a new one just to show wip: https://github.com/linuxmint/warpinator/pull/60.

The primary goal here is to keep it as simple as possible for the user, this is why we're creating our own certificates, etc..

There are a lot of bad things in there, I'm sure - I'm admittedly nothing close to an expert. The changes I've been working on improve some of the connection issues. I'd been planning to switch to python ipaddress to clean things up a bit also when ipv6 was added.

OdinVex commented 3 years ago

I agree with creating certs but the issue I meant about multiple networks and multiple certs is the aggregation of identities vs IP-leaking and whether there should be an inherent trade-off by leaking (I disagree) or simply coming up with another way to verify identities for aggregation (I prefer).

I'm no expert on Python (I despise it, C++/ASM fan) but yes, a bit stringy/messy. Considering the age of Warpinator, I get it, rush to release a working version, all good. Just might've been easier to develop for IPv4+IPv6 stacks and interfaces at ground-up.

I'll wait until your changes get pulled and then consider adding IPv6. The design of multiple interfaces must really be decided upon though, first. Specifically the aggregation of identities such as being able to reach a server over both IPv4 and IPv6, which interface is preferred (higher link speed?), and recognizing it as one entity, despite IPs maybe changing such as ISP-issued IPv6.

The hard-coded Google DNS stuff needs to go though, without any doubt. Bad idea altogether. Privacy issue. May not be as much as some might consider but I see no reason at all to probe any third-party DNS.

The ability to combine interfaces in a way similar to 802.3ad would be extremely awesome for any 'home' setup. I run real 802.3ad setups so I don't have to worry about that but some of my friends have limited budgets for such niceties.
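An added sketch (not Warpinator's code and not from any participant) of the idea raised in the comments above: each certificate names only the one address being dialed, and a server reachable over IPv4 and IPv6 is recognized as one entity by its key. `PresentedCert`, `PeerRegistry` and the key bytes are hypothetical, constructed stand-ins; real code would take the SAN and public key from the parsed X.509 certificate.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PresentedCert:
    """Hypothetical stand-in for a parsed cert: one SAN IP plus the public key."""
    san_ip: str
    spki_der: bytes  # constructed sample bytes, not a real key

def fingerprint(spki_der: bytes) -> str:
    """Identity is the SHA-256 of the key, independent of any IP address."""
    return hashlib.sha256(spki_der).hexdigest()

def normalize(addr: str):
    """Drop an IPv6 zone suffix (fe80::1%eth0) and unwrap ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return mapped if mapped is not None else ip

class PeerRegistry:
    """Groups endpoints by key so IPv4 and IPv6 paths map to one peer."""
    def __init__(self):
        self._peers = {}  # fingerprint -> set of normalized addresses

    def observe(self, dialed_addr: str, cert: PresentedCert) -> str:
        dialed = normalize(dialed_addr)
        # The cert carries only the address in use, so no other IP is disclosed.
        if normalize(cert.san_ip) != dialed:
            raise ValueError("certificate SAN does not match the dialed address")
        fp = fingerprint(cert.spki_der)
        self._peers.setdefault(fp, set()).add(dialed)
        return fp

    def addresses(self, fp: str):
        # Sort key avoids comparing IPv4 and IPv6 objects directly.
        return sorted(self._peers.get(fp, ()), key=lambda ip: (ip.version, int(ip)))

def demo():
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    reg = PeerRegistry()
    a4 = reg.observe("192.0.2.10", PresentedCert("192.0.2.10", key_a))
    a6 = reg.observe("fe80::1%eth0", PresentedCert("fe80::1", key_a))
    b4 = reg.observe("::ffff:192.0.2.20", PresentedCert("192.0.2.20", key_b))
    return reg, a4, a6, b4

if __name__ == "__main__":
    reg, a4, a6, b4 = demo()
    print(a4 == a6, a4 != b4, [str(ip) for ip in reg.addresses(a4)])
```

The sketch pins keys as they are first seen; how a key becomes trusted in the first place is outside what it shows.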

OdinVex commented 3 years ago

I've decided to move on to Syncthing, unfortunately. It has clients on most platforms and suffices for my needs. My apologies, @treysis.