Wazuh is not ready for IPv6 out of the box and there is no documentation

[kkovaletp]

Hi Team,

I'm a new user of Wazuh and recently deployed a single-node setup on my Kubuntu 22.04 with both real IPv4 and IPv6. I followed the docker-compose installation guide, but later when I tried to connect 1 of my agents to the server, I discovered that the IPv6 is not used at all, so all the traffic to the opened server ports from IPv6 is just ignored.

I tried to find a solution in the Wazuh online documentation, but I couldn't do that, except for a couple of low-level config options documented. While I did my investigation, I found out that the application's default settings disable IPv6.

I had to ask the community and with help from Ebuka John Onyejegbu, I managed to configure it to use both IPv4 and IPv6 transparently. Please check the Slack conversation to get more details, I'll describe only the final solution here:

• the docker engine has to be configured to allow IPv6 communication by adding the next lines into the /etc/docker/daemon.json:

  {
  "experimental": true,
  "ip6tables": true
  }

• restart the docker service on the server to apply changes in the /etc/docker/daemon.json
• the next section of the compose file (see my other issue #1106 with more docker-compose changes proposed) should be added to allow the solution to utilize the IPv6 capabilities in the case it is working on the host:

  networks:
  wazuh_net:
   enable_ipv6: true
   ipam:
     config:
       - subnet: 172.20.0.0/16
       - subnet: 2001:0DB8::/64

• this network has to be mentioned in each service definition of the compose file

  networks:
  - wazuh_net

• add the <ipv6>yes</ipv6> line into the remote and auth sections of the ./config/wazuh_cluster/wazuh_manager.conf
• replace the 0.0.0.0 with the hostname of the corresponding container in the dashboard (./config/wazuh_dashboard/opensearch_dashboards.yml) and indexer (./config/wazuh_indexer/wazuh.indexer.yml) configs, as well as in the API config ./volumes/wazuh_api_configuration/api.yaml (see the #1106 to find out why is it there and what is the ./volumes folder). BTW, it would be great to remap the wazuh_api_configuration to the ./config folder to be consistent.
• recreate the compose solution by invocation of the down followed by up -d

Now both IPv4 and IPv6 protocols should work as expected. I think that the mentioned changes are mostly backward compatible with the IPv4-only environment, so they have to be set out-of-the-box and only some of them need to be commented out by default. The complete guide for the IPv6 use case has to be published on the documentation portal to provide clear instructions for users.

[Hannsre]

Wow, thank you! I thought I'm going crazy over this. I was only trying to setup a playground for testing so I just gave it an ipv6 address as they are free to us. This should be in the defaults or at least be properly documented.

Also, for anyone ending up here looking for a solution on a non-docker setup, you'll have to edit /var/ossec/etc/ossec.conf and add <ipv6>yes</ipv6> in the <remote> and <auth> blocks. Simply restarting the wazuh services didn't work, but rebooting the server did.

Thanks again!