Samuel Le Thiec sltrash at posteo.net
Wed Mar 1 10:19:47 UTC 2023


I'm facing a quite annoying problem with wireguard with NetworkManager.

After reading https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/

> *Dynamically Resolving Endpoints*
> In WireGuard, peers may have an endpoint configured but also [roaming is built-in]
> NetworkManager supports peer endpoints specified as DNS names: it will resolve the
> names before configuring the IP address in kernel. NetworkManager resolves endpoint
> names every 30 minutes or whenever the DNS configuration of the host changes, in
> order to pick up changes to the endpoint’s IP address.

I thought great! This is one good reason to let NetworkManager manage wireguard 
instead of using plain wg toolkit.

My endpoint is a dual-stacked IPv6/IPv4 host specified by its name, e.g.:
   example.com. 7152 IN A
   example.com. 7149 IN AAAA 2606:2800:220:1:248:1893:25c8:1946

→ "Connecting" from a IPv4 only network or a dual stacked network works just fine!

→ However, when switching from an IPv4&IPv6 network to an IPv4-only network,
NetworkManager does not seem to realize the endpoint is no longer reachable via IPv6.
I suspect this is because there is no DNS change and NM just assumes things should
still be working.

When checking wg status (sudo wg show wg0), the endpoint is still pointing to the IPv6:

   $ sudo wg show wg0
   interface: wg0
   public key: SSBrbm93IGkndHMgcHVibGljLCBidXQgaXQncyBhbHNvIGZ1bm55IT8K
   private key: (hidden)
   listening port: 55075
   peer: VGhpcyBpcyBub3Q/IE9rLCBXb24ndCBpdCBkbyBhZ2Fpbgo=
   endpoint: [2606:2800:220:1:248:1893:25c8:1946]:45333
   allowed ips:, fdba:e3b1:1b22:42::/64
   latest handshake: 1 minute, 40 seconds ago
   transfer: 632 B received, 984 B sent

As of now, I have to down&up the profile/connection so it starts working again.

Actually, I think the "DNS change" NM is monitoring is a DNS change in the client
configuration (like new nameservers, and so on), and not a DNS change in the DNS
Resource Records (example) as I initially thought it was when reading the article.

And indeed, I am moving between Wifi networks which happened to "send" the same DNS
settings (but one network is dual stacked and the other is not).

→ Can NM detect this on its own? (the unreachability of an IPv6 endpoint over an
IPv4-only network?)

Many thanks!
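As an added example, not from the original post or from NetworkManager itself: a NetworkManager dispatcher hook that automates the down/up described above whenever the WireGuard peer endpoint is an IPv6 address but the host currently has no IPv6 default route (the dual-stack to IPv4-only Wi-Fi case). The interface name wg0, the profile name wg0, the script path and the 192.0.2.10 sample endpoint are assumptions; the peer key and IPv6 endpoint in the sample data are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): a NetworkManager dispatcher hook that
# performs the down/up described above automatically when the WireGuard endpoint is
# an IPv6 address but the host has no IPv6 default route (dual-stack -> IPv4-only).
# Assumed: interface "wg0", NM profile "wg0", installed as
# /etc/NetworkManager/dispatcher.d/90-wg-endpoint-check (root-owned, mode 0755).

WG_IFACE="${WG_IFACE:-wg0}"      # assumed WireGuard interface name
WG_PROFILE="${WG_PROFILE:-wg0}"  # assumed NetworkManager connection id

# Print "6" when the text of `wg show <iface> endpoints` ("<pubkey><TAB><endpoint>")
# carries a bracketed IPv6 endpoint, "4" otherwise (IPv4 endpoint or "(none)").
endpoint_family() {
    if printf '%s\n' "$1" | grep -q '^[A-Za-z0-9+/=]*[[:space:]]\['; then
        echo 6
    else
        echo 4
    fi
}

# Succeed when the text of `ip -6 route show default` contains a default route.
has_ipv6_default() {
    printf '%s\n' "$1" | grep -q '^default '
}

# Bounce only in the mismatch case: IPv6 endpoint configured, no IPv6 route present.
needs_reactivation() {
    [ "$(endpoint_family "$1")" = 6 ] && ! has_ipv6_default "$2"
}

# Constructed sample inputs (peer key and IPv6 endpoint are the ones shown in the post).
SAMPLE_EP_V6="$(printf 'VGhpcyBpcyBub3Q/IE9rLCBXb24ndCBpdCBkbyBhZ2Fpbgo=\t[2606:2800:220:1:248:1893:25c8:1946]:45333')"
SAMPLE_EP_V4="$(printf 'VGhpcyBpcyBub3Q/IE9rLCBXb24ndCBpdCBkbyBhZ2Fpbgo=\t192.0.2.10:45333')"
SAMPLE_ROUTE_V6='default via fe80::1 dev wlan0 proto ra metric 600'

# NetworkManager invokes dispatcher scripts as: <script> <device> <action>.
main() {
    case "$2" in up|down|connectivity-change) ;; *) return 0 ;; esac
    [ "$1" = "$WG_IFACE" ] && return 0           # ignore events from our own bounce
    endpoints="$(wg show "$WG_IFACE" endpoints 2>/dev/null)" || return 0
    routes="$(ip -6 route show default 2>/dev/null)" || routes=""
    if needs_reactivation "$endpoints" "$routes"; then
        logger -t wg-endpoint-check "IPv6 endpoint without IPv6 route; bouncing $WG_PROFILE"
        nmcli connection down "$WG_PROFILE" && nmcli connection up "$WG_PROFILE"
    fi
}

# Act only when invoked by the dispatcher (two arguments); otherwise just define helpers.
[ "$#" -lt 2 ] || main "$@"
```

The hook only reacts to events on other devices, so the bounce it triggers on wg0 does not re-enter itself.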


