No place like home [LAN]
In this post I will roughly describe my personal VPN configuration, the one I use on my laptop. It is a basic WireGuard configuration between an Ubuntu 20.04 desktop OS and an OPNsense router. I will detail two things that are often overlooked: the IPs/subnets aspect (including IPv6!) and the DNS configuration.
The following addresses/subnets will be used as an example:
- 10.0.0.0/8 is the LAN (private) subnet.
- 192.168.8.0/24 is an unused (private) subnet, which I will be using as the WireGuard subnet.
- 2001:db8::/48 is an IPv6 range (assigned by the ISP).
- 2001:db8:1::/64 is an unused IPv6 subnet, which I will be using as the WireGuard subnet.
- opnsense.example.net is a (typically dynamic) hostname that resolves to the OPNsense router. A port needs to be open; I will be using 51820, the WireGuard default.
Note that I describe two different and disjoint IPv6 ranges, but that is not required (and not common IMHO). In my particular setup, I am given a /56 by my ISP and I am partitioning that as follows:
- 2001:db8:be7a:400::/56 is my IPv6 range.
- 2001:db8:be7a:480::/60 to 2001:db8:be7a:4f0::/60 are used for prefix delegation (configured in OPNsense > Router Advertisements).
- 2001:db8:be7a:401::/64 is used for WireGuard.
- 2001:db8:be7a:400::/64 is used for my main LAN.
In that partitioning one can see that 2001:db8:be7a:400::/56 includes both the main LAN addresses as well as the WireGuard ones, making the configuration a bit simpler. Just do whatever fits your use case.
OPNsense configuration
WireGuard is not built-in, but there is a plugin so installation is easy and painless: go to System > Firmware > Plugins and install the package named os-wireguard. Once installed it will appear in VPN > WireGuard.
Following the web interface should be easy, and there are plenty of instructions online. Things to consider while configuring it:
- Remember to decide on an IP and subnet for the WireGuard tunnel. In the examples I will be using 192.168.8.1/24 for IPv4 and 2001:db8:1::1/64 for IPv6.
- Once you have configured the Local, you need to copy its public key for later (see Laptop configuration below).
Laptop configuration
After looking around a little bit, a Google search provided a consensus on how to install and configure WireGuard on Ubuntu (I am using 20.04, but I assume that the main outline will remain valid for 22.04 as well). I won't go into detail but basically:
- Install wireguard.
- Generate a new key with wg genkey.
- Store the public and private key in the /etc/wireguard folder (taking into account the restrictive permissions on that folder and also using 0600 permissions on the private.key).
- Create the /etc/wireguard/wg0.conf configuration file.
- Enable the systemd service with the command systemctl enable wg-quick@wg0.service.
The configuration file will be something like the following:
[Interface]
Address = 192.168.8.16/32, 2001:db8:1::10/128
ListenPort = 51820
PrivateKey = <laptop private key>
[Peer]
PublicKey = <OPNsense public key>
AllowedIPs = 192.168.8.0/24, 10.0.0.0/8, 2001:db8:1::/64, 2001:db8::/48
Endpoint = opnsense.example.net:51820
The IPv6 entries in AllowedIPs depend on your partitioning. In my case it is simply 2001:db8:be7a:400::/56, as that is the whole IPv6 range given by my ISP and it also encompasses the WireGuard subnet.
Updating the peer on OPNsense
The public key for the laptop should be entered into OPNsense (as a new Endpoint). This new endpoint should have both addresses (the field named Allowed IPs). Following the previous example:
192.168.8.16/32 2001:db8:1::10/128
Remember that you need to add this newly added endpoint to the list of peers of the Local configuration.
And also remember to Apply the configuration once you are done.
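The laptop configuration file above and the Endpoint on the OPNsense side are two views of the same addressing plan, and the AllowedIPs list is where the IPs/subnets aspect bites. The following is an added example, not code from the post or from WireGuard/OPNsense: it validates a plan with the standard ipaddress module, collapses the AllowedIPs per address family (so the author's /64 inside the ISP /56 disappears into the /56), renders the laptop's wg0.conf, and produces the host prefixes that go into the Endpoint's Allowed IPs on the router. The plan dictionaries, the helper names and the laptop address 2001:db8:be7a:401::10 in the author's partitioning are constructed for this example.

```python
"""Added example (not from the original post): sanity-check a WireGuard
addressing plan and derive both sides' AllowedIPs from it."""
import ipaddress
from typing import List

# Constructed plan matching the post's example (disjoint IPv6 ranges).
EXAMPLE_PLAN = {
    "wg_addr": ["192.168.8.16/32", "2001:db8:1::10/128"],
    "wg_subnets": ["192.168.8.0/24", "2001:db8:1::/64"],
    "home_subnets": ["10.0.0.0/8", "2001:db8::/48"],
    "endpoint": "opnsense.example.net:51820",
}

# The author's own partitioning: the WireGuard /64 lives inside the ISP /56.
# The laptop's IPv6 address here is a constructed value, not from the post.
AUTHOR_PLAN = {
    "wg_addr": ["192.168.8.16/32", "2001:db8:be7a:401::10/128"],
    "wg_subnets": ["192.168.8.0/24", "2001:db8:be7a:401::/64"],
    "home_subnets": ["10.0.0.0/8", "2001:db8:be7a:400::/64",
                     "2001:db8:be7a:400::/56"],
    "endpoint": "opnsense.example.net:51820",
}


def check_plan(plan) -> bool:
    """Every tunnel address must sit inside a WireGuard subnet of the same
    family; otherwise the router has no route back into the tunnel."""
    subnets = [ipaddress.ip_network(s) for s in plan["wg_subnets"]]
    for a in plan["wg_addr"]:
        host = ipaddress.ip_interface(a).ip
        if not any(host in s for s in subnets if s.version == host.version):
            raise ValueError(f"{a} is not inside any WireGuard subnet")
    return True


def allowed_ips(plan) -> List[str]:
    """Laptop-side AllowedIPs: WireGuard subnets plus home subnets, collapsed
    per address family (collapse_addresses refuses mixed families)."""
    nets = [ipaddress.ip_network(n)
            for n in plan["wg_subnets"] + plan["home_subnets"]]
    out: List[str] = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return out


def router_side_allowed_ips(plan) -> List[str]:
    """Router-side Allowed IPs for this Endpoint: exactly the laptop's tunnel
    addresses as host prefixes. A wider prefix would let this peer source
    packets from other tunnel addresses (WireGuard's cryptokey routing)."""
    out = []
    for a in plan["wg_addr"]:
        iface = ipaddress.ip_interface(a)
        if iface.network.num_addresses != 1:
            raise ValueError(f"{a} should be a single host (/32 or /128)")
        out.append(str(iface.network))
    return out


def render_wg0_conf(plan, private_key="<laptop private key>",
                    peer_key="<OPNsense public key>") -> str:
    """Render the laptop's /etc/wireguard/wg0.conf for a validated plan."""
    check_plan(plan)
    lines = [
        "[Interface]",
        "Address = " + ", ".join(plan["wg_addr"]),
        "PrivateKey = " + private_key,
        "",
        "[Peer]",
        "PublicKey = " + peer_key,
        "AllowedIPs = " + ", ".join(allowed_ips(plan)),
        "Endpoint = " + plan["endpoint"],
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_wg0_conf(EXAMPLE_PLAN))
    print("author's collapsed AllowedIPs:", allowed_ips(AUTHOR_PLAN))
    print("router-side Allowed IPs:", router_side_allowed_ips(EXAMPLE_PLAN))
```

The collapsed list comes out sorted per family, so the order differs from the hand-written config above; WireGuard does not care about the order. For the disjoint example the four entries survive (2001:db8:1::/64 is not inside 2001:db8::/48, whose third group is zero), while the author's partitioning reduces to 10.0.0.0/8, 192.168.8.0/24 and the single /56.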
DNS configuration with systemd-resolved
There are multiple ways of configuring DNS. I will be using systemd-resolved. The main setup can be achieved by opening the configuration file /etc/systemd/resolved.conf and editing it:
[Resolve]
DNS=10.0.0.1
Domains=~my.lan ~mydomain.net
This translates to: use the DNS server on 10.0.0.1 when trying to resolve things that end with my.lan or mydomain.net.
This assumes that you have a DNS server (for instance, the OPNsense instance itself) that you want to use for name resolution for your domain.
This configuration can be considered fairly non-intrusive: even if the OPNsense is down, name resolution will keep working (through your main connectivity) and only the subnets configured in WireGuard will stop working.
The changes are applied by restarting systemd-resolved.service.
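The non-intrusive property of this setup comes entirely from the ~ prefix: a routing-only domain selects the server for names under that domain and nothing else. As an added example that is not part of the post and not systemd-resolved's code, here is a small model of that selection: it parses the [Resolve] section above, matches names against the routing domains on label boundaries (so notmy.lan does not match my.lan), and sends everything else to the uplink's servers. The uplink server 192.0.2.53 is a constructed documentation address, and the real resolver has per-link scopes and other rules this model leaves out.

```python
"""Added example (not from the original post): a model of how Domains=~...
in resolved.conf steers queries to the tunnel DNS server."""
from typing import List, Tuple

# The post's configuration, embedded as a constant.
RESOLVED_CONF = """[Resolve]
DNS=10.0.0.1
Domains=~my.lan ~mydomain.net
"""


def parse_resolve_section(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (dns_servers, routing_domains, search_domains) from a minimal
    [Resolve] section; only the DNS= and Domains= keys are handled."""
    servers: List[str] = []
    routing: List[str] = []
    search: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[Resolve]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "DNS":
            servers.extend(value.split())
        elif key == "Domains":
            for d in value.split():
                # "~" marks a routing-only domain; without it the domain
                # would also be appended to single-label names as a search suffix.
                target = routing if d.startswith("~") else search
                target.append(d.lstrip("~").lower().rstrip("."))
    return servers, routing, search


def matches_domain(name: str, domain: str) -> bool:
    """Suffix match on label boundaries: host.my.lan matches my.lan,
    my.lan itself matches, but notmy.lan must not."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def pick_servers(name: str, conf_text: str, uplink_servers: List[str]) -> List[str]:
    """Which servers get the query for `name`: the configured DNS servers only
    for names under a routing domain, the uplink's servers for everything
    else. That is why a dead tunnel only breaks the listed domains."""
    servers, routing, _ = parse_resolve_section(conf_text)
    if any(matches_domain(name, d) for d in routing):
        return servers
    return uplink_servers


if __name__ == "__main__":
    uplink = ["192.0.2.53"]  # constructed placeholder for the ISP's resolver
    for q in ("nas.my.lan", "www.mydomain.net", "notmy.lan", "example.com"):
        print(f"{q:20} -> {pick_servers(q, RESOLVED_CONF, uplink)}")
```

A quick way to confirm the real daemon agrees with the model after the restart is to look at the per-domain routing that resolvectl status prints and to resolve one name under my.lan and one outside it.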
Android
I have some bad news for IPv6 maximalists. Configuring WireGuard for Android is very easy, and IPv6 mostly works... but! If you try to use WireGuard over IPv6-less connectivity, then name resolution to IPv6 addresses (AAAA records) will not work. You can use IPv6 addresses manually, but it seems very dirty.
Here is a Stack Exchange question inquiring about this issue; at the time of writing this blog entry it is unanswered: