What and why
The objective is to set up a demonstration IPv6-only "corporate intranet" type VPN, with services such as secure DNS and NAT64.
IPv6-only, because I've seen various disasters relating to IPv4 corporate networks operating in the 10.x.x.x and 192.168.x.x spaces, which many ISP devices in people's homes also use... and merging companies using the same spaces...
How to reproduce the demonstration locally
In the Vagrantfile, you can find a description of the virtual machines which are automatically created by Vagrant for this demonstration, as well as their local IP addresses, and memory and CPU reservations, which you might want to tweak if necessary.
- Install VirtualBox and Vagrant
- `vagrant up`
- `vagrant ssh home1`, then `ping fd8d:407b:d075:8a7e::1` and `sudo wg show`
- `vagrant ssh gateway`, then `ping fd8d:407b:d075:8a7e::5` and `sudo wg show`
Network space
```plantuml format="png"
nwdiag {
  network internet {
    gateway [address = "5.5.5.5"];
    home1 [address = "1.2.3.4"];
    office1 [address = "2.4.1.2"];
  }
  network private {
    address = "fd8d:407b:d075:8a7e::/64";
    gateway [address = "fd8d:407b:d075:8a7e::1"];
    home1 [address = "fd8d:407b:d075:8a7e::5"];
    office1 [address = "fd8d:407b:d075:8a7e::6"];
  }
}
```

### Chosen IPv6 private space

Generated with https://www.ultratools.com/tools/rangeGenerator as an RFC 4193 unique local address (ULA): the `fd` prefix is fc00::/7 with the L bit set (locally assigned), followed by a random 40-bit Global ID and a 16-bit Subnet ID. The random Global ID is what makes two independently chosen ULA networks unlikely to collide when they are later merged, unlike two networks both using 10.x.x.x; ULA space is still not routable on the public internet.

```
Prefix/L: fd
Global ID: 8d407bd075
Subnet ID: 8a7e
Combine/CID: fd8d:407b:d075:8a7e::/64
IPv6 addresses: fd8d:407b:d075:8a7e:XXXX:XXXX:XXXX:XXXX
Start Range: fd8d:407b:d075:8a7e:0:0:0:0
End Range: fd8d:407b:d075:8a7e:ffff:ffff:ffff:ffff
No. of hosts: 18446744073709551616
```
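The generator linked above implements the RFC 4193 section 3.2.2 procedure (SHA-1 over an NTP timestamp and an EUI-64, keep the low 40 bits as the Global ID). The following is an added example, not code from this project or the generator site: it reproduces that procedure, assembles a /64 from the fields shown above, checks that an address is in ULA space, and splits the demo prefix back into its fields. The EUI-64 value in the usage section is a constructed placeholder.

```python
"""RFC 4193 unique local address (ULA) generation and checks (added example)."""
import hashlib
import ipaddress
import time


def ntp64_now() -> bytes:
    """Current time in 64-bit NTP format: 32-bit seconds since 1900 + 32-bit fraction."""
    now = time.time()
    secs = int(now) + 2208988800            # Unix epoch (1970) -> NTP epoch (1900)
    frac = int((now - int(now)) * (1 << 32))
    return (secs & 0xFFFFFFFF).to_bytes(4, "big") + (frac & 0xFFFFFFFF).to_bytes(4, "big")


def ula_global_id(eui64: bytes, ntp_time: bytes) -> bytes:
    """RFC 4193 3.2.2 steps 3-5: SHA-1(NTP time || EUI-64), least significant 40 bits."""
    if len(eui64) != 8 or len(ntp_time) != 8:
        raise ValueError("EUI-64 and NTP time must be 8 bytes each")
    digest = hashlib.sha1(ntp_time + eui64).digest()
    return digest[-5:]                      # low 40 bits = last 5 bytes


def ula_prefix(global_id: bytes, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Step 6: fd00::/8 (fc00::/7 with L=1) || Global ID || Subnet ID, as a /64."""
    if len(global_id) != 5 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Global ID is 40 bits, Subnet ID is 16 bits")
    raw = b"\xfd" + global_id + subnet_id.to_bytes(2, "big") + b"\x00" * 8
    return ipaddress.IPv6Network((ipaddress.IPv6Address(raw), 64))


def is_ula(addr: str) -> bool:
    """True for anything in fc00::/7; the demo uses the locally assigned fd00::/8 half."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7")


def describe(prefix: str) -> dict:
    """Split a ULA /48 or /64 back into its RFC 4193 fields (hex strings)."""
    net = ipaddress.IPv6Network(prefix)
    if not is_ula(str(net.network_address)):
        raise ValueError(f"{prefix} is not a ULA prefix")
    raw = net.network_address.packed
    return {
        "prefix": raw[0:1].hex(),           # 'fd' when L=1
        "global_id": raw[1:6].hex(),        # 40-bit random Global ID
        "subnet_id": raw[6:8].hex(),        # 16-bit Subnet ID
    }


if __name__ == "__main__":
    # Constructed placeholder EUI-64; a real generator would derive it from a MAC address.
    placeholder_eui64 = bytes.fromhex("0211223344556677")
    gid = ula_global_id(placeholder_eui64, ntp64_now())
    print("fresh ULA /64:", ula_prefix(gid, 0x0001))
    print("demo prefix fields:", describe("fd8d:407b:d075:8a7e::/64"))
```

Re-running the generator never reproduces the demo prefix: the timestamp changes every call, which is the point of the scheme. What is checkable is that the output lands in fd00::/8 and that the demo prefix decomposes into the Global ID and Subnet ID printed above.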
Local development
Vagrant and VirtualBox manage the local VMs; Ansible provisions them.
Boxes: the VMs defined in the Vagrantfile (gateway, home1 and office1 in the diagram above).
VPN tools
WireGuard, ShadowSocks, TAYGA, CoreDNS.
WireGuard connects VPN clients and VPN servers over an encrypted UDP tunnel.
ShadowSocks provides a TCP 443 transport for WireGuard: WireGuard speaks only UDP, so carrying it inside ShadowSocks on TCP 443 lets the tunnel cross networks that block or throttle UDP, at the cost of running TCP inside TCP, which degrades badly under packet loss.
TAYGA provides NAT64 for connections from the IPv6-only VPN to the IPv4 internet. It is a stateless userspace translator that maps each IPv6 client to an address from an IPv4 pool, so sharing one public IPv4 address on the gateway additionally needs ordinary NAT44 (masquerading) for that pool.
CoreDNS provides DNS64 (synthesising AAAA records from A records with the NAT64 prefix, only for names that have no native AAAA) and internal DNS for the VPN hosts.
Tools to investigate
https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
https://www.wrapsix.org/
https://github.com/DNSCrypt/dnscrypt-proxy