Re: Setting up a Wireguard router (with FreeBSD)
Date: Thu, 07 Mar 2024 00:09:35 UTC
On Wed, Mar 06, 2024 at 10:33:38PM +0000, Christopher Waldbach wrote:
>>>I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a
>>>VPN-gateway with Wireguard. Since I got fibre channel for my internet
>>>connection, I gained bandwidth but lost the public IPv4 address.
>
>>What? How can you speak IPv4 to the world at all, with no public
>>address? What does the ISP give you?
>
>I should have known someone would be pedantic. :-)
>My ISP does not give me _my own_ public IPv4 address. :-D
>My ISP only provides a DS-Lite connection, which in my case means my
>router is assigned an IP within the 100.64.0.0/10 realm.

Not pedantic, confused, by a major lack of information about your setup.

I'd never heard of that shared address space or of DS-Lite. Just looked
them up, got the idea. For anybody else reading:

100.64.0.0/10 is quasi-private, used by ISPs internally to provide
carrier-grade NAT:
<https://www.rfc-editor.org/rfc/rfc6598.html>

DS-Lite is probably Dual-Stack Lite, a way to tunnel IPv4 over IPv6:
<https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-ipv6-dual-stack-lite.html#UnderstandingIPv6Dual-StackLite-4C88A7ED>

All this is to squeeze the last drop out of IPv4 public addresses, which
ran out in 2011.

So, I guess you're putting a tunnel inside an existing tunnel that goes
to some faraway IPv4 NAT. And I guess there's another NAT in your
router, between your private IPv4 network and a single address on the
other side of your router, within 100.64.0.0/10. Is all that right?

Complicated. Not surprising there's some trouble. From here, I don't
know what the trouble is. I think it needs debugging, with a complete
network diagram, including all the NATs and tunnels. It might help to
watch network traffic in various places, but I suppose you can't see it
beyond your local network. Maybe you could get clues from information in
the Pi and your router, and experimentation.