From nobody Thu Mar 07 00:09:35 2024
X-Original-To: questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TqqRq3pdvz5Dh0y
	for <questions@mlmmj.nyi.freebsd.org>; Thu,  7 Mar 2024 00:09:43 +0000 (UTC)
	(envelope-from kh@panix.com)
Received: from mailbackend.panix.com (mailbackend.panix.com [166.84.1.89])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4TqqRp4xpJz4ggP
	for <questions@freebsd.org>; Thu,  7 Mar 2024 00:09:42 +0000 (UTC)
	(envelope-from kh@panix.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=panix.com header.s=panix header.b="gDBQx/EU";
	dmarc=pass (policy=none) header.from=panix.com;
	spf=pass (mx1.freebsd.org: domain of kh@panix.com designates 166.84.1.89 as permitted sender) smtp.mailfrom=kh@panix.com
Received: from rain.cave (c-73-142-21-0.hsd1.ma.comcast.net [73.142.21.0])
	by mailbackend.panix.com (Postfix) with ESMTPSA id 4TqqRn2VQCz4N1b
	for <questions@freebsd.org>; Wed,  6 Mar 2024 19:09:41 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=panix.com; s=panix;
	t=1709770181; bh=KBfXBk2sUr4fs3G6rKkEOGgymcBgw7Vg/lZZp5It+W0=;
	h=Date:From:To:Subject:References:In-Reply-To;
	b=gDBQx/EUBssO2+laC3xNbW8ktrV22PGaonZdTO5VjSPtBBnzIWsF/G5PNp+Z4suMs
	 23pZONtTBgE93KOWNWlc6iGuKeBfz0tBxRjNTjFghQyjJtFNbxBeJLiR9UFHoMK8E+
	 SDIRsU8Q5OEES77sfmu/V5lWnhzcY7FJZuh6ihrY=
Date: Wed, 6 Mar 2024 19:09:35 -0500
From: Kurt Hackenberg <kh@panix.com>
To: questions@freebsd.org
Subject: Re: Setting up a Wireguard router (with FreeBSD)
Message-ID: <ZekFvw6ro9iftrk0@rain.cave>
References: <00f7b360407633f787f061b4d15740b9@airmail.cc>
 <Zejoc-Wj4iPhXYQK@rain.cave>
 <17ae35e240ce2ec5cb414251e4fca43c@airmail.cc>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
Sender: owner-freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <17ae35e240ce2ec5cb414251e4fca43c@airmail.cc>
User-Agent: Mutt/2.2.12 (2023-09-09)
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.10 / 15.00];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	DMARC_POLICY_ALLOW(-0.50)[panix.com,none];
	R_DKIM_ALLOW(-0.20)[panix.com:s=panix];
	R_SPF_ALLOW(-0.20)[+ip4:166.84.1.64/26:c];
	RWL_MAILSPIKE_GOOD(-0.10)[166.84.1.89:from];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_TLS_ALL(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	ARC_NA(0.00)[];
	DKIM_TRACE(0.00)[panix.com:+];
	FROM_HAS_DN(0.00)[];
	ASN(0.00)[asn:2033, ipnet:166.84.0.0/16, country:US];
	RCPT_COUNT_ONE(0.00)[1];
	TO_DN_NONE(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	MLMMJ_DEST(0.00)[questions@freebsd.org];
	MIME_TRACE(0.00)[0:+]
X-Rspamd-Queue-Id: 4TqqRp4xpJz4ggP

On Wed, Mar 06, 2024 at 10:33:38PM +0000, Christopher Waldbach wrote:

>>>I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a 
>>>VPN-gateway with Wireguard. Since I got fibre channel for my internet 
>>>connection, I gained bandwidth but lost the public IPv4 address.
>
>>What?  How can you speak IPv4 to the world at all, with no public
>>address?  What does the ISP give you?
>
>I should habe known someone would be pedantic. :-)
>My ISP does not give me _my own_ public IPv4 address. :-D
>My ISP only provides a DS-Lite connection, which in my case means my 
>router is assigned an IP within the 100.64.0.0/10 realm.

Not pedantic, confused, by a major lack of information about your setup.

I'd never heard of that shared address space or of DS-Lite.  Just 
looked them up, got the idea.

For anybody else reading:

100.64.0.0/10 is quasi-private, used by ISPs internally to provide 
carrier-grade NAT:
<https://www.rfc-editor.org/rfc/rfc6598.html>

DS-Lite is probably Dual-Stack Lite, a way to tunnel IPv4 over IPv6:
<https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-ipv6-dual-stack-lite.html#UnderstandingIPv6Dual-StackLite-4C88A7ED>

All this is to squeeze the last drop out of IPv4 public addresses, 
which ran out in 2011.

So, I guess you're putting a tunnel inside an existing tunnel that goes 
to some faraway IPv4 NAT.  And I guess there's another NAT in your 
router, between your private IPv4 network and a single address on the 
other side of your router, within 100.64.0.0/10.  Is all that right?  
Complicated.  Not surprising there's some trouble.

 From here, I don't know what the trouble is.  I think it needs 
debugging, with a complete network diagram, including all the NATs and 
tunnels.  It might help to watch network traffic in various places, but 
I suppose you can't see it beyond your local network.  Maybe you could 
get clues from information in the Pi and your router, and experimentation.