Randomly generated IP address for the local dns resolver #1429
Conversation
In the IPv6 firewall rules, would the input rule need a -s or does this suggestion keep it with the -d? (or neither because I barely understand iptables)
I wonder if we need to change the IP address ranges in https://github.com/trailofbits/algo/blob/master/roles/cloud-ec2/defaults/main.yml, https://github.com/trailofbits/algo/blob/master/roles/cloud-ec2/files/stack.yaml, and documented https://github.com/trailofbits/algo/blob/master/docs/client-linux-wireguard.md, as well as the documented DNS workaround in the FAQ. Also, won't changing the DNS resolver to a random 10.x.x.x IP address introduce the 1/32512 chance that it lands in the 10.19.49.x or 10.19.48.x range and screws with WireGuard or IPsec?
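The collision the comment above raises can be removed from the design rather than just made unlikely. The following is an added example, not code from the algo project or from any participant in this thread: it draws a random /24 inside the pool, uses that subnet's .1 host as the resolver address, and rejects any draw whose /24 overlaps a reserved tunnel subnet. The pool (10.0.0.0/8) and the two reserved /24s are assumptions taken from the comment; the project's own allocation logic may differ. `overlap_fraction` shows how often the naive draw would land in a reserved range, and `conflicts` is the check to run against an already-deployed resolver address.

```python
import ipaddress
import secrets
from fractions import Fraction

# Constructed inputs for this example (not the project's real defaults): the pool
# the resolver address is drawn from, and the client tunnel subnets it must never
# land in. The two /24s are the ones named in the comment above.
SERVICE_POOL = ipaddress.ip_network("10.0.0.0/8")
RESERVED = [
    ipaddress.ip_network("10.19.48.0/24"),  # assumed IPsec client subnet
    ipaddress.ip_network("10.19.49.0/24"),  # assumed WireGuard client subnet
]


def overlap_fraction(pool, reserved):
    """Probability that one address drawn uniformly from `pool` lands in a reserved net."""
    taken = sum(net.num_addresses for net in reserved if net.subnet_of(pool))
    return Fraction(taken, pool.num_addresses)


def conflicts(ip, reserved):
    """Return the reserved networks that contain `ip`; an empty list means no collision."""
    ip = ipaddress.ip_address(ip)
    return [net for net in reserved if ip in net]


def naive_service_ip(pool, rng=None):
    """Weak version: any host in the pool, so it can land inside a tunnel subnet."""
    rng = rng or secrets.SystemRandom()
    return pool[rng.randrange(pool.num_addresses)]


def random_service_ip(pool, reserved, rng=None, max_tries=100):
    """Hardened version: pick a random /24 inside `pool`, use its .1 host, and
    reject the draw if that /24 overlaps any reserved network."""
    rng = rng or secrets.SystemRandom()
    subnet_count = 2 ** (24 - pool.prefixlen)  # number of /24s inside the pool
    for _ in range(max_tries):
        index = rng.randrange(subnet_count)
        candidate = ipaddress.ip_network((int(pool.network_address) + index * 256, 24))
        if not any(candidate.overlaps(net) for net in reserved):
            return candidate[1]  # x.x.x.1, never the .0 or .255 of its /24
    raise RuntimeError("could not find a free /24 for the service IP")


if __name__ == "__main__":
    print("naive collision chance:", overlap_fraction(SERVICE_POOL, RESERVED))
    ip = random_service_ip(SERVICE_POOL, RESERVED)
    print("service IP:", ip, "conflicts:", conflicts(ip, RESERVED))
```

The `rng` parameter exists so the draw can be made reproducible in tests; in a deployment the default `secrets.SystemRandom()` is the right source. Extending `RESERVED` with the cloud provider's VPC block is the obvious next step if the resolver address must also stay clear of it.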
@TC1977 EC2 CIDR blocks are different from the service IP and used only inside the VPC, so we don't need to change variables, but indeed, we need to update the docs and the FAQ, I'll do it shortly, thanks!
Successfully cloud installed onto Vultr from macOS 10.14.4, with new random DNS resolver IP, and confirmed the WireGuard iOS client works:
Local installation onto a Vultr Ubuntu 18.04 instance also successful, and WireGuard iOS client works:
@davidemyers I've included the docs, thanks!
I revised the whole method of allocating IPs, and made some changes. We need to do more tests. I didn't want to add more requirements, but it seems we have to do that.
IPv6 appears to be broken in WireGuard. The server-side IPv6
This now works for me on DigitalOcean using WireGuard on iOS and Ubuntu Disco Desktop.
* Add ipv6 * Add ipv6 * add ipv6 * add ipv6 * Switching out ipv6 address with local_service_ipv6 variable from #1429 * Fixing variable error
…ilofbits#1429)" This reverts commit 5904546.
Description
We need to generate a random service IP for each deployment in order to avoid DNS leaking (see #1422)
How Has This Been Tested?
Deployed to EC2 and DigitalOcean