~dricottone/blog

369b7146cccb4fc263afbd420e4ff6f0c5b3af3a — Dominic Ricottone 1 year, 11 months ago 316d0d9
New post and small footer update

Footer has been aggregated into a single line. TODO: make footer
collapse into rows on mobile? Or maybe hide it altogether? In any case,
need to do something more reactive/accessible.

"Generated" is now capitalized as well. I'm not on tumblr anymore.
2 files changed, 52 insertions(+), 2 deletions(-)

A content/posts/wireguard.md
M layouts/partials/footer.html
A content/posts/wireguard.md => content/posts/wireguard.md +51 -0
@@ 0,0 1,51 @@
---
title: "WireGuard"
date: 2022-09-28T20:05:20-05:00
draft: false
---

I am throwing in the towel.

For years I have *somewhat maintained* a VPN powered by WireGuard.
At first it was a simple configuration following the Arch wiki's section
on point-to-site.
That worked well enough, but didn't accomplish much.
Honestly, all I got from that setup was using a custom nameserver on
my carrier-locked phone.

Then I decided to set up a split tunnel that would forward WAN traffic
through a commercially-available VPN,
but forward LAN traffic into the WireGuard interface.
That naturally required a centralized bounce server that could forward packets.
That was ultimately an unsuccessful project.

The sticking point was my phone.
Every PC and laptop worked perfectly.
But the moment I stepped outside, my phone's DNS queries went into a black
hole.
Successful handshake;
I could ping the bounce server;
*absolutely nothing else worked*.
I'm 90% certain it had something to do with my carrier's IPv6 exchange messing
with the NATing I tried do within my VPN.
Which is difficult enough to research because entering "ipv6" and "nat" into
a Google search will *not* return anything helpful.

Amazingly, the closest I ever came to a functioning configuration was when I
setup a *second* bounce server in the cloud.
My phone could actually connect to AWS reliably
(*more cause to think it's IPv6? AWS certainly has working IPv6 routing...*)
and my WAN traffic was *definitely* going through the commercial VPN.
And *sometimes* I could even ping my other WireGuard clients.
But the times when it would fail were inexplicable, at least for me.

So I guess what I learned at the end of the day is *I don't understand
networks*.
I do *not* understand how IPv4 and IPv6 interact, or
how packets are forwarded between hosts, or
how to make the wheel-and-spoke VPN model work.

I have thrown in the towel;
my WireGuard network is now purely peer-to-peer connections.
It works well.
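Review bot: three wording slips in the post body are worth fixing before this publishes with `draft: false`: "the NATing I tried do within my VPN" is missing "to", "setup a *second* bounce server" uses the noun form where the verb "set up" is meant, and "wheel-and-spoke VPN model" is almost certainly "hub-and-spoke", the usual name for the centralized-bounce-server topology the post describes two paragraphs earlier. On substance, the failure description (successful handshake, bounce server pingable, nothing beyond it reachable, DNS black-holed on the phone) would help readers far more if the post stated the phone peer's AllowedIPs and DNS settings and whether IP forwarding was enabled on the bounce server, since those settings decide whether any traffic past the bounce server is routed at all; without them the IPv6/NAT hypothesis the post offers cannot be checked against the symptoms.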


M layouts/partials/footer.html => layouts/partials/footer.html +1 -2
@@ 1,5 1,4 @@
<footer>
  <p>generated by <a href="https://gohugo.io/">Hugo</a> at {{ now.Format "2006-01-02 13:04:05 MST" }}</p>
  <p><a href="/sitemap.xml">Sitemap</a> | <a href="https://git.dominic-ricottone.com/~dricottone/blog/tree">Source code</a> | The content on this site is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a></p>
  <p>Generated by <a href="https://gohugo.io/">Hugo</a> on {{ now.Format "2006-01-02" }} | <a href="/sitemap.xml">Sitemap</a> | <a href="https://git.dominic-ricottone.com/~dricottone/blog/tree">Source code</a> | The content on this site is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a></p>
</footer>
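Review bot: the removed line's layout string `"2006-01-02 13:04:05 MST"` was never a valid Go reference layout; Go's reference time is `Mon Jan 2 15:04:05 MST 2006`, so the 24-hour hour token is `15`, and `13` is tokenized as `1` (numeric month) followed by `3` (12-hour hour), which would have printed the month digits glued to the hour. The new line only sidesteps this by dropping the time entirely, so the commit message should mention that the timestamp was removed rather than only that the footer was merged; if the build time is wanted later, use `{{ now.Format "2006-01-02 15:04:05 MST" }}`. Separately, the single `<p>` with literal `|` separators is exactly what the commit message flags as the mobile TODO; splitting the items into an inline list (`<ul>` with `display: inline` items) would let the footer wrap per item instead of mid-sentence.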