What is the differences between Adguard Free & Premium (ex: Family lifetime plan)?

do the free one block ads at network level or just in web browser?

i'm thinkin to buy family lifetime plan on Stacksocial to get rid android in app ads

Here is a dirty diagram of how things would look like:

1. VPS
   2602:fed2:8888:106:: /64 assigned
   eth0 = 2602:fed2:8888:106::1
   wg0 = 2602:fed2:8888:106:100::1
   -- wg tunnel --

2. Home client
   wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home - receiving traffic from multiple hosts)
   eth0 = 192.168.1.100

-- client 1 fowards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.

VPS provider won't give more IPv6 space than /64 unfortunately - I haven't tried asking for a /128 for a ptp thats routed to it - I was reading that may work but dont know.

I did try /etc/ndppd.conf with this config but did not see any requests comming from wg0 instance:

proxy eth0 {
  autowire yes
  rule 2602:fed2:8888:106::/64 {
      iface wghub
  }
}

Anyone with experience that could comment?

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Is it impossible to run wireguard in these containers or is it a PEBKAC issue? Do you recommend any of the userspace wireguard implementations and, if so, which?

GitHub:
https://github.com/Nyr/wireguard-install

One-liner:
wget https://github.com/Nyr/wireguard-install/raw/master/wireguard-install.sh && bash wireguard-install.sh

Supported distros:
- Ubuntu
- Debian
- Centos
- Fedora
- AlmaLinux
- Rocky Linux

FAQ:

Will it work in my Raspberry Pi?
Probably, I don't have one to test. Install the raspberrypi-kernel-headers package and hope for the best. But you should consider using a distribution with built-in kernel support when it becomes available.

OpenVZ support?
Yes, via boringtun.

Can you add x feature?
Maybe, if it's worth it. But I'll keep the installer simple and functional, so keep that in mind. Niche features are unlikely to be implemented.

I like the project, how can I help?
Tell other people about it! wireguard-install is new and many people do not yet know about it. Some other low-quality tools based on my openvpn-install work exist, with credits and copyright notices removed. It's a sad sight to me after nearly a decade maintaining openvpn-install.

I get a /64 block of IPv6 address of which 1 is allocated to the eth0 interface on my VPS. I then allocate a /112 block to Wireguard outside of the eth0 address, and statically assign IPv6 address from this block to wireguard clients.

MaxKVM does not do routed IPv6, but uses on-link IPv6, so I have to enable proxy_ndp on my VPS so that the eth0 interface would respond to neighbor solication (NS) messages with a neighbor advertisement (NA) for addresses in the /112 block.

sudo sysctl -w net.ipv6.conf.all.proxy_ndp = 1
sudo ip -6 neigh add proxy 2402:xxxx:xxxx:xxxx::200:4 dev eth0

When I try to ping an external IPv6 address on my wireguard client, the upstream router of the VPS would then ask who has the 2402:xxxx:xxxx:xxxx::200:4 address so that it knows where to route the response to. The issue though is that the upstream router is sending NS messages with a fe80::xxxx:xxxx:xxxx:fdc0 (IPv6 EUI-64 address) and expecting a reply back to that fe80 address. See tcpdump output below.

jon@max1 /etc: sudo tcpdump -i eth0 -v 'icmp6[icmp6type]=icmp6-neighborsolicit or icmp6[icmp6type]=icmp6-neighboradvert'
04:32:07.414482 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::xxxx:xxxx:xxxx:fdc0 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:32:07.482930 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51
04:32:07.550926 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::xxxx:xxx:xxxx:fdc0
      source link-address option (1), length 8 (1): xx:xx:xx:xx:2d:51

Since I enabled ndp proxying, my VPS tries to respond back to the router's fe80 address with a NA, but determines that it cannot, and sends a NS asking for how to route to that address. As a result, my wireguard client gets a host unreachable error because it gets no response.

However, if I ping the global IPv6 address that is the IPv6 gateway (which is also the router) from the wireguard client, I will see a NS coming from that global IPv6 address. And because it is the gateway, my VPS has no problems with responding with a NA and IPv6 starts working on my wireguard client.

04:39:34.124527 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2402:zzzz:zzzz::1 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:39:34.718943 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) <My Public IPv6 address> > 2402:zzzz:zzzz::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51

Is it normal to block ICMPv6 access to the fe80 address of the upstream router?

For now though, I have switch to NATed IPv6 for my wireguard clients, but what a waste of the /64 block though.

Thanks
Jonathan

On my KVM VPSes, I'm using the iptables rule iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which would translate to iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE for OpenVZ I figured. However, iptables on my OpenVZ NAT VPS complains 'Chain 'MASQUERADE' does not exist'.

I already switched to the legacy version of iptables instead of nf using update-alternatives –config iptables but the error remains. And indeed, if I run iptables -L I see only three chains: INPUT, FORWARD and OUTPUT...

In the meantime I found this set of iptables rules that makes the VPN connection work:

#Forwarding
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#Hardening?
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -j DROP

However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.

Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.

Thanks!

Wireguard is now in bionic-updates.
PPA+dkms no longer required for bionic users.

Apparently, there was an official announce by Jason Donenfeld (author) on the mailing list on the next day : Aug 3, 2020.

You can safely remove the PPA config from /etc/apt/sources.d/ if you were previously on it on the supported OSes.
https://lists.zx2c4.com/pipermail/wireguard/2020-August/005737.html

Hi folks,

At long last, Ubuntu now supports WireGuard on releases 20.04, 19.10,
18.04, and 16.04, which means we've got all currently supported LTS
releases covered. For that reason, we're in the process of sunsetting
the PPA that previously provided packages to some users. This email
details possible changes users might consider.

The right way to install WireGuard on Ubuntu now consists of a single
command:

$ sudo apt install wireguard

This "wireguard" package will automatically pull in either one or two
packages with it:

1) wireguard-tools: this will always be pulled in and provides wg(8)
and wg-quick(8).
2) wireguard-dkms: this will only be pulled in if your kernel doesn't
already come with WireGuard.

As suggested by (2), most Ubuntu kernels now come with WireGuard out of
the box, even older releases, to which WireGuard has been backported.
This is great news and will result in much better reliability during
upgrades, as well as smoother compatibility with SecureBoot.

--snipped--

As a very good general recommendation for people new to wireguard ,
USE https://github.com/Nyr/wireguard-install/ (read the README first)

I have reviewed nyr's wireguard-install script and I am satisfied that it is well done.
I compared it with a manually configured wireguard tunnel, and all the defaults seem sensible.
Anything that saves you time should be welcomed.
Shoutout to @nyr, a long time LET/S MVP.

I wonder: Are you aware of any good Wireguard auto-install scripts like the one that @Nyr provides for OpenVPN?
Would be very grateful for your hints!

Thanks a lot in advance & one love,
the Amitz & his brother