From: Roman Mamedov <rm@romanrm.net>
To: "Aaron W. Swenson" <aaron@grandmasfridge.org>
Cc: wireguard@lists.zx2c4.com
Subject: Re: IPv6 Not Getting Past Server
Date: Tue, 25 Sep 2018 10:20:51 +0500
Message-ID: <20180925102051.025c281f@natsu>
In-Reply-To: <20180922195522.GA25561@gengoff>

On Sat, 22 Sep 2018 15:55:22 -0400
"Aaron W. Swenson" <aaron@grandmasfridge.org> wrote:

> I’m going to use the official documentation IP addresses. I am using real IPv6
> addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are
> the definitions I’m using:
> 
>     Server Public IPv6: 2001:DB8::DEAD:F00D/64
>     Server Public IPv4: 192.0.2.1
>     Routed /116: 2001:DB8::BEEF:3000/116

Are you sure you have a *routed* subnet from your ISP? Moreover, does
this /116 lie within the above /64? (in your obfuscated example it does)

It could be that your provider gives you not a routed subnet, but an on-link
one instead. In which case you can use IPs from it on your server directly,
but can't route it somewhere else (because the upstream router expects all IPs
to be reachable directly on the same link that it has to your server).

One workaround is to set up ndppd, which turns an on-link subnet into routed:
https://github.com/DanielAdolfsson/ndppd
But in my experience it does not work on all ISPs/hosts.


>     Server Wireguard IPv6: 2001:DB8::BEEF:3001
>     Server Wireguard IPv4: 10.0.0.1
>     Client Wireguard IPv6: 2001:DB8::BEEF:3002
>     Client Wireguard IPv4: 10.0.0.2

You didn't post your WireGuard's AllowedIPs setting, but I tend to assume
everything is fine there. Just don't forget that to route to the outside world
AllowedIPs on the client must contain ::/0 for the server.

> I can ping the outside world through IPv4 just fine. However, with IPv6 I can
> only ping the server’s IPv6 addresses (2001:DB8::BEEF:3001 and
> 2001:DB8::DEAD:F00D). The outside world stays out of reach. The packets are just
> dropped. I’m not getting network unreachable or any other error message back.

Run tcpdump on the server both on the WG side and on the outgoing interface,
and you'll be able to say more precisely where or by whom they are dropped.

> When I enabled forwarding for IPv6 on the server, I did have to manually add
> the route so that IPv6 would continue working on the server
> (ip -r route add default fe80::1).

This is because the default behavior is such that enabling routing precludes
accepting Route Advertisements from upstream routers, so you lost the route
you were getting via those. To keep accepting them, set accept_ra to 2
(echo 2 > /proc/sys/net/ipv6/conf/ethX/accept_ra)

> I can SSH into the server, and ping the
> outside world no problem. And, the outside world can reach my server via IPv6
> just fine, too.

Try adding one of the IPs you wanted to route into WG directly to server's
uplink interface and see if it becomes pingable from the outside world. If so,
that would confirm (if a little bit) the non-routed subnet hypothesis.

-- 
With respect,
Roman
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
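The checks Roman walks through above (is the "routed" /116 really carved out of the on-link /64, do both tunnel endpoints sit inside it, and does the client's AllowedIPs for the server peer include ::/0) can be encoded as a small sanity script. This is an added example, not code from the thread or from WireGuard; it uses the thread's own documentation prefixes, and the client AllowedIPs list is a constructed assumption since the original poster did not post his configuration.

```python
"""Sanity-check an IPv6 addressing plan for a WireGuard server (added example)."""
from ipaddress import IPv6Network, ip_network

# Values quoted in the thread.
UPLINK_PREFIX = "2001:DB8::/64"            # server's public /64 on the uplink
ROUTED_PREFIX = "2001:DB8::BEEF:3000/116"  # prefix the poster wants behind WireGuard
SERVER_WG = "2001:DB8::BEEF:3001"
CLIENT_WG = "2001:DB8::BEEF:3002"
# Constructed assumption: a client AllowedIPs list that forgot IPv6 default.
CLIENT_ALLOWED_IPS = ["10.0.0.0/24", "2001:DB8::BEEF:3000/116"]


def check_plan(uplink: str, routed: str, server_wg: str, client_wg: str,
               client_allowed_ips: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    uplink_net, routed_net = IPv6Network(uplink), IPv6Network(routed)
    findings = []

    # 1. A prefix carved out of the uplink /64 is on-link from the upstream
    #    router's point of view: it will Neighbor-Solicit for each address
    #    instead of forwarding the whole block to the server.
    if routed_net.subnet_of(uplink_net):
        findings.append(
            f"{routed_net} lies inside on-link {uplink_net}: upstream expects "
            "these addresses on the link, so use a truly routed prefix or ndppd")

    # 2. Both tunnel endpoints should sit inside the prefix given to WireGuard.
    for name, addr in (("server", server_wg), ("client", client_wg)):
        if ip_network(addr) not in (routed_net,) and not ip_network(addr).subnet_of(routed_net):
            findings.append(f"{name} WG address {addr} is outside {routed_net}")

    # 3. Internet-bound IPv6 only enters the tunnel if the client's AllowedIPs
    #    for the server peer cover all of IPv6, i.e. contain ::/0.
    v6_allowed = [n for n in map(ip_network, client_allowed_ips) if n.version == 6]
    if not any(n.prefixlen == 0 for n in v6_allowed):
        findings.append("client AllowedIPs lack ::/0, so IPv6 default traffic "
                        "never enters the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_plan(UPLINK_PREFIX, ROUTED_PREFIX, SERVER_WG,
                              CLIENT_WG, CLIENT_ALLOWED_IPS):
        print("finding:", finding)
```

Running it against the thread's values reports the on-link /116 and the missing ::/0; a plan with a separately routed prefix and ::/0 in AllowedIPs reports nothing.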
