From: Waishon
Date: Sun, 19 Aug 2018 19:13:05 +0200
Subject: wg-quick IPv6 same route on different interfaces
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Hey there,

I'm setting up a WireGuard tunnel between my VPS and my home network. This tunnel should be IPv6 only.
I assigned the IPv6 subnet fd00:1:a/64 to my home network and my wireguard client got the static IP fd00:1:a::1.
On the VPS I assigned the IP fd00::1 to the wg0 interface.

Here're the configs:

*Client:*
> [Interface]
> PrivateKey = XXXX
> Address = fd00:1:a::1/64
> [Peer]
> PublicKey = XXXX
> AllowedIPs = fd00:0:0::/64
> EndPoint = vpn.domain.tld:51820
> PersistentKeepalive = 25

*Server:*
> [Interface]
> PrivateKey = ...
> ListenPort = 51820
> Address = fd00:0:0::1
>
> [Peer]
> PublicKey = XXXX
> AllowedIPs = fd00:1:a::/64

After running "wg-quick up wg0" I'm able to ping the server and the server is able to ping the client.
However, I'd like to reach all my clients in my home network. To do this I added a static route that forwards all traffic addressed to fd00::/64 to my wireguard client machine (fd00:1:a::1) and enabled IP forwarding on the client. When I now do a ping6 from my VPS to another client in my network I only get an unreachable error.

Some further debugging shows that wireguard adds another route for my home's fd00:1:a::/64 network. Without wireguard I only have the "fd00:1:a::/64 dev wlan0" route.

*ip -6 route show:*
fd00::/64 dev wg0 metric 1024 pref medium
fd00:1:a::/64 dev wlan0 proto kernel metric 256 expires 6993sec pref medium
fd00:1:a::/64 dev wg0 proto kernel metric 256 pref medium

Because it prioritizes the route where the packet comes from, the packet is routed back to WireGuard, which obviously doesn't know what to do with it, because it's not configured as AllowedIPs.

After manually removing the duplicate route entry everything works as expected and I'm able to ping all my clients in my network from the VPS.

A friend of mine has set up WireGuard to use IPv4 only. ip route doesn't show any duplicate routes there.

I was able to reproduce this error on two wireguard client machines.

Am I missing something in the configuration, or is this a bug?

Kind regards
Soeren
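The duplicate route in the post comes from the `Address = fd00:1:a::1/64` line: wg-quick assigns that address with its /64 to wg0, and the kernel then installs a connected route for fd00:1:a::/64 on wg0 alongside the one wlan0 already has, at the same metric. The following is an added example, written by the editor and not part of the original post or of the WireGuard project, that checks for exactly this before an interface is brought up: it parses `ip -6 route show` output, computes the prefix routes a given `Address=` value would add, and reports any prefix that is already routed on another device. The route dumps embedded below are constructed from the lines the post shows (one table as it looks before wg0 exists, one after); the function and variable names are the editor's own.

```python
# Added example (not from the mailing-list post or the WireGuard project):
# lint a wg-quick Address= value against the kernel's IPv6 route table to
# spot the "same prefix on two interfaces" situation. Standard library only.
import ipaddress
import re

# One on-link or via route line of `ip -6 route show`:
#   "<dst> [via <gw>] dev <ifname> [proto ...] [metric N] ..."
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$")
METRIC_RE = re.compile(r"\bmetric\s+(\d+)")

# Constructed sample: the route table before wg0 exists (from the post's
# "without wireguard I only have the fd00:1:a::/64 dev wlan0 route").
ROUTES_BEFORE_WG = """\
fd00:1:a::/64 dev wlan0 proto kernel metric 256 expires 6993sec pref medium
"""

# Constructed sample: the table after `wg-quick up wg0`, as shown in the post.
ROUTES_AFTER_WG = """\
fd00::/64 dev wg0 metric 1024 pref medium
fd00:1:a::/64 dev wlan0 proto kernel metric 256 expires 6993sec pref medium
fd00:1:a::/64 dev wg0 proto kernel metric 256 pref medium
"""


def parse_routes(route_text):
    """Parse `ip -6 route show` output into (network, dev, metric) tuples.

    Lines without a 'dev' (blackhole/unreachable/prohibit) are skipped.
    A destination without a prefix length is a host route (/128).
    """
    routes = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "::/0" if m.group("dst") == "default" else m.group("dst")
        metric_m = METRIC_RE.search(m.group("rest"))
        metric = int(metric_m.group(1)) if metric_m else 0
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev"), metric))
    return routes


def connected_routes(address_value, dev="wg0"):
    """Prefix routes the kernel installs when wg-quick runs
    `ip -6 address add <addr>/<len> dev <dev>` for each entry of Address=.
    A /128 entry yields only a host route for that one address.
    """
    nets = []
    for cidr in address_value.split(","):
        cidr = cidr.strip()
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 6:
            nets.append((net, dev))
    return nets


def find_conflicts(address_value, route_text, dev="wg0"):
    """Prefixes the new interface would duplicate on some other device,
    as (prefix, other_dev, other_metric)."""
    existing = parse_routes(route_text)
    conflicts = []
    for net, _ in connected_routes(address_value, dev):
        for r_net, r_dev, r_metric in existing:
            if r_dev != dev and r_net == net:
                conflicts.append((str(net), r_dev, r_metric))
    return conflicts


def duplicate_prefixes(route_text):
    """Prefixes that already appear on more than one device in a route dump,
    mapped to their [(dev, metric), ...] entries in table order."""
    by_prefix = {}
    for net, dev, metric in parse_routes(route_text):
        by_prefix.setdefault(str(net), []).append((dev, metric))
    return {p: entries for p, entries in by_prefix.items() if len(entries) > 1}


if __name__ == "__main__":
    # The post's configuration: the /64 on wg0 collides with wlan0's prefix.
    print(find_conflicts("fd00:1:a::1/64", ROUTES_BEFORE_WG))
    # The same address as a /128 adds only a host route and collides with nothing.
    print(find_conflicts("fd00:1:a::1/128", ROUTES_BEFORE_WG))
    # Post-hoc check on a live table, which reproduces the post's finding.
    print(duplicate_prefixes(ROUTES_AFTER_WG))
```

Run against a real host, feed `subprocess.check_output(["ip", "-6", "route", "show"], text=True)` to `find_conflicts` with the `Address=` value from the wg-quick config; a non-empty result means the kernel will end up with two equal-metric routes for one prefix and will pick one of them for replies, which is the symptom the post describes. The comparison is deliberately exact-prefix only: a /128 host route inside a LAN's /64 is normal and must not be flagged.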