Ipv6 - Cannot ping ipv6 lan nodes after 'wg-quick up config_file'

Allen eawalker at pm.me
Tue Jun 26 20:58:10 CEST 2018


Problem: Bringing up wireguard via wq-quick causes pings to lan clients
to fail. Ip4 has no issues. Ultimately I think this is breaking LAN
client routing ipv6 packets thru my route (single board computer/rasp
pi) device. I need to fix my ipv6 routing table but don't know how.
Here's some info:

# wg-quick up mullvad-us1
[#] ip link add mullvad-us1 type wireguard
[#] wg setconf mullvad-us1 /dev/fd/63
[#] ip address add 10.99.XX.XXX/32 dev mullvad-us1
[#] ip address add fc00:bbbb:bbbb:bb01::XXXX/128 dev mullvad-us1
[#] ip link set mtu 1420 dev mullvad-us1
[#] ip link set mullvad-us1 up
[#] resolvconf -a tun.mullvad-us1 -m 0 -x
[#] wg set mullvad-us1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvad-us1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvad-us1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

Ping a LAN ipv6 client FAILS

# ping fd00::ba27:ebff:feeb:a757
PING fd00::ba27:ebff:feeb:a757(fd00::XXXX:ebff:feeb:XXXX) 56 data bytes
^C
--- fd00::XXXX:ebff:feeb:XXXX ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5013ms

Take wireguard down:

# wg-quick down mullvad-us1
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-us1
[#] resolvconf -d tun.mullvad-us1

Ping a LAN ipv6 client SUCCEEDS

# ping fd00::ba27:ebff:feeb:a757
PING fd00::ba27:ebff:feeb:a757(fd00::XXXX:ebff:feeb:XXXX) 56 data bytes
64 bytes from fd00::XXXX:ebff:feeb:XXXX: icmp_seq=1 ttl=64 time=0.884 ms
64 bytes from fd00::XXXX:ebff:feeb:XXXX: icmp_seq=2 ttl=64 time=0.881 ms
^C
--- fd00::XXXX:ebff:feeb:XXXX ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.881/0.882/0.884/0.029 ms


SYSTEM CONFIGURATION:

# uname -ra
Linux DietPi 3.16.56+ #1 SMP PREEMPT Wed Apr 18 16:59:34 CEST 2018
aarch64 GNU/Linux

# cat /proc/sys/net/ipv6/conf/all/forwarding
1

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

radvd.conf:

interface eth0 {
      AdvSendAdvert on;
      MinRtrAdvInterval 3;
      MaxRtrAdvInterval 10;
      AdvDefaultPreference high;
      prefix fd00::/64 {
           AdvOnLink on;
           AdvAutonomous on;
           AdvRouterAddr on;
      };
      RDNSS fd00::1 {};
};

# cat /etc/network/interfaces
#/etc/network/interfaces
#Please use DietPi-Config to modify network settings.

# Local
auto lo
iface lo inet loopback

# Ethernet
allow-hotplug eth0
iface eth0 inet static
address 192.168.2.4
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 127.0.0.1 8.8.8.8

iface eth0 inet6 static
address fd00::1
netmask 64

# cat /etc/wireguard/mullvad-us1.conf
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXX
Address = 10.99.XX.XXX/32,fc00:bbbb:bbbb:bb01::XXXX/128
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i
-j ACCEPT; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; ip6tables
-t nat -A POSTROUTING -s fd00::/64 -o %i -j SNAT --to-source
fc00:bbbb:bbbb:bb01::XXXX
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o
%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j
MASQUERADE;ip6tables -t nat -D POSTROUTING -s fd00::/64 -o %i -j SNAT
--to-source fc00:bbbb:bbbb:bb01::XXXX



[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXX
Endpoint = 185.232.XX.XX:51820
AllowedIPs = 0.0.0.0/0, ::/0

Wireguard down:

#ip -d -6 route
unicast fd00::/64 dev eth0 proto kernel scope global metric 256
unicast fe80::/64 dev eth0 proto kernel scope global metric 256

Wireguard up:

# ip -d -6 route
unicast fc00:bbbb:bbbb:bb01::XXXX dev mullvad-us1 proto kernel scope
global metric 256
unicast fd00::/64 dev eth0 proto kernel scope global metric 256
unicast fe80::/64 dev eth0 proto kernel scope global metric 256


With wireguard up, if I try to see the route taken to my lan ping I
see it's trying to go thru mullvad-us1 which logically is incorrect:

# ip -s route get fd00::XXXX:ebff:feeb:XXXX
fd00::XXXX:ebff:feeb:XXXX from :: dev mullvad-us1 table 51820 src
fc00:bbbb:bbbb:bb01::XXXX metric 0
       cache  users 1 used 1

No problems pinging google though:

# ping -6 google.com
PING google.com(lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e)) 56
data bytes
64 bytes from lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e):
icmp_seq=1 ttl=54 time=41.1 ms
64 bytes from lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e):
icmp_seq=2 ttl=54 time=41.1 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 41.144/41.153/41.162/0.009 ms






More information about the WireGuard mailing list