IPv6 Not Getting Past Server
Aaron W. Swenson
aaron at grandmasfridge.org
Sat Sep 22 21:55:22 CEST 2018
I’m going to use the official documentation IP addresses. I am using real IPv6
addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are
the definitions I’m using:
Server Public IPv6: 2001:DB8::DEAD:F00D/64
Server Public IPv4: 192.0.2.1
Routed /116: 2001:DB8::BEEF:3000/116
Server Wireguard IPv6: 2001:DB8::BEEF:3001
Server Wireguard IPv4: 10.0.0.1
Client Wireguard IPv6: 2001:DB8::BEEF:3002
Client Wireguard IPv4: 10.0.0.2
I can ping the outside world through IPv4 just fine. However, with IPv6 I can
only ping the server’s IPv6 addresses (2001:DB8::BEEF:3001 and
2001:DB8::DEAD:F00D). The outside world stays out of reach. The packets are just
dropped. I’m not getting network unreachable or any other error message back.
When I enabled forwarding for IPv6 on the server, I did have to manually add
the route so that IPv6 would continue working on the server
(ip -r route add default fe80::1). I can SSH into the server, and ping the
outside world no problem. And, the outside world can reach my server via IPv6
just fine, too.
I’m running Gentoo on the server and client.
=====================================
Sysctl Settings I know to be relevant
=====================================
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
==============================
Wireguard Server Configuration
==============================
[Interface]
Address = 10.0.0.1/24, 2001:DB8::BEEF:3001/116
SaveConfig = true
ListenPort = 51820
PrivateKey = ServerPrivateKey
[Peer]
PublicKey = ClientPublicKey
AllowedIPs = 10.0.0.2/32, 2001:DB8::BEEF:3002/128
Endpoint = 192.0.2.204:53132
==============================
Wireguard Client Configuration
==============================
[Interface]
Address = 10.0.0.2/32
Address = 2001:DB8::BEEF:3002
PrivateKey = ClientPrivateKey
DNS = 8.8.8.8
[Peer]
PublicKey = ServerPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 25
===============
Server Nftables
===============
flush ruleset;
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state {established, related} accept
# loopback interface
iifname "lo" accept
icmp type echo-request accept
icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, redirect } accept
# TCP ports
tcp dport {smtp, http, https, submission, imaps, irc} accept
# ssh
tcp dport #ssh# accept
# Secured IRC
tcp dport #notthatchatty# accept
# UDP ports
udp dport 51820 accept
ip6 daddr 2001:DB8::BEEF:3000/116 accept
}
chain forward {
type filter hook forward priority 0;
# allow established/related connections
ct state {established, related} accept
# early drop of invalid connections
ct state invalid drop
# Allow packets to be forwarded from the VPNs to the outer world
ip saddr 10.0.0.0/8 iifname wg0 oifname enp0s3 accept
ip6 saddr 2001:DB8::BEEF:3000/116 iifname wg0 oifname enp0s3 accept
}
}
# IPv4 NAT table
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr 10.0.0.0/8 oif "enp0s3" snat to 192.0.2.1
}
}
====================
Client ‘ip -6 route’
====================
# ip -6 route
2001:DB8::BEEF:3002 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 100 pref medium
====================
Server ‘ip -6 route’
====================
2001:DB8::BEEF:3000/116 dev wg0 proto kernel metric 256 pref medium
2001:DB8::/64 dev enp0s3 proto kernel metric 256 expires 2326066sec pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default via fe80::1 dev enp0s3 metric 1024 pref medium
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 358 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180922/1e30c329/attachment-0001.asc>
More information about the WireGuard
mailing list