Re: ipv6 connexion fail - ipv4 OK

Skyler Mäntysaari samip537 at kapsi.fi
Mon Aug 30 12:55:36 UTC 2021


On 8/30/21 1:24 PM, Daniel wrote:

> Hi
>
> On 27/08/2021 at 23:44, Roman Mamedov wrote:
>> On Sat, 28 Aug 2021 07:05:45 +0930
>> Mike O'Connor <mike at pineview.net> wrote:
>>
>>> On a 1500 link I'm having to use 1280 to get ipv6 to successfully go
>>> over a wireguard link.
>> Then it is not a true 1500 MTU link, something in-between drops
>> packets at a lower bar. Or maybe not all of them, but just UDP, for
>> example.
>>
>> But yeah, 1280 is worth trying as well, maybe Daniel has a similar
>> issue.
>>
>> As for me I am using MTU 1412 WG over IPv6 on a 1492 MTU underlying
>> link just fine.
>
> After quite a few tests, I think the problem is elsewhere. Setup of
> the server:
>
> . eth0 with one public ipv4 IP and ipv6 /64
>
> . 2 tunnels (one gre, one sit), each of them having one ipv4 and one
> ipv6 /64. They take care of traffic from/to our /48 ipv6 range
>
> . 2 tun openvpn interfaces for customers with ipv6 address from our
> /48 range
>
> . wireguard interface with ipv6 address from our /48 range
>
> Using tcpdump -i any I see the traffic coming to the gre interface and
> that's all. But netstat shows
>
> udp6       0      0 :::12345 :::* 0          125391     -
>
> and ps aux output is
>
> dh at peech:~$ ps ax|grep wg
>    6969 ?        I<     0:00 [wg-crypt-wig4to]
>    7026 ?        I      0:00 [kworker/1:2-wg-kex-wig4tootai]
>
> Question: is wireguard really listening on all ipv6 addresses? If
> not, how is the address chosen?
>
> [...]
>
> Thanks for your help
>
Hi,

I'm having to use MSS 1380 for IPv4 and MSS 1360 for IPv6 with
WireGuard, and it works great. However, I'm not entirely sure what the
underlying link MTU actually is because WAN says 1500, but pinging with
`-m DO` sometimes doesn't work like it is in fact MTU 1500 all the way.
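
The MTU and MSS figures quoted in this thread follow from WireGuard's fixed per-packet overhead, worked through here as an added example that is not part of the original messages. The `probe` callback is a hypothetical stand-in for one don't-fragment ping, the hop list is constructed, and the 576-byte IPv4 search floor is an assumption.

```python
# Added example: header sizes are protocol constants; the path below is constructed.
IP_HDR = {4: 20, 6: 40}   # fixed IP header, no options or extension headers
UDP_HDR = 8
WG_OVERHEAD = 32          # 16-byte WireGuard data header + 16-byte Poly1305 tag
TCP_HDR = 20              # no TCP options
IPV6_MIN_MTU = 1280       # smallest MTU an IPv6 link may have

def wg_mtu(underlay_mtu, outer_family):
    """Largest inner packet that fits in one unfragmented outer packet."""
    return underlay_mtu - IP_HDR[outer_family] - UDP_HDR - WG_OVERHEAD

def tcp_mss(tunnel_mtu, inner_family):
    """MSS clamp value for TCP carried inside the tunnel."""
    return tunnel_mtu - IP_HDR[inner_family] - TCP_HDR

def find_path_mtu(probe, low, high):
    """Binary-search the largest packet size for which probe(size) is True.

    probe is a hypothetical callback standing in for one don't-fragment
    ping of `size` bytes total; it must be monotonic (small passes, big fails).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def simulated_path(hop_mtus):
    """Constructed stand-in for a real path: passes packets up to the smallest hop."""
    return lambda size: size <= min(hop_mtus)

def plan(probe, outer_family, advertised=1500):
    floor = IPV6_MIN_MTU if outer_family == 6 else 576  # 576: assumed IPv4 floor
    pmtu = find_path_mtu(probe, floor, advertised)
    if pmtu is None:
        return None
    mtu = wg_mtu(pmtu, outer_family)
    return {"path_mtu": pmtu, "wg_mtu": mtu,
            "mss_v4": tcp_mss(mtu, 4), "mss_v6": tcp_mss(mtu, 6),
            "inner_ipv6_ok": mtu >= IPV6_MIN_MTU}

if __name__ == "__main__":
    print(plan(simulated_path([1500, 1492, 1500]), outer_family=6))
```

With a 1492-byte hop and an IPv6 underlay this gives a tunnel MTU of 1412; an underlay of 1500 gives 1420, whose MSS values are 1380 (IPv4) and 1360 (IPv6).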


