Problem: Bringing up WireGuard via wg-quick causes pings to LAN clients to fail. IPv4 has no issues. Ultimately I think this is breaking LAN clients routing IPv6 packets thru my router (single board computer/rasp pi) device. I need to fix my IPv6 routing table but don't know how. Here's some info:

# wg-quick up mullvad-us1
[#] ip link add mullvad-us1 type wireguard
[#] wg setconf mullvad-us1 /dev/fd/63
[#] ip address add 10.99.XX.XXX/32 dev mullvad-us1
[#] ip address add fc00:bbbb:bbbb:bb01::XXXX/128 dev mullvad-us1
[#] ip link set mtu 1420 dev mullvad-us1
[#] ip link set mullvad-us1 up
[#] resolvconf -a tun.mullvad-us1 -m 0 -x
[#] wg set mullvad-us1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvad-us1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvad-us1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

Ping a LAN IPv6 client FAILS:

# ping fd00::ba27:ebff:feeb:a757
PING fd00::ba27:ebff:feeb:a757(fd00::XXXX:ebff:feeb:XXXX) 56 data bytes
^C
--- fd00::XXXX:ebff:feeb:XXXX ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5013ms

Take WireGuard down:

# wg-quick down mullvad-us1
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-us1
[#] resolvconf -d tun.mullvad-us1

Ping a LAN IPv6 client SUCCEEDS:

# ping fd00::ba27:ebff:feeb:a757
PING fd00::ba27:ebff:feeb:a757(fd00::XXXX:ebff:feeb:XXXX) 56 data bytes
64 bytes from fd00::XXXX:ebff:feeb:XXXX: icmp_seq=1 ttl=64 time=0.884 ms
64 bytes from fd00::XXXX:ebff:feeb:XXXX: icmp_seq=2 ttl=64 time=0.881 ms
^C
--- fd00::XXXX:ebff:feeb:XXXX ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.881/0.882/0.884/0.029 ms

SYSTEM CONFIGURATION:

# uname -ra
Linux DietPi 3.16.56+ #1 SMP PREEMPT Wed Apr 18 16:59:34 CEST 2018 aarch64 GNU/Linux

# cat /proc/sys/net/ipv6/conf/all/forwarding
1

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

radvd.conf:

interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvDefaultPreference high;
    prefix fd00::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
    RDNSS fd00::1 {};
};

# cat /etc/network/interfaces
#/etc/network/interfaces
#Please use DietPi-Config to modify network settings.
# Local
auto lo
iface lo inet loopback
# Ethernet
allow-hotplug eth0
iface eth0 inet static
    address 192.168.2.4
    netmask 255.255.255.0
    gateway 192.168.2.1
    dns-nameservers 127.0.0.1 8.8.8.8
iface eth0 inet6 static
    address fd00::1
    netmask 64

# cat /etc/wireguard/mullvad-us1.conf
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXX
Address = 10.99.XX.XXX/32,fc00:bbbb:bbbb:bb01::XXXX/128
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s fd00::/64 -o %i -j SNAT --to-source fc00:bbbb:bbbb:bb01::XXXX
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fd00::/64 -o %i -j SNAT --to-source fc00:bbbb:bbbb:bb01::XXXX

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXX
Endpoint = 185.232.XX.XX:51820
AllowedIPs = 0.0.0.0/0, ::/0

WireGuard down:

# ip -d -6 route
unicast fd00::/64 dev eth0 proto kernel scope global metric 256
unicast fe80::/64 dev eth0 proto kernel scope global metric 256

WireGuard up:

# ip -d -6 route
unicast fc00:bbbb:bbbb:bb01::XXXX dev mullvad-us1 proto kernel scope global metric 256
unicast fd00::/64 dev eth0 proto kernel scope global metric 256
unicast fe80::/64 dev eth0 proto kernel scope global metric 256

With WireGuard up, if I try to see the route taken to my LAN ping I see it's trying to go thru mullvad-us1, which logically is incorrect:

# ip -s route get fd00::XXXX:ebff:feeb:XXXX
fd00::XXXX:ebff:feeb:XXXX from :: dev mullvad-us1 table 51820 src fc00:bbbb:bbbb:bb01::XXXX metric 0 cache users 1 used 1

No problems pinging google though:

# ping -6 google.com
PING google.com(lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e)) 56 data bytes
64 bytes from lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e): icmp_seq=1 ttl=54 time=41.1 ms
64 bytes from lga25s56-in-x0e.1e100.net (2607:f8b0:4006:800::200e): icmp_seq=2 ttl=54 time=41.1 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 41.144/41.153/41.162/0.009 ms

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
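Added example, not code from the post or from the WireGuard project: a small Python model of the IPv6 policy-routing lookup that the wg-quick transcript above installs (rule preference order, the "not fwmark 51820" match, and "suppress_prefixlength 0"), fed with the post's own tables, so the LAN lookup can be compared with and without the suppress rule being honoured. It ignores the local table and source-address selection, and the host address fc00:bbbb:bbbb:bb01::1 stands in for the redacted ::XXXX.

```python
import ipaddress

# Constructed model of the IPv6 routing state shown in the post once wg-quick is up:
# the main table holds the LAN routes, table 51820 holds only the tunnel default route.
# The ::1 host address is a stand-in for the redacted fc00:bbbb:bbbb:bb01::XXXX.
MAIN = [("fc00:bbbb:bbbb:bb01::1/128", "mullvad-us1"),
        ("fd00::/64", "eth0"),
        ("fe80::/64", "eth0")]
TABLE_51820 = [("::/0", "mullvad-us1")]
TABLES = {"main": MAIN, 51820: TABLE_51820}

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, dev) or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def route(dst, rules, fwmark=0):
    """Walk the rules lowest preference number first, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["pref"]):
        if "not_fwmark" in rule and fwmark == rule["not_fwmark"]:
            continue                # "not fwmark 51820" skips the tunnel's own marked UDP
        hit = lookup(rule["table"], dst)
        if hit is None:
            continue                # no route in this table: try the next rule
        if hit[0] <= rule.get("suppress_prefixlength", -1):
            continue                # suppressed (here: a /0 default route): fall through
        return hit[1]
    return None

# Rule set wg-quick produces; each "ip rule add" without a pref lands one below the last,
# so the suppress rule (added second) is evaluated before the table 51820 rule.
WG_RULES = [
    {"pref": 32764, "table": "main", "suppress_prefixlength": 0},
    {"pref": 32765, "table": 51820, "not_fwmark": 51820},
    {"pref": 32766, "table": "main"},
]
# Same rules with the suppress rule missing or ignored: the failure mode the post observes.
NO_SUPPRESS_RULES = [r for r in WG_RULES if "suppress_prefixlength" not in r]

if __name__ == "__main__":
    lan = "fd00::ba27:ebff:feeb:a757"
    print("LAN, suppress rule honoured:", route(lan, WG_RULES))             # eth0
    print("LAN, suppress rule absent:  ", route(lan, NO_SUPPRESS_RULES))    # mullvad-us1
    print("Internet, unmarked:         ", route("2607:f8b0:4006:800::200e", WG_RULES))
```

With the suppress rule in effect the LAN /64 in main wins because only a /0 result is discarded; without it the first matching rule is the tunnel table, which is exactly the "dev mullvad-us1 table 51820" answer that ip route get printed above. Marked packets (fwmark 51820) find no IPv6 default route in this main table, consistent with the endpoint being reached over IPv4.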
