Routing an IPv6 ipset via a VPN (WireGuard) interface doesn't work

I want to route the destinations held in two ipsets (populated by dnsmasq) through a VPN interface. With the IPv4 ipset everything works; with the IPv6 ipset it doesn't.

# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r9480-994428f395'
DISTRIB_TARGET='ramips/mt7620'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r9480-994428f395'
DISTRIB_TAINTS='no-all'

Partial /etc/config/dhcp

# dnsmasq adds the addresses it answers for this name to two ipsets. Which set
# an address lands in follows the set's family (in the `ipset list` output
# below dns-ipv4 holds only inet entries, dns-ipv6 only inet6 entries). The
# pattern also covers subdomains: the sets hold the addresses resolved for
# ipv4./ipv6.whatismyip.akamai.com.
# NOTE(review): set membership is driven entirely by DNS answers, so whatever
# can influence what this resolver returns for the name also decides what is
# routed into the tunnel.
config dnsmasq
	list ipset '/whatismyip.akamai.com/dns-ipv4,dns-ipv6'

Partial /etc/config/network

# Local end of the WireGuard tunnel. Both tunnel addresses come from private
# ranges (RFC 1918 and ULA). They are fine inside the tunnel, but neither is
# routable on the public Internet, so any packet that leaves the server with
# one of them as source has to be NATed there.
# The private key is redacted in this paste; keep it that way.
config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.11.2/24'
	list addresses 'fd22:2715:93c1:10::2/60'
	option private_key '[REDACTED]'

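# Remote peer (the VPN server). allowed_ips 0.0.0.0/0 and ::/0 make this peer
# usable for any destination, i.e. as the exit for everything the policy
# routing below pushes out of wg0. This only governs what THIS side sends to
# and accepts from the peer; the server's own allowed_ips entry for this
# client decides which source addresses it accepts from the tunnel.
# Public key and endpoint are redacted. (The original paste lacked the closing
# quote on public_key; restored here so the stanza parses.)
config wireguard_wg0
	option public_key '[REDACTED]'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '[REDACTED]'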

# Policy routing: a second table (100) whose only entries are default routes
# out of wg0, consulted for packets carrying fwmark 0x1. The MARK rules in
# /etc/config/firewall set exactly 0x1/0xffffffff, so the plain `mark '0x1'`
# match on the ip rules below is sufficient; `ip rule list fwmark 0x1` further
# down confirms "from all fwmark 0x1 lookup 100" for both families.
config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

# IPv6 twin of the route above (shows up as `default dev wg0` in table 100).
# NOTE(review): for packets the router itself generates, the source address is
# picked by the ordinary (unmarked) lookup before the mangle OUTPUT rule marks
# the packet, so this route changes the egress interface but not the source.
# For IPv4 the wan zone's masquerade then rewrites the source to wg0's
# 192.168.11.2; nothing in this config does the same for IPv6 — TODO confirm
# with tcpdump on wg0 which source address the failing IPv6 packets carry.
config route6
	option interface 'wg0'
	option target '::/0'
	option table '100'

# fwmark 0x1 -> table 100, one rule per family.
config rule
	option lookup '100'
	option mark '0x1'

config rule6
	option lookup '100'
	option mark '0x1'

Partial /etc/config/firewall

# wg0 shares the wan zone with the real uplinks: nothing arriving from the
# tunnel may reach the router (input REJECT), LAN->wan forwarding is opened
# below, and traffic leaving the zone is masqueraded.
# NOTE(review): in fw3 `masq` masquerades IPv4 only; IPv6 masquerading is the
# separate option `option masq6 '1'`, which is not set here. That is the one
# asymmetry between the working IPv4 path and the failing IPv6 path visible in
# this config: IPv4 packets marked in OUTPUT leave wg0 SNATed to 192.168.11.2,
# whereas IPv6 packets leave with whatever source the initial (unmarked) route
# lookup chose — presumably the wan6 global address, which the server would
# not accept for this peer if its allowed_ips lists only fd22:2715:93c1:10::2.
# TODO confirm with `tcpdump -ni wg0 ip6` before adding masq6; and note that a
# zone-wide masq6 would also NAT66 IPv6 leaving wan6 — a dedicated zone for
# wg0 keeps it scoped to the tunnel.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN clients may initiate connections towards the wan zone (and so the tunnel).
config forwarding
	option src 'lan'
	option dest 'wan'

# The two sets the firewall matches on; dnsmasq fills them (see
# /etc/config/dhcp). `storage hash` + `match dest_ip` yields a hash:ip set
# keyed on the packet's destination address, one set per address family,
# which is what `ipset list` below shows.
config ipset
	option name 'dns-ipv4'
	option storage 'hash'
	option match 'dest_ip'
	option family 'ipv4'

config ipset
	option name 'dns-ipv6'
	option storage 'hash'
	option match 'dest_ip'
	option family 'ipv6'

# Mark packets whose destination is in a set so the ip rules send them to
# table 100. Neither rule names a src or dest zone, so fw3 places them in the
# mangle OUTPUT chain (its warnings below say so explicitly): they only affect
# traffic the router itself originates, which is what the curl tests on the
# router exercise.
# NOTE(review): forwarded LAN traffic never passes OUTPUT, so LAN clients are
# not routed through the tunnel by these rules; presumably they need
# `option src 'lan'` so fw3 installs them in PREROUTING — check with
# `fw3 print`. Pinning each rule to its family keeps the v4 set out of
# ip6tables and vice versa.
config rule
	option proto 'all'
	option ipset 'dns-ipv4'
	option set_mark '0x1'
	option family 'ipv4'
	option target 'MARK'

config rule
	option proto 'all'
	option ipset 'dns-ipv6'
	option set_mark '0x1'
	option family 'ipv6'
	option target 'MARK'
# dig +short A ipv4.whatismyip.akamai.com
ipv4.whatismyip.akamai.com.edgesuite.net.
a1524.g.akamai.net.
95.101.142.34
95.101.142.8
# dig +short AAAA ipv6.whatismyip.akamai.com
ipv6.whatismyip.akamai.com.edgesuite.net.
a1524.i6g1.akamai.net.
2a02:26f0:18::212:a10
2a02:26f0:18::212:a18
# ipset list
Name: dns-ipv4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 136
References: 1
Number of entries: 2
Members:
95.101.142.34
95.101.142.8

Name: dns-ipv6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 244
References: 1
Number of entries: 2
Members:
2a02:26f0:18::212:a18
2a02:26f0:18::212:a10
# ip -4 address show dev wg0
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.11.2/24 brd 192.168.11.255 scope global wg0
       valid_lft forever preferred_lft forever
# ip -6 address show dev wg0
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd22:2715:93c1:10::2/60 scope global 
       valid_lft forever preferred_lft forever
# ip -4 route show table 100
default dev wg0 proto static scope link 
# ip -6 route show table 100
default dev wg0 proto static metric 1024 pref medium
# ip -4 rule list fwmark 0x1
1:      from all fwmark 0x1 lookup 100 
# ip -6 rule list fwmark 0x1
1:      from all fwmark 0x1 lookup 100 
# fw3 -4 print | grep MARK
Warning: Section @rule[5] has neither a source nor a destination zone assigned - assuming an output r
Warning: Section @rule[6] has neither a source nor a destination zone assigned - assuming an output r
iptables -t mangle -A OUTPUT -m set --match-set dns-ipv4 dst -m comment --comment "!fw3: @rule[5]" -j MARK --set-xmark 0x1/0xffffffff
# fw3 -6 print | grep MARK
Warning: Section @rule[5] has neither a source nor a destination zone assigned - assuming an output r
Warning: Section @rule[6] has neither a source nor a destination zone assigned - assuming an output r
ip6tables -t mangle -A OUTPUT -m set --match-set dns-ipv6 dst -m comment --comment "!fw3: @rule[6]" -j MARK --set-xmark 0x1/0xffffffff
# curl -4 ipv4.whatismyip.akamai.com
178.62.122.230

178.62.122.230 is the IPv4 address of the VPN server, so IPv4 traffic to the set does leave through the tunnel.

# curl -6 ipv6.whatismyip.akamai.com
curl: (7) Failed to connect to ipv6.whatismyip.akamai.com port 80: Operation timed out

Are you translating the ULA IPv6 address somehow at the exit point of the WireGuard tunnel?

Not sure I completely understand the question. I use one ULA subnet inside the tunnel, that's all.
Remote peer (VPN server) addresses:

$ ip -6 address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a03:b0c0:1:d0::bff:8001/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::c76:b8ff:fefd:9e71/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd22:2715:93c1:10::1/60 scope global 
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP 
    inet6 fe80::42:bcff:fe13:e91e/64 scope link 
       valid_lft forever preferred_lft forever
6: vethc1100e3@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP 
    inet6 fe80::bc4a:baff:fe20:9fda/64 scope link 
       valid_lft forever preferred_lft forever

Your fd22... IPv6 address is private, just like 192.168.11.x, and is not routable on the Internet.
To make packets with a private source address routable, you need NAT.
So I am asking whether you have NAT6 in place at the VPN server, just as you have (via masquerading) for IPv4.


The VPN server has IPv6 and all the necessary settings. Tested on Windows and Android clients that use the tunnel as their default route.

Alrighty then, show us here the NAT6 configuration you have on vpn server.


Everything is fine on the server.
Linux peer that uses the VPN server as its default route (only the on-link wg0 routes show up below; a wg-quick style default route would presumably live in a separate routing table):

$ ip -4 address show dev wg0
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.11.6/24 scope global wg0
       valid_lft forever preferred_lft forever
$ ip -6 address show dev wg0 
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd22:2715:93c1:10::6/60 scope global 
       valid_lft forever preferred_lft forever
$ ip -4 route show dev wg0
192.168.11.0/24 proto kernel scope link src 192.168.11.6
$ ip -6 route show dev wg0 
fd22:2715:93c1:10::/60 proto kernel metric 256 pref medium
$ curl -4 ipv4.whatismyip.akamai.com
178.62.122.230
$ curl -6 ipv6.whatismyip.akamai.com
2a03:b0c0:1:d0::bff:8001

If you want a solution, you should answer what you are being asked, not post unrelated things.

I would run tcpdump on OpenWrt and on the server, on both the WAN interfaces and the WireGuard interfaces.
Once you know how far the packets get, you can focus on the machine that isn't forwarding the traffic; in particular, compare the source address of the IPv6 packets leaving OpenWrt's wg0 with the address the server's allowed_ips expects for this peer.