AllowedIPs = ::/0 routes IPv4 - on Android?

AllowedIPs = ::/0 routes IPv4 - on Android?

[Valentijn Sessink]

Hi List,

I have a WG endpoint configured with
AllowedIPs = ::/0
... on an Android phone.

To my surprise, I found out that this also tries to route IPv4 addresses 
to the other WG side.

I was able to change that with a single "bogus" IPv4 address,
"AllowedIPs = ::/0, 192.0.2.99/32"

Is this a known feature? Android 13, WireGuard for Android 
v1.0.20230707, (from AOSP).

Best regards,

Valentijn

Re: AllowedIPs = ::/0 routes IPv4 - on Android?

[Marek Küthe]

[-- Attachment #1: Type: text/plain, Size: 929 bytes --]

Hello Valentijn,

::/0 does not describe no IPv4 address, but all IP addresses. So when
you write ::/0, all IPv4 addresses are routed through the tunnel. If
you don't want IPv4 routes, you can simply omit them in AllowedIPs (so
only put IPv6 addresses there, or only address which should go through
the tunnel).

Greetings
Marek Küthe

On Tue, 5 Sep 2023 16:04:34 +0200
Valentijn Sessink <v@sess.ink> wrote:

> Hi List,
> 
> I have a WG endpoint configured with
> AllowedIPs = ::/0
> ... on an Android phone.
> 
> To my surprise, I found out that this also tries to route IPv4 addresses 
> to the other WG side.
> 
> I was able to change that with a single "bogus" IPv4 address,
> "AllowedIPs = ::/0, 192.0.2.99/32"
> 
> Is this a known feature? Android 13, WireGuard for Android 
> v1.0.20230707, (from AOSP).
> 
> Best regards,
> 
> Valentijn


-- 
Marek Küthe
m.k@mk16.de
er/ihm he/him

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: AllowedIPs = ::/0 routes IPv4 - on Android?

[Nico Schottelius]

Hello Marek,

since when does ::/0 refer to IPv4 addresses? To my knowledge,
::/0 is the IPv6 all route and does not include any IPv4.

Best regards,

Nico

Marek Küthe <m-k-mailling-list@mk16.de> writes:

> [[PGP Signed Part:Undecided]]
> Hello Valentijn,
>
> ::/0 does not describe no IPv4 address, but all IP addresses. So when
> you write ::/0, all IPv4 addresses are routed through the tunnel. If
> you don't want IPv4 routes, you can simply omit them in AllowedIPs (so
> only put IPv6 addresses there, or only address which should go through
> the tunnel).
>
> Greetings
> Marek Küthe
>
> On Tue, 5 Sep 2023 16:04:34 +0200
> Valentijn Sessink <v@sess.ink> wrote:
>
>> Hi List,
>>
>> I have a WG endpoint configured with
>> AllowedIPs = ::/0
>> ... on an Android phone.
>>
>> To my surprise, I found out that this also tries to route IPv4 addresses
>> to the other WG side.
>>
>> I was able to change that with a single "bogus" IPv4 address,
>> "AllowedIPs = ::/0, 192.0.2.99/32"
>>
>> Is this a known feature? Android 13, WireGuard for Android
>> v1.0.20230707, (from AOSP).
>>
>> Best regards,
>>
>> Valentijn


--
Sustainable and modern Infrastructures by ungleich.ch

Re: AllowedIPs = ::/0 routes IPv4 - on Android?

[Valentijn Sessink]

Hi Marek,

Do you have any sources for that? AFAIK, ::/0 is a convenient way to 
describe "any IPv6 address".

Still, if you are correct and should ::/0 include IPv4, then the exact 
same setup under Linux operates differently, because here ::/0 only 
routes IPv6, not IPv4. Note the empty result for the ipv4 routing table:

# AllowedIPs = ::/0
v@lnx:~$ ip ro li ta 51820
v@lnx:~$ ip -6 ro li ta 51820
default dev wgip6 metric 1024 pref medium

# AllowedIPs = ::/0, 0.0.0.0/0
v@lnx:~$ ip ro li ta 51820
default dev wgip6 scope link
v@lnx:~$ ip -6 ro li ta 51820
default dev wgip6 metric 1024 pref medium

So the question remains: ::/0 under Android routes all IPv4 traffic to 
the WG interface, while under Linux, it will only route IPv6.
Is this known behaviour?

The wg-quick manpage is ambiguous, saying that "if one of those routes 
is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to 
handle overriding of the default gateway." No information on routing 
IPv4 or IPv6 differently.

A rephrase could be something like "if one of those routes is 0.0.0.0/0, 
or ::/0, it uses ip-rule(8) to handle overriding the default route for 
IPv4 or IPv6 respectivally."

Best regards,

Valentijn

On 24-10-2023 11:37, Marek Küthe wrote:
> ::/0 does not describe no IPv4 address, but all IP addresses. So when
[...]
> On Tue, 5 Sep 2023 16:04:34 +0200
> Valentijn Sessink <v@sess.ink> wrote:
>> AllowedIPs = ::/0
[...]
>> To my surprise, I found out that this also tries to route IPv4 addresses
>> to the other WG side.
>> Is this a known feature? Android 13, WireGuard for Android
>> v1.0.20230707, (from AOSP).-- 
http://www.openoffice.nl/   Open Office - Linux Office Solutions
Valentijn Sessink  v.sessink@openoffice.nl  +31(0)20-4214059