Development discussion of WireGuard
 help / color / Atom feed
* MacOS IPv6 not functioning without custom static route
@ 2020-07-15 12:14 Adam Cooper
  2020-07-21 13:12 ` Hasan Berkay Çağır
  0 siblings, 1 reply; 7+ messages in thread
From: Adam Cooper @ 2020-07-15 12:14 UTC (permalink / raw)
  To: wireguard

I'm using the latest MacOS client and have all the appropriate stuff
setup on my server (Ubuntu 18.04) to use NAT IPv6. This works for all
my other devices (android, ios, windows) in that I can access IPv6
only sites just fine.

But on my Mac I'm unable to reach IPv6 destinations that are not on
the VPN IPv6 network.

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9,
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11,
192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14,
192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6,
200.0.0.0/5, 208.0.0.0/4, ::/0, fd82:88::1/128

Should push all traffic correctly (the final local IPv6 route being
redundant I know).

What I'm finding is that the Wireguard client is creating a new tunnel
(utun1) and using that for all the defined routes in IPv4 but it is
not setting a default route for IPv6.

My system (and I don't really know why) has a preexisting tunnel
(utun0) which is set as default

default                          fe80::%utun0                 UGcI
     utun0

Wireguard is not creating a new default route pointing at utun1. If I
do that manually

sudo route add -inet6 ::/0 fe80::%utun1

Then everything works as expected.

The only thing I can think of is that Wireguard is seeing the existing
tunnel and that it is default and assuming it does not need to create
a route, even though that route is for a tunnel that Wireguard is not
responsible for. Is this a bug? What can I do?

Probably worth mentioning that I tried to replace ::/0 with ::/1,
8000::/1 but that just results in completely broken connectivity in
IPv6 and IPv4 - which may be another issue in and of itself.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-15 12:14 MacOS IPv6 not functioning without custom static route Adam Cooper
@ 2020-07-21 13:12 ` Hasan Berkay Çağır
  2020-07-21 13:29   ` Adam Cooper
  0 siblings, 1 reply; 7+ messages in thread
From: Hasan Berkay Çağır @ 2020-07-21 13:12 UTC (permalink / raw)
  To: Adam Cooper; +Cc: wireguard

On 15/07/2020 14:14, Adam Cooper wrote:
> ...
> Probably worth mentioning that I tried to replace ::/0 with ::/1,
> 8000::/1 but that just results in completely broken connectivity in
> IPv6 and IPv4 - which may be another issue in and of itself.

Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had 
a default route creation issue myself where I'm only trying to tunnel 
IPv6 through; and having this actually solved it.

$ netstat -nr
Routing tables
Internet:
...
Internet6:
Destination                             Gateway                         
Flags         Netif Expire
::/1                                    link#14                         
UCS           utun2
default                                 fe80::%utun0                    
UGcI          utun0
default                                 fe80::%utun1                    
UGcI          utun1
default                                 fe80::%utun3                    
UGcI          utun3
default                                 [ public IPv6 ]                 
UGcI          utun2

If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it 
a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created 
properly?

Best,
Berkay

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-21 13:12 ` Hasan Berkay Çağır
@ 2020-07-21 13:29   ` Adam Cooper
  2020-07-21 13:49     ` Hasan Berkay Çağır
  2020-07-21 13:50     ` Adam Cooper
  0 siblings, 2 replies; 7+ messages in thread
From: Adam Cooper @ 2020-07-21 13:29 UTC (permalink / raw)
  To: Hasan Berkay Çağır; +Cc: wireguard

Mmm. It looks like unticking "Exclude Private IPs" and entering
"0.0.0.0/0, ::/1, 8000::/1" gives me a functional setup. Trouble is I
don't want to route the private IPs and ticking the box (whilst
retaining '::/1, 8000::/1') allows no traffic at all. There's
something odd about the way the client is configuring routes but I've
not got the expertise to figure it out :(

On Tue, 21 Jul 2020 at 14:12, Hasan Berkay Çağır <berkay@cagir.me> wrote:
>
> On 15/07/2020 14:14, Adam Cooper wrote:
> > ...
> > Probably worth mentioning that I tried to replace ::/0 with ::/1,
> > 8000::/1 but that just results in completely broken connectivity in
> > IPv6 and IPv4 - which may be another issue in and of itself.
>
> Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had
> a default route creation issue myself where I'm only trying to tunnel
> IPv6 through; and having this actually solved it.
>
> $ netstat -nr
> Routing tables
> Internet:
> ...
> Internet6:
> Destination                             Gateway
> Flags         Netif Expire
> ::/1                                    link#14
> UCS           utun2
> default                                 fe80::%utun0
> UGcI          utun0
> default                                 fe80::%utun1
> UGcI          utun1
> default                                 fe80::%utun3
> UGcI          utun3
> default                                 [ public IPv6 ]
> UGcI          utun2
>
> If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it
> a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created
> properly?
>
> Best,
> Berkay

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-21 13:29   ` Adam Cooper
@ 2020-07-21 13:49     ` Hasan Berkay Çağır
  2020-07-21 13:58       ` Adam Cooper
  2020-07-21 13:50     ` Adam Cooper
  1 sibling, 1 reply; 7+ messages in thread
From: Hasan Berkay Çağır @ 2020-07-21 13:49 UTC (permalink / raw)
  To: Adam Cooper; +Cc: wireguard

Are you sure that private IPs get routed through WG while AllowedIPs is 
"0.0.0.0/0, ::/1, 8000::/1"? I have just tried to ping my local router 
whilst connected to a tunnel with "0.0.0.0/0, ::/1, 8000::/1" and didn't 
have a problem.

I mean, the way which makes sense is that AllowedIPs should work with 
your configuration and we wouldn't even have this conversation, however 
there are some things awkwardly different on the MacOS version from the 
GNU/Linux versions of WG client(s), so I think it might help to try 
every variation.

Best,
Berkay

On 21.07.20 15:29, Adam Cooper wrote:
> Mmm. It looks like unticking "Exclude Private IPs" and entering
> "0.0.0.0/0, ::/1, 8000::/1" gives me a functional setup. Trouble is I
> don't want to route the private IPs and ticking the box (whilst
> retaining '::/1, 8000::/1') allows no traffic at all. There's
> something odd about the way the client is configuring routes but I've
> not got the expertise to figure it out :(
> 
> On Tue, 21 Jul 2020 at 14:12, Hasan Berkay Çağır <berkay@cagir.me> wrote:
>>
>> On 15/07/2020 14:14, Adam Cooper wrote:
>>> ...
>>> Probably worth mentioning that I tried to replace ::/0 with ::/1,
>>> 8000::/1 but that just results in completely broken connectivity in
>>> IPv6 and IPv4 - which may be another issue in and of itself.
>>
>> Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had
>> a default route creation issue myself where I'm only trying to tunnel
>> IPv6 through; and having this actually solved it.
>>
>> $ netstat -nr
>> Routing tables
>> Internet:
>> ...
>> Internet6:
>> Destination                             Gateway
>> Flags         Netif Expire
>> ::/1                                    link#14
>> UCS           utun2
>> default                                 fe80::%utun0
>> UGcI          utun0
>> default                                 fe80::%utun1
>> UGcI          utun1
>> default                                 fe80::%utun3
>> UGcI          utun3
>> default                                 [ public IPv6 ]
>> UGcI          utun2
>>
>> If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it
>> a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created
>> properly?
>>
>> Best,
>> Berkay

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-21 13:29   ` Adam Cooper
  2020-07-21 13:49     ` Hasan Berkay Çağır
@ 2020-07-21 13:50     ` Adam Cooper
  1 sibling, 0 replies; 7+ messages in thread
From: Adam Cooper @ 2020-07-21 13:50 UTC (permalink / raw)
  To: Hasan Berkay Çağır; +Cc: wireguard

As an additional datapoint it looks like if I remove '::/0' at all
(either replaced with the ::/1 8000:/1 rules or just removed outright)
I appear to lose outbound traffic UNLESS I'm allowing 0.0.0.0/0. Which
doesn't make much sense as one is an IPv4 rule and the other isn't.
This is what it currently look like (pseudocode for brevity)

$IPV4_IPS = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9,
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11,
192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14,
192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6,
200.0.0.0/5, 208.0.0.0/4

AllowedIPs = $IPV4_IPS, ::/0, fd82:88::1/128 -- IPv4 WORKS, IPv6 ONLY
ROUTES fd82:88::1
AllowedIPs = $IPV4_IPS, fd82:88::1/128 -- IPv4 AND IPv6 DO NOT WORK
AllowedIPs = $IPV4_IPS, ::/1, 8000::/1, fd82:88::1/128 --  IPv4 AND
IPv6 DO NOT WORK
AllowedIPs = 0.0.0.0/0, ::/1, 8000::/1 --  IPv4 AND IPv6 WORK

On Tue, 21 Jul 2020 at 14:29, Adam Cooper <adam@acpr.dev> wrote:
>
> Mmm. It looks like unticking "Exclude Private IPs" and entering
> "0.0.0.0/0, ::/1, 8000::/1" gives me a functional setup. Trouble is I
> don't want to route the private IPs and ticking the box (whilst
> retaining '::/1, 8000::/1') allows no traffic at all. There's
> something odd about the way the client is configuring routes but I've
> not got the expertise to figure it out :(
>
> On Tue, 21 Jul 2020 at 14:12, Hasan Berkay Çağır <berkay@cagir.me> wrote:
> >
> > On 15/07/2020 14:14, Adam Cooper wrote:
> > > ...
> > > Probably worth mentioning that I tried to replace ::/0 with ::/1,
> > > 8000::/1 but that just results in completely broken connectivity in
> > > IPv6 and IPv4 - which may be another issue in and of itself.
> >
> > Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had
> > a default route creation issue myself where I'm only trying to tunnel
> > IPv6 through; and having this actually solved it.
> >
> > $ netstat -nr
> > Routing tables
> > Internet:
> > ...
> > Internet6:
> > Destination                             Gateway
> > Flags         Netif Expire
> > ::/1                                    link#14
> > UCS           utun2
> > default                                 fe80::%utun0
> > UGcI          utun0
> > default                                 fe80::%utun1
> > UGcI          utun1
> > default                                 fe80::%utun3
> > UGcI          utun3
> > default                                 [ public IPv6 ]
> > UGcI          utun2
> >
> > If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it
> > a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created
> > properly?
> >
> > Best,
> > Berkay

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-21 13:49     ` Hasan Berkay Çağır
@ 2020-07-21 13:58       ` Adam Cooper
  2020-07-21 14:03         ` Hasan Berkay Çağır
  0 siblings, 1 reply; 7+ messages in thread
From: Adam Cooper @ 2020-07-21 13:58 UTC (permalink / raw)
  To: Hasan Berkay Çağır; +Cc: wireguard

Wow. So I'd made the assumption that this is just what I needed to do
to access lan resources.

Turns out "0.0.0.0/0, ::/1, 8000::/1" will allow that just fine on
OSX. I still get a broken system if I specify ::/0 as the default
route doesn't appear to get created but with using ::/1 8000::/1 it
seems to work around that.

Problem solved! Thank you.

Though it's not at all intuitive or expected. Is there some issue
queue or something this can be added to for the OSX client
application?

Thanks
Adam

On Tue, 21 Jul 2020 at 14:49, Hasan Berkay Çağır <berkay@cagir.me> wrote:
>
> Are you sure that private IPs get routed through WG while AllowedIPs is
> "0.0.0.0/0, ::/1, 8000::/1"? I have just tried to ping my local router
> whilst connected to a tunnel with "0.0.0.0/0, ::/1, 8000::/1" and didn't
> have a problem.
>
> I mean, the way which makes sense is that AllowedIPs should work with
> your configuration and we wouldn't even have this conversation, however
> there are some things awkwardly different on the MacOS version from the
> GNU/Linux versions of WG client(s), so I think it might help to try
> every variation.
>
> Best,
> Berkay
>
> On 21.07.20 15:29, Adam Cooper wrote:
> > Mmm. It looks like unticking "Exclude Private IPs" and entering
> > "0.0.0.0/0, ::/1, 8000::/1" gives me a functional setup. Trouble is I
> > don't want to route the private IPs and ticking the box (whilst
> > retaining '::/1, 8000::/1') allows no traffic at all. There's
> > something odd about the way the client is configuring routes but I've
> > not got the expertise to figure it out :(
> >
> > On Tue, 21 Jul 2020 at 14:12, Hasan Berkay Çağır <berkay@cagir.me> wrote:
> >>
> >> On 15/07/2020 14:14, Adam Cooper wrote:
> >>> ...
> >>> Probably worth mentioning that I tried to replace ::/0 with ::/1,
> >>> 8000::/1 but that just results in completely broken connectivity in
> >>> IPv6 and IPv4 - which may be another issue in and of itself.
> >>
> >> Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had
> >> a default route creation issue myself where I'm only trying to tunnel
> >> IPv6 through; and having this actually solved it.
> >>
> >> $ netstat -nr
> >> Routing tables
> >> Internet:
> >> ...
> >> Internet6:
> >> Destination                             Gateway
> >> Flags         Netif Expire
> >> ::/1                                    link#14
> >> UCS           utun2
> >> default                                 fe80::%utun0
> >> UGcI          utun0
> >> default                                 fe80::%utun1
> >> UGcI          utun1
> >> default                                 fe80::%utun3
> >> UGcI          utun3
> >> default                                 [ public IPv6 ]
> >> UGcI          utun2
> >>
> >> If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it
> >> a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created
> >> properly?
> >>
> >> Best,
> >> Berkay

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: MacOS IPv6 not functioning without custom static route
  2020-07-21 13:58       ` Adam Cooper
@ 2020-07-21 14:03         ` Hasan Berkay Çağır
  0 siblings, 0 replies; 7+ messages in thread
From: Hasan Berkay Çağır @ 2020-07-21 14:03 UTC (permalink / raw)
  To: Adam Cooper; +Cc: wireguard

Glad to hear that, you’re welcome.

There is definitely something weird happening with having ::/0 in AllowedIPs on MacOS. In my situation too that the client were generating a default IPv4 route and I had to tunnel my IPv4 too until I discovered the “::/1, 8000::/1“ trick.

Best,
Berkay

> On 21. Jul 2020, at 15:58, Adam Cooper <adam@acpr.dev> wrote:
> 
> Wow. So I'd made the assumption that this is just what I needed to do
> to access lan resources.
> 
> Turns out "0.0.0.0/0, ::/1, 8000::/1" will allow that just fine on
> OSX. I still get a broken system if I specify ::/0 as the default
> route doesn't appear to get created but with using ::/1 8000::/1 it
> seems to work around that.
> 
> Problem solved! Thank you.
> 
> Though it's not at all intuitive or expected. Is there some issue
> queue or something this can be added to for the OSX client
> application?
> 
> Thanks
> Adam
> 
>> On Tue, 21 Jul 2020 at 14:49, Hasan Berkay Çağır <berkay@cagir.me> wrote:
>> 
>> Are you sure that private IPs get routed through WG while AllowedIPs is
>> "0.0.0.0/0, ::/1, 8000::/1"? I have just tried to ping my local router
>> whilst connected to a tunnel with "0.0.0.0/0, ::/1, 8000::/1" and didn't
>> have a problem.
>> 
>> I mean, the way which makes sense is that AllowedIPs should work with
>> your configuration and we wouldn't even have this conversation, however
>> there are some things awkwardly different on the MacOS version from the
>> GNU/Linux versions of WG client(s), so I think it might help to try
>> every variation.
>> 
>> Best,
>> Berkay
>> 
>>> On 21.07.20 15:29, Adam Cooper wrote:
>>> Mmm. It looks like unticking "Exclude Private IPs" and entering
>>> "0.0.0.0/0, ::/1, 8000::/1" gives me a functional setup. Trouble is I
>>> don't want to route the private IPs and ticking the box (whilst
>>> retaining '::/1, 8000::/1') allows no traffic at all. There's
>>> something odd about the way the client is configuring routes but I've
>>> not got the expertise to figure it out :(
>>> 
>>> On Tue, 21 Jul 2020 at 14:12, Hasan Berkay Çağır <berkay@cagir.me> wrote:
>>>> 
>>>> On 15/07/2020 14:14, Adam Cooper wrote:
>>>>> ...
>>>>> Probably worth mentioning that I tried to replace ::/0 with ::/1,
>>>>> 8000::/1 but that just results in completely broken connectivity in
>>>>> IPv6 and IPv4 - which may be another issue in and of itself.
>>>> 
>>>> Did you try only having "::/1, 8000::/1" in the AllowedIPs option? I had
>>>> a default route creation issue myself where I'm only trying to tunnel
>>>> IPv6 through; and having this actually solved it.
>>>> 
>>>> $ netstat -nr
>>>> Routing tables
>>>> Internet:
>>>> ...
>>>> Internet6:
>>>> Destination                             Gateway
>>>> Flags         Netif Expire
>>>> ::/1                                    link#14
>>>> UCS           utun2
>>>> default                                 fe80::%utun0
>>>> UGcI          utun0
>>>> default                                 fe80::%utun1
>>>> UGcI          utun1
>>>> default                                 fe80::%utun3
>>>> UGcI          utun3
>>>> default                                 [ public IPv6 ]
>>>> UGcI          utun2
>>>> 
>>>> If just "::/1, 8000::/1" solves the IPv6 issue, I guess you can give it
>>>> a try with "0.0.0.0/0, ::/1, 8000::/1" to see if both routes are created
>>>> properly?
>>>> 
>>>> Best,
>>>> Berkay


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-15 12:14 MacOS IPv6 not functioning without custom static route Adam Cooper
2020-07-21 13:12 ` Hasan Berkay Çağır
2020-07-21 13:29   ` Adam Cooper
2020-07-21 13:49     ` Hasan Berkay Çağır
2020-07-21 13:58       ` Adam Cooper
2020-07-21 14:03         ` Hasan Berkay Çağır
2020-07-21 13:50     ` Adam Cooper

Development discussion of WireGuard

Archives are clonable: git clone --mirror http://inbox.vuxu.org/wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git