On Thu, Sep 6, 2018 at 11:01 PM Adam Mizerski <adam@mizerski.pl> wrote:
Hi,
I have the following situation: I have a VPS with openSUSE 15 Leap on it. It has a public IPv6 address and connectivity with the outside world works correctly. I also have a whole /64 subnet to use (the public address is not in this subnet).
I want to configure WireGuard so that devices connected to it would have addresses from my subnet (for now set by hand, I'll play with autoconfiguration later) and connectivity to outside world.
My VPS operator requires that all IPv6 traffic should come out of my public address.
Here's what I've got:
# ip -6 a
[...]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 {PUBLIC_IP}/64 scope global
       valid_lft forever preferred_lft forever
[...]
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 {SUBNET}::1/64 scope global deprecated
       valid_lft forever preferred_lft 0sec

# ip -6 r
local ::1 dev lo proto kernel metric 256 pref medium
{SUBNET}::/64 dev wg0 proto kernel metric 256 pref medium
{PUBLIC_IP_SUBNET}::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via {GATEWAY} dev eth0 src {PUBLIC_IP} metric 1024 pref medium

# sysctl -a | grep ipv6 | grep forwarding | grep -v mc_forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.wg0.forwarding = 1

# ping6 -c1 sixxs.net -I eth0
PING sixxs.net(nlams01.paphosting.net (2a02:898:146::2)) from {PUBLIC_IP} eth0: 56 data bytes
64 bytes from nlams01.paphosting.net (2a02:898:146::2): icmp_seq=1 ttl=58 time=28.1 ms

--- sixxs.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 28.109/28.109/28.109/0.000 ms

# ping6 -c1 sixxs.net -I wg0
ping6: Warning: source address might be selected on device other than wg0.
PING sixxs.net(nlams01.paphosting.net (2a02:898:146::2)) from {PUBLIC_IP} wg0: 56 data bytes
From {PUBLIC_IP} icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required

--- sixxs.net ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

# ping6 -c1 {PUBLIC_IP} -I wg0
ping6: Warning: source address might be selected on device other than wg0.
PING {PUBLIC_IP}({PUBLIC_IP}) from {PUBLIC_IP} wg0: 56 data bytes
From {PUBLIC_IP} icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required

--- {PUBLIC_IP} ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
The address on wg0 has status "deprecated" because, from what I've read, the command # ip a change {SUBNET}::1 dev wg0 preferred_lft 0 should make connections not come out of this address. But it seems it's not working,
According to the command output you provided, it *is* working: the deprecated address is not used. All your examples show PUBLIC_IP as the source address.
because if I run ping6 without the "-I" option, it works the same as if I use "-I wg0".
You forgot to show the command you used and its output, and to explain what is wrong with it from your point of view.
iptables is managed by firewalld and the wg0 interface is in the "trusted" zone. As I understand the output of the "ip6tables -L -nv" command, all traffic from this interface (including FORWARD) is allowed.
Am I doing something wrong? Or is there something I'm not aware of? Because my understanding is that packets from wg0 interface should be forwarded to eth0 and from it further to the world. But that's not happening and I don't even know how to find out what's really going on.
Any help is appreciated, no question is dumb, and don't assume anything to be obvious.
-- Adam Mizerski
-- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
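A diagnostic and fix sequence for the situation quoted above, added here as an example and not taken from the thread. It assumes the PUBLIC_IP and SUBNET placeholders and the eth0/wg0 names from the quoted output, and firewalld fronting ip6tables as on that VPS; the sixxs.net target is the one the poster used.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders PUBLIC_IP and SUBNET are
# the ones from the quoted output; run as root on the VPS.

# Build the ip6tables SNAT rule that rewrites the WireGuard subnet's source
# to PUBLIC_IP on egress through eth0, meeting the operator's requirement
# that all IPv6 traffic leave from the public address.
snat_rule() {
    # $1 = first 64 bits of the subnet, $2 = public address, $3 = egress interface
    printf -- '-o %s -s %s::/64 -j SNAT --to-source %s' "$3" "$1" "$2"
}

# Step 1: probe the forwarded path from the router itself. Binding the
# *address* (-I SUBNET::1) rather than the interface (-I wg0) lets the kernel
# pick the default route out eth0 with a subnet source, which is exactly what
# a forwarded client packet looks like. In the thread, "-I wg0" fails only
# because wg0 itself has no route to the internet, so it tests nothing useful.
probe_path() {
    ping6 -c1 -I "$1::1" sixxs.net
}

# Step 2: if probe_path fails while the eth0-sourced ping works, the operator
# is discarding packets whose source is not PUBLIC_IP. Add the SNAT through
# firewalld's direct interface so it survives a firewalld reload.
install_snat() {
    # shellcheck disable=SC2046  (word splitting of the rule is intended)
    firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 \
        $(snat_rule "$1" "$2" eth0) && firewall-cmd --reload
}

# Step 3: confirm forwarding end to end while a client behind wg0 pings:
# the FORWARD counters must rise and the packets must appear on eth0 with
# PUBLIC_IP as their source. Ctrl-C stops tcpdump.
observe() {
    ip6tables -L FORWARD -nv
    tcpdump -ni eth0 'ip6 and icmp6 and src host '"$1"
}

# Usage: SUBNET=2001:db8:1:2 PUBLIC_IP=2001:db8::1 sh wg-egress-check.sh
if [ -n "${SUBNET:-}" ] && [ -n "${PUBLIC_IP:-}" ]; then
    probe_path "$SUBNET" || install_snat "$SUBNET" "$PUBLIC_IP"
    observe "$PUBLIC_IP"
fi
```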