Hi,
I have the following situation: I have a VPS with openSUSE 15 Leap on
it. It has a public IPv6 address and connectivity with outside world
works correctly. I also have a whole /64 subnet to use (public address
is not in this subnet).
I want to configure WireGuard so that devices connected to it would have
addresses from my subnet (for now set by hand, I'll play with
autoconfiguration later) and connectivity to outside world.
My VPS operator requires that all IPv6 traffic should come out of my
public address.
Here's what I've got:
# ip -6 a
[...]
2: eth0: mtu 1500 state UP qlen 1000
inet6 {PUBLIC_IP}/64 scope global
valid_lft forever preferred_lft forever
[...]
3: wg0: mtu 1420 state UNKNOWN qlen 1000
inet6 {SUBNET}::1/64 scope global deprecated
valid_lft forever preferred_lft 0sec
# ip -6 r
local ::1 dev lo proto kernel metric 256 pref medium
{SUBNET}::/64 dev wg0 proto kernel metric 256 pref medium
{PUBLIC_IP_SUBNET}::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via {GATEWAY} dev eth0 src {PUBLIC_IP} metric 1024 pref medium
# sysctl -a | grep ipv6 | grep forwarding | grep -v mc_forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.wg0.forwarding = 1
# ping6 -c1 sixxs.net -I eth0
PING sixxs.net(nlams01.paphosting.net (2a02:898:146::2)) from
{PUBLIC_IP} eth0: 56 data bytes
64 bytes from nlams01.paphosting.net (2a02:898:146::2): icmp_seq=1
ttl=58 time=28.1 ms
--- sixxs.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 28.109/28.109/28.109/0.000 ms
# ping6 -c1 sixxs.net -I wg0
ping6: Warning: source address might be selected on device other than wg0.
PING sixxs.net(nlams01.paphosting.net (2a02:898:146::2)) from
{PUBLIC_IP} wg0: 56 data bytes
From {PUBLIC_IP} icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
--- sixxs.net ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
# ping6 -c1 {PUBLIC_IP} -I wg0
ping6: Warning: source address might be selected on device other than wg0.
PING {PUBLIC_IP}({PUBLIC_IP}) from {PUBLIC_IP} wg0: 56 data bytes
From {PUBLIC_IP} icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
--- {PUBLIC_IP} ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
The address at wg0 has status "deprecated", because, from what I've read, the command
# ip a change {SUBNET}::1 dev wg0 preferred_lft 0
should make connections not come out of this address.
But it seems it's not working, because if I run ping6 without the "-I"
option, it works the same as if I use "-I wg0".
iptables is managed by firewalld and wg0 interface is in "trusted" zone.
As I understand the output of the "ip6tables -L -nv" command, from this
interface all traffic (including FORWARD) is allowed.
Am I doing something wrong? Or is there something I'm not aware of?
Because my understanding is that packets from wg0 interface should be
forwarded to eth0 and from it further to the world. But that's not
happening and I don't even know how to find out what's really going on.
Any help is appreciated, no question is dumb, and don't assume anything
to be obvious.
--
Adam Mizerski
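As an added illustration, not part of the original message and not kernel code, the script below rebuilds the route table quoted above (RFC 3849 documentation prefixes stand in for the {SUBNET}, {PUBLIC_IP_SUBNET}, {PUBLIC_IP} and {GATEWAY} placeholders) and performs the same longest-prefix lookup the kernel does, with "ping6 -I wg0" modelled as restricting candidates to routes on wg0. The only route covering sixxs.net is the default via eth0, so a wg0-bound ping has no usable route at all; the "deprecated" flag set with preferred_lft 0 only influences source-address selection and never which route is chosen, which is why that test cannot tell you whether forwarding from peers works.

```python
import ipaddress

# Constructed stand-in for the `ip -6 r` output quoted in the message; the
# {SUBNET}, {PUBLIC_IP_SUBNET}, {PUBLIC_IP} and {GATEWAY} placeholders are
# replaced with RFC 3849 documentation addresses (2001:db8::/32).
ROUTE_TABLE = """\
local ::1 dev lo proto kernel metric 256 pref medium
2001:db8:aaaa::/64 dev wg0 proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2001:db8:1::1 dev eth0 src 2001:db8:1::2 metric 1024 pref medium
"""


def parse_routes(text):
    """Turn `ip -6 r` lines into dicts holding the fields a lookup needs."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "local":          # route type prefix, not a destination
            tok = tok[1:]
        dst = "::/0" if tok[0] == "default" else tok[0]
        fields = dict(zip(tok[1::2], tok[2::2]))   # "dev eth0 metric 256 ..." pairs
        routes.append({
            "net": ipaddress.ip_network(dst, strict=False),
            "dev": fields["dev"],
            "via": fields.get("via"),               # None means on-link
            "metric": int(fields.get("metric", 0)),
        })
    return routes


def lookup(routes, dst, oif=None):
    """Longest-prefix match as the kernel FIB does it. `oif` mimics binding the
    socket to a device (ping -I <dev>): only routes on that device qualify."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if addr in r["net"] and (oif is None or r["dev"] == oif)]
    if not candidates:
        return None   # kernel reports ENETUNREACH / "Destination unreachable"
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for dst, oif in [("2a02:898:146::2", None), ("2a02:898:146::2", "wg0"),
                     ("2001:db8:aaaa::5", None), ("2001:db8:1::2", "wg0")]:
        r = lookup(ROUTES, dst, oif)
        print(dst, "-I " + oif if oif else "", "->",
              "no route" if r is None else f"dev {r['dev']} via {r['via'] or 'on-link'}")
```

A forwarded packet from a peer address in 2001:db8:aaaa::/64 takes the same default route out of eth0, so it leaves with the peer's subnet address as source unless something rewrites it; that is the part the operator's "all traffic from the public address" requirement touches, and a capture on eth0 (tcpdump -ni eth0 ip6) from a peer rather than a server-side ping is the test that shows whether such packets go out and whether anything comes back.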