Giter VIP home page Giter VIP logo

Comments (9)

angristan avatar angristan commented on May 24, 2024 1

I already noticed it on angristan/openvpn-install#295.

Hetzner set the preferred_lft of the IPv6 block as 0 second, causing it to be deprecated right when you add another inet6.

I describe the temporary and permanent fix in the issue.

I was able to reproduce it again:

root@debian-2gb-nbg1-1:~# ip -6 -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4f8:c2c:8ebe::1/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::9400:ff:fe2d:532c/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever
root@debian-2gb-nbg1-1:~# ip -6 addr change 2a01:4f8:c2c:8ebe::1/64 dev eth0 preferred_lft forever
root@debian-2gb-nbg1-1:~# ip -6 -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4f8:c2c:8ebe::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9400:ff:fe2d:532c/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever

After changing the preferred_lft to forever, the inet6 is not deprecated and the server and clients regain IPv6 connectivity.

from wireguard-install.

quexten avatar quexten commented on May 24, 2024

Yeah this fixes it for me aswell. Would it make sense to add an automated fix for this to the installer?

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

I'm not sure if it's worth bloating the script of this.

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

Actually just issuing ip -6 addr change <ipv6>/64 dev eth0 works

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

So running a ping6 + tcpdump, here is what I found:

When wg is up the source is wg0's IP (which is not correct - this is the issue)

17:27:22.851776 IP6 (flowlabel 0x1e23e, hlim 64, next-header ICMPv6 (58) payload length: 64) fd42:42:42::1 > fra16s25-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 17

When wg is down (OR when wg is up + ip -6 addr...), the source IP is correct:

17:27:23.855798 IP6 (flowlabel 0xbdb1d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:c010:1031::1 > fra16s25-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 18
17:27:23.860748 IP6 (flowlabel 0xbdb1d, hlim 54, next-header ICMPv6 (58) payload length: 64) fra16s25-in-x0e.1e100.net > 2a01:4f8:c010:1031::1: [icmp6 sum ok] ICMP6, echo reply, seq 18

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

See src here:

root@debian-2gb-fsn1-1:~# ip route get 2a00:1450:4001:820::200e
2a00:1450:4001:820::200e from :: via fe80::1 dev eth0 src fd42:42:42::1 metric 1024 pref medium

Now I have to figure out why it's using this one.

The route don't seem bad:

root@debian-2gb-fsn1-1:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c010:1031::/64 dev eth0 proto kernel metric 256 pref medium
fd42:42:42::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

From: http://www.davidc.net/networking/ipv6-source-address-selection-linux

non-deprecated address(es) will be favored

So I think this really is the issue here, by default a clean Hetzner VM will have a single deprecated inet6, so all traffic will still go trough it, but once you add another inet6, the new one will be favored.

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

In the end, the issue was that the inet6 was assigned to the eth0:0 virtual interface: https://serverfault.com/questions/978664/how-is-preferred-lft-set-by-default-for-an-ipv6/

from wireguard-install.

angristan avatar angristan commented on May 24, 2024

https://angristan.xyz/fix-ipv6-hetzner-cloud/

from wireguard-install.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.