Comments (9)
I already noticed it on angristan/openvpn-install#295.
Hetzner set the preferred_lft of the IPv6 block to 0 seconds, causing it to be deprecated right when you add another inet6.
I describe the temporary and permanent fix in the issue.
I was able to reproduce it again:
root@debian-2gb-nbg1-1:~# ip -6 -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4f8:c2c:8ebe::1/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::9400:ff:fe2d:532c/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever
root@debian-2gb-nbg1-1:~# ip -6 addr change 2a01:4f8:c2c:8ebe::1/64 dev eth0 preferred_lft forever
root@debian-2gb-nbg1-1:~# ip -6 -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4f8:c2c:8ebe::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9400:ff:fe2d:532c/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever
After changing the preferred_lft to forever, the inet6 is not deprecated and the server and clients regain IPv6 connectivity.
from wireguard-install.
Yeah, this fixes it for me as well. Would it make sense to add an automated fix for this to the installer?
from wireguard-install.
I'm not sure if it's worth bloating the script for this.
from wireguard-install.
Actually just issuing ip -6 addr change <ipv6>/64 dev eth0 works
from wireguard-install.
So running a ping6 + tcpdump, here is what I found:
When wg is up the source is wg0's IP (which is not correct - this is the issue)
17:27:22.851776 IP6 (flowlabel 0x1e23e, hlim 64, next-header ICMPv6 (58) payload length: 64) fd42:42:42::1 > fra16s25-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 17
When wg is down (OR when wg is up + ip -6 addr...), the source IP is correct:
17:27:23.855798 IP6 (flowlabel 0xbdb1d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:c010:1031::1 > fra16s25-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 18
17:27:23.860748 IP6 (flowlabel 0xbdb1d, hlim 54, next-header ICMPv6 (58) payload length: 64) fra16s25-in-x0e.1e100.net > 2a01:4f8:c010:1031::1: [icmp6 sum ok] ICMP6, echo reply, seq 18
from wireguard-install.
See src here:
root@debian-2gb-fsn1-1:~# ip route get 2a00:1450:4001:820::200e
2a00:1450:4001:820::200e from :: via fe80::1 dev eth0 src fd42:42:42::1 metric 1024 pref medium
Now I have to figure out why it's using this one.
The routes don't seem bad:
root@debian-2gb-fsn1-1:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c010:1031::/64 dev eth0 proto kernel metric 256 pref medium
fd42:42:42::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium
from wireguard-install.
From: http://www.davidc.net/networking/ipv6-source-address-selection-linux
non-deprecated address(es) will be favored
So I think this really is the issue here: by default a clean Hetzner VM will have a single deprecated inet6, so all traffic will still go through it, but once you add another inet6, the new one will be favored.
from wireguard-install.
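Added example, not part of the thread or of the wireguard-install script: a shell check that classifies every global inet6 in "ip -6 addr" output as deprecated or preferred, which shows why wg0's address wins source selection, and prints the "ip -6 addr change" fix from the first comment for each deprecated one. The sample input is the output pasted in the first comment; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: spot global IPv6 addresses that are deprecated
# (preferred_lft 0sec) and would lose source-address selection.

# Sample input: the "ip -6 -c a" output pasted in the first comment.
sample_output() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4f8:c2c:8ebe::1/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::9400:ff:fe2d:532c/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever
EOF
}

# Reads "ip -6 addr" output on stdin (without -c colour codes) and prints
# "<state> <dev> <addr/prefix>" for each address with scope global.
classify_global_inet6() {
    awk '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); sub(/@.*$/, "", dev); next }
        $1 == "inet6" {
            addr = $2; is_global = 0
            for (i = 3; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "global") is_global = 1
            next
        }
        $1 == "valid_lft" && is_global {
            state = ($4 == "0sec") ? "deprecated" : "preferred"
            print state, dev, addr
        }
    '
}

# Prints (does not run) the fix from the thread for each deprecated address.
suggest_fix() {
    classify_global_inet6 | while read -r state dev addr; do
        if [ "$state" = deprecated ]; then
            echo "ip -6 addr change $addr dev $dev preferred_lft forever"
        fi
    done
}

sample_output | classify_global_inet6
sample_output | suggest_fix
```

On a live host, pipe "ip -6 addr show" into classify_global_inet6 instead of the sample.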
In the end, the issue was that the inet6 was assigned to the eth0:0 virtual interface: https://serverfault.com/questions/978664/how-is-preferred-lft-set-by-default-for-an-ipv6/
from wireguard-install.
https://angristan.xyz/fix-ipv6-hetzner-cloud/
from wireguard-install.