burghardt / easy-wg-quick

Creates Wireguard configuration for hub and peers with ease
GNU General Public License v2.0

NDP Proxy - how to verify its working? #64

Closed TheLinuxGuy closed 3 years ago

TheLinuxGuy commented 3 years ago

I appreciate the work in putting together a quick script that can turn a VPS into an easy dual-stack wireguard gateway. I'm trying to get IPv6 from my VPS to be reachable from the internet through the wireguard tunnel.

The script seems to set this up correctly - but I am not sure how to validate that my client is receiving the NDP packets. VPS is Debian 10 and the client is Windows 10 using the official WireGuard client.

root@straw:~# sysctl net.ipv6.conf.all.proxy_ndp
net.ipv6.conf.all.proxy_ndp = 1
root@straw:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
root@straw:~# ping 2607:f1c0:1801:195:40::10
PING 2607:f1c0:1801:195:40::10(2607:f1c0:1801:195:40::10) 56 data bytes
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=1 ttl=128 time=87.3 ms
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=2 ttl=128 time=93.0 ms
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=3 ttl=128 time=84.8 ms

The VPS itself can ping the client thru the tunnel - but when I try to access the IPv6 unicast from anywhere else like https://tools.keycdn.com/ipv6-ping - it fails. Other websites that should be working are indicating I don't have an IPv6 address http://test-ipv6.com/ and https://ipv6-test.com/

I carried out a simple install on a dummy VPS with throwaway IPv6 addresses just to test and learn, here's the exact steps done after wireguard was installed.

   wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
   chmod +x easy-wg-quick
   echo proxy_ndp > ipv6mode.txt
   ip a
   echo 2607:f1c0:1801:195:40:: > intnet6address.txt
   echo /112 > intnet6mask.txt

The windows NDP table shows "Probe" on it but never changes.

Interface 38: ionos

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
::                                                               Permanent
2001:478:65::53                                                  Stale
2001:4860:4860::8888                                             Stale
2600:1407:21:281::2c1a                                           Stale
2600:1407:21:298::2c1a                                           Unreachable
2606:4700::6812:1ad3                                             Stale
2606:4700::6812:1bd3                                             Unreachable
2606:4700:4700::1111                                             Unreachable
2607:f1c0:1801:195:40::1                                         Probe
...
ff02::2                                                          Permanent
ff02::16                                                         Permanent
ff02::fb                                                         Permanent
ff02::1:3                                                        Permanent
ff02::1:ff00:10                                                  Permanent
ff02::1:ff2f:9883                                                Permanent

Any pointers on what I may have missed or what else to check to make this work?
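A hub-side verification script for the checks asked about above (added example, not part of easy-wg-quick or the reporter's setup). It uses the peer address and interface names from the issue, and assumes that easy-wg-quick's proxy_ndp mode installs a per-peer `ip -6 neigh add proxy` entry and that `ip`/`tcpdump` print the line formats shown in the comments; each check takes command output as text so it can be run on constructed samples.

```shell
#!/bin/sh
# Added example (not part of easy-wg-quick): offline-testable checks for an
# NDP-proxy WireGuard hub. Each check takes command output as text, so the
# logic runs on constructed samples; check_live() feeds it real output.
# Assumed layout: peer address 2607:f1c0:1801:195:40::10 proxied on eth0.

# Succeeds when the given sysctl output reports the key as 1.
# $1 = key, $2 = output of "sysctl <key>" (e.g. "net.ipv6.conf.all.proxy_ndp = 1")
sysctl_is_one() {
    printf '%s\n' "$2" | grep -q "^$1 = 1\$"
}

# The kernel answers solicitations only for addresses that have a proxy entry
# on the WAN interface, so the peer must appear in "ip -6 neigh show proxy".
# $1 = peer address, $2 = WAN interface, $3 = output of "ip -6 neigh show proxy"
# (assumed format: "<addr> dev <iface> proxy", one entry per line)
proxy_entry_present() {
    printf '%s\n' "$3" | grep -qi "^$1 dev $2 proxy"
}

# Count neighbor advertisements in tcpdump text; solicitations with zero
# advertisements means nothing on the link is answering for the peer.
# $1 = output of "tcpdump -lni <wan> icmp6" (assumed "ICMP6, neighbor advertisement" lines)
count_na() {
    printf '%s\n' "$1" | grep -c 'neighbor advertisement' || true
}

# Run the checks on the hub itself (needs root for tcpdump); prints one
# PASS/FAIL line per check and returns non-zero if any check failed.
# $1 = peer address, $2 = WAN interface, $3 = capture seconds (default 10)
check_live() {
    peer=$1 wan=$2 secs=${3:-10} rc=0
    sysctl_is_one net.ipv6.conf.all.proxy_ndp "$(sysctl net.ipv6.conf.all.proxy_ndp)" \
        && echo "PASS proxy_ndp=1" || { echo "FAIL proxy_ndp not enabled"; rc=1; }
    sysctl_is_one net.ipv6.conf.all.forwarding "$(sysctl net.ipv6.conf.all.forwarding)" \
        && echo "PASS forwarding=1" || { echo "FAIL forwarding not enabled"; rc=1; }
    proxy_entry_present "$peer" "$wan" "$(ip -6 neigh show proxy)" \
        && echo "PASS proxy entry for $peer on $wan" \
        || { echo "FAIL no proxy entry: expected 'ip -6 neigh add proxy $peer dev $wan'"; rc=1; }
    # Ping the peer from outside during this capture window to see who answers.
    cap=$(timeout "$secs" tcpdump -lni "$wan" icmp6 2>/dev/null || true)
    [ "$(count_na "$cap")" -gt 0 ] \
        && echo "PASS neighbor advertisements seen on $wan" \
        || { echo "FAIL solicitations unanswered on $wan (upstream filtering?)"; rc=1; }
    return $rc
}
```

Run `check_live 2607:f1c0:1801:195:40::10 eth0` on the hub while pinging the peer address from an external host; the last check is the one that distinguishes a hub misconfiguration from the provider-side filtering discussed later in the thread.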

TheLinuxGuy commented 3 years ago

Adding some additional stuff I have tried in case anyone has any suggestions. Apparently KVM VPS providers have some kind of arp spoofing protection called 'ebtables' - I asked my provider who has disabled this - I reset my VPS and started again from scratch. Results are the same. IPv6 address assigned to wg-client10 is not pingable from the internet to the client.

When doing a tcpdump on the 'wghub' interface on the server, I see wg-client making ICMPv6 neighbor solicitation but getting no responses from upstream.

This may explain the unreachable ip6 neigh show table. If I look at eth0 (wan) on the VPS, every time I try to ping the wgclient IPv6 address - a request comes in 'who has' and a response is provided. Yet still the IPv6 on wgclient remains unreachable outside of the VPS itself and the internet. I'm not sure what else to check?

burghardt commented 3 years ago

Did your VPS provider assign a network of /64 to your VPS? Are you able to use more than one unicast IPv6 address with this VPS?

TheLinuxGuy commented 3 years ago

> Did your VPS provider assign a network of /64 to your VPS? Are you able to use more than one unicast IPv6 address with this VPS?

Yes, I have a routable /64 and can assign IPv6 within the /64 segment to the eth0 and it's pingable outside the wg tunnel.

Looks like my KVM VPS provider may have not reset ebtables correctly the first time I requested them to do it, after I asked them to do it a second time now my IPv6 is working and pingable via anywhere (https://tools.keycdn.com/ipv6-ping) and traffic is going thru wireguard. Hope this helps someone - your script makes it very easy to setup.

burghardt commented 3 years ago

When the hosting provider did the ebtables setup, the configuration created by easy-wg-quick script just worked, right? Was the ping command enough to test (i.e., ping tunnel endpoint from the Internet)?

TheLinuxGuy commented 3 years ago

> When the hosting provider did the ebtables setup, the configuration created by easy-wg-quick script just worked, right? Was the ping command enough to test (i.e., ping tunnel endpoint from the Internet)?

Ping tests to the single IPv6 assigned to the WG peer did work and respond from the internet with ebtables disabled.

NDP proxy is not needed if you can get a routed IPv6 allocation from the ISP provider. I had two different kinds of VMs that I tested against. buyvm.net provides a routed IPv6 /48 to a $2 VM, if someone wants to try that; if they wanted to grant a full /64 IPv6 to a peer, it works without NDP proxy.

burghardt commented 3 years ago

Thank you for sharing your experience. I'm closing this ticket.