maple3142 / cf-warp

MIT License

IPv6 doesn't work by default #9

Closed paulcarroty closed 4 years ago

paulcarroty commented 4 years ago

Interface is up and gets address 2a09:bac0::/32, but Linux ignores it and prefers IPv4. More info

maple3142 commented 4 years ago

I don't have an IPv6 connection to test, so this needs others to investigate and fix.

paulcarroty commented 4 years ago

You don't need to have IPv6; you'll get it from CF WARP.

paulcarroty commented 4 years ago

It works (ugly hack, scroll below). Modify cf-warp.conf to

Address = 'replace `fd01:5ca1` to `2001:db8` in local ipv6 address, it will be 3rd address'
PostUp = ip6tables -t nat -I POSTROUTING 1 -o %i -j SNAT --to-source ipv6_local_address
PreDown = ip6tables -t nat -D POSTROUTING 1 

Tests:

$ ping -c1 google.com
PING google.com(waw02s14-in-x0e.1e100.net (2a00:1450:401b:805::200e)) 56 data bytes
64 bytes from waw02s14-in-x0e.1e100.net (2a00:1450:401b:805::200e): icmp_seq=1 ttl=58 time=38.3 ms

$ curl -v google.com
*   Trying 2a00:1450:401b:804::200e:80...
* TCP_NODELAY set
* Connected to google.com (2a00:1450:401b:804::200e) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.68.0
> Accept: */*
> 

credits @oskar456

maple3142 commented 4 years ago

Using that will only work on Linux though.

paulcarroty commented 4 years ago

Yeah, routing will be different for Windows & macOS, so platform-specific configs are needed. Also we need more testing on non-Linux OSes.

maple3142 commented 4 years ago

I think the config should be platform-independent. Maybe WireGuard has some config option to let you do that easily? But I am not familiar with WireGuard, so I don't even know if it is possible to do that.

paulcarroty commented 4 years ago

As far as I checked, no. I can write a patch to generate a Linux config, or you can add a note to the README.

syphyr commented 4 years ago

You may also want to consider nftables support for ipv6 on linux.

nftables rules (disable if iptables is used):

PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat prerouting { type nat hook prerouting priority 0\; }
PostUp = nft add chain ip6 nat postrouting { type nat hook postrouting priority 100\; }
PostUp = nft insert rule ip6 nat postrouting oifname %i counter snat to ipv6_local_address
PreDown = nft delete table ip6 nat

paulcarroty commented 4 years ago

Doesn't iptables use nftables on backend now?

syphyr commented 4 years ago

I believe iptables is currently deprecated and being replaced by nftables in the 5.x kernel.

oskar456 commented 4 years ago

It works. Modify cf-warp.conf to

Address = 'replace `fd01:5ca1` to `2001:db8` in local ipv6 address, it will be 3rd address'
PostUp = ip6tables -t nat -I POSTROUTING 1 -o %i -j SNAT --to-source ipv6_local_address
PreDown = ip6tables -t nat -D POSTROUTING 1 

This is actually an ugly hack: IPv6 NAT in order to get a globally routable IPv6 address instead of a ULA address. This indeed only works with Linux and iptables. So it's certainly unsafe to put it into the default config file (maybe only as a commented-out default).

Instead I hope Cloudflare will eventually change IPv6 prefix to some globally unique address.

Doesn't iptables use nftables on backend now?

It depends on the Linux distribution. Classical iptables still works, but it is not recommended to combine nftables and iptables rules, although it is technically possible.

paulcarroty commented 4 years ago

Got it working without NAT&iptables.

abbyck commented 3 years ago

Got it working without NAT&iptables. @paulcarroty could you explain how?

paulcarroty commented 3 years ago

@abbyck when the tunnel connects to the endpoint, the network interface gets an IP from the fd01::/16 subnet and Linux ignores it because it's a private address. You can fix it by editing precedences in /etc/gai.conf:

label       ::1/128        0
label       ::/0           1
label       2002::/16      2
label       fd01::/16      1
label       ::/96          3
label       ::ffff:0:0/96  4
precedence  ::1/128        50
precedence  ::/0           40
precedence  fd01::/16      40
precedence  2002::/16      30
precedence  ::/96          20
precedence  ::ffff:0:0/96  10
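Both workarounds in this thread (the ip6tables/nftables SNAT trick that gives the interface a 2001:db8 address, and the /etc/gai.conf edit above) attack the same mechanism: getaddrinfo sorts destination addresses per RFC 6724, and Rule 5 ("prefer matching label") ranks an IPv4 destination above an IPv6 destination whenever the only IPv6 source is a ULA, because glibc's default table labels fc00::/7 differently from the global ::/0 destinations. The script below is an added example (not code from cf-warp or from anyone in this thread) that models Rules 5 and 6 over gai.conf-style tables so the three cases can be compared offline. It assumes: the glibc built-in label/precedence table as documented in gai.conf(5); constructed candidate addresses (the IPv6 destination is the one from the ping output above, the IPv4 destination and source are RFC 5737 documentation addresses, and the fd01:5ca1 and 2001:db8 sources are hypothetical). The other RFC 6724 rules are not modelled; in this scenario Rule 2 (scope) does not separate the candidates, since ULAs are global scope in RFC 6724 terms.

```python
"""RFC 6724 Rules 5 and 6 over gai.conf tables (added example, not cf-warp code)."""
import ipaddress

# glibc's built-in table, used when /etc/gai.conf has no label/precedence lines.
DEFAULT_GAI_CONF = """
label  ::1/128       0
label  ::/0          1
label  2002::/16     2
label  ::/96         3
label  ::ffff:0:0/96 4
label  fec0::/10     5
label  fc00::/7      6
label  2001:0::/32   7
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence  ::/96         20
precedence  ::ffff:0:0/96 10
"""

# The table from the comment above: fd01::/16 gets the same label and
# precedence as ::/0, so a WARP ULA source no longer mismatches a global
# destination and the fc00::/7 entry is simply absent.
PATCHED_GAI_CONF = """
label  ::1/128       0
label  ::/0          1
label  2002::/16     2
label  fd01::/16     1
label  ::/96         3
label  ::ffff:0:0/96 4
precedence  ::1/128       50
precedence  ::/0          40
precedence  fd01::/16     40
precedence  2002::/16     30
precedence  ::/96         20
precedence  ::ffff:0:0/96 10
"""


def parse_gai_conf(text):
    """Parse 'label <prefix> <n>' / 'precedence <prefix> <n>' lines."""
    table = {"label": [], "precedence": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, prefix, value = line.split()
            table[kind].append((ipaddress.IPv6Network(prefix), int(value)))
    return table


def to_v6(addr):
    """IPv4 is compared as ::ffff:a.b.c.d, which is how getaddrinfo treats it."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def lookup(entries, addr):
    """Longest-prefix match, the semantics gai.conf tables use."""
    best = None
    for net, value in entries:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None


def rank(table, dest, src):
    """Sort key for a (destination, chosen source) pair; larger wins.
    Rule 5: matching label beats mismatched label. Rule 6: higher
    destination precedence breaks the tie."""
    d, s = to_v6(dest), to_v6(src)
    label_match = lookup(table["label"], d) == lookup(table["label"], s)
    return (label_match, lookup(table["precedence"], d))


def order_destinations(conf_text, candidates):
    """candidates: [(destination, source the kernel would pick for it)].
    Returns destinations in the order getaddrinfo would hand them out."""
    table = parse_gai_conf(conf_text)
    ranked = sorted(candidates, key=lambda c: rank(table, *c), reverse=True)
    return [dest for dest, _ in ranked]


# Constructed candidates: AAAA reachable only through the WARP tunnel with a
# ULA source (hypothetical address in the fd01:5ca1 range), A via the LAN.
ULA_CANDIDATES = [
    ("2a00:1450:401b:805::200e", "fd01:5ca1:ab1e::2"),
    ("198.51.100.10", "192.0.2.10"),
]
# Same, but with the ip6tables/nftables hack: interface address rewritten
# to a hypothetical 2001:db8 address and SNATed back to the ULA.
HACK_CANDIDATES = [
    ("2a00:1450:401b:805::200e", "2001:db8:ab1e::2"),
    ("198.51.100.10", "192.0.2.10"),
]

if __name__ == "__main__":
    print("default table, ULA source:     ", order_destinations(DEFAULT_GAI_CONF, ULA_CANDIDATES))
    print("patched table, ULA source:     ", order_destinations(PATCHED_GAI_CONF, ULA_CANDIDATES))
    print("default table, 2001:db8 source:", order_destinations(DEFAULT_GAI_CONF, HACK_CANDIDATES))
```

With the default table the ULA source carries label 6 while the destination carries label 1, so the IPv4 pair (both label 4) wins on Rule 5 and IPv4 is tried first. With the patched table or the 2001:db8 interface address the labels match on both pairs, and Rule 6 then prefers the IPv6 destination (precedence 40 over 10). One thing to keep in mind when copying the gai.conf above: per gai.conf(5), as soon as a single label or precedence line is present the whole built-in table is discarded, which is why the posted file restates every default entry rather than adding just the fd01::/16 lines.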