tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

chromeos blackholes IPv6 in VPN overlays #3511

Open kgersen opened 2 years ago

kgersen commented 2 years ago

What is the issue?

Chromeos machine with dual stack native ipv4 & ipv6 connectivity.
Everything working fine (https://ipv6-test.com/ green light for both protocols).
Install and launch the Android client of Tailscale.
Register and activate the client.
ipv6 not working anymore for Chrome (https://ipv6-test.com/ = no ipv6).
ipv6 not working anymore for Linux apps too.
ipv6 is still working for Android apps (tested using Firefox focus android app).

Deactivating tailscale (using the toggle on the client ui) reactivates IPv6 for Chrome and Linux apps. No exit point configured or used.

Steps to reproduce

just install, launch and activate the Tailscale Android client.

Using the chromeos terminal (ctrl-alt-t then shell, not Linux apps (Crostini)) to diagnose further.

Getting route for google public dns (2001:4860:4860::8888) with tailscale inactive:

chronos@localhost / $ ip route get 2001:4860:4860::8888
2001:4860:4860::8888 via fe80::xxxx:xxx:xxxx dev wlan0 table 1002 proto ra src 2a05:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx metric 10 pref medium

with tailscale active:

chronos@localhost / $ ip route get 2001:4860:4860::8888
RTNETLINK answers: Invalid argument

Are there any recent changes that introduced the issue?

not that I know of

OS

Other

OS version

chromeos v98 (dev)

Tailscale version

Android 1.18.0

Bug report

No response
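The before/after `ip route get` comparison from the report above, written as a repeatable check. This is an added example, not part of the original issue and not Tailscale code; the function names route6_dev and compare_route6 are hypothetical, the two SAMPLE_ values are the outputs quoted in the report, and any "RTNETLINK answers:" reply is assumed to mean there is no usable route.

```shell
#!/bin/sh
# Added example: classify `ip -6 route get` output captured with the VPN off and on.

# Outputs quoted in the report (addresses were already masked there).
SAMPLE_OFF='2001:4860:4860::8888 via fe80::xxxx:xxx:xxxx dev wlan0 table 1002 proto ra src 2a05:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx metric 10 pref medium'
SAMPLE_ON='RTNETLINK answers: Invalid argument'

# route6_dev OUTPUT -> prints the egress interface, or "none" when the
# kernel refused the lookup (assumption: any "RTNETLINK answers:" reply)
# or the output is empty.
route6_dev() {
    case $1 in
        ''|*'RTNETLINK answers:'*) echo none; return 0 ;;
    esac
    # Token that follows " dev " on the first line of the reply.
    dev=$(printf '%s\n' "$1" | sed -n '1s/.* dev \([^ ][^ ]*\).*/\1/p')
    echo "${dev:-none}"
}

# compare_route6 BEFORE AFTER -> one of:
#   unchanged:<dev>    same interface in both states
#   rerouted:<a>-><b>  the VPN moved the traffic to another interface
#   blackholed:<dev>   a route existed before, the lookup fails with the VPN on
#   gained:<dev>       no route before, a route with the VPN on
#   no-ipv6            no usable route in either state
compare_route6() {
    before=$(route6_dev "$1")
    after=$(route6_dev "$2")
    if [ "$before" = none ] && [ "$after" = none ]; then
        echo no-ipv6
    elif [ "$before" = none ]; then
        echo "gained:$after"
    elif [ "$after" = none ]; then
        echo "blackholed:$before"
    elif [ "$before" = "$after" ]; then
        echo "unchanged:$before"
    else
        echo "rerouted:$before->$after"
    fi
}

# Live use, once per VPN state: sh check.sh --live 2001:4860:4860::8888
if [ "${1:-}" = "--live" ]; then
    route6_dev "$(ip -6 route get "${2:?address required}" 2>&1)"
fi
```

With the two outputs from the report, compare_route6 "$SAMPLE_OFF" "$SAMPLE_ON" prints blackholed:wlan0.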

DentonGentry commented 2 years ago

Could this be: https://support.google.com/chrome/a/answer/9211990?hl=en#:~:text=Chrome%20devices%20use%20multiple%20IPv6,be%20used%20with%20Chrome%20devices.

"Chrome devices use multiple IPv6 addresses so that each embedded container (Android) and VM (Linux) has its own publicly routable IPv6 address. Most DHCPv6 implementations don’t support multiple IPv6 addresses per host. Therefore, DHCPv6 cannot be used with Chrome devices. You must use SLAAC instead."

kgersen commented 2 years ago

@DentonGentry We use SLAAC otherwise we wouldn't have an IPv6 in the Android container...

kgersen commented 2 years ago

I think the issue is here: https://issuetracker.google.com/issues/172224891#comment8. If you're a Googler: https://issuetracker.google.com/issues/171090287

it's rather old... I just don't understand why this is so low priority at Google...

DentonGentry commented 1 year ago

https://issuetracker.google.com/issues/172224891 in 11/2020 said: "We are aiming at adding support for IPv6 overlay created by Android VPN apps in Q1 next year. We have solved some of the issues described in #8 for the routing layer but we still have some non-trivial plumbing migration to do for the control plane."

I haven't found anything about what that is. Inside the Mountain View Chocolate Factory one can access b/171090287 to get more information. Alas.


June 2023: no updates to https://issuetracker.google.com/issues/172224891

noseshimself commented 10 months ago

I don't see this changing fast/in the near future. Running VPN software in Android apps is seemingly a last desperate attempt anyway and should be replaced by a Chrome extension using the chrome.vpnProvider API inside an extension with the appropriate Manifest (i.e. requiring the appropriate permissions), see https://developer.chrome.com/docs/extensions/reference/vpnProvider/ . That way you would be in the correct position in the food chain without rerouting packets through a container inside a VM (with limited IPv6 connectivity on top). Anything running on ChromeOS including Linux containers or a Steam VM would "just work". Tailscale could even get away with "just" provisioning the built-in Wireguard service.

Or take the easier route: Ask Google why they are not including the completely open source tailscaled in their OS; it can't be that difficult to include a configuration UI just like they did it for Wireguard.