RHEL-79975: WireGuard IPv6 endpoint address doesn't connect when AllowedIPs includes ::/0


    • NetworkManager-1.53.3-1.el10
    • Moderate
    • rhel-net-mgmt
    • ssg_networking
    • NMT SST - 2025Q2

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      The acceptance criteria defined below are met.

      When a user sets up a WireGuard connection whose AllowedIPs include ::/0 and whose endpoint is an IPv6 address,
      Then NetworkManager adds nftables rules that mark the incoming packets, so that they pass the reverse-path (rp_filter) checks,
      And the IPv6 endpoint address is reachable.

      ( ) Code changes are included in a downstream build attached to an errata.

      ( ) All required testing (manual and/or automated) passes successfully.

      ( ) All necessary backports to the related RHEL streams (linked as 'relates' in this issue) have been completed and verified.

      ( ) Related documentation updates (if applicable) have been completed.
    • Pass
    • Automated

      Description imported from upstream issue: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1521

      What were you trying to do that didn't work?

      I have a known good WireGuard profile that can connect to either an IPv4 or IPv6 endpoint on my WireGuard server. My VPN connection is dual stack and can route both IPv4 and IPv6 traffic through my WireGuard tunnel.

      When using the WG-Quick CLI tool like normal, I can connect to the IPv4 or IPv6 endpoint on the WireGuard server, and in either case the connection works as expected.

      When connecting to WireGuard through NetworkManager instead, I am only able to successfully connect to the IPv4 endpoint. Connecting to the IPv6 endpoint results in no handshake and no connectivity through the tunnel.

      When removing ::/0 from AllowedIPs, I can connect to the IPv6 endpoint and route IPv4 traffic through it.

      The problem seems to be that the IPv6 address of the endpoint tries to route through the tunnel when the tunnel is connected with AllowedIPs including ::/0, resulting in an impossible situation.

      In the case of an IPv4 endpoint, something is added to the routing table allowing the IPv4 endpoint address to still route through the network's normal default gateway. This behavior doesn't seem to happen for an IPv6 endpoint.

      How reproducible is this bug?:

      100%

      Steps to reproduce

      Set up a WireGuard server on a server somewhere with a dual stack connection. Create a WireGuard peer association and assign an IPv4 and IPv6 address to your client machine. Try to connect to the server's IPv4 address as the endpoint, then try the IPv6 address, and you can observe the broken IPv6 behavior. You will be unable to connect to the IPv6 endpoint while the AllowedIPs for the tunnel includes ::/0.

      Expected results

      WireGuard should connect and pass traffic with AllowedIPs as "0.0.0.0/0, ::/0" and an IPv6 endpoint address, just like it does when the endpoint address is IPv4.

      When running a traceroute to the IPv6 endpoint address of the VPN server while the VPN is connected, it should try to route through the normal default gateway for the network your client is on; it should not try to route through the WireGuard tunnel.

      Actual results

      • With AllowedIPs as "0.0.0.0/0, ::/0" and an IPv4 endpoint address, WireGuard tunnel connects and passes both IPv4 and IPv6 traffic through the tunnel.
      • With AllowedIPs as "0.0.0.0/0" and an IPv6 endpoint address, WireGuard handshakes and passes IPv4 traffic successfully.
      • With AllowedIPs as "0.0.0.0/0, ::/0" and an IPv6 endpoint address, WireGuard doesn't handshake and passes no traffic.
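      The reporter's observation (the IPv6 endpoint itself being routed into the tunnel once ::/0 is in AllowedIPs) and the acceptance criteria above (NetworkManager adding nftables rules so that incoming packets pass reverse-path checks) are two halves of one mechanism. The script below is an added example, not code from NetworkManager or from the upstream issue: it emits the policy-routing commands and the nftables mark save/restore rules in the form wg-quick(8) installs them, plus a diagnostic that compares the marked and unmarked route lookups for the endpoint. The interface name wg0, the fwmark/table number 51820 and the endpoint 2001:db8::1 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not NetworkManager code: policy routing plus nftables
# mark save/restore for a WireGuard tunnel that carries ::/0 and talks to
# an IPv6 endpoint. Mirrors the scheme used by wg-quick(8).
# Assumed placeholder values: interface wg0, fwmark/table 51820, endpoint
# 2001:db8::1 (documentation prefix). Override them via the environment.
WG_IFACE=${WG_IFACE:-wg0}
WG_TABLE=${WG_TABLE:-51820}
WG_ENDPOINT=${WG_ENDPOINT:-2001:db8::1}

# Half 1: the split default route. Encrypted UDP sent by the tunnel carries
# fwmark $2, so it skips table $2 and follows the main table to the real
# gateway; all other traffic falls into table $2, whose only route is ::/0
# via the tunnel. "ip rule add" inserts above existing rules, so the
# suppress_prefixlength rule (added second) is evaluated first and keeps
# more specific main-table routes (the LAN) ahead of the tunnel default.
wg_route_cmds() {
    cat <<EOF
wg set $1 fwmark $2
ip -6 rule add not fwmark $2 table $2
ip -6 rule add table main suppress_prefixlength 0
ip -6 route add ::/0 dev $1 table $2
EOF
}

# Half 2: remember the fwmark in conntrack on the way out and put it back on
# the reply. A mark-aware reverse-path check then resolves the endpoint in
# the main table (via the physical interface, where the reply arrived)
# instead of table $2 (via the tunnel) and accepts the handshake response.
wg_nft_ruleset() {
    cat <<EOF
table ip6 wg-mark-$1 {
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark $2 ct mark set meta mark
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
}
EOF
}

# Where the kernel would send a packet to the endpoint with and without the
# mark. The unmarked answer is what a reverse-path check sees for an
# incoming reply unless the mark was restored; if it names the tunnel, the
# reply is dropped.
wg_diagnose() {
    echo "route to $1 with fwmark $2:"
    ip -6 route get "$1" mark "$2"
    echo "route to $1 without fwmark:"
    ip -6 route get "$1"
}

case ${1:-show} in
    show)
        wg_route_cmds "$WG_IFACE" "$WG_TABLE"
        wg_nft_ruleset "$WG_IFACE" "$WG_TABLE"
        ;;
    diagnose)
        wg_diagnose "$WG_ENDPOINT" "$WG_TABLE"
        ;;
    apply)  # needs root and an existing $WG_IFACE with its peer configured
        [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
        wg_route_cmds "$WG_IFACE" "$WG_TABLE" | sh -e
        wg_nft_ruleset "$WG_IFACE" "$WG_TABLE" | nft -f -
        ;;
    *)
        echo "usage: $0 [show|diagnose|apply]" >&2
        ;;
esac
```

      Run it with no arguments to print the commands, with `diagnose` on a live system to compare the two lookups (a tunnel interface in the unmarked answer is the symptom the reporter describes), or with `apply` as root once the interface exists. NetworkManager's own knobs for the first half are the `wireguard.fwmark` and `wireguard.ip6-auto-default-route` connection properties. The second half only matters when something performs a mark-aware reverse-path check on the reply: the IPv4 rp_filter with net.ipv4.conf.all.src_valid_mark=1, or for IPv6, where the kernel has no rp_filter sysctl, a firewall rule such as nftables `fib saddr . mark . iif oif missing drop`. Without the restored mark such a check looks the endpoint up with mark 0, lands in table 51820, expects the reply on the tunnel interface and drops it, which is why the handshake never completes.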

              Vladimir Benes
              Ján Václav
              Network Management Team