Noticed a bug in 6.11.5 that apparently prevents Wireguard tunnels from working with IPv6 only.
How to reproduce:
Go to Settings -> VPN Manager, enter local name, generate keys, enter endpoint, click "apply".
Toggle "Advanced" mode, set "Network protocol" to "IPv6 only", click "apply".
Click "add peer", enter name, generate keypair, click "apply".
Try to set the "inactive" toggle to "active", notice it jumps right back to "inactive".
The log file at /var/log/wg-quick.log will contain the following error:
    # cat /var/log/wg-quick.log
    [#] logger -t wireguard 'Tunnel WireGuard-wg0 started'
    [#] ip6tables -t nat -A POSTROUTING -s fc00:253:0:0::/64 -o br0 -j MASQUERADE
    [#] ip -4 route flush table 200
    [#] ip -4 route add default via dev wg0 table 200
    Error: inet address is expected rather than "dev".
    [#] ip link delete dev wg0
    wg-quick down wg0
    wg-quick: `wg0' is not a WireGuard interface
That's because in the generated Wireguard config ...
    # cat /etc/wireguard/wg0.conf
    [Interface]
    #random
    PrivateKey=x
    Address=fc00:253:0:0::1
    ListenPort=51820
    PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
    PostUp=ip6tables -t nat -A POSTROUTING -s fc00:253:0:0::/64 -o br0 -j MASQUERADE
    PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
    PostDown=ip6tables -t nat -D POSTROUTING -s fc00:253:0:0::/64 -o br0 -j MASQUERADE
    PostUp=ip -4 route flush table 200
    PostUp=ip -4 route add default via dev wg0 table 200
    PostUp=ip -4 route add 10.0.0.0/16 via 10.0.1.1 dev br0 table 200
    PostDown=ip -4 route flush table 200
    PostDown=ip -4 route add unreachable default table 200
    PostDown=ip -4 route add 10.0.0.0/16 via 10.0.1.1 dev br0 table 200

    [Peer]
    #random
    PublicKey=y
    AllowedIPs=fc00:253:0:0::2
I censored the keys, obviously. 10.0.0.0/16 is my local IPv4 network while 10.0.1.1 is my Gateway.
Notice in the "PostUp" line it says "ip -4 route add default via dev wg0 table 200". That's not a valid route, there's supposed to be an IPv4 address between "via" and "dev", but there isn't, so Wireguard fails to start. If I switch from "IPv6 only" to "IPv4 + IPv6", that line turns into a valid route: "PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200".
EDIT: The code that adds these PostUp lines to the config file explicitly mentions it's only working for IPv4, so why is that UnRAID code executed when I select "IPv6 only" for Wireguard?
Also, the logging is somewhat wrong. The PostUp commands are executed in order, so it first says "Tunnel started" despite the tunnel not actually being up yet. It'd be better to have the 1st PostUp be something like "Starting tunnel ..." and then the last PostUp to be "Tunnel started.", that way if the tunnel fails to start due to bugs like this, the log won't claim it was successful.
Is there a possibility, in a future release, to add something like an "ultra-advanced" mode where people can just upload their own wg0.conf and use that instead of having to click together a tunnel through the UI? EDIT: Looks like that already exists with the "Import Tunnel" button, haven't tested yet if my use-case would work with that, though.
I did search through the forum for existing bug reports but didn't find any - probably nobody is using an IPv6-only wireguard tunnel. I can post diagnostics if necessary, but this doesn't look like a bug that's unique to my setup.
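A pre-flight check for the failure described in the post, as an added example that is not part of the original post and not Unraid's code: it scans the hook lines of a wg-quick config for `ip route` commands whose `via` has no valid gateway address. The function name `lint_route_hooks` is hypothetical and the sample config is constructed from the one quoted above.

```python
import ipaddress
import shlex

# Constructed sample, trimmed from the wg0.conf quoted in the post.
SAMPLE_CONF = """\
[Interface]
PrivateKey=x
Address=fc00:253:0:0::1
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via dev wg0 table 200
PostUp=ip -4 route add 10.0.0.0/16 via 10.0.1.1 dev br0 table 200
[Peer]
PublicKey=y
AllowedIPs=fc00:253:0:0::2
"""

HOOK_KEYS = {"preup", "postup", "predown", "postdown"}

def lint_route_hooks(conf_text):
    """Return [(line_no, message)] for hook 'ip route' commands with an unusable 'via'."""
    families, hooks, findings = set(), [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "address":
            # Record which address families the tunnel interface actually has.
            families |= {ipaddress.ip_interface(a.strip()).version for a in value.split(",")}
        elif key.lower() in HOOK_KEYS:
            hooks.append((no, value))
    for no, cmd in hooks:
        argv = shlex.split(cmd)
        if argv[:1] != ["ip"] or "route" not in argv or "via" not in argv:
            continue
        family = 4 if "-4" in argv else 6 if "-6" in argv else None
        gateway = (argv[argv.index("via") + 1:] or [""])[0]
        try:
            version = ipaddress.ip_address(gateway).version
        except ValueError:
            msg = f"'via' is followed by {gateway!r}, not a gateway address"
            if family and family not in families:
                msg += f" (interface has no IPv{family} Address)"
            findings.append((no, msg))
            continue
        if family and version != family:
            findings.append((no, f"IPv{version} gateway in an 'ip -{family}' command"))
    return findings
```

Running `lint_route_hooks` on the contents of a generated config before activating the tunnel reports the offending line number, so the broken hook is visible without reading the wg-quick log after a failed start.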