055n Wireguard VPN proxy won't work over IPv6

[zod076]

I have 2 VPN profiles of the same provider, one is IPv4-only and one is IPv6-only. During tests, the IPv4-only profile works. IPv6-only however doesn't. In the IPv6-only profile, I have 'Addresses' and 'DNS" set to IPv6 addresses only.

I also have IP version set to 'Auto' in the app.

When the VPN proxy is active, opening any sites will fail with connection timeout and throw out DNS resolution errors.

So not sure if this is a bug or by design. Is there anything else to try ?

[ignoramous]

Is there anything else to try ?

If both IPv4-only and IPv6-only WireGuard is enabled, then IPv4-only takes precedence. No routes for IPv6 are added to any other tunnel. This is setup the way it is (that is, IPv4 is preferred) because of connectivity issues due to the nature of dual-stack (supporting both IPv4 + IPv6) / Happy Eyeballs.

[zod076]

Is there anything else to try ?

If both IPv4-only and IPv6-only WireGuard is enabled, then IPv4-only takes precedence. No routes for IPv6 are added to any other tunnel. This is setup the way it is (that is, IPv4 is preferred) because of connectivity issues due to the nature of dual-stack (supporting both IPv4 + IPv6) / Happy Eyeballs.

Hello there, thanks for replying. Yes that's the case when both IPv4-only and IPv6-only Wireguard profiles are active. However, with just IPv6-only enabled(single-stack), nothing gets out and I'm faced with connection timeouts mentioned in my initial post.

[ignoramous]

However, with just IPv6-only enabled(single-stack), nothing gets out and I'm faced with connection timeouts mentioned in my initial post

Check if the underlying network can transport IPv6? If you're technical enough, can yon do that by installing Termux, then "Exclude" it from Rethink, then open Termux and run ping -6 ip6-only.me and see if it works?

Also, enable Perform connectivity checks in Configure -> Network, if it isn't already.

Orthogonal to this issue, Rethink doesn't detect IPv4 on IPv6-only networks that support tunneling IPv4 via 464Xlat (we've fixed this in v055o, the upcoming version due in a few days / weeks. #554

[zod076]

However, with just IPv6-only enabled(single-stack), nothing gets out and I'm faced with connection timeouts mentioned in my initial post

Check if the underlying network can transport IPv6? If you're technical enough, can yon do that by installing Termux, then "Exclude" it from Rethink, then open Termux and run ping -6 ip6-only.me and see if it works?

Also, enable Perform connectivity checks in Configure -> Network, if it isn't already.

Orthogonal to this issue, Rethink doesn't detect IPv4 on IPv6-only networks that support tunneling IPv4 via 464Xlat (we've fixed this in v055o, the upcoming version due in a few days / weeks. #554

Ok I've done this test from Termux while VPN proxy is enabled using an IPv6-only VPN config. Here's the results..

So far so good, now the bad news...

That's basically what happens. Also I notice, when doing nslookup in Termux, why does it use google dns to resolve ? Shouldn't it be using what I set under DNS in the app ?

Btw, when I repeat just the browser tests but with an IPv4-only VPN profile, browsing works. If I go to whatsmyip test sites, it shows my VPN IPv4 address + DNS servers. This VPN server is actually my home router.

I also notice when this VPN proxy(IPv4-only) is active, I can't browse resources on my home network.
Using the same VPN config with the official Wireguard app, I can browse my home network and IPv4/6 connectivity works.

[ignoramous]

Also I notice, when doing nslookup in Termux, why does it use google dns to resolve ?

Isn't Termux "Excluded"? If so, it uses OS/network DNS.

If not, make sure Fallback DNS is NOT set to None in Configure -> Network.

I can't browse resources on my home network

Ideally, you should be able to. But we've not tested this scenario at all and don't know why services private to the WireGuard tunnel aren't accessible. There's a few open issues on it.

• Wireguard cannot access other wireguard peers, despite Network settings #1633
• Samsung Wear not Syncing music #1461

Using the same VPN config with the official Wireguard app, I can browse my home network and IPv4/6 connectivity works

The official WireGuard app (and possibly all other WireGuard apps) is implemented very differently. For instance, those apps will never be able to connect to two different WireGuard upstreams like Rethink can. In exchange, their implementations are simpler and work in almost all scenarios you'd expect them to. In our case, everything has to be tested one by one and coded up if missing, provided Android has APIs to support the missing cases.

Note that, in the current versions, WireGuard does not handle DNS when in Advanced mode. This is changing in v055o the upcoming version.

• Are those internal services reliant on WireGuard-provided DNS?
• Are those internal services accessible over IPv4?

[zod076]

Also I notice, when doing nslookup in Termux, why does it use google dns to resolve ?

Isn't Termux "Excluded"? If so, it uses OS/network DNS.

If not, make sure Fallback DNS is NOT set to None in Configure -> Network.

I can't browse resources on my home network

Ideally, you should be able to. But we've not tested this scenario at all and don't know why services private to the WireGuard tunnel aren't accessible. There's a few open issues on it.

• Wireguard cannot access other wireguard peers, despite Network settings #1633
• Samsung Wear not Syncing music #1461

Using the same VPN config with the official Wireguard app, I can browse my home network and IPv4/6 connectivity works

The official WireGuard app (and possibly all other WireGuard apps) is implemented very differently. For instance, those apps will never be able to connect to two different WireGuard upstreams like Rethink can. In exchange, their implementations are simpler and work in almost all scenarios you'd expect them to. In our case, everything has to be tested one by one and coded up if missing, provided Android has APIs to support the missing cases.

Note that, in the current versions, WireGuard does not handle DNS when in Advanced mode. This is changing in v055o the upcoming version.

This might be why DNS resolution doesn't work in Wireguard proxy mode, but only when using IPv6 DNS servers, IPv4 DNS servers work.

• Are those internal services reliant on WireGuard-provided DNS?
• Are those internal services accessible over IPv4?

Not entirely. I usually access my CIFS share over IPv6 IP address and it works fine just not with RethinkDNS for reasons unknown.

[ignoramous]

I usually access my CIFS share over IPv6 IP address and it works fine just not with RethinkDNS for reasons unknown.

Will you please test if accessing it works when using WireGuard in Simple mode (I am presuming you're currently using it in Advanced mode)?

If not (while still in Simple mode), tap on the "down arrow" next to the STOP / START button in Rethink's homescreen, and see if the footer of the bottomsheet that comes up shows "IPv6" for "protos".

[zod076]

Will you please test if accessing it works when using WireGuard in Simple mode (I am presuming you're currently using it in Advanced mode)?

Ok, did both test in Simple Mode, here's the IPv4 test:-

If not (while still in Simple mode), tap on the "down arrow" next to the STOP / START button in Rethink's homescreen, and see if the footer of the bottomsheet that comes up shows "IPv6" for "protos".

When testing IPv4, it shows protos: IPv4, when testing with IPv6, it shows IPv6. Here's the IPv6 tests:-

As you can see, with IPv6, bottom of the Start/Stop shows 'No internet with Wireguard'. With IPv4, it shows Connected and I can browse the net. Yet I can't browse my Local LAN over the VPN tunnel.

I'm not running 2 VPN's at the same time. I ran them one by one. IPv6 first, then IPv4. So something is surely blocking IPv6 requests.

[ignoramous]

I suspect 464Xlat gets in the way #554 (it is kind of "misreported" by Android's Networking APIs). We've made a workaround for it in the upcoming version v055o, due in a few weeks from now.