Hey, I realise that this is not Surfshark's support, but since they couldn't solve my issue, I thought that maybe someone here had any idea.
When I connect to Surfshark (currently via Wireguard, but I tried via OpenVPN as well with the same outcome), the client tries to set up a new IPv6 connection and fails.
I get messages such as the following in the NetworkManager logs (I removed the address from the pasted text):
platform-linux: do-add-ip6-address[...]: failure 13 (Permission denied)
I should note that when I stop iptables the connection works properly, but I, obviously, don't wish to stop iptables.
Here are the iptables rules:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/16 -j ACCEPT
# ACCEPT SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# ACCEPT HTTPS TRAFFIC
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# STEAM
-A INPUT -p udp --dport 27000:27036 -j ACCEPT
-A INPUT -p tcp --dport 27036:27037 -j ACCEPT
-A INPUT -p tcp --dport 27015 -j ACCEPT
-A INPUT -p udp --dport 4380 -j ACCEPT
-A INPUT -p udp --dport 3478 -j ACCEPT
-A INPUT -p udp --dport 4379:4380 -j ACCEPT
# REJECT PING
-A INPUT -p icmp -j REJECT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
Any idea will be more than helpful.
Last edited by dkazantzas (2022-05-13 10:06:07)
You have a working IPv6 setup or will IPv6 only run through the tunnel? Post your output of
ip a
How did you set up WireGuard? As a native NetworkManager connection managed through nmcli? Can you post the anonymized contents of the file "/etc/NetworkManager/system-connections/connection_name.nmconnection"?
I didn't do any additional setup. As I said, I used the Surfshark client to connect, both via WireGuard and via OpenVPN and both protocols fail to connect.
I assume that I need to do additional configuration for IPv6, but as I said, the connection works properly when iptables is down.
Don't ask me about iptables (when I relearn Linux firewalling, it will be with nftables), but I see what looks like unconditional icmp REJECTion. That's not good, especially for IPv6: https://serverfault.com/a/783854
O.K. - I thought you used WireGuard natively.
Because Surfshark is proprietary software and the iptables ruleset seems to interfere, I would analyze the traffic (without iptables) via wireshark and look for incoming connections from the surfshark servers.
Don't ask me about iptables (when I relearn Linux firewalling, it will be with nftables), but I see what looks like unconditional icmp REJECTion. That's not good, especially for IPv6: https://serverfault.com/a/783854
True, but iptables for IPv6 has its own ruleset (via ip6tables).
O.K. - I thought you used WireGuard natively.
Because Surfshark is proprietary software and the iptables ruleset seems to interfere, I would analyze the traffic (without iptables) via wireshark and look for incoming connections from the surfshark servers.
The weird part of the story is that Surfshark was working properly up until recently. I haven't made any changes to the iptables configuration and the only thing that seems to have changed is that Surfshark's client now only works with IPv6 (without any option to disable it).
I have to mention that I tried to make the connection with ip6tables having no rules at all and it still hasn't worked.
the only thing that seems to have changed is that Surfshark's client now only works with IPv6 (without any option to disable it).
You seem to have been in contact with Surfshark; did they say anything to confirm that? Did you also update the client recently or could it be a server-side change (or something they pushed to the client)?
Have you tried connecting with openvpn (from [extra]) instead of the Surfshark client?
Last edited by Raynman (2022-05-13 12:24:41)
I have to mention that I tried to make the connection with ip6tables having no rules at all and it still hasn't worked.
That would have been nice to know - earlier. I naturally presumed (from the info in your first post) that your ip6tables ruleset is empty.
So - to clarify: Does your Surfshark connection only work when the IPv4 iptables ruleset is empty?
If the connection works - do you have the same NetworkManager "do-add-ip6-address" messages?
Last edited by -thc (2022-05-13 14:34:48)
So - to clarify: Does your Surfshark connection only work when the IPv4 iptables ruleset is empty?
If the connection works - do you have the same NetworkManager "do-add-ip6-address" messages?
When it's either empty or down. When it works, there are no such messages.
OK, I fixed it. I added the following and it now works correctly:
-I OUTPUT -o surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_wg -j ACCEPT
-I OUTPUT -o surfshark_wg -j ACCEPT
Last edited by dkazantzas (2022-05-13 16:51:08)
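An added check (my own example, not code from the thread or from Surfshark) that runs over an iptables-save dump and reports what this thread ended up diagnosing by hand: a chain with a DROP policy that has no ACCEPT for the tunnel interfaces, plus the caveat raised above that the bare ICMP REJECT sits before the RELATED,ESTABLISHED accept. The interface names are the ones from the final post; the dump is an abridged copy of the ruleset in the first post, constructed here as sample input.

```python
# Constructed sample: abridged copy of the thread's IPv4 ruleset, plus the four lines from the final post.
ORIGINAL = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j REJECT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""
FIX = """-I OUTPUT -o surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_wg -j ACCEPT
-I OUTPUT -o surfshark_wg -j ACCEPT
"""
FIXED = ORIGINAL.replace("COMMIT", FIX + "COMMIT")

def parse(dump):
    """Return (policies, chains) from iptables-save text; -I rules go to the front of their chain."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif tok and tok[0] in ("-A", "-I"):
            rules = chains.setdefault(tok[1], [])
            rules.insert(0, tok) if tok[0] == "-I" else rules.append(tok)
    return policies, chains

def has_opt(rule, flag, value):
    # True if the tokenised rule carries "<flag> <value>", e.g. ("-i", "surfshark_wg") or ("-j", "ACCEPT")
    return flag in rule[:-1] and rule[rule.index(flag) + 1] == value

def missing_tunnel_accepts(dump, ifaces):
    # (chain, iface) pairs where a DROP-policy chain has no ACCEPT for the tunnel interface
    policies, chains = parse(dump)
    missing = []
    for chain, flag in (("INPUT", "-i"), ("OUTPUT", "-o")):
        if policies.get(chain) != "DROP":
            continue  # an ACCEPT policy (OUTPUT in the thread) needs no extra rule
        for iface in ifaces:
            if not any(has_opt(r, flag, iface) and has_opt(r, "-j", "ACCEPT") for r in chains.get(chain, [])):
                missing.append((chain, iface))
    return missing

def icmp_rejected_before_established(dump):
    """True when '-p icmp -j REJECT' in INPUT is hit before the RELATED,ESTABLISHED accept."""
    rules = parse(dump)[1].get("INPUT", [])
    pos = lambda ok: next((i for i, r in enumerate(rules) if ok(r)), len(rules))
    icmp = pos(lambda r: has_opt(r, "-p", "icmp") and has_opt(r, "-j", "REJECT"))
    est = pos(lambda r: "RELATED,ESTABLISHED" in r and has_opt(r, "-j", "ACCEPT"))
    return icmp < est
```

Run against ORIGINAL the first check lists both interfaces as missing in INPUT and against FIXED it lists nothing; the ICMP ordering check stays true for both, since the inserted rules do not move the ICMP REJECT below the conntrack accept.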