You are not logged in.

#1 2022-05-13 10:05:25

dkazantzas
Member
Registered: 2018-08-04
Posts: 5

IPv6 connectivity problems with SurfShark VPN

Hey, I realise that this is not Surfshark's support, but since they couldn't solve my issue, I thought that maybe someone here had any idea.

When I connect to Surfshark (currently via Wireguard, but I tried via OpenVPN as well with the same outcome), the client tries to setup a new IPv6 connection and fails.
I get messages such as the following in the NetworkManager logs (I removed the address from the pasted text):

platform-linux: do-add-ip6-address[...]: failure 13 (Permission denied)

I should note that when I stop iptables the connection works properly, but I, obviously, don't wish to stop iptables. 
Here are the iptables rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/16 -j ACCEPT

# ACCEPT SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# ACCEPT HTTPS TRAFFIC
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# STEAM 
-A INPUT -p udp --dport 27000:27036 -j ACCEPT
-A INPUT -p tcp --dport 27036:27037 -j ACCEPT
-A INPUT -p tcp --dport 27015 -j ACCEPT
-A INPUT -p udp --dport 4380 -j ACCEPT
-A INPUT -p udp --dport 3478 -j ACCEPT
-A INPUT -p udp --dport 4379:4380 -j ACCEPT

# REJECT PING
-A INPUT -p icmp -j REJECT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -j REJECT --reject-with icmp-proto-unreachable 
COMMIT

Any idea will be more than helpful

Last edited by dkazantzas (2022-05-13 10:06:07)

Offline

#2 2022-05-13 10:34:18

-thc
Member
Registered: 2017-03-15
Posts: 200

Re: IPv6 connectivity problems with SurfShark VPN

You have a working IPv6 setup or will IPv6 only run through the tunnel? Post your output of

ip a

How did you setup WireGuard? As a native NetworkManager connection managed through nmcli? Can you post the anonymized contents of the file "/etc/NetworkManager/system-connections/connection_name.nmconnection"?

Offline

#3 2022-05-13 11:26:44

dkazantzas
Member
Registered: 2018-08-04
Posts: 5

Re: IPv6 connectivity problems with SurfShark VPN

I didn't do any additional setup. As I said, I used the Surfshark client to connect, both via WireGuard and via OpenVPN and both protocols fail to connect.
I assume that I need to do additional configuration for IPv^, but as I said, the connection works properly when iptables is down.

Offline

#4 2022-05-13 11:47:07

Raynman
Member
Registered: 2011-10-22
Posts: 1,417

Re: IPv6 connectivity problems with SurfShark VPN

Don't ask me about iptables (when I relearn Linux firewalling, it will be with nftables), but I see what looks like  unconditional icmp REJECTion. That's not good, especially for IPv6: https://serverfault.com/a/783854

Offline

#5 2022-05-13 11:49:18

-thc
Member
Registered: 2017-03-15
Posts: 200

Re: IPv6 connectivity problems with SurfShark VPN

O.K. - I thought you used WireGuard natively.

Because Surfshark is proprietary software and the iptables ruleset seems to interfere, I would analyze the traffic (without iptabes) via wireshark and look for incoming connections from the surfshark servers.

Offline

#6 2022-05-13 11:51:53

-thc
Member
Registered: 2017-03-15
Posts: 200

Re: IPv6 connectivity problems with SurfShark VPN

Raynman wrote:

Don't ask me about iptables (when I relearn Linux firewalling, it will be with nftables), but I see what looks like  unconditional icmp REJECTion. That's not good, especially for IPv6: https://serverfault.com/a/783854

True, but iptables for IPv6 has its own ruleset (via ip6tables).

Offline

#7 2022-05-13 12:17:29

dkazantzas
Member
Registered: 2018-08-04
Posts: 5

Re: IPv6 connectivity problems with SurfShark VPN

-thc wrote:

O.K. - I thought you used WireGuard natively.

Because Surfshark is proprietary software and the iptables ruleset seems to interfere, I would analyze the traffic (without iptabes) via wireshark and look for incoming connections from the surfshark servers.

The weird part of the story is that Surfshark was working properly up until recently. I haven't made any changes to the iptables configuration and the only thing that seems to have changed is that Surfshark's client now only works with
IPv6 (without any option to disable it).

I have to mention that I tried to make the connection with ip6tables having no rules at all and it still haven't worked.

Offline

#8 2022-05-13 12:23:41

Raynman
Member
Registered: 2011-10-22
Posts: 1,417

Re: IPv6 connectivity problems with SurfShark VPN

dkazantzas wrote:

the only thing that seems to have changed is that Surfshark's client now only works with
IPv6 (without any option to disable it).

You seem to have been in contact with Surfshark; did they say anything to confirm that? Did you also update the client recently or could it be a server-side change (or something they pushed to the client)?

Have you tried connecting with openvpn (from [extra]) instead of the Surfshark client?

Last edited by Raynman (2022-05-13 12:24:41)

Offline

#9 2022-05-13 14:34:18

-thc
Member
Registered: 2017-03-15
Posts: 200

Re: IPv6 connectivity problems with SurfShark VPN

dkazantzas wrote:

I have to mention that I tried to make the connection with ip6tables having no rules at all and it still haven't worked.

That would have been nice to know - earlier. I naturally presumed (from the infos in your first post) that your ip6tables ruleset is empty.

So - to clarify: Does your Surfshark connection only work when the IPv4 iptables ruleset is empty?
If the connection works - do you have the same NetworkManager "do-add-ip6-address" messages?

Last edited by -thc (2022-05-13 14:34:48)

Offline

#10 2022-05-13 15:54:10

dkazantzas
Member
Registered: 2018-08-04
Posts: 5

Re: IPv6 connectivity problems with SurfShark VPN

-thc wrote:

So - to clarify: Does your Surfshark connection only work when the IPv4 iptables ruleset is empty?
If the connection works - do you have the same NetworkManager "do-add-ip6-address" messages?

When it's either empty or down. When it works there are no such messages

Offline

#11 2022-05-13 16:49:53

dkazantzas
Member
Registered: 2018-08-04
Posts: 5

Re: IPv6 connectivity problems with SurfShark VPN

Ok I fixed it. I added and it now works correctly:

-I OUTPUT -o surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_ipv6 -j ACCEPT
-I INPUT -i surfshark_wg -j ACCEPT
-I OUTPUT -o surfshark_wg -j ACCEPT

Last edited by dkazantzas (2022-05-13 16:51:08)

Offline

Board footer

Powered by FluxBB