-
-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPv6 tethering #6
Comments
Looks like a prob here too. My Xiaomi Mi6 has mobile IPv6 support. If I connect to IPv6 vpn-server my Android has the new default v6 route through tunnel. But all clients have an IPv6 leak even if "Disable IPv6 tethering" option is enabled. I 'll show all routes / routing tables if I 've more time. |
@githuborer That would certainly be helpful. You should check if your clients have an IPv6 address after checking "Disable IPv6 tethering". If you want to do a follow-up, feel free to open another issue as this one is reserved for handling IPv6 tethering better. |
Yes that's the point. Real IPv6 is leaking to connected clients. "Disable IPv6 tethering" option does nothing for my phone. |
Hey I have a OnePlus6 on TMobile which prefers IPv6 by default. I noticed some interesting things recently:
I am using rooted OnePlus Oxygen, but I think it is pretty close to vanilla Android -- the phone was bought unlocked...the TMobile version may have different tethering system. I could contribute and look into fixing this -- assume most of this is implemented through iptables and ip6tables, right? Would also love to add a TTL (IPv4) hop limit (IPv6) option to help people using the app to get around tethering restrictions... |
@glennbutler It would be great if you can look into this! I think this might be more than messing with |
I took an additional look at this and here are my thoughts. For now, I do not plan to support any kind of IPv6 NAT (because I think IPv4-only NAT should cover all the use cases). However, using a neighbor discovery proxy might be useful for local-only interfaces (portier might be useful but still in development) for advantages of IPv6 networks. No plan on implementing this any time soon yet. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
I turned off the disable IPv6 tethering function, but I can't get an available IPv6 connection (I don't need IPv6 to connect through VPN), I know that disabling IPv6 can avoid VPN leakage. But sometimes I need to connect to the IPv6 network(Direct connection without VPN) through a relay, without ipv6 will cause problems to use. I don't know if this is a bug. |
I tried to configure the default gateway of the client device to the IPV6 address used by the P2P interface. This address can be pinged normally. But unable to access other URLs, suggesting no route |
Seems like my kernel is not built with ipv6 nat support, so even running a transparent proxy is out of the question. Still have hope bridging might work. VPN clients can be configured to offer a local subnet rather than just a single local ip, or a least I know the Android WireGuard client can, so that might actually be a workable solution. How far were you able to get in experimenting with this, Mygod? |
I did not try very hard to get this going because honestly the benefits are minimal. Feel free to submit a PR if you get it going though. ;) |
Quickly found that bridging is also not possible, not without compiling tap support into the kernel and using native clients. Just going to post my test script that I used to manually configure tethering, I couldn't find this elsewhere. Took an embarrassing amount of iteration to get this to work.
|
I have not looked into this extensively but I am not sure why you say it is impossible. I think Android supports IPv6 tethering natively? Do they use something else? |
It supports IPV6 tethering the correct way, each tethered device receives a unique address from the provider. This is clearly undesirable as any traffic through those addresses is defacto tethering and will be treated as such by the provider. Tethering through a VPN gets around this, but to be possible, it needs a layer 2 TAP interface to use with bridging(similar to how it works with the provider) or support natting(to simply route traffic rather than hide topology). These features are not at all standard in Android, even with custom kernels/roms, so it doesn't make sense to support them here IMO. |
Think I answered poorly. AFAICT public ipv6 addresses for tethered clients are configured via slaac server on the provider side, not anything on the client side. Guess this would be testable by blocking icmp6 between rndis0 and the ipv6 mobile interface and reconnecting. I had some recent success getting tethering with ipv6 working. I grabbed Lineage sources for my phone and rebuilt my kernel with CONFIG_NF_NAT_IPV6 and CONFIG_IP6_NF_TARGET_MASQUERADE enabled. Also cross-compiled radvd for ipv6 provisioning. radvd.conf defines interface rndis0, prefix fd00::/64, and ipv6 dns servers.
Here I set the ipv6 address and route, mark traffic for the global ipv6 subnet, and add the missing ip6tables rules to match. Found I needed to call dnsmasq directly as ndc tether seemed to interfere. |
While I definitely applaud the efforts, I do not think we can implement anything close to recompiling the kernel within the app though. 😅 I think the worst we can do is to do everything in user space, which might not be super efficient. I currently do not have the luxury to investigate personally but please do keep me posted. 👍 |
Ideally rom and kernel maintainers will pick up on this use case and start building with these options. At the very least it could save advanced users a bunch of time. I imagine two device setups will ultimately be more popular since it's easier and doesn't require root(ex. run a transparent proxy like squid on the phone and configure a router to redirect all outgoing traffic to it). Do tell if you can think of an entry point for a software solution. The obvious place to look is tunnels, which are widely supported, but only the layer 3 variants that are not useful here. This would also be a herculean task to implement. |
Finally stumbled on how this can be done, I feel really dumb for not landing on this sooner. Turns out we can use TPROXY mangle rules to capture and redirect outbound IPv6 traffic to a local transparent proxy. transocks-wong and microsocks (for example) would be enough for TCP support, but I'm unsure about UDP atm. The kernel module to achieve this is very widely supported on Android: |
Sounds great. Did you get it working? |
Could you set up a broute to accomplish this? I use this command on my router to enable ipv6 on my network from a tethered phone. wan (the android phone to router connection) and lan is local network
Could you bridge the vpn connection for IPv6 and then do normal NAT tethering for IPv4? The biggest issue I can think of is kernel module support. |
Nevermind. I just tried ebtables on my phone. Command not found. Leaving that failed idea up for the next person's info. |
does disabling ipv6 tethering slow speed? |
@Poorav165 IPv6 tethering will not be routed through VPNs. You should disable that if you want everything to go through VPN. |
Ok ,thx. But what if I am not using vpn? Will turning ipv6 on improve speed? |
This is supported on the Pixel 4 XL stock source, how did you get it to work though? |
Sorry for the extremely late reply. The last line in Android.mk for hev-socks5-tproxy is set to 'BUILD_SHARED_LIBRARY', change to 'BUILD_EXECUTABLE'. Both projects crash on localtime calls for me, so I disabled logging in hev-socks5-logger.c and hev-logger.c, example:
Then build. Configs are located under conf/main.yml. Enable the auth block for hev-socks5-server and set the username/password. Then run them(from /data/local/tmp):
And the iptables rules I used:
Replace AAAA:BBBB:CCCC:DDDD with the first half of your public IPv6 address(the one assigned by your carrier). Wireguard in kernel mode breaks this configuration, but other VPNs work fine. |
That's a lot to have just figured out, very nice and thank you for coming back with the well written instructions. I'm not setup for compiling NDK binaries currently but I will certainly try this as soon as I can pull down the compiler, I used to write Android apps but lost interest in it several years ago |
Thanks for this! I modified the script to setup a wifi hotspot on my Pixel 6:
|
@worstperson So it seems like your POC uses ULA? Is there any advantage of doing this compared to simply using a 6to4 tunnel/IPv6 VPN? (Ideally I would like to support global scope IPv6 tethering.) |
@Mygod It's GUA because it uses the address provided by the upstream provider. Without bypassing android's RA server, the device must connect to an IPv6 network for IPv6 traffic to flow, even if your using a dual stack vpn on the phone. It would probably make more sense to use ULA in the context of VPNHotspot given that the socks server is limited to TCP/UDP. An interesting novelty to be sure, but I'm less sure it's worth implementing tbh. |
Is it GUA provided by local mobile carrier or by VPN? It sounds like the former, in which case how would it work? Outgoing packets go through the VPN but the incoming packets bypass the VPN? |
The rules take TCP/UDP traffic destined for a public address that would otherwise be forwarded and redirects them through a local transparent proxy. This proxy will use Android's primary internet source, which will be the VPN you have running. Doing this for IPv4 is only good for masking the TTL of traffic without a VPN. I only included it for completeness. The address is provided by the mobile carrier in this case, controlling addresses Android gives out would have made the POC too complicated. You can use this command to drop RA packets from processes that are not root: The big difference is the POC allows traffic to leak. This allows incoming traffic and raw sockets, while still rewriting TTL for the vast majority of traffic, something of a compromise. To prevent leaking, you can use a rule like this: I wrote up a prototype app one weekend to try an work out the details as best I could. The default server configurations bind to all addresses, we need to bind to the tether interface or localhost. I used localhost and that worked well in my tests. If you bind to the tether interface for greater compatibility, you have to be sure to kill the servers after as they do not handle their interface being removed. hev-socks5-tproxy can only be configured to one address at a time currently so I had to run two instances to cover both IPv4 and IPv6.
This was wrong. You actually take the prefix from the non-link-local address assigned to the tether interface. |
Okay that's cool and all, but ideally we want IPv6 addresses from the VPN provider so that things would work properly? 🤔 |
It acts exactly like a NAT, the address/range is only needed locally for communication between the phone and clients tethered to it. An address being GUA/ULA only effects which protocol the tethered devices will default to. Once traffic gets redirected to the proxy, the packets get recreated on the phone, so it's like the traffic originated from the phone. You could also configure the proxy to only send outgoing traffic through the desired interface. I think it would be most useful to use a ULA range so clients default to IPv4. Most traffic will travel as normal, but instead of failing if a client tries to access an IPv6 resource, the connection will instead be made through the proxy. Traffic will still exit through the VPN in both cases. |
Yeah but it sounds like maybe it is probably easier to just use a 6to4 tunnel instead, don't you think? 🤣 (Genuine question: do you have a concrete use case for IPv6 tethering?) |
I had read that the standard 6in4 tunneling protocol breaks when behind CGNAT and if I were to set it up on a phone IPv6 traffic would not go through the VPN, count as tethered traffic, and have high latency. (As far as I can tell from how brokers work and how that would need to be set up) It is very rare that'd I find a host that's not dual-stack or IPv4-only, and the vast majority of users will never know or care. I honestly don't know why I'm still bothered by this. I use NAT6 on my devices, and when I do use VPNHotspot, the lack of IPv6 has really not been an issue. I posted this information because another user had requested it. I would have held on to it otherwise, until I could add the feature myself or find a better solution. |
I'm not the original person this was asked to, but also am looking for IPv6 tethering. Reason why - gaming. I was always under the impression IPv6 has a much lower latency (ping) than IPv4. Especially on networks like T-Mobiles which is natively IPv6. So all IPv4 addresses have an additional step for converting to IPv6 and reverse. |
This is sort of true on T-Mobile since they do not CGNAT IPv6. As long as you don't do any sort of NAT6 setup, tethered clients receive an IP and can forward ports and my tests show a bit more throughput and reliability over time versus IPv4. But it is unlikely to be your issue. Not everyone has IPv6 and the game and platform must support it, so the vast majority of games are played over IPv4. If you were to host a game through that IPv6 connection, you'd probably have trouble enough finding other players that can connect. What's more likely is that mobile internet just isn't the best, especially for gamers. The best solution I've found is to pipe all traffic though Google One VPN. Google has really good peering with mobile carriers and no other VPN I've tested came close to it's latency and throughput. It had also worked flawlessly with every game, console, and streaming platform I tried. But YMMV. |
Ah. Thanks for the awesome explanation! I did not realize games had to support the IPv6 protocol. I thought that was basically server/router dependent of the ISP. In the long run, my gaming experience has not been that bad with my mobile hotspot. My ping in most games is 50-100. Rarely getting to the 100ms range. I truly don't physically notice any difference when on hotspot vs friends wifi despite seeing the ping numbers change. I was more so thinking IPv6 would keep the ping closer to the 50ms region if not lower, but from what you are saying, may not even be the case. I also am unsure of if IPv6 is working when I remove all my mods, when I run a ping from my computer, it does not fetch the IPv6 address of the destination (google). Thanks again for all the info. This has been a fun learning experience trying to bypass all the bs carriers do. I just don't understand how 40GB of hotspot data is any different than 40GB of cellular data lol |
Currently AOSP only has support for IPv6 tethering when using mobile networks under supported carriers since Android 7.0.
It's unclear how to do this for IPv6-capable VPN or even Wi-Fi. The main issue is configuring a valid IPv6 address for clients. This is further complicated by the fact that sometimes
dnsmasq
(actually I'm not 100% sure yet) will configure another valid IPv6 address using Router Advertisement.Update: It might be possible to create a bridge. [1, 2]
The text was updated successfully, but these errors were encountered: