[Bug] can clash.meta transfer IPv6 traffic? #794

Closed
6 tasks done
Azadzadeh opened this issue Oct 14, 2023 · 28 comments
@Azadzadeh

Azadzadeh commented Oct 14, 2023

Verify steps

  • Ensure you are using the latest version of Clash or Clash Premium from this repository.
  • Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
  • I have searched on the issue tracker for a related issue.
  • I have tested using the dev branch, and the issue still exists.
  • I have read the documentation and was unable to solve the issue.
  • This is an issue of the Clash core per se, not to the derivatives of Clash, like OpenClash or KoolClash.

Clash version

Clash Meta v1.16.0

What OS are you seeing the problem on?

Linux

Clash config

port: 8080
socks-port: 1080 

mode: rule
log-level: debug
ipv6: true

dns:
  enable: true
  listen: 0.0.0.0:53
  ipv6: true

tun:
  enable: true
  stack: system
  dns-hijack:
    - any:53
  auto-route: true
  auto-detect-interface: true

Clash log

No response

Description

does clash.meta have ability to pass ipv6 traffic?
my proxy server is dual-stack. inside it, i can ping6 an ipv6 or ssh to an ipv6 address.
but, at client side, network is only ipv4.

I thought if i activate a proxy to that server in TUN mode, i'd be able to ping6 at client side but this doesn't work:

$ ping 2001:4860:4860::8888
connect: Network is unreachable

no trace about this query is shown on the logs.
i do netstat -lntup, no tcp6 or udp6 connections are listening on 1080 or 8080.

However, nslookup ipv6.google.com works and i see a line in logs related to it.

In short, i want to ping6 or ssh -6 at an ipv4-only client side using the dual-stack proxy server.

@xishang0128
Contributor

@Azadzadeh Pure ipv6 domain name/ip should be used for non-ICMP testing. Clash will not proxy ICMP.

@Azadzadeh
Author

@xishang0128
shouldn't this work?

$ curl -vvv -s ipv6.icanhazip.com
* Rebuilt URL to: ipv6.icanhazip.com/
*   Trying 2606:4700::6812:7261...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6812:7261: Network is unreachable
*   Trying 2606:4700::6812:7361...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6812:7361: Network is unreachable
* Closing connection 0

@xishang0128
Contributor

@Azadzadeh Does your node server provide aaaa resolve and ipv6 outbound?

@Azadzadeh
Author

@xishang0128

node server provide aaaa resolve

on server, nslookup ipv6.google.com outputs google IPv6s correctly

ipv6 outbound

not sure how to test this but curl -vvv ipv6.icanhazip.com on server outputs server IPv6.

At client side, with current config, using browser, I get 10/10 in IPv6 site https://test-ipv6.com/ and in site https://ipv6-test.com/ , DNS4 + IP6, DNS6 + IP4, DNS6 + IP6 are reachable and IPv6 connectivity tests are green

if i should do any other tests, please advise

@closehandle

You need to configure Fake IP mode for DNS. As far as I know, it doesn't do any additional configuration for IPv6 routing. What this means is that it will not handle IPv6 traffic on TUN. If you use the regular HTTP/Socks5 proxy you'll find it works fine!

@Azadzadeh
Author

@closehandle so that's why when i do ipv6 test with my browser https://test-ipv6.com/ , it shows v6 connection (since it's socks5 proxy) but when i do it from terminal it doesn't work.
This works curl -x socks5://localhost:1080 -vvv ipv6.icanhazip.com in terminal with the config in topic post.
And it doesn't require setting the enhanced-mode to fake-ip.

Overall, it would have been neat if this could be implemented in TUN...

@xishang0128
Contributor

@closehandle The tun of clash.meta handles and routes ipv6 traffic and does not need to be set to fakeip

@xishang0128
Contributor

@Azadzadeh You can try setting dns.enhanced-mode to redir-host

@Azadzadeh
Author

Azadzadeh commented Oct 14, 2023

@xishang0128 set it to redir-host, tried it, doesn't work (doesn't even print a line in debug log except DNS queries):

$ curl -vvv  ipv6.icanhazip.com
* Rebuilt URL to: ipv6.icanhazip.com/
*   Trying 2606:4700::6812:7261...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6812:7261: Network is unreachable
*   Trying 2606:4700::6812:7361...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6812:7361: Network is unreachable
* Closing connection 0
curl: (7) Couldn't connect to server

But with this same config, socks5 works correctly $ curl -x socks5://localhost:1080 -vvv ipv6.icanhazip.com

@xishang0128
Contributor

@Azadzadeh Use ip a or ifconfig to check whether the tun device has an ipv6 address

@Azadzadeh
Author

Azadzadeh commented Oct 14, 2023

@xishang0128
there is a Meta TUN device and ip a shows it has both an inet IPv4 (/30) and inet6 IPv6 (/64)

@xishang0128
Contributor

@Azadzadeh Then tun should receive ipv6 traffic

@Azadzadeh
Author

@xishang0128 sudo tcpdump -i Meta shows only DNS activity (AAAA and NXDomain) when I run that curl command.

@lux5am

lux5am commented Oct 14, 2023

try tun gvisor

@Azadzadeh
Author

try tun gvisor

same results as above, socks5 works, tun doesn't

@xishang0128
Contributor

xishang0128 commented Oct 15, 2023

@xishang0128 sudo tcpdump -i Meta shows only DNS activity (AAAA and NXDomain) when I run that curl command.

Sorry, my test is normal


@xishang0128
Contributor

xishang0128 commented Oct 15, 2023

@xishang0128 sudo tcpdump -i Meta shows only DNS activity (AAAA and NXDomain) when I run that curl command.

Maybe you should try fakeip to test whether dns hijack works.

@Azadzadeh
Author

@xishang0128
Thanks for testing this and taking screenshots ❤️
I found one of my problems when i restarted my computer. when i changed clash configs and restarted it, somehow some parameters in my network interface were not getting updated (some kind of cache?). so after a config change, i also turned off and on my NetworkManager. Now it works in TUN mode for this:

mode: rule
log-level: debug
ipv6: true

tun:
  enable: true
  stack: system
  dns-hijack:
    - any:53
  auto-route: true
  auto-detect-interface: true

dns:
  enable: true
  ipv6: true
  enhanced-mode: fake-ip

This works now: curl ipv6.google.com
Also, it looks like general ipv6: true and dns.ipv6:true are irrelevant for this to work. however, enhanced-mode must be set to fake-ip. otherwise it won't work.

  • Is there a reason that fake-ip is necessary for this? it doesn't return true IPs in this mode so it would be a bit problematic for development

  • Also, unfortunately, it still can't connect to direct IPv6 addresses:
    $ curl -vvv ipv6.google.com => works
    $ curl -x socks5://localhost:1080 -vvv http://[2001:4860:4860::8888]/ => works
    $ curl -vvv http://[2001:4860:4860::8888]/ => Immediate connect fail for 2001:4860:4860::8888: Network is unreachable
    This was for above config and after restarting my network card.

@Skyxim
Collaborator

Skyxim commented Oct 15, 2023

@Azadzadeh If you use REDIR-HOST, you must ensure that there is IPv6 locally, otherwise the proxy application cannot initiate a request.

@Azadzadeh
Author

@Skyxim by 'locally', you mean the ISP should support IPv6 at client side or do you mean the local computer setup and network interface should have an assigned IPv6 (ip addr)?

@Skyxim
Collaborator

Skyxim commented Oct 15, 2023

@Azadzadeh In your case, it should be the local computer, specifically it should be applied to meta by the proxy.

@Azadzadeh
Author

@Skyxim yeah, when i run ip addr, there are inet6 IPv6s assigned to both my main network device and to Meta TUN device (it starts with fe80::)

@Skyxim
Collaborator

Skyxim commented Oct 15, 2023

@Azadzadeh fe80:: is just like 169.254.x.x of IPv4; it will not be used in practice. It is used for host communication.

@arkxfly

arkxfly commented Oct 19, 2023

IPv6 is supported; it's just that some upstream proxies may not support it. From the dashboard, you can request a pure-IPv6 address to check.

@arkxfly

arkxfly commented Oct 21, 2023

The dashboard now has a feature to check whether a proxy supports IPv6.

MetaCubeX/metacubexd#403


@Azadzadeh
Author

@arkxfly thanks, however in my case, i know a certain proxy can pass ipv6. my problem is more related to the TUN mode.

@closehandle

closehandle commented Oct 22, 2023

The machine on which you deployed the TUN does not support access to an IPv6 network, so there is no IPv6 default route, and Clash Meta has not configured an IPv6 address and route for the TUN device, so it rejected your connection at the routing decision stage

That's why you'll get an error if you try to access the IPv6 address directly. The routing decision takes precedence over iptables, and the connection will be rejected before it is processed by iptables!

Fake IP only provides A record resolution, so it works, but you'll still fail when accessing IPv6 addresses directly

You can configure a default route yourself so that the kernel doesn't reject your connection during the routing decision phase
eg.

ip -6 route add default dev tun0

@xishang0128 Thanks for testing this and taking screenshots ❤️ I found one of my problems when i restarted my computer. when i changed clash configs and restarted it, somehow some parameters in my network interface were not getting updated (some kind of cache?). so after a config change, i also turned off and on my NetworkManager. Now it works in TUN mode for this:

mode: rule
log-level: debug
ipv6: true

tun:
  enable: true
  stack: system
  dns-hijack:
    - any:53
  auto-route: true
  auto-detect-interface: true

dns:
  enable: true
  ipv6: true
  enhanced-mode: fake-ip

This works now: curl ipv6.google.com Also, it looks like general ipv6: true and dns.ipv6:true are irrelevant for this to work. however, enhanced-mode must be set to fake-ip. otherwise it won't work.

* Is there a reason that fake-ip is necessary for this? it doesn't return true IPs in this mode so it would be a bit problematic for development

* Also, unfortunately, it still can't connect to direct IPv6 addresses:
  `$ curl -vvv ipv6.google.com` => works
  `$ curl -x socks5://localhost:1080 -vvv http://[2001:4860:4860::8888]/` => works
  `$ curl -vvv http://[2001:4860:4860::8888]/` => `Immediate connect fail for 2001:4860:4860::8888: Network is unreachable`
  This was for above config and after restarting my network card.
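
The routing decision described in the comment above, modelled as an added example (not part of the thread and not Clash Meta's code): a longest-prefix lookup over a constructed `ip -6 route show` listing shows why a literal IPv6 destination fails with "Network is unreachable" before the TUN device sees any packet, and what adding a default route changes. The route listings and the `eth0` interface name are assumptions; `Meta` is the TUN device name used in the thread.

```python
import ipaddress

# Constructed `ip -6 route show` output for an IPv4-only client: only the
# loopback and link-local (fe80::/64) routes exist. "Meta" is the TUN device
# name from the thread; "eth0" is an assumed physical interface.
ROUTES_BEFORE = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev Meta proto kernel metric 256 pref medium
"""

# The same table after `ip -6 route add default dev Meta`.
ROUTES_AFTER = ROUTES_BEFORE + "default dev Meta metric 1024 pref medium\n"


def parse_routes(text):
    """Return [(network, device)] for plain unicast routes in the listing."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        prefix = "::/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # typed routes (unreachable, blackhole, ...) are ignored here
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def lookup(routes, dest):
    """Longest-prefix match; None models the kernel returning ENETUNREACH."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def explain(routes_text, dest):
    """Describe what connect() to dest would hit under the given route table."""
    dev = lookup(parse_routes(routes_text), dest)
    if dev is None:
        return f"{dest}: Network is unreachable (no route, TUN never sees it)"
    return f"{dest}: routed via {dev}"


if __name__ == "__main__":
    for table in (ROUTES_BEFORE, ROUTES_AFTER):
        print(explain(table, "2001:4860:4860::8888"))
```

On a live system, `ip -6 route get 2001:4860:4860::8888` performs the same lookup against the real table.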

@stevejohnson7

This problem seems to be solved. Can I close it? or change to a discussion?
