connlib: fix ipv6 (#1855)

Fixes some of the ipv6 handling. Making this PR I also realized we need to update checksums on UDP and TCP too, since we're mangling packets.
2026-01-27 10:18:54 +00:00 · 2023-08-04 00:17:35 -03:00
parent a552e695f7
commit b563c7ad5a
8 changed files with 90 additions and 210 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -160,6 +160,8 @@ services:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv6.conf.all.forwarding=1
+      - net.ipv6.conf.default.forwarding=1
    devices:
      - "/dev/net/tun:/dev/net/tun"
    depends_on:
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -43,7 +43,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b613b8e1e3cf911a086f53f03bf286f52fd7a7258e4fa606f0ef220d39d8877"
 dependencies = [
 "generic-array",
- "rand_core 0.6.4",
+ "rand_core",
 ]

 [[package]]
@@ -369,7 +369,7 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b62ddb9cb1ec0a098ad4bbf9344d0713fa193ae1a80af55febcff2627b6a00c1"
 dependencies = [
- "getrandom 0.2.10",
+ "getrandom",
 "instant",
 "rand",
 ]
@@ -455,7 +455,7 @@ version = "0.10.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
 dependencies = [
- "digest 0.10.7",
+ "digest",
 ]

 [[package]]
@@ -500,7 +500,7 @@ dependencies = [
 "libc",
 "nix 0.25.1",
 "parking_lot",
- "rand_core 0.6.4",
+ "rand_core",
 "ring",
 "tracing",
 "tracing-subscriber",
@@ -787,7 +787,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ef2b4b23cddf68b89b8f8069890e8c270d54e2d5fe1b143820234805e4cb17ef"
 dependencies = [
 "generic-array",
- "rand_core 0.6.4",
+ "rand_core",
 "subtle",
 "zeroize",
 ]
@@ -799,7 +799,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
 dependencies = [
 "generic-array",
- "rand_core 0.6.4",
+ "rand_core",
 "typenum",
 ]

@@ -821,19 +821,6 @@ dependencies = [
 "cipher 0.4.4",
 ]

-[[package]]
-name = "curve25519-dalek"
-version = "3.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b9fdf9972b2bd6af2d913799d9ebc165ea4d2e65878e329d9c6b372c4491b61"
-dependencies = [
- "byteorder",
- "digest 0.9.0",
- "rand_core 0.5.1",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "curve25519-dalek"
 version = "4.0.0-rc.3"
@@ -861,41 +848,6 @@ dependencies = [
 "syn 2.0.25",
 ]

-[[package]]
-name = "darling"
-version = "0.14.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b750cb3417fd1b327431a470f388520309479ab0bf5e323505daf0290cd3850"
-dependencies = [
- "darling_core",
- "darling_macro",
-]
-
-[[package]]
-name = "darling_core"
-version = "0.14.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "109c1ca6e6b7f82cc233a97004ea8ed7ca123a9af07a8230878fcfda9b158bf0"
-dependencies = [
- "fnv",
- "ident_case",
- "proc-macro2",
- "quote",
- "strsim",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "darling_macro"
-version = "0.14.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4aab4dbc9f7611d8b55048a3a16d2d010c2c8334e46304b40ac1cc14bf3b48e"
-dependencies = [
- "darling_core",
- "quote",
- "syn 1.0.109",
-]
-
 [[package]]
 name = "data-encoding"
 version = "2.4.0"
@@ -941,37 +893,6 @@ dependencies = [
 "rusticata-macros",
 ]

-[[package]]
-name = "derive_builder"
-version = "0.11.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d07adf7be193b71cc36b193d0f5fe60b918a3a9db4dad0449f57bcfd519704a3"
-dependencies = [
- "derive_builder_macro",
-]
-
-[[package]]
-name = "derive_builder_core"
-version = "0.11.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f91d4cfa921f1c05904dc3c57b4a32c38aed3340cce209f3a6fd1478babafc4"
-dependencies = [
- "darling",
- "proc-macro2",
- "quote",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "derive_builder_macro"
-version = "0.11.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f0314b72bed045f3a68671b3c86328386762c93f82d98c65c3cb5e5f573dd68"
-dependencies = [
- "derive_builder_core",
- "syn 1.0.109",
-]
-
 [[package]]
 name = "derive_more"
 version = "0.99.17"
@@ -991,15 +912,6 @@ version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "524cbf6897b527295dff137cec09ecf3a05f4fddffd7dfcd1585403449e74198"

-[[package]]
-name = "digest"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
-dependencies = [
- "generic-array",
-]
-
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -1077,14 +989,14 @@ dependencies = [
 "base16ct",
 "crypto-bigint",
 "der",
- "digest 0.10.7",
+ "digest",
 "ff",
 "generic-array",
 "group",
 "hkdf",
 "pem-rfc7468",
 "pkcs8",
- "rand_core 0.6.4",
+ "rand_core",
 "sec1",
 "subtle",
 "zeroize",
@@ -1139,7 +1051,7 @@ version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d013fc25338cc558c5c2cfbad646908fb23591e2404481826742b651c9af7160"
 dependencies = [
- "rand_core 0.6.4",
+ "rand_core",
 "subtle",
 ]

@@ -1201,7 +1113,7 @@ dependencies = [
 "netlink-packet-route",
 "parking_lot",
 "pnet_packet",
- "rand_core 0.6.4",
+ "rand_core",
 "rtnetlink",
 "serde",
 "serde_json",
@@ -1337,17 +1249,6 @@ dependencies = [
 "version_check",
 ]

-[[package]]
-name = "getrandom"
-version = "0.1.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
-dependencies = [
- "cfg-if 1.0.0",
- "libc",
- "wasi 0.9.0+wasi-snapshot-preview1",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.2.10"
@@ -1388,7 +1289,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5dfbfb3a6cfbd390d5c9564ab283a0349b9b9fcd46a706c1eb10e0db70bfbac7"
 dependencies = [
 "ff",
- "rand_core 0.6.4",
+ "rand_core",
 "subtle",
 ]

@@ -1443,7 +1344,7 @@ version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
 dependencies = [
- "digest 0.10.7",
+ "digest",
 ]

 [[package]]
@@ -1541,12 +1442,6 @@ dependencies = [
 "cc 1.0.79 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

-[[package]]
-name = "ident_case"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
-
 [[package]]
 name = "idna"
 version = "0.4.0"
@@ -1578,8 +1473,7 @@ dependencies = [
 [[package]]
 name = "interceptor"
 version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c142385498b53584546abbfa50188b2677af8e4f879da1ee5d905cb7de5b97a"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "async-trait",
 "bytes",
@@ -1771,7 +1665,7 @@ dependencies = [
 "os_info",
 "parking_lot",
 "rand",
- "rand_core 0.6.4",
+ "rand_core",
 "rtnetlink",
 "serde",
 "serde_json",
@@ -1834,7 +1728,7 @@ version = "0.10.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6365506850d44bff6e2fbcb5176cf63650e48bd45ef2fe2665ae1570e0f4b9ca"
 dependencies = [
- "digest 0.10.7",
+ "digest",
 ]

 [[package]]
@@ -1851,9 +1745,9 @@ checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"

 [[package]]
 name = "memoffset"
-version = "0.6.5"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
+checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
 dependencies = [
 "autocfg",
 ]
@@ -1956,18 +1850,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "nix"
-version = "0.24.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa52e972a9a719cecb6864fb88568781eb706bac2cd1d4f04a648542dbf78069"
-dependencies = [
- "bitflags 1.3.2",
- "cfg-if 1.0.0",
- "libc",
- "memoffset",
-]
-
 [[package]]
 name = "nix"
 version = "0.25.1"
@@ -1989,6 +1871,8 @@ dependencies = [
 "bitflags 1.3.2",
 "cfg-if 1.0.0",
 "libc",
+ "memoffset",
+ "pin-utils",
 "static_assertions",
 ]

@@ -2207,7 +2091,7 @@ version = "0.1.0"
 dependencies = [
 "base64 0.21.2",
 "futures",
- "rand_core 0.6.4",
+ "rand_core",
 "serde",
 "serde_json",
 "thiserror",
@@ -2411,7 +2295,7 @@ checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
 "libc",
 "rand_chacha",
- "rand_core 0.6.4",
+ "rand_core",
 ]

 [[package]]
@@ -2421,16 +2305,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
 dependencies = [
 "ppv-lite86",
- "rand_core 0.6.4",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
-dependencies = [
- "getrandom 0.1.16",
+ "rand_core",
 ]

 [[package]]
@@ -2439,7 +2314,7 @@ version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
 dependencies = [
- "getrandom 0.2.10",
+ "getrandom",
 ]

 [[package]]
@@ -2448,7 +2323,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f"
 dependencies = [
- "rand_core 0.6.4",
+ "rand_core",
 ]

 [[package]]
@@ -2589,8 +2464,7 @@ dependencies = [
 [[package]]
 name = "rtcp"
 version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6423493804221c276d27f3cc383cd5cbe1a1f10f210909fd4951b579b01293cd"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "bytes",
 "thiserror",
@@ -2618,8 +2492,7 @@ dependencies = [
 [[package]]
 name = "rtp"
 version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b728adb99b88d932f2f0622b540bf7ccb196f81e9823b5b0eeb166526c88138c"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "bytes",
 "rand",
@@ -2806,8 +2679,7 @@ dependencies = [
 [[package]]
 name = "sdp"
 version = "0.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d22a5ef407871893fd72b4562ee15e4742269b173959db4b8df6f538c414e13"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "rand",
 "substring",
@@ -2903,7 +2775,7 @@ checksum = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3"
 dependencies = [
 "cfg-if 1.0.0",
 "cpufeatures",
- "digest 0.10.7",
+ "digest",
 ]

 [[package]]
@@ -2914,7 +2786,7 @@ checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8"
 dependencies = [
 "cfg-if 1.0.0",
 "cpufeatures",
- "digest 0.10.7",
+ "digest",
 ]

 [[package]]
@@ -2941,8 +2813,8 @@ version = "1.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "74233d3b3b2f6d4b006dc19dee745e73e2a6bfb6f93607cd3b02bd5b00797d7c"
 dependencies = [
- "digest 0.10.7",
- "rand_core 0.6.4",
+ "digest",
+ "rand_core",
 ]

 [[package]]
@@ -3043,10 +2915,9 @@ dependencies = [
 [[package]]
 name = "stun"
 version = "0.4.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7e94b1ec00bad60e6410e058b52f1c66de3dc5fe4d62d09b3e52bb7d3b73e25"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
- "base64 0.13.1",
+ "base64 0.21.2",
 "crc",
 "lazy_static",
 "md-5",
@@ -3538,11 +3409,10 @@ dependencies = [
 [[package]]
 name = "turn"
 version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4712ee30d123ec7ae26d1e1b218395a16c87cdbaf4b3925d170d684af62ea5e8"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "async-trait",
- "base64 0.13.1",
+ "base64 0.21.2",
 "futures",
 "log",
 "md-5",
@@ -3644,7 +3514,7 @@ version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "79daa5ed5740825c40b389c5e50312b9c86df53fccd33f281df655642b43869d"
 dependencies = [
- "getrandom 0.2.10",
+ "getrandom",
 "serde",
 ]

@@ -3698,12 +3568,6 @@ dependencies = [
 "try-lock",
 ]

-[[package]]
-name = "wasi"
-version = "0.9.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
-
 [[package]]
 name = "wasi"
 version = "0.10.0+wasi-snapshot-preview1"
@@ -3803,8 +3667,7 @@ dependencies = [
 [[package]]
 name = "webrtc"
 version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f60dde9fd592872bc371b3842e4616bc4c6984242e3cd2a7d7cb771db278601b"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "arc-swap",
 "async-trait",
@@ -3846,11 +3709,9 @@ dependencies = [
 [[package]]
 name = "webrtc-data"
 version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c3c7ba7d11733e448d8d2d054814e97c558f52293f0e0a2eb05840f28b3be12"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "bytes",
- "derive_builder",
 "log",
 "thiserror",
 "tokio",
@@ -3861,8 +3722,7 @@ dependencies = [
 [[package]]
 name = "webrtc-dtls"
 version = "0.7.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4a00f4242f2db33307347bd5be53263c52a0331c96c14292118c9a6bb48d267"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "aes 0.6.0",
 "aes-gcm",
@@ -3871,16 +3731,14 @@ dependencies = [
 "block-modes",
 "byteorder",
 "ccm",
- "curve25519-dalek 3.2.0",
 "der-parser 8.2.0",
- "elliptic-curve",
 "hkdf",
 "hmac",
 "log",
 "p256",
 "p384",
 "rand",
- "rand_core 0.6.4",
+ "rand_core",
 "rcgen",
 "ring",
 "rustls 0.19.1",
@@ -3888,7 +3746,6 @@ dependencies = [
 "serde",
 "sha1 0.10.5",
 "sha2",
- "signature",
 "subtle",
 "thiserror",
 "tokio",
@@ -3901,8 +3758,7 @@ dependencies = [
 [[package]]
 name = "webrtc-ice"
 version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "465a03cc11e9a7d7b4f9f99870558fe37a102b65b93f8045392fef7c67b39e80"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "arc-swap",
 "async-trait",
@@ -3925,8 +3781,7 @@ dependencies = [
 [[package]]
 name = "webrtc-mdns"
 version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f08dfd7a6e3987e255c4dbe710dde5d94d0f0574f8a21afa95d171376c143106"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "log",
 "socket2 0.4.9",
@@ -3938,8 +3793,7 @@ dependencies = [
 [[package]]
 name = "webrtc-media"
 version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd8e3711a321f6a375973144f48065cf705316ab6709672954aace020c668eb6"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "byteorder",
 "bytes",
@@ -3951,8 +3805,7 @@ dependencies = [
 [[package]]
 name = "webrtc-sctp"
 version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7df742d91cfbd982f6ab2bfd45a7c3ddfce5b2f55913b2f63877404d1b3259db"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "arc-swap",
 "async-trait",
@@ -3968,8 +3821,7 @@ dependencies = [
 [[package]]
 name = "webrtc-srtp"
 version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5683b597b3c6af47ff11e695697f881bc42acfd8feeb0d4eb20a5ae9caaee6ae"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "aead 0.4.3",
 "aes 0.7.5",
@@ -3991,8 +3843,7 @@ dependencies = [
 [[package]]
 name = "webrtc-util"
 version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93f1db1727772c05cf7a2cfece52c3aca8045ca1e176cd517d323489aa3c6d87"
+source = "git+https://github.com/firezone/webrtc?rev=85bf9c8#85bf9c80028af2a6a0970c44d2fbab8c97aaf85d"
 dependencies = [
 "async-trait",
 "bitflags 1.3.2",
@@ -4002,7 +3853,7 @@ dependencies = [
 "lazy_static",
 "libc",
 "log",
- "nix 0.24.3",
+ "nix 0.26.2",
 "rand",
 "thiserror",
 "tokio",
@@ -4208,8 +4059,8 @@ version = "2.0.0-rc.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec7fae07da688e17059d5886712c933bb0520f15eff2e09cfa18e30968f4e63a"
 dependencies = [
- "curve25519-dalek 4.0.0-rc.3",
- "rand_core 0.6.4",
+ "curve25519-dalek",
+ "rand_core",
 "serde",
 "zeroize",
 ]
--- a/rust/Cargo.toml
+++ b/rust/Cargo.toml
@@ -21,3 +21,4 @@ swift-bridge = "0.1.52"
 # (the `patch` section can't be used for build deps...)
 [patch.crates-io]
 ring = { git = "https://github.com/firezone/ring", branch = "v0.16.20-cc-fix" }
+webrtc = { git = "https://github.com/firezone/webrtc", rev = "85bf9c8" }
--- a/rust/connlib/libs/tunnel/src/ip_packet.rs
+++ b/rust/connlib/libs/tunnel/src/ip_packet.rs
@@ -2,6 +2,7 @@ use std::net::IpAddr;

 use domain::base::message::Message;
 use pnet_packet::{
+    icmpv6::{self, MutableIcmpv6Packet},
    ip::{IpNextHeaderProtocol, IpNextHeaderProtocols},
    ipv4::{checksum, Ipv4Packet, MutableIpv4Packet},
    ipv6::{Ipv6Packet, MutableIpv6Packet},
@@ -56,6 +57,24 @@ impl<'a> MutableIpPacket<'a> {
            .flatten()
    }

+    pub fn set_icmpv6_checksum(&mut self) {
+        let (src_addr, dst_addr) = match self {
+            MutableIpPacket::MutableIpv4Packet(_) => return,
+            MutableIpPacket::MutableIpv6Packet(p) => (p.get_source(), p.get_destination()),
+        };
+        if let Some(mut pkt) = self.as_icmpv6() {
+            let checksum = icmpv6::checksum(&pkt.to_immutable(), &src_addr, &dst_addr);
+            pkt.set_checksum(checksum);
+        }
+    }
+
+    fn as_icmpv6(&mut self) -> Option<MutableIcmpv6Packet> {
+        self.to_immutable()
+            .is_icmpv6()
+            .then(|| MutableIcmpv6Packet::new(self.payload_mut()))
+            .flatten()
+    }
+
    pub(crate) fn as_immutable_udp(&self) -> Option<UdpPacket> {
        self.to_immutable()
            .is_udp()
@@ -118,6 +137,10 @@ impl<'a> IpPacket<'a> {
        }
    }

+    pub(crate) fn is_icmpv6(&self) -> bool {
+        self.next_header() == IpNextHeaderProtocols::Icmpv6
+    }
+
    pub(crate) fn next_header(&self) -> IpNextHeaderProtocol {
        match self {
            Self::Ipv4Packet(p) => p.get_next_level_protocol(),
--- a/rust/connlib/libs/tunnel/src/lib.rs
+++ b/rust/connlib/libs/tunnel/src/lib.rs
@@ -540,6 +540,7 @@ where
                                }

                                packet.set_checksum();
+                                packet.set_icmpv6_checksum();
                            }
                            (
                                peer.tunnel.lock().encapsulate(&src[..res], &mut dst[..]),
--- a/rust/connlib/libs/tunnel/src/resource_sender.rs
+++ b/rust/connlib/libs/tunnel/src/resource_sender.rs
@@ -3,11 +3,10 @@ use std::{
    sync::Arc,
 };

+use crate::{ip_packet::MutableIpPacket, peer::Peer, ControlSignal, Tunnel};
 use boringtun::noise::Tunn;
 use libs_common::{messages::ResourceDescription, Callbacks, Error};

-use crate::{ip_packet::MutableIpPacket, peer::Peer, ControlSignal, Tunnel};
-
 impl<C, CB> Tunnel<C, CB>
 where
    C: ControlSignal + Send + Sync + 'static,
@@ -21,12 +20,15 @@ where
        let Some(mut pkt) = MutableIpPacket::new(packet) else { return };
        pkt.set_dst(dst_addr);
        pkt.set_checksum();
+        pkt.set_icmpv6_checksum();

        match dst_addr {
-            IpAddr::V4(_) => {
+            IpAddr::V4(addr) => {
+                tracing::trace!("Sending to packet to {addr}");
                self.write4_device_infallible(packet).await;
            }
-            IpAddr::V6(_) => {
+            IpAddr::V6(addr) => {
+                tracing::trace!("Sending to packet to {addr}");
                self.write6_device_infallible(packet).await;
            }
        }
@@ -38,7 +40,7 @@ where
                // If there's no associated resource it means that we are in a client, then the packet comes from a gateway
                // and we just trust gateways.
                // In gateways this should never happen.
-                tracing::trace!("Writing to interface");
+                tracing::trace!("Writing to interface with addr: {addr}");
                match addr {
                    IpAddr::V4(_) => self.write4_device_infallible(packet).await,
                    IpAddr::V6(_) => self.write6_device_infallible(packet).await,
--- a/rust/connlib/libs/tunnel/src/tun_linux.rs
+++ b/rust/connlib/libs/tunnel/src/tun_linux.rs
@@ -5,7 +5,7 @@ use libc::{
    IFF_MULTI_QUEUE, IFF_NO_PI, IFF_TUN, IFNAMSIZ, O_NONBLOCK, O_RDWR,
 };
 use libs_common::{Callbacks, Error, Result};
-use netlink_packet_route::rtnl::link::nlas::Nla;
+use netlink_packet_route::{rtnl::link::nlas::Nla, RT_SCOPE_UNIVERSE};
 use rtnetlink::{new_connection, Handle};
 use std::{
    ffi::{c_int, c_short, c_uchar},
@@ -21,8 +21,7 @@ pub(crate) struct IfaceConfig(pub(crate) Arc<IfaceDevice>);

 const TUNSETIFF: u64 = 0x4004_54ca;
 const TUN_FILE: &[u8] = b"/dev/net/tun\0";
-const RT_SCOPE_LINK: u8 = 253;
-const RT_PROT_UNSPEC: u8 = 0;
+const RT_PROT_STATIC: u8 = 4;

 #[repr(C)]
 union IfrIfru {
@@ -188,19 +187,17 @@ impl IfaceConfig {
            .route()
            .add()
            .output_interface(self.0.interface_index)
-            .protocol(RT_PROT_UNSPEC)
-            .scope(RT_SCOPE_LINK);
+            .protocol(RT_PROT_STATIC)
+            .scope(RT_SCOPE_UNIVERSE);
        match route {
            IpNetwork::V4(ipnet) => {
                req.v4()
-                    .source_prefix(ipnet.network_address(), ipnet.netmask())
                    .destination_prefix(ipnet.network_address(), ipnet.netmask())
                    .execute()
                    .await?
            }
            IpNetwork::V6(ipnet) => {
                req.v6()
-                    .source_prefix(ipnet.network_address(), ipnet.netmask())
                    .destination_prefix(ipnet.network_address(), ipnet.netmask())
                    .execute()
                    .await?
--- a/rust/docker-init.sh
+++ b/rust/docker-init.sh
@@ -4,4 +4,7 @@ if [ $ENABLE_MASQUERADE = "1" ]; then
  iptables -A FORWARD -i $IFACE -j ACCEPT
  iptables -A FORWARD -o $IFACE -j ACCEPT
  iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+  ip6tables -A FORWARD -i $IFACE -j ACCEPT
+  ip6tables -A FORWARD -o $IFACE -j ACCEPT
+  ip6tables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
 fi