116 changes: 64 additions & 52 deletions scripts/nym-node-setup/network-tunnel-manager.sh
Expand Up @@ -89,10 +89,12 @@ WG_INTERFACE="${WG_INTERFACE:-nymwg}"

# Function to detect and validate uplink interface
detect_uplink_interface() {
local cmd="$1"
local host="$2"
local ip
local dev

dev="$(eval "$cmd" 2>/dev/null | awk '{print $5}' | head -n1 || true)"
ip="$(getent ahosts${1//-/v} "$host" 2>/dev/null | awk '$2=="STREAM" {print $1}' | head -n1 || true)"
dev="$(ip $1 route get "$ip" 2>/dev/null | awk '{print $5}' | head -n1 || true)"

if [[ -n "$dev" && "$dev" =~ ^[a-zA-Z0-9._-]+$ ]]; then
echo "$dev"
Expand All @@ -102,15 +104,20 @@ detect_uplink_interface() {
}

# uplink device detection, can be overridden
NETWORK_DEVICE="${NETWORK_DEVICE:-}"
if [[ -z "$NETWORK_DEVICE" ]]; then
NETWORK_DEVICE="$(detect_uplink_interface "ip -o route show default")"
NET4_DEVICE="${NET4_DEVICE:-}"
if [[ -z "$NET4_DEVICE" ]]; then
NET4_DEVICE="$(detect_uplink_interface -4 "ifconfig.co")"
fi
if [[ -z "$NETWORK_DEVICE" ]]; then
NETWORK_DEVICE="$(detect_uplink_interface "ip -o route show default table all")"
if [[ -z "$NET4_DEVICE" ]]; then
error "cannot determine ipv4 uplink interface. set NET4_DEVICE or UPLINK_DEV"
exit 1
fi
NET6_DEVICE="${NET6_DEVICE:-}"
if [[ -z "$NET6_DEVICE" ]]; then
NET6_DEVICE="$(detect_uplink_interface -6 "ifconfig.co")"
fi
if [[ -z "$NETWORK_DEVICE" ]]; then
error "cannot determine uplink interface. set NETWORK_DEVICE or UPLINK_DEV"
if [[ -z "$NET6_DEVICE" ]]; then
error "cannot determine ipv6 uplink interface. set NET6_DEVICE or UPLINK_DEV"
exit 1
fi

Expand Down Expand Up @@ -194,11 +201,11 @@ fetch_ipv6_address() {

fetch_and_display_ipv6() {
local ipv6_address
ipv6_address=$(ip -6 addr show "$NETWORK_DEVICE" scope global | awk '/inet6/ {print $2}')
ipv6_address=$(ip -6 addr show "$NET6_DEVICE" scope global | awk '/inet6/ {print $2}')
if [[ -z "$ipv6_address" ]]; then
error "no global ipv6 address found on $NETWORK_DEVICE"
error "no global ipv6 address found on $NET6_DEVICE"
else
ok "ipv6 address on $NETWORK_DEVICE: $ipv6_address"
ok "ipv6 address on $NET6_DEVICE: $ipv6_address"
fi
}

Expand Down Expand Up @@ -343,28 +350,29 @@ remove_duplicate_rules() {

apply_iptables_rules() {
local interface=$1
info "applying iptables rules for $interface using uplink $NETWORK_DEVICE"
info "applying iptables rules for $interface using uplink $NET4_DEVICE"
info "applying ip6tables rules for $interface using uplink $NET6_DEVICE"
sleep 1

# ipv4 nat and forwarding
iptables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE
iptables -t nat -C POSTROUTING -o "$NET4_DEVICE" -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -o "$NET4_DEVICE" -j MASQUERADE

iptables -C FORWARD -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null || \
iptables -I FORWARD 1 -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT
iptables -C FORWARD -i "$interface" -o "$NET4_DEVICE" -j ACCEPT 2>/dev/null || \
iptables -I FORWARD 1 -i "$interface" -o "$NET4_DEVICE" -j ACCEPT

iptables -C FORWARD -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
iptables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -C FORWARD -i "$NET4_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
iptables -I FORWARD 2 -i "$NET4_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT

# ipv6 nat and forwarding
ip6tables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null || \
ip6tables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE
ip6tables -t nat -C POSTROUTING -o "$NET6_DEVICE" -j MASQUERADE 2>/dev/null || \
ip6tables -t nat -A POSTROUTING -o "$NET6_DEVICE" -j MASQUERADE

ip6tables -C FORWARD -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null || \
ip6tables -I FORWARD 1 -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT
ip6tables -C FORWARD -i "$interface" -o "$NET6_DEVICE" -j ACCEPT 2>/dev/null || \
ip6tables -I FORWARD 1 -i "$interface" -o "$NET6_DEVICE" -j ACCEPT

ip6tables -C FORWARD -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
ip6tables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -C FORWARD -i "$NET6_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
ip6tables -I FORWARD 2 -i "$NET6_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT

save_iptables_rules
}
Expand Down Expand Up @@ -539,37 +547,38 @@ create_nym_chain() {
ip6tables -N "$NYM_CHAIN"
fi

if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j "$NYM_CHAIN"
fi

if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j "$NYM_CHAIN"
fi
}

setup_nat_rules() {
info "setting up nat and forwarding rules for $WG_INTERFACE via $NETWORK_DEVICE"
info "setting up ipv4 nat and forwarding rules for $WG_INTERFACE via $NET4_DEVICE"
info "setting up ipv6 nat and forwarding rules for $WG_INTERFACE via $NET6_DEVICE"

if ! iptables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null; then
iptables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE
if ! iptables -t nat -C POSTROUTING -o "$NET4_DEVICE" -j MASQUERADE 2>/dev/null; then
iptables -t nat -A POSTROUTING -o "$NET4_DEVICE" -j MASQUERADE
fi
if ! ip6tables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null; then
ip6tables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE
if ! ip6tables -t nat -C POSTROUTING -o "$NET6_DEVICE" -j MASQUERADE 2>/dev/null; then
ip6tables -t nat -A POSTROUTING -o "$NET6_DEVICE" -j MASQUERADE
fi

if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT
if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j ACCEPT 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j ACCEPT
fi
if ! iptables -C FORWARD -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then
iptables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
if ! iptables -C FORWARD -i "$NET4_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then
iptables -I FORWARD 2 -i "$NET4_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
fi

if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT
if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j ACCEPT 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j ACCEPT
fi
if ! ip6tables -C FORWARD -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then
ip6tables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
if ! ip6tables -C FORWARD -i "$NET6_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then
ip6tables -I FORWARD 2 -i "$NET6_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
}

Expand Down Expand Up @@ -772,16 +781,17 @@ clear_exit_policy_rules() {
iptables -F "$NYM_CHAIN" 2>/dev/null || true
ip6tables -F "$NYM_CHAIN" 2>/dev/null || true

iptables -D FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true
ip6tables -D FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true
iptables -D FORWARD -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true
ip6tables -D FORWARD -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true

iptables -X "$NYM_CHAIN" 2>/dev/null || true
ip6tables -X "$NYM_CHAIN" 2>/dev/null || true
}

show_exit_policy_status() {
info "nym exit policy status"
info "network device: $NETWORK_DEVICE"
info "ipv4 network device: $NET4_DEVICE"
info "ipv6 network device: $NET6_DEVICE"
info "wireguard interface: $WG_INTERFACE"
echo

Expand Down Expand Up @@ -1063,15 +1073,15 @@ test_forward_chain_hook() {

local failures=0

if iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ok "ipv4 forward hook ok: -i $WG_INTERFACE -o $NETWORK_DEVICE -> $NYM_CHAIN"
if iptables -C FORWARD -i "$WG_INTERFACE" -o "$NET4_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ok "ipv4 forward hook ok: -i $WG_INTERFACE -o $NET4_DEVICE -> $NYM_CHAIN"
else
error "ipv4 forward hook missing or wrong"
((failures++))
fi

if ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ok "ipv6 forward hook ok: -i $WG_INTERFACE -o $NETWORK_DEVICE -> $NYM_CHAIN"
if ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NET6_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ok "ipv6 forward hook ok: -i $WG_INTERFACE -o $NET6_DEVICE -> $NYM_CHAIN"
else
error "ipv6 forward hook missing or wrong"
((failures++))
Expand Down Expand Up @@ -1167,7 +1177,8 @@ nym_tunnel_setup() {
}

exit_policy_install() {
info "installing nym wireguard exit policy for ${WG_INTERFACE} via ${NETWORK_DEVICE}"
info "installing nym wireguard ipv4 exit policy for ${WG_INTERFACE} via ${NET4_DEVICE}"
info "installing nym wireguard ipv6 exit policy for ${WG_INTERFACE} via ${NET6_DEVICE}"
exit_policy_install_deps
adjust_ip_forwarding
create_nym_chain
Expand Down Expand Up @@ -1309,7 +1320,7 @@ tunnel and nat helpers:
check_nym_wg_tun Inspect forward chain for ${WG_INTERFACE}
check_nymtun_iptables Inspect forward chain for ${TUNNEL_INTERFACE}
configure_dns_and_icmp_wg Allow ping and dns ports on this host
fetch_and_display_ipv6 Show ipv6 on uplink ${NETWORK_DEVICE}
fetch_and_display_ipv6 Show ipv6 on uplink ${NET6_DEVICE}
fetch_ipv6_address_nym_tun Show global ipv6 address on ${TUNNEL_INTERFACE}
joke_through_the_mixnet Test via ${TUNNEL_INTERFACE} with joke
joke_through_wg_tunnel Test via ${WG_INTERFACE} with joke
Expand All @@ -1326,7 +1337,8 @@ exit policy manager:
Run verification tests on exit policy (options: --skip-default-reject).

environment overrides:
NETWORK_DEVICE Auto-detected uplink (e.g., eth0). Set manually if detection fails.
NET4_DEVICE Auto-detected ipv4 uplink (e.g., eth0). Set manually if detection fails.
NET6_DEVICE Auto-detected ipv6 uplink (e.g., eth0). Set manually if detection fails.
TUNNEL_INTERFACE Default: nymtun0. Requires root privileges (sudo) to manage.
WG_INTERFACE Default: nymwg - Must match your WireGuard interface name.

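Review bot: The uplink detection in detect_uplink_interface picks the device by fixed field position, `awk '{print $5}'`, but `ip route get` output is not fixed-width: `ip -6 route get` commonly prints `ADDR from :: via GW dev IF ...`, so `$5` is the gateway rather than the interface (and on an on-link route with no `via`, `$5` is the source address). A colon-containing gateway then fails the `^[a-zA-Z0-9._-]+$` check and the script exits with `cannot determine ipv6 uplink interface` on hosts where detection should have succeeded; keying on the `dev` token handles both layouts, e.g. `awk '{for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }}'`. Separately, the chosen uplink — and therefore where the MASQUERADE and FORWARD rules land — now depends on resolving the third-party name `ifconfig.co`, so an unavailable or tampered DNS answer changes firewall placement at setup time; consider keeping the previous local `ip -o route show default` lookup as a fallback before erroring, and stating in the function's header comment that detection requires working DNS. The function's else branch lies outside this hunk.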