🐛 ICMPv6 proxy selects loopback ::1 instead of interface GUA on IPv6-only host #1626
Description
Describe the bug
On an IPv6-only Linux host, the ICMP proxy always selects ::1 in zone lo as the IPv6 source address, ignoring the global unicast addresses on the network interface ens18. This makes ICMPv6 proxying non-functional for private network routing via WARP. TCP and UDP proxying work fine.
To Reproduce
Steps to reproduce the behavior:
- Configure an IPv6-only Linux host (no IPv4 on the interface, GUA assigned via SLAAC or static)
- Run
cloudflared tunnel runwithwarp-routing: enabled: true - Check logs:
journalctl -u cloudflared | grep ICMP - ICMP proxy binds to
::1instead of the interface GUA
If it's an issue with Cloudflare Tunnel:
4. Tunnel ID : 5f000cd6-96fa-41f4-86b2-c693002d572a
5. cloudflared config:
tunnel: 5f000cd6-96fa-41f4-86b2-c693002d572a
credentials-file: /root/.cloudflared/5f000cd6-96fa-41f4-86b2-c693002d572a.json
edge-ip-version: "6"
warp-routing:
enabled: true
Expected behavior
The ICMP proxy should select a GUA on ens18 as the IPv6 source.
Environment and versions
- OS: Debian 13 (Trixie)
- Architecture: AMD64
- Version: 2026.3.0
Logs and errors
INF ICMP proxy will use 0.0.0.0 as source for IPv4
INF ICMP proxy will use ::1 in zone lo as source for IPv6
Interface has a GUA available:
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet6 2a06:d1c1:80::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr proto kernel_ra
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link proto kernel_ll
Additional context
Adding a static GUA (/64, scope global) to ens18 did not change the behavior either. The host has no IPv4 addresses on any interface other than loopback, which may be why the detection logic falls through to ::1.