From ea9fab4396fc5513f7c62e3465dd361dc8bb9e91 Mon Sep 17 00:00:00 2001
From: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Date: Thu, 14 May 2026 23:05:33 +0900
Subject: [PATCH] [management] Allocate and preserve IPv6 overlay addresses for
 embedded proxy peers (#6132)

---
 management/server/account.go                | 12 +++++++++
 management/server/peer.go                   | 17 +++++++-----
 management/server/types/account.go          | 30 ++++++++++-----------
 management/server/types/group.go            |  5 +++-
 management/server/types/ipv6_groups_test.go | 30 +++++++++++++++++++++
 5 files changed, 70 insertions(+), 24 deletions(-)

diff --git a/management/server/account.go b/management/server/account.go
index 364c0c37b..77a46a069 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -2487,6 +2487,18 @@ func (am *DefaultAccountManager) buildIPv6AllowedPeers(ctx context.Context, tran
 			allowedPeers[peerID] = struct{}{}
 		}
 	}
+
+	// Embedded proxy peers sit outside regular group membership but must
+	// participate in any v6-enabled overlay to reach v6-only peers.
+	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
+	if err != nil {
+		return nil, fmt.Errorf("get peers: %w", err)
+	}
+	for _, p := range peers {
+		if p.ProxyMeta.Embedded {
+			allowedPeers[p.ID] = struct{}{}
+		}
+	}
 	return allowedPeers, nil
 }
 
diff --git a/management/server/peer.go b/management/server/peer.go
index 8a39fbbb8..c3b130ba2 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -762,16 +762,19 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		newPeer.IP = freeIP
 
 		if len(settings.IPv6EnabledGroups) > 0 && network.NetV6.IP != nil {
-			var allGroupID string
-			if !peer.ProxyMeta.Embedded {
-				allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, "All")
-				if err != nil {
-					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
-				} else {
+			// Embedded proxy peers are not group members but participate in any
+			// IPv6-enabled overlay so reverse-proxy traffic reaches v6-only peers.
+			allocate := peer.ProxyMeta.Embedded
+			if !allocate {
+				var allGroupID string
+				if allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, types.GroupAllName); err == nil {
 					allGroupID = allGroup.ID
+				} else {
+					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
 				}
+				allocate = peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID)
 			}
-			if peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID) {
+			if allocate {
 				v6Prefix, err := netip.ParsePrefix(network.NetV6.String())
 				if err != nil {
 					return nil, nil, nil, fmt.Errorf("parse IPv6 prefix: %w", err)
diff --git a/management/server/types/account.go b/management/server/types/account.go
index 49600163a..870333a60 100644
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -598,28 +598,21 @@ func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	return groupList
 }
 
-// PeerIPv6Allowed reports whether the given peer is in any of the account's IPv6 enabled groups.
+// PeerIPv6Allowed reports whether the given peer participates in the IPv6 overlay.
 // Returns false if IPv6 is disabled or no groups are configured.
 func (a *Account) PeerIPv6Allowed(peerID string) bool {
-	if len(a.Settings.IPv6EnabledGroups) == 0 {
-		return false
-	}
-
-	for _, groupID := range a.Settings.IPv6EnabledGroups {
-		group, ok := a.Groups[groupID]
-		if !ok {
-			continue
-		}
-		if slices.Contains(group.Peers, peerID) {
-			return true
-		}
-	}
-	return false
+	_, ok := a.peerIPv6AllowedSet()[peerID]
+	return ok
 }
 
-// peerIPv6AllowedSet returns a set of peer IDs that belong to any IPv6-enabled group.
+// peerIPv6AllowedSet returns the set of peer IDs that participate in the IPv6 overlay:
+// members of any IPv6-enabled group, plus every embedded proxy peer (which sit outside
+// regular group membership but must reach v6-enabled peers).
 func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 	result := make(map[string]struct{})
+	if len(a.Settings.IPv6EnabledGroups) == 0 {
+		return result
+	}
 	for _, groupID := range a.Settings.IPv6EnabledGroups {
 		group, ok := a.Groups[groupID]
 		if !ok {
@@ -629,6 +622,11 @@ func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 			result[peerID] = struct{}{}
 		}
 	}
+	for id, p := range a.Peers {
+		if p != nil && p.ProxyMeta.Embedded {
+			result[id] = struct{}{}
+		}
+	}
 	return result
 }
 
diff --git a/management/server/types/group.go b/management/server/types/group.go
index 00fdf7a69..b4f50080a 100644
--- a/management/server/types/group.go
+++ b/management/server/types/group.go
@@ -92,9 +92,12 @@ func (g *Group) HasPeers() bool {
 	return len(g.Peers) > 0
 }
 
+// GroupAllName is the reserved name of the default group that contains every peer in an account.
+const GroupAllName = "All"
+
 // IsGroupAll checks if the group is a default "All" group.
 func (g *Group) IsGroupAll() bool {
-	return g.Name == "All"
+	return g.Name == GroupAllName
 }
 
 // AddPeer adds peerID to Peers if not present, returning true if added.
diff --git a/management/server/types/ipv6_groups_test.go b/management/server/types/ipv6_groups_test.go
index 5151e1b1f..766a9c92c 100644
--- a/management/server/types/ipv6_groups_test.go
+++ b/management/server/types/ipv6_groups_test.go
@@ -232,3 +232,33 @@ func TestIPv6RecalculationOnGroupChange(t *testing.T) {
 		assert.True(t, account.PeerIPv6Allowed("peer3"), "peer3 now in infra")
 	})
 }
+
+func TestPeerIPv6AllowedEmbeddedProxy(t *testing.T) {
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peer1": {ID: "peer1"},
+			"proxy": {ID: "proxy", ProxyMeta: nbpeer.ProxyMeta{Embedded: true, Cluster: "netbird.test"}},
+		},
+		Groups: map[string]*Group{
+			"group-devs": {ID: "group-devs", Peers: []string{"peer1"}},
+		},
+		Settings: &Settings{},
+	}
+
+	t.Run("embedded proxy allowed when any v6 group exists, without group membership", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		assert.True(t, account.PeerIPv6Allowed("proxy"), "embedded proxy participates in v6 overlay")
+		assert.True(t, account.PeerIPv6Allowed("peer1"), "regular peer in enabled group still allowed")
+	})
+
+	t.Run("embedded proxy denied when no v6 group enabled", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = nil
+		assert.False(t, account.PeerIPv6Allowed("proxy"), "v6 disabled account-wide denies embedded proxies too")
+	})
+
+	t.Run("non-embedded peer outside any enabled group is not pulled in", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		account.Peers["lonely"] = &nbpeer.Peer{ID: "lonely"}
+		assert.False(t, account.PeerIPv6Allowed("lonely"), "embedded-proxy bypass must not leak to regular peers")
+	})
+}