Suport for IPv6 #1394
Replies: 42 comments 2 replies
-
We don't have that yet, but that's a really good question. For now: do the install, and then afterwards edit the config files as described in https://community.openvpn.net/openvpn/wiki/IPv6 @0-kaladin: this is something we will need to do |
Beta Was this translation helpful? Give feedback.
-
Change |
Beta Was this translation helpful? Give feedback.
-
@nellsavedra if you think this is mandatory, just make a pull request yourself! sorry if I am being quite rude, but there's no such thing as mandatory and priority around here. so if you think this is URGENT, well do it and make a pull request, otherwise, you will have to wait until we have time for that! I am sorry. |
Beta Was this translation helpful? Give feedback.
-
You only have to change one line in server.conf! If i find some time i create a pull request ... one little pull request is done ... that fixed the stats ... |
Beta Was this translation helpful? Give feedback.
-
Considering: #619 Shall we disable IPv6 until we support setup for it? |
Beta Was this translation helpful? Give feedback.
-
i actually just disabled ipv6 on my windows machine and everything works as it should. I know this isn't the preferred option but it works for me. My ISP is Comcast and the router hands out ipv6 by default but it will do ipv4 as a fallback. |
Beta Was this translation helpful? Give feedback.
-
That's the only doubt I have .. if disabling IPv6 on the server side will be enough to fix the issue ... but I expect that the client will eventually fall back to IPv6 if its enable on clientside thus bypassing the VPN and leaking the IPv6 |
Beta Was this translation helpful? Give feedback.
-
I honestly think it client depended as my Asus router && Android phone do not have this issue and neither leak ipv6 DNS to my knowledge. I have tested with all sorts dns leak testing sites. And seen 0 positive results in that area. |
Beta Was this translation helpful? Give feedback.
-
It's possible to enable ipv6 networking over VPN, correct? If that's the case then it wouldn't fallback as long as blocking outside dns still happened? Im not completely sure the commands to setup and test a dual stack config are or I would test them |
Beta Was this translation helpful? Give feedback.
-
Not 100% sure how OpenVPN handles it, but in WireGuard, if one does not enable IPv6 forwarding on the server, there are two possible issues if the client supports IPv6:
As said not sure how this is/can be handled with OpenVPN. If there is a way to force IPv6 to IPv4 fallback silently without any hang, then this is probably the easiest solution for now. Of course all this applies for DNS requests as well. |
Beta Was this translation helpful? Give feedback.
-
Is this explanation valid for openvpn or wireguard? If it is for openvpn, can you describe what I have to do in wireguard to enable the IPv6 support? Reason: I read that some hotels provide only IPv6 WLAN, then I assume the current configuration will not work? |
Beta Was this translation helpful? Give feedback.
-
This is for OpenVPN, although don't ask me about the details 😉. For WireGuard:
|
Beta Was this translation helpful? Give feedback.
-
Thanks for your fast answer!
Ok I have tired this on my raspberry pi, result: This 4 lines has to be added to iptables (this is installed on raspbian) and modified according to my eth0 interface?:
As far as I understand this was already added by pivpn during setup, I can see this in my client configuration details:
|
Beta Was this translation helpful? Give feedback.
-
The 4 lines have to be added to your WireGuard server config
Ah yes, I should have checked what PiVPN actually adds 😄. |
Beta Was this translation helpful? Give feedback.
-
@MichaIng Thanks again for your fast answer, fantastic support!
My RPi is connected with a ethernet cable and is using just ethernet connection, so I left |
Beta Was this translation helpful? Give feedback.
-
@btb23 thanks for sharing your solution. I have now found the time to try that on my pi. In my first trails I had no success.
Questions regarding your solution:
|
Beta Was this translation helpful? Give feedback.
-
is there any plans to add listening on IPv6 as a non-default? |
Beta Was this translation helpful? Give feedback.
-
I'm a (potential) user of PIVPN with Wireguard from germany. So far, I had no luck getting it to work, though. My ISP uses DS-Lite, so I can't connect via IPv4 without jumping through some hoops. This seems to be standard practice now, at least in germany. Realistically, this leaves only IPv6 for many if not most. Luckily, my mobile network provider already provides IPv6. This is not as common yet, but probably will be in the near future. Even so, using the aforementioned changes to the config files and the system, I was not able to get any form of connection to the VPN. I'll probably follow a tutorial to install Wireguard by hand now, instead of trying to change the pre-configured config files. This will most likely be educational, but I love PIVPNs goal of making the setup and management of VPNs more feasible for many. Seeing as I would consider mine a fairly standard scenario, I would like to cast my vote in favor of some form of official/optional IPv6 support. Thank you! |
Beta Was this translation helpful? Give feedback.
-
@Dunrar I would do that but I'm unable to test as I do not have access to (multiple) IPv6 networks, don't know about @4s3ti. If someone is willing to make changes and test, why not? We could add support. |
Beta Was this translation helpful? Give feedback.
-
unfortunately I have no reliable way to test IPv6 =/ |
Beta Was this translation helpful? Give feedback.
-
I would be able to run test. I could also open a related PR, but it could take a while until I find time, so would be great if someone else could do that, A working config for WireGuard has been posted above: #259 (comment) |
Beta Was this translation helpful? Give feedback.
-
I can't get this to work, but I'm fortunate enough to have true DualStack, so I atleast have IPv4 going for me. I don't even really understand why I can't use IPv6 through my IPv4 tunnel though. Do I really need two separate connections, one to my public IPv4 and one to my public IPv6 address, just to have support for both types? That's sounds kinda wasteful IMO but I guess that's just how it works. Hopefully PiVPN will sooner than later make this whole process as painless as possible since the world is heading to IPv6. |
Beta Was this translation helpful? Give feedback.
-
The connection to the VPN server is not relevant for the connections passed through the VPN server. So you can without problems connect via IPv4 to the VPN server and then have an IPv6 connection to a remote host tunnelled through it. If a client is in an environment with IPv6 support and has it not actively disabled, it likely has a GUA IPv6 address as well and will in most cases by default try to connect via IPv6 to hosts if an AAAA record is provided. In this case, you don't want to bypass your VPN ("IPv6 leak"), but want to have that IPv6 request tunnelled as well, and successful instead of hanging. The client VPN config needs to force all IPv6 requests through the tunnel (which is already the case with the default PiVPN client config, if I'm not mistaken) and the VPN server needs to support IPv6, have IPv6 forwarding and NATing enabled, which is covered by the |
Beta Was this translation helpful? Give feedback.
-
@MichaIng Okay good, I didn't really invest too much time because I couldn't even establish a connection to my public IPv6 address (port was open and firewall deactivated for the host) but if this can already work. I'll give it a try tomorrow.
|
Beta Was this translation helpful? Give feedback.
-
That is the VPN internal IPv6 address, so any address (range) within the I read again through the old posts above, and indeed there seem to be cases where the dedicated/additional IPv6 addresses on the WireGuard network seem to be required. At least worth to test when it's not working without, adding that to server and client configs shouldn't be so hard. I'll also play around with it when I find time. |
Beta Was this translation helpful? Give feedback.
-
I know that these are ULAs, but I didn't know that any device can just claim one (I though that only the DHCPv6 can). Anyway, I copied btb23's config exactly, but that didn't work for me (I couldn't even ping |
Beta Was this translation helpful? Give feedback.
-
Well, every device can apply itself any IP (or you can apply any IP to any device). If a DHCPv6 server is present, than the device can ask which ULA it shall apply and respect it, or keep looking for RAs to do SLAAC do something totally different. Not that it would make sense, but it's the devices which apply the IPs themselves and nothing external can strictly force them to do anything 😉. In case of the VPN, there is no DHCP-ish server, but the client indeed must create the network interface, apply the IP and the routes everything themselves, which is practically done by the I cope you kept your private and public key info when applying btb23's configs 😉. To debug, check the WireGuard server logs and whether IP and routes have been applied as expected: ip a s wg0
ip r l dev wg0
ip -6 r l dev wg0 |
Beta Was this translation helpful? Give feedback.
-
@MichaIng Appreciate the support, but I don't think just helping me to pull this off is gonna amount to much. Instead you should make it work on your setup first, create a PR and hope to get enough input from the PiVPN community (including me) to get something going that works for everyone :) |
Beta Was this translation helpful? Give feedback.
-
Well it might help to answer the last open questions before creating the PR. But yes, often having a PR is a more productive basis for testing and discussion. I'll see if I find time, as currently I'm very busy with own projects. |
Beta Was this translation helpful? Give feedback.
-
For the project "wg-easy" IPv6 is supported (https://github.com/WeeJeWel/wg-easy/pull/191) and we should be able also bring this to pivpn. |
Beta Was this translation helpful? Give feedback.
-
Any chance we could get support for IPv6 in the config process? My ISP only provides IPv6 and I haven't been able to get the VPN to work yet.
Beta Was this translation helpful? Give feedback.
All reactions