DietPi and PiVPN / OpenVPN server in IPv6

Hello to the community,

I have tried setting up PiVPN with OpenVPN only for IPv6 (my ISP is putting my IPv4 behind a CGNAT, therefore no forwarding takes place…). However it seems to be a pain in the neck.

It cannot connect at all. Do I need port forwarding in my router in IPv6 (I guess not)? Could it be the firewall?
With the option udp6, the DynDNS gives back the IPv6 of the static public IP of the DietPi.

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
root@DietPi:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Tue Dec 27 11:52:14 2022
*filter
:INPUT ACCEPT [515:166427]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [907:73414]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A FORWARD -s fe80::/64 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 27 11:52:14 2022
# Generated by ip6tables-save v1.8.7 on Tue Dec 27 11:52:14 2022
*nat
:PREROUTING ACCEPT [29:6826]
:INPUT ACCEPT [2:278]
:OUTPUT ACCEPT [296:24858]
:POSTROUTING ACCEPT [294:24634]
-A POSTROUTING -s fd11:5ee:bad:c0de::/64 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -s fd11:5ee:bad:c0de::/64 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s fe80::/64 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 11:52:14 2022

root@DietPi:~# iptables-save
# Generated by iptables-save v1.8.7 on Tue Dec 27 09:48:24 2022
*filter
:INPUT ACCEPT [291727:39557120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [229074:24222985]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
-A INPUT -i wg0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
-A FORWARD -s 10.248.14.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 27 09:48:24 2022
# Generated by iptables-save v1.8.7 on Tue Dec 27 09:48:24 2022
*nat
:PREROUTING ACCEPT [78238:5955290]
:INPUT ACCEPT [77750:5925698]
:OUTPUT ACCEPT [78537:5870316]
:POSTROUTING ACCEPT [78537:5870316]
-A POSTROUTING -s 10.248.14.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.248.14.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 09:48:24 2022

/etc/openvpn/server.conf

dev tun
proto udp6
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/%%%.crt
key /etc/openvpn/easy-rsa/pki/private/%%%.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.248.14.0 255.255.255.0
server fd11:5ee:bad:c0de::0/64
push "dhcp-option DNS 10.248.14.1"
#pi-hole's IPv6 address - albeit it might change in a reboot?
push "dhcp-option DNS fe80::e6eb:551d:261b:56c8"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

Required Information

DietPi version | v8.12.1
Distro version | bullseye 0
Kernel version | armv6l GNU/Linux
SBC model | RPi Model B (armv6l)
Power supply used | 5V 2A
SD card used | Kingston 16GB

Additional Information (if applicable)

Software title | openvpn
Freshly installed
Can this issue be replicated on a fresh installation of DietPi? YES

A friend told me that if IPv4 does not work, it might not work with just IPv6… Could it be? Seems weird.

I included the configuration of the IPv4 in our config, but, being behind a CGNAT from the ISP (I get a public IP of 94.xxx.xxx.xxx whereas in the modem it shows 100.xxx.xxx.xxx) this will never work :confused:

PiVPN indeed does not support IPv6 yet, at least according to my last state of knowledge and this open feature request: Suport for IPv6 · Discussion #1394 · pivpn/pivpn · GitHub

But I see you use custom OpenVPN config, IP forwarding and NAT rules already. Your IPv6 is a static one?

Well, it is not, but the clients take it from a dyndns. And I have in cron.hourly set up a script that updates it every hour. The reply of the IP from the dyndns is correct, I see it in the log.

I guess the error is in the ip(6)tables, not sure if the port in IPv6 is open.

EDIT: Just tested it, it is not :confused:

Ok, so I have now added the below and it shows that it connects, but does not re-route the traffic to the net.

I wonder how many things I am doing wrong. The port is not open as far as I am testing from the outside world. So how does it connect within my network with the IPv6? Shouldn’t it be unique to the world and have the same behavior both from the outside and the inside?

dev tun
#tun-ipv6
proto udp6
port 1194
####....... a bunch of things here below
####.... but then this
#clients will be starting from  2a02:5879:855:xxx:4::1000/65
server-ipv6 2a02:5879:855:xxxx:4::/65
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2a02:5879:855:xxxx:4::1 2a02:5879:855:xxxx:4::2
#server fd11:5ee:bad:c0de::0/64
push "route-ipv6 2a02:5879:855:xxxx:4::/65"
push "route-ipv6 2000::/3"
push "dhcp-option DNS fe80::d090:6f91:c831:e1ff"
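A small lint script, added here as an example (not PiVPN or DietPi code), that cross-checks an OpenVPN server.conf against an ip6tables-save dump the way a reader could for the rulesets posted above: it verifies that an INPUT rule accepts the configured port and protocol, that the FORWARD and POSTROUTING rules cover the server-ipv6 prefix rather than the link-local fe80::/64 used in the dump, and that no pushed DNS server is a link-local address (which a client can never reach through the tunnel). The sample dump and config are constructed from the thread; the parser only handles the plain `-flag value` form shown there.

```python
import ipaddress, shlex

# Constructed samples modelled on the ip6tables-save output and server.conf quoted above.
IP6TABLES_SAVE = """\
*filter
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A FORWARD -s fe80::/64 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
*nat
-A POSTROUTING -s fd11:5ee:bad:c0de::/64 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
"""
SERVER_CONF = 'proto udp6\nport 1194\nserver-ipv6 fd11:5ee:bad:c0de::/64\npush "dhcp-option DNS fe80::e6eb:551d:261b:56c8"\n'

def parse_rules(dump):
    """(table, chain, {flag: value}) for every -A line of an ip(6)tables-save dump."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            t = shlex.split(line)[1:]  # chain name, then flag/value pairs
            rules.append((table, t[0], {a: b for a, b in zip(t, t[1:]) if a.startswith("-")}))
    return rules

def parse_conf(text):
    """port, proto, server-ipv6 prefix and pushed DNS servers from server.conf (OpenVPN defaults filled in)."""
    conf = {"port": "1194", "proto": "udp", "prefix": None, "dns": []}
    for toks in (shlex.split(ln.split("#", 1)[0]) for ln in text.splitlines()):
        if toks and toks[0] in ("port", "proto"):
            conf[toks[0]] = toks[1]
        elif toks and toks[0] == "server-ipv6":
            conf["prefix"] = ipaddress.ip_network(toks[1], strict=False)
        elif toks and toks[0] == "push" and toks[1].startswith("dhcp-option DNS "):
            conf["dns"].append(ipaddress.ip_address(toks[1].split()[2]))
    return conf

def lint(conf_text, dump):
    """Findings as strings; an empty list means firewall and VPN config agree."""
    conf, rules = parse_conf(conf_text), parse_rules(dump)
    prefix, proto, port = conf["prefix"], conf["proto"].rstrip("46"), conf["port"]  # udp6 -> udp
    covers = lambda o: "-s" not in o or ipaddress.ip_network(o["-s"]).supernet_of(prefix)
    sel = lambda tbl, chain: [o for t, c, o in rules if t == tbl and c == chain]
    # RFC 4291: link-local addresses are valid only on their own link and are never forwarded
    found = [f"pushed DNS {d} is link-local, so VPN clients cannot reach it" for d in conf["dns"] if d.is_link_local]
    if not any(o.get("-p") == proto and o.get("--dport") == port and o.get("-j") == "ACCEPT" for o in sel("filter", "INPUT")):
        found.append(f"no INPUT ACCEPT for {proto} port {port}")
    if not any(o.get("-j") == "ACCEPT" and "NEW" in o.get("--state", "NEW") and o.get("-i", "").startswith("tun") and covers(o) for o in sel("filter", "FORWARD")):
        found.append(f"no FORWARD ACCEPT for new flows from tun whose source covers {prefix}")
    if not any(o.get("-j") == "MASQUERADE" and covers(o) for o in sel("nat", "POSTROUTING")):
        found.append(f"no POSTROUTING MASQUERADE covering {prefix}")
    return found
```

On a live box the same checks run against `ip6tables-save` output and `/etc/openvpn/server.conf`; the FORWARD finding only bites once the chain policy is changed from ACCEPT to DROP, but the link-local DNS finding applies regardless of the firewall.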