Hello to the community,
I have tried setting up PiVPN with OpenVPN over IPv6 only (my ISP puts my IPv4 connection behind CGNAT, so no IPv4 port forwarding is possible…). However, it is proving to be a pain in the neck.
It cannot connect at all. Do I need port forwarding on my router for IPv6 (I guess not)? Could it be the firewall?
With the option udp6 set, the DynDNS name resolves to the static public IPv6 address of the DietPi.
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
root@DietPi:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Tue Dec 27 11:52:14 2022
*filter
# All three built-in chains default to ACCEPT, so a packet that matches no
# rule below is still accepted; this table as dumped does not drop anything.
# NOTE(review): with a default-accept INPUT policy, what is reachable on this
# host over IPv6 depends on filtering done elsewhere (e.g. the router's IPv6
# firewall) - confirm what the router allows inbound.
:INPUT ACCEPT [515:166427]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [907:73414]
# The next two rules are identical; the second one is a duplicate.
# They accept UDP port 1194 only when it arrives on eth0.
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
# This rule matches source fe80::/64, while the nat rules below match
# fd11:5ee:bad:c0de::/64. Traffic sourced from fd11:5ee:bad:c0de::/64 does not
# match here and is only forwarded because the FORWARD policy is ACCEPT.
# NOTE(review): if the FORWARD policy is ever changed to DROP, this source
# prefix would need to match the VPN subnet - confirm the intended prefix.
-A FORWARD -s fe80::/64 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 27 11:52:14 2022
# Generated by ip6tables-save v1.8.7 on Tue Dec 27 11:52:14 2022
*nat
:PREROUTING ACCEPT [29:6826]
:INPUT ACCEPT [2:278]
:OUTPUT ACCEPT [296:24858]
:POSTROUTING ACCEPT [294:24634]
# The two rules below have the same match (source prefix and output interface)
# and differ only in their comment; MASQUERADE is a terminating target, so the
# second rule is never reached.
-A POSTROUTING -s fd11:5ee:bad:c0de::/64 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -s fd11:5ee:bad:c0de::/64 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
# NOTE(review): fe80::/64 is link-local address space; presumably this rule was
# meant for the VPN subnet - confirm whether it is needed at all.
-A POSTROUTING -s fe80::/64 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 11:52:14 2022
root@DietPi:~# iptables-save
# Generated by iptables-save v1.8.7 on Tue Dec 27 09:48:24 2022
*filter
# All three built-in chains default to ACCEPT, so the ACCEPT rules below do not
# restrict anything by themselves; unmatched packets are accepted as well.
:INPUT ACCEPT [291727:39557120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [229074:24222985]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
# DNS (UDP port 53) is accepted from the tun0 and wg0 interfaces.
# The tun0 rule appears twice (first and third rule of this group).
-A INPUT -i tun0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
-A INPUT -i wg0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -m comment --comment pihole-DNS-rule -j ACCEPT
# New connections from 10.248.14.0/24 may leave via eth0; the second rule
# accepts RELATED,ESTABLISHED packets arriving on tun0.
-A FORWARD -s 10.248.14.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 27 09:48:24 2022
# Generated by iptables-save v1.8.7 on Tue Dec 27 09:48:24 2022
*nat
:PREROUTING ACCEPT [78238:5955290]
:INPUT ACCEPT [77750:5925698]
:OUTPUT ACCEPT [78537:5870316]
:POSTROUTING ACCEPT [78537:5870316]
# Both rules masquerade 10.248.14.0/24 leaving via eth0; they have the same
# match, so the second (uncommented) rule is never reached.
-A POSTROUTING -s 10.248.14.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.248.14.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 09:48:24 2022
/etc/openvpn/server.conf
# OpenVPN server configuration: routed (tun) VPN listening on UDP port 1194.
dev tun
# udp6 makes the server use an IPv6 UDP socket.
proto udp6
port 1194
# NOTE(review): %%% looks like a placeholder for the redacted server
# certificate/key name - confirm the real paths exist.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/%%%.crt
key /etc/openvpn/easy-rsa/pki/private/%%%.key
# No finite-field DH parameters; key exchange uses ECDH on prime256v1.
dh none
ecdh-curve prime256v1
topology subnet
server 10.248.14.0 255.255.255.0
# NOTE(review): OpenVPN documents "server-ipv6 <prefix>/<bits>" for the IPv6
# client pool, while "server" takes a network and a netmask. Confirm whether
# this line is accepted; an option error prevents the daemon from starting,
# which would also explain clients not connecting at all.
server fd11:5ee:bad:c0de::0/64
push "dhcp-option DNS 10.248.14.1"
# Pi-hole's IPv6 address (might it change after a reboot?).
# NOTE(review): fe80:: addresses are link-local, i.e. only valid on the local
# network segment, so VPN clients presumably cannot reach this resolver through
# the tunnel - confirm, and consider pushing an address inside the VPN subnet.
push "dhcp-option DNS fe80::e6eb:551d:261b:56c8"
# block-outside-dns only has an effect on Windows clients.
push "block-outside-dns"
# NOTE(review): "def1" redirects the IPv4 default route. OpenVPN 2.4+ also
# accepts an "ipv6" flag for redirect-gateway; without IPv6 redirection, client
# IPv6 traffic may bypass the tunnel - confirm the intended behaviour.
push "redirect-gateway def1"
# With client-to-client, OpenVPN forwards traffic between clients internally,
# so that traffic does not pass through the host's iptables FORWARD chain.
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
# Only accept peers whose certificate is marked for TLS client use.
remote-cert-tls client
tls-version-min 1.2
# tls-crypt encrypts and authenticates the control channel with a shared key;
# that key file must be kept as secret as the private keys.
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
# NOTE(review): on OpenVPN 2.5 and later the data-channel cipher is negotiated
# via "data-ciphers" and "cipher" mainly serves as a fallback - confirm which
# OpenVPN version is installed and whether CBC is still wanted here.
cipher AES-256-CBC
auth SHA256
# Drop root privileges after initialisation.
user openvpn
group openvpn
persist-key
persist-tun
# Reject client certificates listed in the certificate revocation list.
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
Required Information
DietPi version | v8.12.1
Distro version | bullseye 0
Kernel version | armv6l GNU/Linux
SBC model | RPi Model B (armv6l)
Power supply used | 5V 2A
SD card used | Kingston 16GB
Additional Information (if applicable)
Software title | openvpn
Freshly installed
Can this issue be replicated on a fresh installation of DietPi? YES