Dietpi + Wireguard + PiVPN -> IPv6?

Hello,

I want to reach ipv6 addresses on the internet through my wireguard tunnel.

I use DietPi v8.2.2 on an Odroid C2 with the PiVPN setup for WireGuard.

Here’s what I did:

/etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1

editing the client settings for Client iptest:
/etc/wireguard/configs

PrivateKey = 4hide
Address = 10.6.0.4/24, fd06::4/64
DNS = 192.168.178.99

[Peer]
PublicKey = hide
PresharedKey = hide
Endpoint = mysuperdns.de:56505
AllowedIPs = 0.0.0.0/0, ::0/0

editing the server settings:
/etc/wireguard/wg0.conf

[Interface]
PrivateKey = hide
Address = 10.6.0.1/24, fd06::1/64
MTU = 1420
ListenPort = 56505

### begin iptest ###
[Peer]
PublicKey = hide
PresharedKey = hide
AllowedIPs = 10.6.0.4/32, fd06::4/64
### end iptest ###

With VPN Wireguard IPv6 doesn’t work


Without Wireguard IPv6 works

Can someone please tell me what I am doing wrong? I would like to be able to access servers on the internet with IPv6 via the VPN.

Best,
jeri

ip6tables-save -c ?

This command has no output.

Probably IPv6 is not working?

root@xxx:~# ping -c 1 heise.de
PING heise.de (193.99.144.80) 56(84) bytes of data.
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=1 ttl=248 time=12.6 ms

--- heise.de ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.602/12.602/12.602/0.000 ms
root@xxx:~# ping6 -c 1 heise.de
ping6: connect: Das Netzwerk ist nicht erreichbar

Das Netzwerk ist nicht erreichbar → translate → The network is unreachable

In the dietpi-config IPv6 is activated.

root@xxx:~# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.99  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::21e:xxx:xxx:xxx  prefixlen 64  scopeid 0x20<link>
        ether 00:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 1969  bytes 319612 (312.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1290  bytes 156647 (152.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 30  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Lokale Schleife)
        RX packets 176  bytes 15914 (15.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 176  bytes 15914 (15.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.6.0.1  netmask 255.255.255.0  destination 10.6.0.1
        inet6 fd06::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

My router assigns an ipv6 via dhcp.

root@bkiste:~# /boot/dietpi/func/dietpi-set_hardware enableipv6 enable

 DietPi-Set_hardware
─────────────────────────────────────────────────────
 Mode: enableipv6 (enable)

[  OK  ] DietPi-Set_hardware | Desired setting in /etc/hosts was already set: ::1 localhost ip6-localhost ip6-loopback
[  OK  ] DietPi-Set_hardware | Desired setting in /etc/hosts was already set: ff02::1 ip6-allnodes
[  OK  ] DietPi-Set_hardware | Desired setting in /etc/hosts was already set: ff02::2 ip6-allrouters
[  OK  ] DietPi-Set_hardware | Desired setting in /boot/dietpi.txt was already set: CONFIG_ENABLE_IPV6=1
[  OK  ] enableipv6 enable | Completed

Don’t use ifconfig anymore. It has been deprecated and was replaced by the new ip command.

What does ip show?



root@xxx:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1e:06:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.99/24 brd 192.168.178.255 scope global dynamic eth0
       valid_lft 169584sec preferred_lft 169584sec
    inet6 fe80::21e:xxx:xxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd06::1/64 scope global 
       valid_lft forever preferred_lft forever



root@bkiste:~# ip r
default via 192.168.178.1 dev eth0 
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1 
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.99

Looks like there is no public IPv6 address assigned. It seems to be a local fe80 only. However, on the FritzBox you specify something like 2001. Are you sure your IPv6 network is working fine? Are you able to connect to any IPv6 address from the DietPi device itself?

I haven’t read through everything, just note that the WireGuard install option in dietpi-software sets up everything for IPv6 access OOTB, and on PiVPN this has been an open request for years.

IPv6 routes can be checked via ip -6 r. If there is no public/GUA IPv6 address assigned to the adapter, it seems the router sends no router advertisements. You say it sends those via DHCP? Note that DHCPv6 is pretty uncommon and usually not required, in favour of SLAAC auto-configuration via router advertisements. Try to configure your router to send these instead or in addition to DHCPv6. I’m currently not 100% sure, but I think for the system to request DHCPv6, you need an additional interface block in /etc/network/interfaces with “inet6” instead of “inet”.

Even if there was an IPv6 assigned, which in your case is not evident from the output, you’d still need to NAT6 the private IPv6 of the WG to the public the dietpi has from the provider. So the ip6tables cannot be empty, or you need to handle the SNAT/Masquerade with another utility.

Yes, that is done by the DietPi WireGuard installation as well. As soon as an IPv6 address and route are assigned, I can share the related ip6tables commands.

Ah and here is the topic about getting IPv6 support natively integrated into PiVPN: https://github.com/pivpn/pivpn/discussions/1394



 ~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
fd06::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium

Is this a public IPv6?

I have changed some settings in my router (Fritz Box):
Heimnetz → Netzwerk → Netzwerkeinstellungen → IPv6-Einstellungen → DHCPv6-Server im Heimnetz
[…]Geräte im Heimnetz bekommen eine IPv6-Adresse via DHCPv6 […] is now on → Devices in the home network get an IPv6 address via DHCPv6


Translate:
FRITZ!Box is announced as DNS server via DHCPv6. Parts of the IPv6 network assigned by the ISP are passed on to downstream routers. Devices in the home network are assigned an IPv6 address via DHCPv6.

On my MacBook I can ping an IPv6 address on the network

MBP ~ % ping6 heise.de
PING6(56=40+8+8 bytes) 2001:9e8:b1aa:c00:xxxx:baf9:xxxx:xxxx --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=55 time=16.881 ms

but it doesn’t work on the Odroid C2

# ping6 heise.de
ping6: connect: Das Netzwerk ist nicht erreichbar

“The network is not reachable”

I have tried to use the setup guide for the IP address

# ip -o a | grep -E '(eth|wlan)[0-9]' | awk '{print $4}' | sed 's|/.*$||'
192.168.xxx.xx
fe80::21e:xxx:fe33:xxxx

It looks like I have an IPv6 already

No, your SBC did not get a public IPv6 address. fe80 is the local device address only. Usually it should look like this

root@DietPiProd:~# ip -o a | grep -E '(eth|wlan)[0-9]' | awk '{print $4}' | sed 's|/.*$||'
192.168.x.x      # IPv4
2003:xxx         # IPv6 Global Unicast Address (GUA)
fdd4:xxx         # IPv6 Unique Local Address (ULA)
fe80:xxx         # IPv6 Link Local Address
root@DietPiProd:~#

A short German explanation of what a fe80 address is: https://www.ipv6-handbuch.de/IPv6-Facts/Was-ist-eine-fe80-Adresse-fuer-IPv6

And the English Wiki: https://en.wikipedia.org/wiki/Link-local_address

Have a look at the AVM guide to configure IPv6 on your FritzBox: https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-7590/573_IPv6-in-FRITZ-Box-einrichten/
Section 3 (IPv6-Einstellungen für das Heimnetz anpassen). Probably use these settings, they are maybe different than yours.

There is no default route and no GUA address assigned indeed. So it seems when DHCPv6 is enabled, the Fritz!Box does not send any router advertisement for SLAAC auto-configuration anymore. Do you need DHCPv6 for a specific reason? Otherwise I suggest disabling it. It is pretty uncommon to use DHCPv6 but leave IPv6 auto-configured via SLAAC. If you require DHCPv6, and there is no way to have the Fritz!Box sending RAs regardless, then you’d need to add a specific IPv6 entry for the interface, e.g.:

echo 'iface eth0 inet6 dhcp' > /etc/network/interfaces.d/eth0-dhcpv6.conf
ifup --force eth0

This should spawn another dhclient process which sends DHCPv6 requests explicitly.
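
The three things the replies in this thread check by eye (a global address on eth0, an IPv6 default route, and a NAT rule for the fd06::/64 tunnel prefix) can be scripted as follows. This is an added example, not code from any poster or from DietPi/PiVPN; the function names `classify_v6` and `diagnose_v6`, the interface name eth0 and all sample addresses (including the 2001:db8:: documentation prefix) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: the thread's by-eye checks, run over saved command output.

# Print the class of one IPv6 address (prefix length already stripped).
classify_v6() {
  case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
    ::1)                            echo loopback ;;
    fe[89ab][0-9a-f]:*)             echo link-local ;;  # fe80::/10
    f[cd][0-9a-f][0-9a-f]:*)        echo ula ;;         # fc00::/7
    [23][0-9a-f][0-9a-f][0-9a-f]:*) echo gua ;;         # 2000::/3
    *)                              echo other ;;
  esac
}

# $1: `ip -o -6 addr show dev eth0`  $2: `ip -6 route`  $3: `ip6tables-save -t nat`
# Prints the missing prerequisites for IPv6 through the tunnel, or "ok".
diagnose_v6() {
  local idx dev fam addr rest has_gua=no problems=""
  while read -r idx dev fam addr rest; do
    if [ "$fam" = inet6 ] && [ "$(classify_v6 "${addr%/*}")" = gua ]; then
      has_gua=yes
    fi
  done <<EOF
$1
EOF
  if [ "$has_gua" = no ]; then problems="$problems no-gua"; fi
  if ! printf '%s\n' "$2" | grep -q '^default '; then
    problems="$problems no-default-route"
  fi
  if ! printf '%s\n' "$3" | grep -Eq -- '-j (MASQUERADE|SNAT)'; then
    problems="$problems no-nat66"
  fi
  problems=${problems# }
  echo "${problems:-ok}"
}

# Constructed samples modelled on the output quoted in the thread (addresses made up).
BROKEN_ADDR='2: eth0    inet6 fe80::21e:6ff:fe00:1/64 scope link'
BROKEN_ROUTE='fd06::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'
GOOD_ADDR="2: eth0    inet6 2001:db8:1:2::99/64 scope global dynamic
$BROKEN_ADDR"
GOOD_ROUTE="default via fe80::1 dev eth0 proto ra metric 1024 pref medium
$BROKEN_ROUTE"
GOOD_NAT='-A POSTROUTING -s fd06::/64 -o eth0 -j MASQUERADE'

diagnose_v6 "$BROKEN_ADDR" "$BROKEN_ROUTE" ""      # state shown in the thread
diagnose_v6 "$GOOD_ADDR" "$GOOD_ROUTE" "$GOOD_NAT"  # after RA/SLAAC and NAT66
```

On a live system, pass the real command output instead of the samples, for example `diagnose_v6 "$(ip -o -6 addr show dev eth0)" "$(ip -6 route)" "$(ip6tables-save -t nat)"`.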