Hey!
I'm hoping someone here can help me get any further with this problem. I've tried a lot myself, asked on various subreddits and tried some other forums. I did make progress but it's still not functioning, so I thought I'd try here.
I have Pi-hole set up with PiVPN, using the dual setup from the Pi-hole docs where it pushes my home network through when I am at home.
I have IPv6 access at home on my network and it works flawlessly without the VPN, but I can't get IPv6 to work on the VPN.
I forwarded a /64 to my RPi from my router using a static route (like this). The route goes from 2001:xxx:xxxx:xxxx:: (my public IPv6 address with 4 characters added) to the link-local address from the RPi (the address that started with fe80).
Right now my laptop gets an IPv6 address from the range when it's on the VPN, and I can ping6 the RPi from the laptop. I can also ping6 the laptop on that address from the RPi. But the laptop can't ping6 the router, and online tests tell me IPv6 is not working.
I didn't edit the client.conf files, because I followed these instructions: Using OpenVPN with IPv6 | APNIC Blog and edited my server.conf file. I believe it's not needed to edit the client.conf files for that. Please tell me if I'm mistaken.
Here's my server.conf:
dev tun
tun-ipv6
push tun-ipv6
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_alI.crt
key /etc/openvpn/easy-rsa/pki/private/server_alI.key
dh none
ecdh-curve secp384r1
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:xxx:xxxx:xxxx::/64
# Set your primary domain name server address for clients
push "route 192.168.178.0 255.255.255.0"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 192.168.178.20"
ifconfig-ipv6 2001:xxx:xxxx:xxxx::1 2001:xxx:xxxx:xxxx::2
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
In /etc/sysctl.conf I added the following two lines:
net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.accept_ra=2
I tried different firewall rules but they don't seem to make any difference. Currently I don't have any firewall rules set up, but the PiVPN sets up iptables persistent like this:
# Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:218]
:POSTROUTING ACCEPT [1:218]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Aug 22 10:31:31 2018
# Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
*filter
:INPUT ACCEPT [749:745386]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:85124]
COMMIT
The ip6tables are still empty:
# Generated by ip6tables-save v1.6.0 on Wed Aug 22 10:31:31 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
If anyone has anything that can help me out, please help me!
I think maybe it's the ip6 firewall settings or something in my server.conf.
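A check over the settings quoted in the post, as an added example that is not part of the original post: it parses the two sysctl lines and the ip6tables-save dump and reports what they imply for routed IPv6 behind a VPN. It assumes Linux semantics (the kernel forwards IPv6 only when `net.ipv6.conf.all.forwarding` is 1); the function names and finding codes are hypothetical, and it inspects file text, not the live kernel state.

```python
# Constructed sample input: the sysctl lines and ip6tables dump quoted in the post.
SYSCTL_CONF = """\
net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.accept_ra=2
"""
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_sysctl(text):
    """Map key -> value for 'key = value' lines; '#' and ';' start comments."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_filter(text):
    """Return ({chain: policy}, [rules]) for the *filter table of a save dump."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(line)
    return policies, rules

def audit(sysctl_text, ip6tables_text, uplink="eth0"):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    sysctl = parse_sysctl(sysctl_text)
    if sysctl.get("net.ipv6.conf.all.forwarding") != "1":
        findings.append(("no-global-forwarding",
                         "all.forwarding is not 1; a per-interface value alone does not route"))
    if sysctl.get(f"net.ipv6.conf.{uplink}.accept_ra") != "2":
        findings.append(("ra-ignored",
                         f"{uplink} drops router advertisements once forwarding is on"))
    policies, rules = parse_filter(ip6tables_text)
    if policies.get("FORWARD") == "ACCEPT" and not any(r.startswith("-A FORWARD ") for r in rules):
        findings.append(("forward-unfiltered",
                         "VPN clients hold public addresses and inbound traffic is not filtered"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SYSCTL_CONF, IP6TABLES_SAVE):
        print(f"[{code}] {message}")
```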