Pi-hole combined with PiVPN IPv6 not working


#1

Hey!

I’m hoping someone here can help me get any further with this problem. I’ve tried a lot myself, asked on various subreddits and tried some other forums. I did make progress but it’s still not functioning, so I thought I’d try here.
I have Pi-hole setup with PiVPN, using the dual setup from the Pi-hole docs where it pushes my home network through when I am at home.
I have IPv6 access at home on my network and it works flawlessly without the VPN, but I can’t get IPv6 to work on the VPN.
I forwarded a /64 to my RPi from my router using a static route (like this). The route goes from 2001:xxx:xxxx:xxxx:: (my public IPv6 address with 4 characters added) to the link-local address from the RPi (the address that started with fe80).

Right now my laptop gets an IPv6 address from the range when it’s on the VPN, and I can ping6 the RPi from the laptop. I can also ping6 the laptop on that address from the RPi. But the laptop can’t ping6 the router, and online tests tell me IPv6 is not working.

I didn’t edit the client.conf files, because I followed these instructions: https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/ and edited my server.conf file. I believe it’s not needed to edit the client.conf files for that. Please tell me if I’m mistaken.
Here’s my server.conf:

    dev tun
    tun-ipv6
    push tun-ipv6
    proto tcp
    port 443
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server_alI.crt
    key /etc/openvpn/easy-rsa/pki/private/server_alI.key
    dh none
    ecdh-curve secp384r1
    topology subnet
    server 10.8.0.0 255.255.255.0
    server-ipv6 2001:xxx:xxxx:xxxx::/64
    # Set your primary domain name server address for clients
    push "route 192.168.178.0 255.255.255.0"
    push "route-ipv6 2000::/3"
    push "dhcp-option DNS 192.168.178.20"
    ifconfig-ipv6 2001:xxx:xxxx:xxxx::1 2001:xxx:xxxx:xxxx::2
    # Prevent DNS leaks on Windows
    push "block-outside-dns"
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1"
    client-to-client
    keepalive 1800 3600
    remote-cert-tls client
    tls-version-min 1.2
    tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
    cipher AES-256-CBC
    auth SHA256
    compress lz4
    user nobody
    group nogroup
    persist-key
    persist-tun
    crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    status-version 3
    syslog
    verb 3
    #DuplicateCNs allow access control on a less-granular, per user basis.
    #Remove # if you will manage access by user instead of device.
    #duplicate-cn
    # Generated for use by PiVPN.io

In /etc/sysctl.conf I added the following two lines:

    net.ipv6.conf.eth0.forwarding=1
    net.ipv6.conf.eth0.accept_ra=2

I tried different firewall rules but they don’t seem to make any difference. Currently I don’t have any firewall rules set up, but the PiVPN sets up iptables persistent like this:

    # Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [1:218]
    :POSTROUTING ACCEPT [1:218]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed Aug 22 10:31:31 2018
    # Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
    *filter
    :INPUT ACCEPT [749:745386]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [855:85124]
    COMMIT

The ip6tables are still empty:

    # Generated by ip6tables-save v1.6.0 on Wed Aug 22 10:31:31 2018
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

If anyone has anything that can help me out, please help me!
I think maybe it’s the ip6 firewall settings or something in my server.conf.
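An added check for the kernel and firewall side of this setup (example script written for this thread, not PiVPN's or OpenVPN's own code). It assumes the WAN interface is eth0, as in the post, and that OpenVPN's tunnel interface is tun0 (the post only says `dev tun`, so the name is an assumption). It reads `sysctl -a`-style text and an `ip6tables-save` dump and reports which prerequisites for routing the /64 onto the tunnel are unmet; the sample inputs are constructed to mirror the state shown in the post, plus a corrected state for comparison.

```shell
#!/bin/sh
# Audit of the kernel/firewall prerequisites for routing a public /64
# through an OpenVPN tun. Added example for this thread, not PiVPN/OpenVPN code.
# Assumptions: the WAN interface is eth0, OpenVPN's tunnel interface is tun0.

# get_sysctl TEXT KEY: print the value of KEY from "key = value" lines
# (the format `sysctl -a` prints).
get_sysctl() {
    printf '%s\n' "$1" | awk -v k="$2" -F' = ' '$1 == k { print $2 }'
}

# audit_ipv6_forwarding TEXT WAN TUN
# Prints one line per unmet prerequisite; the return code is the count.
audit_ipv6_forwarding() {
    text=$1; wan=$2; tun=$3; fails=0
    # Global switch: without it the kernel does not route IPv6 between
    # interfaces, whatever the per-interface values say.
    if [ "$(get_sysctl "$text" net.ipv6.conf.all.forwarding)" != 1 ]; then
        echo "net.ipv6.conf.all.forwarding is not 1"; fails=$((fails + 1))
    fi
    # Once forwarding is on, accept_ra must be 2 or the WAN side stops
    # accepting router advertisements and loses its IPv6 default route.
    if [ "$(get_sysctl "$text" "net.ipv6.conf.$wan.accept_ra")" != 2 ]; then
        echo "net.ipv6.conf.$wan.accept_ra is not 2"; fails=$((fails + 1))
    fi
    # The tunnel interface itself must be in router mode too.
    if [ "$(get_sysctl "$text" "net.ipv6.conf.$tun.forwarding")" != 1 ]; then
        echo "net.ipv6.conf.$tun.forwarding is not 1"; fails=$((fails + 1))
    fi
    return $fails
}

# audit_ip6tables_forward TEXT WAN TUN
# Returns 0 when forwarded IPv6 from the tunnel can leave via WAN: either the
# FORWARD policy is ACCEPT (no filtering at all) or an explicit rule allows it.
audit_ip6tables_forward() {
    text=$1; wan=$2; tun=$3
    if printf '%s\n' "$text" | grep -q '^:FORWARD ACCEPT'; then
        echo "FORWARD policy is ACCEPT: unfiltered, every client address is reachable"
        return 0
    fi
    if printf '%s\n' "$text" | grep -Eq "^-A FORWARD .*-i $tun .*-o $wan .*-j ACCEPT"; then
        return 0
    fi
    echo "FORWARD chain has no rule allowing $tun -> $wan"
    return 1
}

# Constructed samples. The first two mirror the post: only eth0 was touched
# in sysctl.conf, and ip6tables-save shows an empty filter table.
SYSCTL_AS_POSTED='net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.tun0.forwarding = 0'
IP6TABLES_AS_POSTED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
# A corrected sysctl state and a stateful FORWARD chain (both constructed).
SYSCTL_FIXED='net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.tun0.forwarding = 1'
IP6TABLES_STATEFUL='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

echo "== sysctl as posted"
audit_ipv6_forwarding "$SYSCTL_AS_POSTED" eth0 tun0 || echo "$? prerequisite(s) unmet"
echo "== sysctl fixed"
audit_ipv6_forwarding "$SYSCTL_FIXED" eth0 tun0 && echo "all prerequisites met"
echo "== ip6tables as posted"
audit_ip6tables_forward "$IP6TABLES_AS_POSTED" eth0 tun0
echo "== ip6tables stateful"
audit_ip6tables_forward "$IP6TABLES_STATEFUL" eth0 tun0 && echo "tunnel traffic allowed, inbound filtered"
```

On the Pi itself the functions can be fed the live state: `audit_ipv6_forwarding "$(sysctl -a 2>/dev/null)" eth0 tun0` and `audit_ip6tables_forward "$(sudo ip6tables-save)" eth0 tun0`. Two points the audit encodes: `net.ipv6.conf.all.forwarding` is the switch that actually enables IPv6 routing between interfaces (the per-interface value only sets that interface's host/router behaviour), and with forwarding on, `accept_ra=2` is what keeps eth0 accepting router advertisements. On the defensive side, remember that the IPv6 path has no NAT: every VPN client holds a globally routable address from the /64, and with the empty FORWARD chain shown above the Pi passes any inbound IPv6 traffic straight through to them, so the ip6tables FORWARD chain is where stateful filtering for the tunnel belongs.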


#4

I think that your problem lies with your configuration within the router for the IPV6.

In your static IPV6 route settings you have a mixture of IPs (see http://www.gestioip.net/docu/ipv6_address_examples.html) for classes description and use.

Basically:

Unique local = private IPv4 addresses (starts with FD)
Link local = local to the link (starts with FE8, FE9, FEA, FE8)
Link local multicasts = (starts with FF02)
Global unicasts = (starts with 2 or 3)

Also you are pushing this:

Aggregatable global unicast address format for use in the Internet

Not too sure what your VPN server is trying to achieve with that.

Long story short:

Use https://www.pihomeserver.fr/en/2015/02/18/configurer-lipv6-sur-le-raspberry-pi/ to properly configure the IPV6 on the raspberry, enable IPV6 (avoid the routing from within the router if possible) within the router and let the Router manage the IPV6 rules, use IPV4 translatable IPV6 addresses and that should take care of the issue.

I personally don’t use IPV6 (yet), I am running everything on IPV4 and I have no issues.

You are also using the pure elliptic crypto setup in your vpn. Is it really necessary?


#5

Hi,

I read up on the IPv6 protocol in the link you provided, and I removed all the IPv6 stuff from the open VPN server.conf. So I was back to a normal IPv4 installation. Now, on my home network IPv6 is still functioning properly like it always has, that was never the problem. The Pi can ping6 and I can get IPv6 connectivity even when I’m using Pi-hole and all my DNS traffic goes through the Pi.
I still followed the instructions you provided to set up IPv6 but it doesn’t change anything. IPv6 works at home, but not on the VPN.

How do I set up the VPN to also have access to IPv6?
Also, the encryption is there from the PiVPN installation. It works for me so I haven’t changed it.


#6

There are several guides online on how to achieve that.

Give google a spin :wink:


#7

I gave google multiple spins and I read quite a few articles, including these:
http://retiredtechie.fitchfamily.org/category/internet-access/ipv6/
https://community.openvpn.net/openvpn/wiki/IPv6

https://feeding.cloud.geek.nz/posts/ipv6-and-openvpn-on-linode/

But still I can’t figure out how to get it to work. :slightly_frowning_face:
I was hoping someone here did already have a setup like this configured correctly and they could tell me how they did it, but no luck I guess.


#8

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.