Pi-hole combined with PiVPN IPv6 not working



I’m hoping someone here can help me get any further with this problem. I’ve tried a lot myself, asked on various subreddits and tried some other forums. I did make progress but it’s still not functioning, so I thought I’d try here.
I have Pi-hole set up with PiVPN, using the dual setup from the Pi-hole docs where it pushes my home network through when I am at home.
I have IPv6 access at home on my network and it works flawlessly without the VPN, but I can’t get IPv6 to work on the VPN.
I forwarded a /64 to my RPi from my router using a static route (like this). The route goes from 2001:xxx:xxxx:xxxx:: (my public IPv6 address with 4 characters added) to the link-local address from the RPi (the address that started with fe80).

Right now my laptop gets an IPv6 address from the range when it’s on the VPN, and I can ping6 the RPi from the laptop. I can also ping6 the laptop on that address from the RPi. But the laptop can’t ping6 the router, and online tests tell me IPv6 is not working.

I didn’t edit the client.conf files, because I followed these instructions: https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/ and edited my server.conf file. I believe it’s not needed to edit the client.conf files for that. Please tell me if I’m mistaken.
Here’s my server.conf:

dev tun
push tun-ipv6
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_alI.crt
key /etc/openvpn/easy-rsa/pki/private/server_alI.key
dh none
ecdh-curve secp384r1
topology subnet
server-ipv6 2001:xxx:xxxx:xxxx::/64
# Set your primary domain name server address for clients
push "route"
push "route-ipv6 2000::/3"
push "dhcp-option DNS"
ifconfig-ipv6 2001:xxx:xxxx:xxxx::1 2001:xxx:xxxx:xxxx::2
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using and
# rather than This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
# Generated for use by PiVPN.io

In /etc/sysctl.conf I added the following two lines:


I tried different firewall rules but they don’t seem to make any difference. Currently I don’t have any firewall rules set up, but the PiVPN sets up iptables persistent like this:

# Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
# Completed on Wed Aug 22 10:31:31 2018
# Generated by iptables-save v1.6.0 on Wed Aug 22 10:31:31 2018
:INPUT ACCEPT [749:745386]
:OUTPUT ACCEPT [855:85124]

The ip6tables are still empty:

# Generated by ip6tables-save v1.6.0 on Wed Aug 22 10:31:31 2018

If anyone has anything that can help me out, please help me!
I think maybe it’s the ip6 firewall settings or something in my server.conf.
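
An added example, not part of the original post: an offline audit of the two host-side pieces the post mentions, the sysctl settings and the ip6tables FORWARD chain, on a Pi that routes a /64 to VPN clients. The interface names eth0 and tun0, the finding labels and all sample text are assumptions constructed for illustration.

```shell
# Added example, not from the thread. eth0/tun0, the finding labels and
# every sample string below are assumptions constructed for illustration.

# Print the value of sysctl key $1 from "key = value" text on stdin.
sysctl_value() { awk -F' *= *' -v k="$1" '$1 == k { print $2; exit }'; }

# audit_sysctl TEXT UPLINK: print a finding, or nothing when clean.
audit_sysctl() {
    fwd=$(printf '%s\n' "$1" | sysctl_value net.ipv6.conf.all.forwarding)
    ra=$(printf '%s\n' "$1" | sysctl_value "net.ipv6.conf.$2.accept_ra")
    # With forwarding off the Pi still answers pings to its own tun
    # address, but drops client packets addressed to any other host.
    [ "$fwd" = 1 ] || { echo FORWARDING_OFF; return 0; }
    # A forwarding host ignores router advertisements unless accept_ra=2,
    # so an RA-learned default route can expire once forwarding is on.
    [ "$ra" = 2 ] || echo RA_IGNORED_ON_UPLINK
}

# audit_ip6tables TEXT TUN: TEXT is ip6tables-save output (heuristic scan).
audit_ip6tables() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == ":FORWARD" { policy = $2 }
        /^-A FORWARD/ && /-j ACCEPT/ {
            if ($0 ~ ("-i " tun "( |$)")) from_tun = 1
            if ($0 ~ /ESTABLISHED/) stateful = 1
        }
        END {
            # No filter table at all behaves like policy ACCEPT.
            if (policy == "") policy = "ACCEPT"
            # Routed global addresses have no NAT in front of them: an
            # open FORWARD chain passes unsolicited inbound traffic too.
            if (policy == "ACCEPT") print "FORWARD_UNFILTERED"
            else if (!from_tun) print "TUN_NOT_ALLOWED"
            else if (!stateful) print "NO_STATEFUL_RETURN"
        }'
}

SYSCTL_SAMPLE='net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 1'
EMPTY_SAMPLE='# Generated by ip6tables-save (constructed, no table loaded)'
HARDENED_SAMPLE='*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT'

echo "sysctl:   $(audit_sysctl "$SYSCTL_SAMPLE" eth0)"
echo "empty:    $(audit_ip6tables "$EMPTY_SAMPLE" tun0)"
echo "hardened: $(audit_ip6tables "$HARDENED_SAMPLE" tun0)"
```

On the Pi itself, pass `"$(sysctl -a 2>/dev/null)"` and `"$(sudo ip6tables-save)"` in place of the constructed samples.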


Nobody? There must be more people who solved this or are still struggling?


I think that your problem lies with your configuration within the router for the IPV6.

In your static IPV6 route settings you have a mixture of IPs (see http://www.gestioip.net/docu/ipv6_address_examples.html for class descriptions and use).


Unique local = private IPv4 addresses (starts with FD)
Link local = local to the link (starts with FE8, FE9, FEA, FE8)
Link local multicasts = (starts with FF02)
Global unicasts = (starts with 2 or 3)

Also you are pushing this:

Aggregatable global unicast address format for use in the Internet

Not too sure what your VPN server is trying to achieve with that.

Long story short:

Use https://www.pihomeserver.fr/en/2015/02/18/configurer-lipv6-sur-le-raspberry-pi/ to properly configure the IPV6 on the Raspberry, enable IPV6 (avoid the routing from within the router if possible) within the router and let the router manage the IPV6 rules, use IPV4 translatable IPV6 addresses and that should take care of the issue.

I personally don’t use IPV6 (yet), I am running everything on IPV4 and I have no issues.

You are also using the pure elliptic crypto setup in your VPN. Is it really necessary?