Description
I used this script to install OpenVPN on a Raspberry Pi Zero 2 W. My goal is to use it simply as a way to access my home network from outside.
All my devices are connected to a modem/router provided by my ISP, either wirelessly or wired.
This modem doesn't allow any IPv4 port forwarding, because my IPv4 address is shared. Naturally I want to use IPv6 instead.
By default, the modem/router uses SLAAC to help all IPv6 devices to "auto-configure".
IPv6 worked fine on the Raspberry Pi before I installed OpenVPN.
But after installing it with your script, by choosing "IPv6" when asked "What IP version should clients use to connect to this server?", suddenly all IPv6 connectivity was lost.
The "ifconfig" command showed that a local link IPv6 address was chosen (line ending with <link>), but there was no global address (line ending with <global>).
Example:
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.220 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::XXXX:XXXX:XXXX:XXXX prefixlen 64 scopeid 0x20<link>
I tested IP connectivity with the following command:
wget --output-document - https://ipv6.lafibre.info
Which gave me an error explaining that the connection failed, but I didn't write it down. I can reproduce this again if needed.
Also, it was impossible to connect to the OpenVPN server with the official client.
Device: Raspberry Pi Zero 2 W
OS: Raspberry Pi OS Lite (Debian Trixie)
Kernel version: 6.12.62+rpt-rpi-v8
Explanation
After several hours, I understood that this happened because the install script creates a configuration file "/etc/sysctl.d/99-openvpn.conf" with the following content:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
The second setting makes the computer/device behave "like a router".
So, by default it makes it ignore "Router Advertisements" from other devices, which AFAIK are needed to get an IPv6 global address when your device is not actually a router.
More details about that are here: https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html (search for "forwarding - INTEGER").
I managed to fix this in my case by creating another config file in /etc/sysctl.d, with the following setting which forces the device to accept "Router Advertisements" from other devices even if local forwarding is enabled:
net.ipv6.conf.wlan0.accept_ra=2
See https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html for more info. Search for "accept_ra - INTEGER"
This makes IPv6 connectivity work again, and the OpenVPN server can be used from outside my network.
Suggested fix
In "interactive" mode, when using IPv6, the openvpn-install.sh script should detect if the device needs to accept "Router Advertisements" from an external router, or ask the user.
The question could be something like:
Does your device configure its IPv6 connectivity (global address...) with the help of an external router?
Depending on the detection or the answer given, the script should add another line to 99-openvpn.conf.
For example:
net.ipv6.conf.all.accept_ra=2
Unless using "all" is problematic. Then the correct network interface to use could be detected, or the user could be asked.
I'm not a network expert at all, but I think if "local forwarding" is not already enabled when you install OpenVPN, it's a clue that there is an external router. So maybe the script could even detect that and add the "accept_ra=2" setting by default.
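
One way the detection suggested above could work, as an added example that is not code from the issue author or from openvpn-install.sh. It assumes that default routes learned from Router Advertisements appear with `proto ra` in `ip -6 route show default`; the function name `accept_ra_lines` and the sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of openvpn-install.sh; names are hypothetical.

# Constructed sample of `ip -6 route show default` output
# (link-local and documentation addresses only).
SAMPLE_ROUTES='default via fe80::1 dev wlan0 proto ra metric 600 expires 1700sec pref medium
default via fe80::1 dev eth0.100 proto ra metric 1024 pref medium
default via 2001:db8::1 dev eth1 proto static metric 100 pref medium'

# Read `ip -6 route show default` output on stdin and print one
# accept_ra=2 line per interface whose default route came from an RA.
# Statically routed interfaces (a real router) produce no output.
accept_ra_lines() {
	awk '$1 == "default" {
		dev = ""; ra = 0
		for (i = 2; i < NF; i++) {
			if ($i == "dev") dev = $(i + 1)
			if ($i == "proto" && $(i + 1) == "ra") ra = 1
		}
		# Only plain interface names may end up in a sysctl key,
		# and each interface is emitted once.
		if (!ra || dev !~ /^[A-Za-z0-9_.-]+$/ || seen[dev]++) next
		# sysctl uses "." as its separator, so a VLAN interface
		# such as "eth0.100" has to be written "eth0/100".
		gsub(/\./, "/", dev)
		printf "net.ipv6.conf.%s.accept_ra=2\n", dev
	}'
}

# With --live, inspect this host instead of the sample (needs iproute2).
# Run it BEFORE forwarding is enabled: once net.ipv6.conf.all.forwarding=1
# is active with the default accept_ra, RA routes are no longer refreshed.
if [ "${1:-}" = "--live" ]; then
	ip -6 route show default | accept_ra_lines
fi
```

The printed lines can be appended to a file in /etc/sysctl.d next to the forwarding settings; empty output means no interface depends on an external router's advertisements.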