This website is IPv6 ready

As of today, this modest Gentoo VPS is finally available over IPv6. I’ve been putting off this move for a while as I needed to make sure that my services were correctly configured for IPv6.

IPv6 validation test

IPv6 flag

I added ipv6 to my global use flags and issued a rebuild, but it turned out that all installed packages were already compiled with IPv6 support where available.

Ip6tables

I was previously using my own tediously crafted iptables script which has served me well, but it only supports IPv4. The obvious choice was to replace the script with UFW (The Uncomplicated Firewall) which supports both IPv4 and IPv6 out of the box.

Fail2ban

I rely heavily on Fail2ban to keep malicious bots from wasting bandwidth and server resources. Thankfully, the Fail2ban 0.10.x series supports IPv6 by default.

IPv6 on Scaleway

I’m hosting this VPS on Scaleway which offers native IPv6 connectivity. After enabling IPv6 and rebooting the server, I received an IPv6 address, gateway and route, but other than that, nothing worked as expected.

I could successfully ping localhost over IPv6 but the gateway was unreachable. Thus I was unable to connect to, or receive connections from, any external service over IPv6. I could not find any issues with the server configuration so I decided to perform what Scaleway refers to as a hard reboot. But alas, that made no difference.

I eventually remembered that in addition to my local firewall, I also have a few stateful rules deployed on the host. My default inbound policy was set to drop, while my default outbound policy was set to accept. I tried adding a few IPv6 rules using ::/0 (the IPv6 equivalent of 0.0.0.0/0) but it had no effect as far as I could tell.

What did work though was to change the default inbound policy from drop to accept, which I suspect just removed all remaining host rules. I’m not sure if Scaleway’s security groups (host firewall rules) support IPv6 or not, but I’m guessing the latter. At least I could not make any sense of it, or find any relevant documentation.

ping6
Pinging Google over IPv6 before and after disabling Scaleway’s host firewall rules.

I could now finally connect and receive connections over IPv6, but for some reason blog.paranoidpenguin.net was still not available over IPv6. That particular issue turned out to be DNS related. Scaleway had given me a new IPv6 address when I previously performed the hard reboot… yeah that’s really not an optimal solution /O\
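The stale-DNS failure described above can be caught by comparing the published AAAA records against the global addresses actually configured on the interface. The following is an added example, not code from the original post; the `ip -6 -o addr show` output and the AAAA answers are constructed samples using the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip -6 -o addr show` output (documentation prefix).
SAMPLE_IP_OUTPUT = r"""1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:42:1::1/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::dc1c:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
"""

# Constructed AAAA answers: the address held before the reboot, written in
# expanded notation to show that string comparison alone would be unreliable.
SAMPLE_AAAA = ["2001:0db8:0017:0001:0000:0000:0000:0001"]

# index: ifname  inet6 address/prefix scope <scope>
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+(\S+)/\d+\s+scope\s+(\S+)")


def global_addresses(ip_output):
    """Return the global-scope IPv6 addresses listed in `ip -6 -o addr show` output."""
    found = set()
    for line in ip_output.splitlines():
        m = ADDR_RE.match(line)
        # Loopback (scope host) and link-local (scope link) never belong in DNS.
        if m and m.group(3) == "global":
            found.add(ipaddress.IPv6Address(m.group(2)))
    return found


def compare(ip_output, aaaa_records):
    """Return (stale, unpublished).

    stale: AAAA records pointing at addresses the host no longer holds.
    unpublished: configured global addresses with no matching AAAA record.
    """
    configured = global_addresses(ip_output)
    # Parsing normalises compressed and expanded notations to the same value.
    published = {ipaddress.IPv6Address(r.strip()) for r in aaaa_records}
    return sorted(published - configured), sorted(configured - published)


if __name__ == "__main__":
    stale, unpublished = compare(SAMPLE_IP_OUTPUT, SAMPLE_AAAA)
    for addr in stale:
        print(f"stale AAAA record: {addr}")
    for addr in unpublished:
        print(f"configured but not in DNS: {addr}")
```

Run after any event that may reassign the address, feeding it the live `ip -6 -o addr show` output and the AAAA answers returned by the zone's authoritative name server.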

Thank you for reading!