Add IPv6 support for OpenVPN (PiVPN) on Pi

[teusink]

Add IPv6 support for OpenVPN (PiVPN) on Pi

Two options here:

1. Enable IPv6 inside the tunnel.
2. Enable IPv6 outside the tunnel, as in: the tunnel itself is IPv6.

Exposing a IPv6 tunnel to the outside world requires fail2ban 0.10 for rate-limiting. This is not yet available on Debian Stretch. See issue: https://github.com/teusink/Home-Security-by-Pi/issues/26

So for now option 1 only should suffice.

Considerations:

• IPv6 range that is different from your original IPv6 range from your ISP.
• Security in regard to rate-limiting (fail2ban).
• Is IPv6 really needed to be set to be used inside the tunnel, while you still access it over IPv4? What is the added value?

Roadblocks:

• No fail2ban 0.10 release on Pi leads to no protection on IPv6. Current release is 0.9.6-2: https://packages.debian.org/stretch/fail2ban

Sources:

• https://community.openvpn.net/openvpn/wiki/IPv6
• https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/
• https://www.apnic.net/get-ip/faqs/ipv6-documentation-prefix/
• https://unix.stackexchange.com/questions/373947/why-do-i-need-another-ipv6-block
• https://superuser.com/questions/528523/how-can-i-figure-out-what-ipv6-to-use-if-i-want-to-set-a-static-ip-for-my-comput
• https://forums.openvpn.net/viewtopic.php?t=21735
• https://unix.stackexchange.com/questions/216689/blocking-ssh-brute-force-attacks-on-ipv6
• https://www.ctrl.blog/entry/fail2ban-ipv6
• http://ncomputers.org/fail2ban

[teusink]

Native IPv6 on Pi works out-of-the-box with stretch. Now I need to find a way to do a IPv6-tunnel.

[teusink]

Got full IPv6 support within my network. Can access any source over IPv6 (DHCP, DNS, Pi-hole Admin console). Somehow cannot reach any IPv6 source from the outside, even with port-forwarding. Might be ISP issue. Will look further into that.

[teusink]

In addition, due to lack of fail2ban support for IPv6 (Raspbian repos not updated with latest fail2ban), it is not even smart to open up VPN through IPv6 to the outside world.

[teusink]

Wait for future release of Debian for Raspberry Pi that has fail2ban which supports IPv6. Then look into getting IPv6 tunneling working. Perhaps also impacts UDP/TCP?

[teusink]

Repo will be archived, so this issue won't receive a follow up.