François' Blog

OpenBSD IPv6-only Networking & Firewall

Published on 2023-10-16

After setting up a VM at Hetzner with IPv6-only and OpenBSD, some configuration was needed to make it work. It being OpenBSD, I tried to find the canonical way. You can install OpenBSD on Hetzner VMs by first choosing a random Linux distribution, then mounting the OpenBSD image and rebooting into it.

Church in Bugewitz, Germany

The sections below will explain how to configure IPv6 after you've booted into the system (with the console) if you didn't (yet) configure it during installation. In addition, we'll discuss using pf to configure a very basic (server) firewall, and in case you also want IPv4, how to add that as well.

IPv6

Network

I found a blog post here that got me started, but I managed to simplify it even more.

The IPv6 address can be set in /etc/hostname.vio0. Make sure you take the IP address from Hetzner's web interface. It is shown as *::/64 as you have the entire /64 available. I generally pick ::1:

inet6 2001:db8::1/64

The IPv6 gateway can be set in /etc/mygate:

fe80::1%vio0

You can configure the hostname in /etc/myname:

helium.tuxed.net

To configure DNS, you can modify /etc/resolv.conf and add these lines:

nameserver 2a01:4ff:ff00::add:1
nameserver 2a01:4ff:ff00::add:2

These are Hetzner's recursive DNS addresses.

(Re)start the network:

# sh /etc/netstart

Firewall

It was difficult to find a working example of a firewall for IPv6 only hosts where IPv6 does not break. I was under the (wrong) assumption that you do not need IPv6 neighbor discovery when using a static IPv6 address configuration.

For a very simple firewall, that allows SSH, HTTP and HTTPS, you can use the following content and put it in /etc/pf.conf:

set skip on lo
block return
pass in quick on egress inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv }
pass in quick on egress proto tcp to port { 22, 80, 443 }
pass out on egress proto { tcp, udp, icmp6 } from any to any modulate state (if-bound)

If you want to silently drop connections now allowed instead of returning an ICMP response, you can change block return to block. If you do not want to allow ping, you can remove echoreq. If you are running somewhere where you need to accept router advertisements, you need to add routeradv to the icmp6-type set as well.

Apply the firewall rule changes by running pfctl -f /etc/pf.conf.

IPv4

Network

If you also have an IPv4 address, you can configure it like this. Modify your /etc/hostname.vio0 file:

inet autoconf
inet6 2001:db8::1/64

Unfortunately I was unable to get static IP configuration working for IPv4 on OpenBSD. Hetzner documents it for Debian and NetworkManager, but now idea how to "translate" that. The FreeBSD and NetBSD examples also use DHCP.

You can also add the IPv4 DNS addresses in /etc/resolv.conf:

nameserver 185.12.64.1
nameserver 185.12.64.2

(Re)start the network:

# sh /etc/netstart

Firewall

You can update /etc/pf.conf:

set skip on lo
block return
pass in quick on egress inet proto icmp icmp-type { echoreq }
pass in quick on egress inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv }
pass in quick on egress proto tcp to port { 22, 80, 443 }
pass out on egress proto { tcp, udp, icmp, icmp6 } from any to any modulate state (if-bound)

Apply the firewall rule changes by running pfctl -f /etc/pf.conf.

History