{{Header}}
{{title|title=
IPv6 Development
}}
{{#seo:
|description=Development notes for adding IPv6 support to {{project_name_short}}.
}}
{{intro|
Development notes for adding IPv6 support to {{project_name_short}}.
}}
= Essential Knowledge =
* Tor 6to4: Tor is capable of tunneling IPv6 over IPv4. Even if your ISP does not support IPv4, the user will still be able to reach IPv6 destinations. Tor will build circuits over IPv4. However, IPv6 traffic is tunneled through IPv4. There is no need to have functional IPv6 support for clearnet just to be able to reach IPv6 destinations over Tor.
* Qubes specific.
** https://www.qubes-os.org/doc/networking/#limitations
*** Currently only IPv4 DNS servers are configured, regardless of ipv6 feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability. But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.
** Qubes IPv6 only mode bug: [https://github.com/QubesOS/qubes-issues/issues/9288 Fix IPv6 connectivity on downstream qubes]
= IPv6 Support in Whonix =
IPv6 support are multiple parts.
* '''A)''' Whonix-Workstation connecting to Whonix-Gateway using IPv6.
** The following pull requests implement this:
*** https://github.com/Whonix/anon-ws-disable-stacked-tor/pull/2
*** https://github.com/Whonix/anon-gw-anonymizer-config/pull/5
*** https://github.com/Whonix/whonix-gw-network-conf/pull/1
*** https://github.com/Whonix/qubes-whonix/pull/2
*** https://github.com/Whonix/whonix-firewall/pull/10
*** https://github.com/Kicksecure/helper-scripts/pull/10
*** https://github.com/Whonix/whonix-ws-network-conf/pull/1
*** https://gitlab.torproject.org/tpo/core/torsocks/-/merge_requests/17
* '''B)''' Tor proxying connections to IPv6 destinations.
** Already functional with Tor Browser.
*** NOTE: ISP IPv6 feature state does not matter. Tor does not require functional IPv6 by the ISP to be able to proxy/tunnel IPv6. Tor can tunnel IPv6 over IPv4.
** curl: TODO - connection via IPv6 works once above pull requests are merged, however for name resolution curl wants to open a nameserver connection, which gets filtered by torsocks. Thus curl currently fails resolving IPv6 destinations.
** transparent proxying: Implemented once above pull requests are merged
* '''C)''' Tor using IPv6 to build Tor circuits.
** Implemented once above pull requests are merged
= Whonix TODO =
* Whonix
** In file [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/sysctl.d/anonymizer-config-gateway.conf /etc/sysctl.d/anonymizer-config-gateway.conf] comment out net.ipv6.conf.all.disable_ipv6 = 1.
* Use [https://en.wikipedia.org/wiki/Unique_local_address ULA (unique local address)]?
** [https://github.com/QubesOS/qubes-issues/issues/7803 IPV6: Use GUA (Global Unicast Addresses) or reserved addresses instead of ULA (Unique Local Unicast Addresses) within Qubes]
** GUA might have a higher risk for leaks?
** We should avoid depending on reserved addresses because their status could be changed in the future (while we aren't keeping tracking of this anymore) and we'd run into unexpected behavior or leakage.
** At least ULAs designed to do what we want them to do and will remain as such.
** Solution? Keep using ULA but use one of the workaround from above ticket?
* Use IPv4 mapped IPv6 addresses?
** /etc/network/interfaces
iface eth0 inet6 static
address ::FFFF:192.168.0.1
netmask 96
* Non-Qubes-Whonix
** Whonix-Gateway: https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix
** Whonix-Workstation: https://github.com/Whonix/whonix-ws-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix
* Qubes-Whonix
** temporarily during development in dom0: {{CodeSelect|code=
qvm-features sys-whonix ipv6 1
}}
** '''TODO:''' Send a pull request to Qubes salt to no longer run command qvm-features sys-whonix ipv6 "" or maybe qvm-features sys-whonix ipv6 0.
** '''TODO:''' Qubes IPv6 migration difficulty.
*** When enabling Qubes host virtualizer setting qvm-features sys-whonix ipv6 1, then sys-whonix network will fail to come up as long as sysctl net.ipv6.conf.all.disable_ipv6=1 is set.
*** Vice versa, when enabling sysctl sysctl net.ipv6.conf.all.disable_ipv6=1 in sys-whonix without enabling Qubes host virtualizer setting qvm-features sys-whonix ipv6 1, networking will also fail to come up.
*** This makes migration very difficult.
*** TODO: patch Qubes upstream to simplify this so networking does not fail just because of IPv6 disabled/enabled on host VM settings but not disabled/enabled inside VM sysctl settings
** '''TODO:''' https://forum.qubes-os.org/t/qubes-4-3-cannot-create-a-new-appvm-that-provides-network-to-other-qubes/30906
= VirtualBox =
* VirtualBox NAT currently doesn't support IPv6. It only provides an IPv4 address which we configured statically in etc/network/interfaces.d/30_non-qubes-whonix
* As a workaround, we can switch the Gateway network to use a Bridged Adapter to the hosts network interface. This however exposes the Gateway to the hosts network. To allow IPv6 packages reaching the VM, Promiscuous mode needs to be changed to "Allow All".
* We need to add an address to our network configuration in etc/network/interfaces.d/30_non-qubes-whonix or let it automatically be configured, such as with
iface eth0 inet6 auto
= Libvirt =
* On the gateway, the network XML configuration needs to be modified to add an additional IPv6 address, such as the following:
Whonix-External
0944b9e9-dd9c-4dd2-97e8-3b8d810d3b3f
* We need to add the same address also to our network configuration in etc/network/interfaces.d/30_non-qubes-whonix
auto eth0
iface eth0 inet6 static
address fd19:c33d:98bc::15
netmask 64
gateway fd19:c33d:98bc::
* On the host it may be necessary to allow forwarding of IPv6 traffic for the desired network on the firewall. The necessary rules may or may not be added by libvirt automatically. Here an example configuration for ip6tables created by libvirt:
-A LIBVIRT_FWI -d fd19:c33d:98bc::/64 -o virbr1 -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp6-port-unreachable
-A LIBVIRT_FWO -s fd19:c33d:98bc::/64 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp6-port-unreachable
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
* On the host we also need to enable forwarding of IPv6 with sysctl net.ipv6.conf.all.forwarding=1
= Tor IPv6 Configuration =
{{CodeSelect|code=
sudo nano /etc/tor/torrc
}}
{{CodeSelect|code=
SocksPort [::1]:9050
}}
{{CodeSelect|code=
sudo systemctl restart tor
}}
* [https://tor.stackexchange.com/questions/24029/how-to-listen-on-both-localhost-ipv4-and-ipv6-at-the-same-time-with-1-configura How to listen on both localhost, IPv4 and IPv6 at the same time with 1 configuration line?]
* [https://gitlab.torproject.org/tpo/core/tor/-/issues/40952 document how to listen on localhost on both, IPv4 and IPv6 at the same time using SocksPort *:Port]
Note: If localhost on the system (inside the VM) does not have IPv6 support, Tor will fail to start.
[warn] Could not bind to ::1:9050: Cannot assign requested address
[warn] Failed to parse/validate config: Failed to bind one of the listener ports.
[err] Reading config failed--see warnings above.
= Functional =
Definitions:
* broken ISP IPv6: Your ISP does not provide IPv6. Visiting IPv6 pages are broken.
Overview:
* broken ISP IPv6 + Debian + Tor IPv6 Configuration (see above) + curl --ipv6 + IPv6 localhost
** using IP (without DNS)
*** {{CodeSelect|code=
curl --ipv6 --proxy socks5h://[::1]:9050 --resolve v6.ipv6test.app:443:[2600:9000:21f3:1800:18:3c03:3680:93a1] https://v6.ipv6test.app/
}}
** using DNS
*** {{CodeSelect|code=
curl --ipv6 --proxy socks5h://[::1]:9050 https://v6.ipv6test.app/
}}
** example output: 2a0b:f4c2:1::1
*** an IP address of a Tor IPv6 exit relay. Can be verified using [[ExoneraTor|ExoneraTor]] ([https://metrics.torproject.org/exonerator.html?ip=2a0b%3Af4c2%3A1%3A%3A1×tamp=2024-06-04&lang=en example]).
* broken ISP IPv6 + Debian + Tor Browser + IPv6-only test page
* broken ISP IPv6 + Whonix-Workstation + Tor Browser + IPv6-only test page
Notes:
* Tor SocksPort configuration option IPv6Traffic is optional, not required.
* Find out the IP address of an IPv6 test server. Requires functional IPv6 connectivity somewhere.
** {{CodeSelect|code=
nslookup v6.ipv6test.app
}}
*** 2600:9000:21f3:1800:18:3c03:3680:93a1
= TODO Test =
* functional ISP IPv6 + Debian + curl --ipv6 + IPv6 via IP only (without DNS)
** useful for testing if IP connectivity is functional while exluding potential DNS related issues
** {{CodeSelect|code=
curl --ipv6 --resolve v6.ipv6test.app:443:[2600:9000:21f3:1800:18:3c03:3680:93a1] https://v6.ipv6test.app/
}}
= IPv6-only test pages =
These are only reachable over IPv6. Not over IPv4 at all. This makes these test pages ideal for testing.
* https://v6.ipv6test.app/
= Test Scenario =
After full IPv6 support has been added to Whonix, the following test might be ideal to test if IPv6 is fully functional.
IPv6 only ISP simulation:
* Disable IPv4 either:
** A) on the router or,
** B) alternatively, in case of Non-Qubes-Whonix alternatively on the host operating system.
** C) alternatively, in case of Qubes-Whonix use a VM sys-ipv4-breaker (A ProxyVM that disables IPv4 using sysctl)
= Discussion =
* [https://forums.whonix.org/t/add-ipv6-support/19893 add IPv6 support]
* [https://github.com/QubesOS/qubes-issues/issues/9267 add IPv6 support to Qubes-Whonix]
[[Category:Development]]
{{Footer}}