add IPv6 support

Patrick · May 28, 2024, 6:52pm

Now that the port to nftables has been completed, it’s time to add IPv6 support.

Suggestions which internal IPv6 addresses we should use for,

A) Whonix-Gateway internal network interface?
B) Whonix-Gateway external network interface?
C) Whonix-Workstation internal network interface?

I plan to keep using static IP configuration without introducing the complexities of DHCP.

related source code files:

related, on why we use 10.152.152.10 for IPv6:

This is for Non-Qubes-Whonix only. For Qubes-Whonix, there is a separate ticket: add IPv6 support to Qubes-Whonix · Issue #9267 · QubesOS/qubes-issues · GitHub

Patrick · June 6, 2024, 11:33am

Should consider using unique local address (ULA).

Patrick · June 6, 2024, 1:12pm

github.com/QubesOS/qubes-issues

IPV6: Use GUA (Global Unicast Addresses) or reserved addresses instead of ULA (Unique Local Unicast Addresses) within Qubes

opened 09:17PM - 01 Oct 22 UTC

brejdol

T: enhancement P: default C: networking

The current IPv6 setup within Qubes use Unique Local Unicast Addresses (ULA) (f…c::/7) + NAT66 today. The original intention with ULA was to have a private address space in IPv6, and to use NAT66 if internet access is needed, just as RFC1918 addresses work in IPv4. For Qubes, this makes perfect sense since it solves all portability issues - The network within Qubes doesn't change even if you move from one network to another, and the environment within is oblivious to the uplink. The problem is that ULA addresses in 2022 doesn't work as originally did, and this is unfortunately not common knowledge outside the networking community. The working order of ULA addresses was changed a few years back. Now, IPv4 addresses are ALWAYS preferred over ULA addresses, wich makes ULA addresses pretty much useless in a dual stack environment - They will never be used by the operating system for anything. You can force ping and traceroute to use IPv6, but not much else. Even if you change the priority for ULA in /etc/gai.conf, you will still not be able to reliably get IPv6 ULA and AAAA DNS records to always be preferred (probably due to some hard-coding somewhere). The solution is to stop using ULA addresses internally, and to use Global Unicast Adresses (GUA) instead. This however means you need to get ahold of a prefix to use for this. Another option is to use addresses from the reserved address space, like the documentation prefix 2001:db8::/32, or the unused and reserved 0200::/8 space. The latter one is proposed to be the new "lab" prefix (not ratified yet) in order to solve this exact issue with ULA addresses not being preferred by the operating system. Both these reserved prefixes are considered bogon networks on the internet, and they will be dropped at the first hop (just like RFC1918 addresses in IPv4). They can't be routed on the internet, so they can't ever be destination networks. This means they are both perfectly suited to be used within Qubes for the internal addressing instead of the dreaded ULA. IPv6 deployments for home users is now starting to pick up the pace. This change would make the Qubes environment more seamlessly blend in, and would make it work exactly the same as the rest of your equipment in your IPv6 enabled network. As it is now, Qubes doesn't really use IPv6.

Patrick · June 6, 2024, 1:58pm

Patrick · June 15, 2024, 1:48pm

Patrick · June 16, 2024, 2:34pm

Patrick · August 22, 2024, 5:37pm

Requested to re-open Listen on IPv6 by default for SocksPort *:Port (#11360) · Issues · The Tor Project / Core / Tor · GitLab because it might not have been actually implemented.

Patrick · October 8, 2024, 9:51am

Issue:

Pull requests to fix this issue:

Patrick · October 12, 2024, 8:17am

This adds an IPv6 for the gateway:

github.com/Whonix/whonix-gw-network-conf

Add IPv6 address

Whonix:master ← DanWin:ip6

opened 07:23PM - 11 Oct 24 UTC

DanWin

+5 -0

This pull request adds an IPv6 address ## Mandatory Checklist - [X] Legal …agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it

Same for the workstation:

github.com/Whonix/whonix-ws-network-conf

Add IPv6 address

Whonix:master ← DanWin:ip6

opened 07:23PM - 11 Oct 24 UTC

DanWin

+6 -0

This pull request adds an IPv6 address ## Mandatory Checklist - [X] Legal …agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it

Enables IPv6 usage in tor and removes the sysctl disable setting:

github.com/Whonix/anon-gw-anonymizer-config

Enable IPv6

Whonix:master ← DanWin:ip6

opened 07:23PM - 11 Oct 24 UTC

DanWin

+111 -2

This pull request enables IPv6 ## Mandatory Checklist - [X] Legal agreemen…ts accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it

Update firewall rules to split IP4/IP6 variables to allow defining proper IPv6 addresses in those and accept NDP required for IPv6:

github.com/Whonix/whonix-firewall

Add IPv6 support

Whonix:master ← DanWin:ip6

opened 07:23PM - 11 Oct 24 UTC

DanWin

+139 -33

This pull request adds IPv6 support ## Mandatory Checklist - [X] Legal agr…eements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it

Patrick · October 18, 2024, 10:57am

Patrick · October 31, 2024, 5:44am

github.com/Whonix/anon-ws-disable-stacked-tor

Add IPv6 listening sockets

Whonix:master ← DanWin:ipv6

opened 09:37PM - 30 Oct 24 UTC

DanWin

+178 -0

Adds IPv6 listening sockets ## Mandatory Checklist - [X] Legal agreements …accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it

Patrick · October 31, 2024, 8:51pm

github.com/Whonix/qubes-whonix

Add IPv6 replacements

Whonix:master ← DanWin:ipv6

opened 02:10PM - 31 Oct 24 UTC

DanWin

+40 -4

This pull request adds IPv6 address replacements ## Mandatory Checklist - …[X] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #

github.com/Kicksecure/helper-scripts

Add GATEWAY_IP6 variable

Kicksecure:master ← DanWin:ipv6

opened 03:35PM - 31 Oct 24 UTC

DanWin

+16 -0

This pull request adds an IPv6 gateway configuration variable ## Mandatory Ch…ecklist - [X] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it