1

I am running a PiVPN Wireguard installation on my Pi. I have multiple docker services running on the Pi as well. My setup works. I can connect to my VPN and access all the services. The problem is that my router firewall does not support opening specific ports over ipv6, it only supports enabling or disabling the ipv6 firewall entirely. I am running the entire VPN setup over ipv6 so I don't have to pay for a static ipv4 address (My ISP blocks port forwarding over ipv4). I want to open only the wireguard port over ipv6 to the internet and I don't want any other service to be accessible over the internet without connecting to the VPN.

Right now I have a hacky insecure solution where I scan for any open ports on my system and keep blocking them one by one using iptables. This seems to work but of course, isn't ideal. I have tried making general ipv6tables rules but those usually end up blocking everything for me.

How can I achieve this by maybe adding some rules to the iptables for ipv6?

Aniansh
  • 61
  • 5

1 Answers1

1

You could just allow incoming connections on the WireGuard port (default = 51820) on your Raspberry Pi including established and related traffic and drop all else:

sudo ip6tables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -j DROP

Regarding your router/firewall, if you can only block all IPv6 traffic or allow all IPv6 traffic, it might be a good idea to place a router of your own between the one your ISP provided so you can configure it to function as a firewall for your network.

Stephan
  • 11
  • 2