Wondering about IPv6 homelab security

Hi everyone, extremely new here, read up for several days before making this post so as not to waste people's time. The actual question's in bold toward the bottom, it's less of a technical question than a cultural one.

For my setup, important to know that I'm in Japan on IPoE and MAP-E (CG-NAT).

I've got an OpenWrt One router and had been trying to set up WireGuard for remote access to my home network, when a user on this forum helped me understand that WireGuard doesn't work smoothly with CG-NAT.

I learned about some workarounds using a VPS, but I don't want to go that route because I'm trying to keep everything self-contained within my own home. (I'm cheap!)

Then I learned that having native IPv6 means that I don't even technically need WireGuard or services like that, apparently just remoting in from anywhere is a feature of IPv6. At that point it's all about firewall rules and proper DNS, SLAAC, and, um, DHCP configuration (or whatever!)

I can figure that stuff out slowly. What I'm wondering is, do a lot of you guys do that? If you have IPv6 through your ISP, do you start to transition your network over to a dual- or pure-IPv6 setup in terms of security? Or do you try to stick with your IPv4 setup as much as possible--and if so, is it for any other reason than that it's more comfortable? At this point, I'm such a newbie that I think I should just learn IPv6 unless there is some compelling reason not to.

But I'm hesitating because just surfing around on Reddit, YouTube, and the like, it feels like people sort of go out of their way to avoid a pure or mostly IPv6 environment. Like, you can find a million explainers on YouTube about how to set up WireGuard, but only a random handful for setting up secure remote access via IPv6.

I understand all the basics about IPv6, that it's "new", that not all websites use it yet, and that there are still pretty big security vulnerabilities being found in IPv6, but the general vibe I'm getting from googling around about home network security is that most people are intentionally leaning away from an all-or-mostly IPv6 setup.

Thanks for any advice you can give. I don't want to hook up any of the nice gadgets I bought (switch, NAS, etc.) until my router is fully configured, and I've been stuck in the mire over this remote access problem for about two weeks now, so I appreciate anybody who could help me find a clear path forward.

I'm getting my popcorn ready, can't wait for the responses to this one... :grinning_face:

Not sure where you got all that, but it's pretty much untrue. IPv6 has no more nor fewer bugs than IPv4 these days. OpenWrt's default configuration makes your router just as secure whether you run IPv4-only, IPv6-only or dual stack.

The only thing holding you back from running IPv6-only is really just support from the wider web; some providers are very late to the party. I think maybe reddit is still v4-only??? And some AWS stuff was v4-only until very recently.

8 Likes

Yeah, the only website I've had trouble with so far is Reddit, and that's not a big deal for me.

I think I'm having a hard time understanding IPv6 remote security on a conceptual level. I have a good amateur-level understanding of encryption and a basic understanding of VPN tunneling, so when I hear that all 2000:: addresses are public and we use those on both sides of the router, I wonder what else can protect my devices from remote access besides the firewall?

Like, if I get my firewall rules 99% right, what other hurdle can I put up so that if someone manages to discover one of my IPv6 addresses, they can't just spoof the thing and waltz through my router?

I think you're alluding to IPv4 Network Address Translation (also a firewall component, at least in Linux) being employed as a security feature. While IPv6 doesn't employ that (at least by default, it could be used though :wink: ), NAT was never originally intended to be a security feature. It was one of the first large-scale engineering efforts to mitigate the IPv4 exhaustion.

  • "Discover" one of your IPv6 addresses?
  • Spoof what thing to waltz through your router?

You are aware that IPv6 devices generally use a rotating privacy address, correct?

Be sure you've configured it on the client.

1 Like

See this is what I mean, I don't know what I don't know yet :sweat_smile: I expect most of my questions are pretty silly, but thank you for the info, it's all helpful.

So I'm aware that the addresses change, but with my ISP I'm not sure how often that happens, and I guess I'm not sure what steps to take going forward. I know there are options, like SLAAC, DNS, DDNS, etc, but I haven't been able to find a definitive guide for people at my level saying "IPv6-only homelab and you want to access Immich from your phone? You're gonna wanna configure [SLAAC]."

There is an abundance of information which is great, but it's overwhelming, I feel like I'm in a Japanese bookstore fresh off the boat :face_with_spiral_eyes:

If you're alluding to the clients using random addresses, subsequent prefix changes from the ISP aren't required for that to occur.

Options to accomplish what?

Just use DDNS on the client with the IP if you need a hostname for a server (same as IPv4).

(But if you plan to make a DDNS, not sure why you're concerned about someone learning the IP.)

1 Like

You only really need to pay attention if or when you add new rules that punch through the firewall. By default, OpenWrt's configuration is to reject 100% of incoming connections, v4 or v6; everyone outside the LAN stays outside.

It might be good to just start digging in and trying to figure out what's going on in the firewall itself, here's a link to the default config:

Notice that the lan zone can initiate and receive traffic from everything else by default. More importantly, notice that incoming wan zone traffic is rejected, without making any distinction as to v4 or v6; only traffic on already existing connections is allowed (i.e., connections that were initiated by a lan device to the wan).

Looking below the zone defaults, you'll see the various ports/services that are exposed on the router's wan interface. These are all to allow your router and your ISP's router to exchange configuration information in order to set up and maintain a connection. (Go to Wikipedia and read the blurbs on the ICMP and ICMPv6 pages, maybe IGMP, to get a sense of what that looks like.)

And don't worry about exposing your IP addresses, they're already known and being attacked right now. It doesn't matter because the firewall is blocking all the external ports that aren't hardened.

3 Likes
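Since the only thing that changes the "reject everything from wan" default is a rule you add yourself, here is an added example (not code from anyone in this thread or from the OpenWrt project): a small Python audit that parses `/etc/config/firewall` (UCI) syntax and lists every rule accepting traffic from the wan zone, separating OpenWrt's stock ICMP/DHCP plumbing from user-added holes. The sample config, the `Allow-WireGuard` and `Allow-NAS-Web` rules and their ports are constructed for illustration; note that the NAS rule has no `family` option, so it applies to IPv4 and IPv6 alike, which is the v4/v6-agnostic behaviour described above.

```python
import re
# Constructed sample in /etc/config/firewall (UCI) syntax: one stock rule, two user-added.
SAMPLE = """
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-NAS-Web'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
"""
# Rule names OpenWrt ships in its stock firewall config (ICMP/DHCP/IPsec plumbing).
STOCK_RULES = {"Allow-DHCP-Renew", "Allow-Ping", "Allow-IGMP", "Allow-DHCPv6", "Allow-MLD",
               "Allow-ICMPv6-Input", "Allow-ICMPv6-Forward", "Allow-IPSec-ESP", "Allow-ISAKMP"}

def parse_uci(text):
    """Split UCI text into (section type, {option: value}) pairs; `list` lines are skipped."""
    sections = []
    for raw in text.splitlines():
        m = re.match(r"(config|option)\s+(\S+)(?:\s+'?(.*?)'?)?$", raw.strip())
        if m and m.group(1) == "config":
            sections.append((m.group(2), {}))
        elif m:
            sections[-1][1][m.group(2)] = m.group(3)
    return sections

def wan_exposures(text):
    """Rules ACCEPTing from wan -> (family, proto, dest, port); no family = v4+v6, no dest = router."""
    found = {}
    for kind, o in parse_uci(text):
        if kind == "rule" and o.get("src") == "wan" and o.get("target") == "ACCEPT":
            found[o["name"]] = (o.get("family", "ipv4+ipv6"), o.get("proto", "any"),
                                o.get("dest", "router"), o.get("dest_port", "any"))
    return found
def user_added_exposures(text):
    """The holes worth reviewing: wan ACCEPT rules that are not stock plumbing."""
    return {n: v for n, v in wan_exposures(text).items() if n not in STOCK_RULES}
```

Run it against your own `/etc/config/firewall` contents instead of `SAMPLE` and anything it prints is a hole you opened; a rule with no `family` is open on both stacks, and a rule with no `dest` targets the router itself.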

Good heavens, that is so useful, thank you very much. Can I buy you a coffee?

1 Like

Independently of IPv4 or IPv6, whatever you don't want to see on the big screen on Times Square is better put behind bars (your own roadwarrior-style VPN). Keep the attack surface low and keep services that aren't battle-hardened out of reach of potential attackers. With IPv6, we finally get end-to-end connectivity back, which is a good thing - but that doesn't mean everything should be -indiscriminately- accessible from the outside (even -just- a login page invites brute force attacks). OpenWrt's default firewall setup does indeed treat IPv4 and IPv6 alike, in a safe manner.

I've been using an ISP with cgNAT plus a semi-static IPv6 /56 prefix for half a decade now; incoming VPNs are working fine over IPv6 and usually well enough in practice (public hotspots, guest networks, international 4G/5G roaming or business networks often don't support IPv6; all national phone ISPs around here do (or at least can, if you explicitly opt in), which means I can usually get by without IPv4). However, IPv6 proliferation does differ massively by region: while it's just there in one country or at one ISP, others might not have heard about it.

2 Likes

Thank you for your help.

Do you mind if I ask some more nonsense? (I still have to read through the wikipedia pages that were recommended above, so this might be covered there.) So you use VPNs, are any of those just for tunneling into your network remotely to access a NAS, something like that? Or would using a VPN with IPv6 just for that reason be redundant with proper firewall/etc configuration?

Again sorry if I'm sort of wandering in circles here with my questions, just trying to make sure I'm not making bad assumptions.

Exactly.

That would be possible (if you configure the firewall to let this traffic through), indeed, BUT… Anything going over the internet should be encrypted; that's why the VPN with its strong encryption is strongly recommended. Likewise, I wouldn't trust a NAS' login page to be secure enough to withstand every script kiddie around the world, the various state-sponsored criminals looking for jump hosts to cover their tracks, and organized crime looking to extort money, all trying their luck 24 hours a day - another reason to put this all behind a VPN.

If you want to provide a public service to >dozens of strangers, sure, just add the necessary IPv6 traffic rules to the firewall and you're done (well, not really, you then need to put this server into a DMZ and do proper software maintenance and timely security support, following best practices, like you'd do for a rented root server). But if only you yourself and your closest family need access, the VPN route is preferable - always. It's simply a question of reducing security exposure/your attack surface and restricting access to only those who need it.

2 Likes

Now that this is stuck in my head, I have to get it out so I can get on to other things... :grin:

"Security by obscurity" is just theater, assume everyone knows your IP addresses and behave accordingly. Things like SLAAC address rotation are not security measures, they are privacy measures as they attempt to change your fingerprint to make tracking harder (it's a separate discussion as to how well that works).

Firewall and lan hygiene fall into some broad categories:

  1. Home use - just you and people in your house use the internet, you provide no services. Simply lock the firewall down completely - this describes OpenWrt's default configuration.

  2. Home worksite/lab - one or few trusted users require access to some service from their hotel room or office, say to access your home media server. Since users are trusted (this is key), we can leave the lan devices as above, but use a VPN solution to simply and securely allow users through the firewall.

  3. Public server - you wish to provide a service (say host your own website) to untrusted users. Oops, that one untrusted user has pushed you across the line from "OpenWrt user" to "IT professional". You need to change your network config as @slh describes, with a DMZ (often on a separate LAN, either physical or virtual). Put your server in that DMZ, harden it by running an OS designed for that purpose, maybe an SELinux-enabled one like Alma Linux or Rocky or whatever. Such servers almost always have their own redundant firewall, which you'll need to configure. Install your service there, install monitoring tools, set up intrusion triggers and so on. This server should not be able to see, much less access, any other local device. Finally, put new rules in the router's firewall exposing just the necessary ports on that server to the public. Watch the intrusion monitors and keep it up-to-date.

5 Likes

Thank you very much for spelling this out for me, it's very intuitive and easy to understand :man_bowing::man_bowing::man_bowing: