Getting universally routable IPv6 Addresses for your Linux Containers on Ubuntu 18.04 with LXD 4.0 on a VPS

Preliminary

Goals

  • Direct connection to the containers over the internet with IPv6 (If you point a Cloudflare-proxied FQDN to the IPv6 of the container, Cloudflare will add IPv4 compatibility for you)
  • Using lxdbr0 to be able to limit ingress and egress of the container
  • Not ditching netplan as that is too complicated in my opinion
  • Should work if the ISP uses MAC address filtering which mine does

Prerequisites

  • Having a /64 or larger IPv6 subnet assigned to your VPS
  • The ISP routes the /64 subnet directly to the host (If not, the NDP proxy daemon ndppd has to be used, see here)
  • Running Ubuntu 18.04 and LXD 4.0

Networking

Setting up Netplan

$macaddress, $ipv6address1, $ipv4address and $ipv4gateway have to be set/changed to your addresses. Also, eth0, my default physical interface, may have a different name for you.

cat > /etc/netplan/01-netcfg.yaml <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      match:
        macaddress: $macaddress
      addresses:
        - $ipv4address/32
        - $ipv6address1/128
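      routes:
        # Both default routes go in one list: a second "routes:" key
        # in the same mapping is a duplicate YAML key.
        - to: ::/0
          via: fe80::1
        - to: 0.0.0.0/0
          via: $ipv4gateway
          on-link: true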
      nameservers:
        search: [ invalid ]
        addresses:
          - 1.1.1.1 # These four entries are Cloudflare's DNS
          - 1.0.0.1 # you may set different ones
          - 2606:4700:4700::1111
          - 2606:4700:4700::1001
EOF

Setting up the Kernel NDP proxying and forwarding

cat >>/etc/sysctl.conf <<EOF
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.eth0.proxy_ndp=1
EOF

Also make sure IPv6 is not disabled in this file.

UFW Change - If the UFW firewall is used
nano /etc/default/ufw

Make this change: DEFAULT_FORWARD_POLICY="ACCEPT"

Then do a reboot.

LXD

Install and setup LXD
When initiating LXD after the install, put the IPv6/64 range as the lxdbr0 IPv6 address. Beware that you should not use the same address on the host’s eth0 and on lxdbr0. The IPv4 stuff can be left alone and set to auto and stay with NAT. If already installed, you can run:

lxc network set lxdbr0 ipv6.address $ipv6address2/64  # Other one than eth0

This way the containers are going to get an IPv6 address from lxdbr0.

Also the following options should be set:

lxc network set lxdbr0 ipv6.dhcp false
lxc network set lxdbr0 ipv6.nat false
lxc network set lxdbr0 ipv6.routing true

Run a Linux Container and enjoy
lxc launch ubuntu:18.04 c1
Enjoy a container with a universally routable IPv6.
To get the address, you can run lxc list

Special Thanks

This would not have been possible without the help and tutorials of Thomas Parrott @tomp and Ryan Young @yoryan and his tutorial here. Thank you both very very much! And of course a big thank you also to the whole Linuxcontainer team!

3 Likes
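An added check for the sysctl step in the guide above (not part of the original post): it reads a sysctl.conf-style file with later lines overriding earlier ones, confirms the four forwarding and proxy_ndp keys end up as 1, and flags any disable_ipv6=1 setting. The function names and the sample file are constructed for illustration, and the check covers only the one file, not /etc/sysctl.d/ or the running kernel.

```shell
# Added example, not from the original post.
# effective_value FILE KEY: print the last value assigned to KEY (later lines win).
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) last = v
        }
        END { print last }
    ' "$1"
}

# check_sysctl_conf FILE IFACE: return 0 only if the guide's settings are effective.
check_sysctl_conf() {
    file=$1; iface=$2; rc=0
    for key in net.ipv6.conf.all.forwarding "net.ipv6.conf.$iface.forwarding" \
               net.ipv6.conf.all.proxy_ndp "net.ipv6.conf.$iface.proxy_ndp"; do
        val=$(effective_value "$file" "$key")
        if [ "$val" != "1" ]; then
            echo "MISSING: $key is '${val:-unset}', expected 1"
            rc=1
        fi
    done
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6 \
               "net.ipv6.conf.$iface.disable_ipv6"; do
        if [ "$(effective_value "$file" "$key")" = "1" ]; then
            echo "CONFLICT: $key=1 disables IPv6"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an older line disables IPv6, the guide's lines were appended after it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.eth0.proxy_ndp=1
EOF
check_sysctl_conf "$sample" eth0 || echo "Fix the lines above before rebooting."
rm -f "$sample"
```

On a real host, pass /etc/sysctl.conf and the name of your physical interface in place of the sample file and eth0.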

How do I get $ipv6address2?

1 Like

If your first IPv6 address is 2606:4700:4700::1001, you can increment that by 1: 2606:4700:4700::1002.
IPv6 addresses are written with hexadecimal digits (IPv6 address - Wikipedia), so you can also use a-f, for example: 2606:4700:4700::100f.

1 Like