Question about IPv6

ricardo.martinez · August 15, 2025, 12:51am

Hey everyone! I am not sure if this the best place to post this, so if it is not, sorry in advance.

I am trying to configure reticulum which is a new kind of decentralized network and it auto connects over IPv6 to other nodes on the network.

When I checked if IPv6 was enabled in Kicksecure, it says it is not.

Reading the docs, I found this on the DNS security page:
/wiki/DNS_Security

" * The user’s computer has a local IPv6 but no actual IPv6 connectivity which might confuse DNS resolvers such as unbound."

My question is: is it safe to enable IPv6?

Why is turned off by default, and should I take any additional security/privacy measures if I decide to enable it?

arraybolt3 · August 15, 2025, 2:59am

How exactly did you check? On my end, IPv6 is enabled by default. Your network needs to support it for it to work obviously, but if your network supports IPv6, Kicksecure should just use IPv6 by default.

(Note that if you’re using Kicksecure in KVM, it’s very possibly IPv6 won’t be working for you. It looks like however libvirt/QEMU handles networking, IPv6 doesn’t work out of the box, at least not on an Ubuntu host. That’s and example the network not supporting IPv6.)

Quiksilver · August 16, 2025, 5:55pm

Yes, you should enable IPv6 privacy extensions these aren’t enabled by default but are optional for you to un-comment if you need them. IPv6 has privacy issues by default as it relates to MAC Address in the addresses it uses

What you need to do to enable is you need to un-comment # ipv6.ip6-privacy=2 in /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf

and IPv6PrivacyExtensions=kernel and /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf to enable “Privacy Extensions”.

Quiksilver · August 16, 2025, 5:56pm

As far as I can tell IPv6 isn’t disabled in 40_kernel_hardnening.cfg (commented out) so it should be enabled? If it is not specifically disabled then IPv6 Privacy should be enabled by default by Kicksecure in my opinion I’m not quite sure why its not (maybe something related to virtual box)?

ricardo.martinez · August 18, 2025, 2:41pm

After reading your response, and quicksilver’s response, I checked again with

[ -f /proc/net/if_inet6 ] && echo ‘IPv6 ready system!’ || echo ‘No IPv6 support found!’

Apparently ipv6 is enabled, so now I think the issue I am having with reticulum may be related to apparmor blocking access to my wifi/ethernet for the app.

I think I may need to create an apparmor profile for reticulum

Patrick · August 19, 2025, 5:31am

github.com/Kicksecure/security-misc

MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic

opened 01:11PM - 06 Jan 24 UTC

adrelanos

https://github.com/Kicksecure/security-misc/blob/master/usr/lib/NetworkManager/c…onf.d/80_randomize-mac.conf ``` [device-mac-randomization] wifi.scan-rand-mac-address=yes [connection-mac-randomization] ethernet.cloned-mac-address=random wifi.cloned-mac-address=random ``` 1) Breaks root servers, namely broke kicksecure.com. This is what the server provide sent by e-mail. ``` We have detected that your server is using different MAC addresses from those allowed by your Robot account. Please take all necessary measures to avoid this in the future and to solve the issue. We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it. In the event that the following steps are not completed successfully, your server can be locked at any time after 2024-01-17 16:51:11 +0100. How to proceed: - Solve the issue - Please note, in case you have fixed the problem, please wait at least 10 minutes before rechecking: ... - After successfully testing that the issue is resolved, send us a statement by using the following link:... Please visit our FAQ here, if you are unsure how to proceed: https://docs.hetzner.com/robot/dedicated-server/faq/error-faq/#mac-errors Important note: When replying to us, please leave the abuse ID [...] unchanged in the subject line. Manual replies will only be handled in the event of a lock. Please note that we do not provide telephone support in our department. If you have any questions, please send them to us by responding to this email. Kind regards Network department ``` 2) Breaks VirtualBox DHCP when using Network Manger (in Kicksecure) after VM reboot (`sudo reboot`). It is functional for the first start after powering off and powering on the VM. [1] Might be related: https://forums.virtualbox.org/viewtopic.php?t=86753 Could be a Network Manager issue: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1116421 https://askubuntu.com/questions/307717/networkmanager-problem-with-cloned-mac-address ---- [1] Before someone says that's a VirtualBox issue, no, I mean, maybe, but that doesn't matter. VirtualBox is a valid environment. If that breaks, other environments will break as well. Broken networking is extremely frustrating. MAC randomization would be suitable for Kicksecure, but only if stable. It's not important enough to break common network configurations in common environments. ---- TODO: This bug has to be reported to Network Manager (NM) as above bug reports apparently never have reached upstream NM.