How to properly disable IPv6 on Hetzner dedi?

JohnRoe Member
edited February 2020 in Help

Hi. Can anyone tell me the correct way to disable IPv6 on Hetzner?

I Googled around and found this

Edit /etc/sysctl.conf

Paste these:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Execute sudo sysctl -p

IPv6 successfully disabled but the problem is, the server cannot be reached anymore after a reboot.

These are files in /etc/sysctl.d/

10-console-messages.conf
10-kernel-hardening.conf
10-magic-sysrq.conf
10-ptrace.conf
9999-vpn.conf
99-sysctl.conf
10-ipv6-privacy.conf
10-link-restrictions.conf
10-network-security.conf
10-zeropage.conf
99-hetzner.conf
README

And this is content of 99-hetzner.conf

### Hetzner Online GmbH installimage
# sysctl config
#net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
# ipv6 settings (no autoconfiguration)
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0

Should I delete 99-hetzner.conf and retry method above? Is that a proper way?

Thanks.

OS: Ubuntu 18.04
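
Whether 99-hetzner.conf interferes with the three disable_ipv6 lines depends on which file assigns each key last. The following is an added example, not part of the original post: a read-only shell function that walks a sysctl.d-style directory in lexical order and prints the final value and source file for each matching key. The sample directory is constructed; its file names come from the listing above, and the contents of 9999-vpn.conf are hypothetical.

```shell
#!/bin/sh
# Added example: report which sysctl.d file supplies the final value of each
# matching key. Files are read in C-locale lexical order; the last one wins.
effective_sysctl() (
    LC_ALL=C; export LC_ALL              # byte-wise sort, not locale collation
    pattern=$2
    cd "$1" || exit 1
    set -- *.conf
    [ -e "$1" ] || exit 0                # no .conf files at all
    awk -v pat="$pattern" '
        /^[ \t]*([#;]|$)/ { next }       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]*-?[ \t]*/, "", line)   # a leading "-" only mutes errors
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key !~ pat) next
            if (!(key in value)) order[++n] = key
            value[key] = val; src[key] = FILENAME
        }
        END { for (i = 1; i <= n; i++)
                  printf "%s=%s %s\n", order[i], value[order[i]], src[order[i]] }
    ' "$@"
)

# Constructed sample directory. File names are taken from the listing in the
# post; the contents of 9999-vpn.conf are hypothetical (the post does not show them).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# ipv6 settings (no autoconfiguration)' \
        'net.ipv6.conf.all.accept_ra=0' > "$d/99-hetzner.conf"
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' > "$d/99-sysctl.conf"
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 0' > "$d/9999-vpn.conf"
    echo "$d"
}

sample=$(make_sample)
effective_sysctl "$sample" '^net[.]ipv6[.]'
rm -rf "$sample"
```

On a real host the call would be `effective_sysctl /etc/sysctl.d '^net[.]ipv6[.]'`; it covers only that one directory and changes no kernel setting.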

Comments

  • rm_ IPv6 Advocate, Veteran
    edited February 2020

    JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

    The correct way is to not disable IPv6.

  • @rm_ said:

    JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

    The correct way is to not disable IPv6.

    This. I can't think of any reason to ever disable IPv6.

  • @rm_ said:

    JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

    The correct way is to not disable IPv6.

    I am trying to solve this issue.
    The obvious difference between before and after reinstall is I got IPv6 disabled back then.

    I am trying to eliminate possibilities. I have changed my webserver and the error still occurs. Cloudflare strongly suggests there is a network issue but Hetzner denied that. So I am at a loss. I have terabytes of files stored on the server and it costs me 3-4 days to back up, restore, and reconfigure the server. So reinstalling this server would be my last resort.

    Thanks

  • JohnRoe Member
    edited February 2020

    @marvel said:

    @rm_ said:

    JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

    The correct way is to not disable IPv6.

    This. I can't think of any reason to ever disable IPv6.

    I don't remember why I disabled it last time. But you can read my reply above.

  • What's your OS? If Debian, just comment out the IPv6 setting in /etc/network/interfaces

  • @webdev said:
    What's your OS? If Debian, just comment out the IPv6 setting in /etc/network/interfaces

    Ubuntu 18.04, so I can use the same method. Should I just ignore /etc/sysctl.d/99-hetzner.conf?

  • RickBakkr Member, Patron Provider, LIR

    JohnRoe said: Cloudflare strongly suggest there is a network issue but Hetzner denied that

    Ditch CloudFlare, or just its proxy? Or just remove the AAAA record to force CF to internally use v4?

    All better than ditching V6... :(

  • @RickBakkr said:

    JohnRoe said: Cloudflare strongly suggest there is a network issue but Hetzner denied that

    Ditch CloudFlare, or just its proxy? Or just remove the AAAA record to force CF to internally use v4?

    All better than ditching V6... :(

    I don't really want to expose my server IP to visitors. But if nothing can solve this including reinstalling, I have no choice. Also I don't have any AAAA configured.

  • Indeed, removing the AAAA record would be much simpler.

  • @webdev said:
    Indeed, removing the AAAA record would be much simpler.

    I don't have any configured.

  • RickBakkr Member, Patron Provider, LIR
    edited February 2020

    JohnRoe said:
    I don't really want to expose my server IP to visitors.

    If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

    Thanked by 2benj0x xms
  • @RickBakkr said:

    JohnRoe said:
    I don't really want to expose my server IP to visitors.

    If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

    Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

    Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

  • JohnRoe said: I don't have any configured.

    If you have nothing, then whether the server has IPv6 or not does not matter. The other choice would be to use a new VPS for the web server and your current server as a storage/database server.

    Have you tried another web server like openlitespeed?

  • benj0x Member
    edited February 2020

    @JohnRoe said:

    @RickBakkr said:

    JohnRoe said:
    I don't really want to expose my server IP to visitors.

    If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

    Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

    Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

    Hetzner doesn't offer DDoS Attacks for free. But you can use their quite good Anti-DDoS service. It's free.
    I have already experienced some attacks against my Hetzner dedicated server which all went quite well. I stayed online throughout the whole attack after their Anti-DDoS kicked in.
    Analytics you can get on your own. Set up Matomo or something else and you'll be fine. You could also analyze your apache2 logs. Just google a bit for services which could help you out.

    Just for your knowledge: Cloudflare doesn't make you un-DDoSable. Their free plan doesn't help really if someone seriously wants to attack you. They'll find ways to bypass Cloudflare and take you down.

    But please: don't disable IPv6. That's the wrong action to solve your issue. Please don't be that stupid and say that IPv6 is causing all of your issues.

    Thanked by 2Hetzner_OL xms
  • @webdev said:

    JohnRoe said: I don't have any configured.

    If you have nothing, then whether the server has IPv6 or not does not matter. The other choice would be to use a new VPS for the web server and your current server as a storage/database server.

    Have you tried another web server like openlitespeed?

    I also have Telegram Bots on the server which serve files. So web server needs to be on the same server.

    I have tried Caddy and Apache2. I have no intention of trying another when these 2 got the same issue as well. I want to highlight here that whenever the 525 error code appears, nothing gets written to the log files. Looks like something happens before the request can reach my webserver.

  • But why would you disable IPv6 when you have NEVER mentioned your IPv6 address in Cloudflare's DNS settings? I honestly don't get why you'd see the issue in IPv6.

    Please stop this bullshit ☹️. I hate when companies recommend you to disable IPv6.

    Thanked by 3maverickp rm_ xms
  • @benj0x said:

    @JohnRoe said:

    @RickBakkr said:

    JohnRoe said:
    I don't really want to expose my server IP to visitors.

    If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

    Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

    Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

    Hetzner doesn't offer DDoS Attacks for free. But you can use their quite good Anti-DDoS service. It's free.

    I have already experienced some attacks against my Hetzner dedicated server which all went quite well. I stayed online throughout the whole attack after their Anti-DDoS kicked in.

    Extra money for something that I don't generate any money :/

    Analytics you can get on your own. Set up Matomo or something else and you'll be fine. You could also analyze your apache2 logs. Just google a bit for services which could help you out.

    Cloudflare analytics count every single request. Having Matomo would require me to set up many things including embedding the code everywhere. I used Matomo back then but then moved to Google Analytics because I don't want to waste any more time optimizing it. Also like I said, no extra resources needed.

    Just for your knowledge: Cloudflare doesn't make you un-DDoSable. Their free plan doesn't help really if someone seriously wants to attack you. They'll find ways to bypass Cloudflare and take you down.

    I am 100% aware of this. But Cloudflare will prevent people who are not serious about attacking me from getting to know my server IP address. Like I said, I am using this server mostly for personal things, so no one would seriously want to take me down.

    But please: don't disable IPv6. That's the wrong action to solve your issue. Please don't be that stupid and say that IPv6 is causing all of your issues.

    I am surprised that you are saying I am stupid after all that nice conversation. I wrote in the 3rd comment that I just want to eliminate possibilities. I had IPv6 disabled before I reinstalled this server and it worked fine. So what is wrong with taking note of what the differences are between before and after reinstalling, then eliminating them 1 by 1?

  • JohnRoe Member
    edited February 2020

    @benj0x said:
    But why would you disable IPv6 when you have NEVER mentioned your IPv6 address in Cloudflare's DNS settings? I honestly don't get why you'd see the issue in IPv6.

    Please stop this bullshit ☹️. I hate when companies recommend you to disable IPv6.

    I am trying to eliminate possibilities. Read my reply above.
    There is nothing to lose by trying, right?

    So can we get back to the topic?

    Edit: Also Cloudflare never asked me to disable IPv6. I just want to disable it to eliminate possibilities. I will turn it back on when it is proved disabling IPv6 doesn't solve my issue.

  • I need to up this question.
    Same situation here. I HAVE to disable IPv6 on my system. Tried the grub method and editing /etc/sysctl.conf; every time, the server gets lost and I can't ping it anymore. Any ideas?

    Thanked by 1Not_Oles
  • For people having this issue in the future:
    Apparently, there is a weird issue with IPv6 and Hetzner: when you disable it at the system level, the server gets lost and can't be pinged anymore.
    I tried different solutions from around the internet, but apparently nothing works. Ultimately the issue was solved through Hetzner support, by opening a ticket asking to delete the IPv6 subnet.

    Thanked by 1Not_Oles
  • yoursunny Member, IPv6 Advocate

    This thread title hurts my feelings.

  • Not_Oles Moderator, Patron Provider

    Hi @ascicode! I can't say whether or not @willbe is right, but it does seem that he was aware that he was adding relevant content to an issue more people might face in the future. Maybe, for people that search and find this thread, having @willbe's comment added might be helpful? Best wishes for 2023! 👍

    Thanked by 1willbe