Hetzner, OpenBSD, IPv6

I like Hetzner Cloud a lot for small projects that just need to work or for machines that have a short lifespan, for experiments and whatnot. It's comfortable, cheap and gets the job done. I don't expect much for roughly three bucks a month, but so far the service quality has been exceptional – no downtime, no hassle, nothing.

But, for the first time since I started using them, I ran into a problem that cost me some nerves – and it was totally the fault of Hetzner and not my fault for not being aware of some normally invisible configurations on their end that are absolutely legitimate.

Because I was frustrated with some developments in the Linux-world, I started to switch my machines over to OpenBSD, slowly and gradually. It was, and still is, a massive learning process for me, but I'm certain that in the end it will be worth the effort, since I perceive it to be the more reliable (both in terms of operative stability and development process) operating system in the long run. Up until now I hadn't used it with Hetzner.

Luckily, they allow you to run your own, manually installed OpenBSD instead of forcing you to use preexisting templates, if they allow OpenBSD at all. So I did just that, install it on an encrypted virtual hard-drive and went on to configure the services that I needed.

Everything worked like a breeze. Except that I could only get connectivity through IPv4. No matter what I tried, I could not get IPv6 to work.

Usually, I rely on SLAAC and DHCP for virtual servers. Yes, it involves a certain level of trust that the provider does not, maliciously or accidentally, assigns me a wrong address or screws up otherwise – yet I've never had any problems until this day, but have been burned multiple times with static addresses that caused interesting (to say the least) problems. But nope, I wasn't getting an address.

I'll spare you the details, but I think I debugged for around two hours at least, including getting really cozy with tcpdump, until I got too frustrated and gave up for a moment. And by 'giving up' I mean getting coffee and furiously googling for any kind of useful information, which in turn resulted in a plethora of useless tips. They weren't useless because they were factually false, but because I greatly misidentified my problem.

The whole thing was especially frustrating because I know that I've seen it working before, without any tweaking. Why was it broken now?

I didn't find the answer at first, but I did find the solution – in a forum post on heise.de. I turned out that adding -soii at the end of my /etc/hostname/vio0 did the trick, and IPv6 was working. After taking to Mastodon, I learned why that was needed:

I ended up finding a complete answer in the upgrade notes for OpenBSD 6.3:

RFC 7217 style IPv6 addresses enabled by default. Stateless address autoconfiguration and link local IPv6 addresses historically embeded the layer 2 (ethernet mac) address in the lower 64 bits of the IPv6 address. This has various downsides and RFC 7217 specifies an alternative scheme of how to generate autoconfiguration addresses that are stable between reboots. This is enabled per default and IPv6 link local addresses will change if IPv6 is enabled on an interface. Furthermore, stateless autoconfiguration IPv6 addresses will change if autoconfiguration is enabled on an interface. If you need the old style stateless address calculated from the layer 2 address (i.e. ethernet mac address) put -soii into the /etc/hostname.if file. See also ifconfig(8).

There's a point I'm trying to make here – this whole endeavor was a renewed set of lessons, namely the following: