Full IPv6 Support for HestiaCP
General Overview
This PR implements full IPv6 support in HestiaCP, improving compatibility, automation, and security for dual-stack servers and modern environments. The goal is for each web/domain/service to have its own dedicated /128 IPv6 address, making management, SSL issuance, and automatic assignment seamless for both IPv4 and IPv6.

Main changes included

1. Native IPv6 support throughout the system
- Modified scripts, forms, and validations to fully accept IPv6 addresses and ranges (/64, /128, etc).
- Automatic IPv6 suggestions from assigned ranges, ensuring unique non-shared IPs for each domain/service.
- Logic improved to correctly handle IPv6 prefixes and avoid duplicate assignments.

2. Dynamic compatibility with custom ROOT_USER
- Internal scripts adapted to detect the root user defined in the configuration (ROOT_USER), removing the hardcoded admin dependency.

3. Improved network, firewall, and panel scripts
- Dual-stack support for iptables and fail2ban, automatically duplicating IPv4/IPv6 rules and jails without breaking legacy compatibility.
- Added block to create symlinks to /sbin/iptables, /sbin/ip6tables, etc., improving compatibility with current Debian/Ubuntu paths.

4. Automatic IPv6 suggestions in panel forms
- When creating web domains, the UI now shows several suggested IPv6 addresses from the user's /64 range, always offering unused addresses.
- Assigned IPv6 addresses can be viewed and edited directly from the interface.

5. Adaptation of scripts for web, DNS, and mail
- Scripts like v-add-sys-ip, v-add-dns-domain, v-update-sys-ip, etc., now accept and process IPv6 addresses and ranges correctly.
- Support for AAAA records and automatic detection to set up dual-stack DNS.
- Full SSL (Let's Encrypt) validation and issuance for IPv6-enabled domains.

6. Integration and security improvements
- Updated /proc logic to hide processes from unprivileged users (security best practice).
- Automatic detection of PTR records for IPv6 is prepared for future improvements (not enforced yet).
- Fixed Exim and Fail2ban handling for IPv6 scenarios.

7. Compatibility and improvements in installer scripts
- Updated hst-install-ubuntu.sh and hst-install-debian.sh to include IPv6 support, proper iptables symlinks, and maximum compatibility with modern Debian/Ubuntu releases.

Notes & Considerations
- All changes strive to maintain backward compatibility, so existing installations without IPv6 are unaffected.
- The system detects if /64 ranges are configured and only suggests free IPv6 addresses, avoiding collisions.
- The logic now relies on system configuration variables instead of hardcoded values.
- Currently, all features have only been tested in local environments. Real-world testing with production domains and daily usage is still pending. Community feedback and further testing are very welcome!

Any contributions, tests, or reviews are highly appreciated!
Pull request prepared by: @coriaweb
Feel free to contact for support or questions.
Let me know if you want further tweaks or want to add/remove any specific detail. This should be great for a first PR and easy for reviewers to understand!
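
The collision avoidance described in the PR text above (suggesting only unused /128 addresses from a configured /64), as an added example in Python rather than HestiaCP's own shell/PHP; it is not code from this PR. The function name, the documentation prefix 2001:db8::/64 and the sample assignments are constructed for illustration.

```python
import ipaddress
import secrets

# Constructed sample data: one /64 and two addresses already in use,
# one written in expanded form with a /128 suffix, one compressed.
SAMPLE_PREFIX = "2001:db8::/64"
SAMPLE_ASSIGNED = ["2001:0db8:0:0:0:0:0:1/128", "2001:db8::2"]


def suggest_ipv6(prefix, assigned, count=3, rng=secrets.randbelow):
    """Return `count` unused /128 addresses (compressed text) from `prefix`.

    `assigned` holds addresses already in use, in any textual form. They are
    parsed before comparison: comparing strings would treat
    2001:0db8:0:0:0:0:0:1 and 2001:db8::1 as different and hand out a duplicate.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
    used = set()
    for raw in assigned:
        addr = ipaddress.IPv6Interface(raw).ip  # accepts "addr" and "addr/len"
        if addr in net:
            used.add(addr)
    # The all-zero interface ID is the subnet-router anycast address (RFC 4291).
    used.add(net.network_address)

    if count > net.num_addresses - len(used):
        raise ValueError("not enough free addresses in %s" % net)

    picks = []
    while len(picks) < count:
        # Random interface IDs avoid handing out a predictable ::1, ::2, ... run.
        candidate = net.network_address + rng(net.num_addresses)
        if candidate not in used:
            used.add(candidate)  # also prevents duplicates within one batch
            picks.append(candidate)
    return [str(p) for p in picks]


if __name__ == "__main__":
    for suggestion in suggest_ipv6(SAMPLE_PREFIX, SAMPLE_ASSIGNED):
        print(suggestion)
```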
Great work! Thank you very much for this PR!
This is a hell of a PR, and I'm not quite done reviewing everything in detail, as I want to see the changes in action on a running system.
A few larger points:
- The file v-update-firewall-ipv6 is missing and is probably pretty relevant.
- Currently, there's no method to manage ipv6 firewall rules in the web gui. It would be great if they didn't have to be managed in two separate lists, but I can see how that is not going to be easy to implement, so for an MVP managing ipv4 and ipv6 firewalls separately in the web gui would be fine for me.
- The option to add ipv6 ipsets is also missing, and would be great to have too...
Hi! Thank you for your detailed review and feedback.
I've now carefully reviewed and addressed all your comments and suggestions in the codebase. The v-update-firewall-ipv6 file has been added, and I have ensured consistency and clarity across all scripts. Outdated or unnecessary files have been removed as well.
For the next phase, I'll start working on the web GUI to allow management of IPv6 firewall rules directly from the interface. As you mentioned, for now, I will implement separate lists for IPv4 and IPv6 firewall rules as a first MVP step. Later, we can explore unified management if feasible.
Regarding IPv6 ipsets in the GUI, I will also review how best to integrate this feature, but my priority will be getting rule management working first.
If you find any other issues or have suggestions for the UI, please let me know. Thanks again for your support and for reviewing such a large PR!
@Anuril I just added firewall management from the interface, you can try it out.
I noticed this branch broke our automated test server(s). Have been busy the last few days with "real" work, so haven't been able to check it out yet.
@jaapmarcus I ran Prettier on those files.
Because I received an email notifying me that it failed here:
https://github.com/hestiacp/hestiacp/actions/runs/15181607573/job/42693178792
Don't hit me, I'm still learning with GitHub hahaha
We run our own "testing", similar to GitHub Actions, on drone.io: https://drone.hestiacp.com/hestiacp/hestiacp/5314/1/5
It seems to break the testing itself.
@jaapmarcus I noticed some errors when adding/removing IPs, I think I've fixed them.
It is important to have ipv6 support ready.
We need this.
Enormous work, @coriaweb. Thank you!
I'm just waiting for the team's review to continue working on it. :D
Today, I spent about an hour struggling with IPv6 settings on my server before I found out that support is still being worked on.
Hopefully, it won't fall out for long and will be successfully completed. After all, IPv6 support is quite significant these days. For example, I know internet providers in my area who only give out IPv6 addresses.
Anyway, thank you for all the work that has been done on this.
Hi, is there any update on the status of this PR? Can't wait for this feature!
It is an essential feature, but it does not seem to be a priority. We can always make donations to the project.
I am willing to continue working on it, but I see that it's not important, probably due to lack of resources. For now, I have it on hold, waiting for it to be reviewed by the creators so I can continue working on it and fixing errors, since it's difficult to do without support.