Skip to main content
  1. Posts/

Fix IPv6 connectivity on a Vultr VM after upgrading to OpenBSD 7.1

··4 mins·
OpenBSD Sysadmin

I manage a Vultr VM that host few anycast services for an Autonomous System that I manage.

When I tried to sys-upgrade the VM to the freshly 7.1 release of OpenBSD, I loosed my BGP session and the access to the VM via the IPv6 address that Vultr expose to me in the Vultr console and via the API.

During the boot, I discovered some weird messages that I never saw before:

OpenBSD boot logs

As you can see, there are some errors on trying to add routes but, the weirdest is this one:

ifconfig: -autoconfprivacy: no address associated with name

To be sure if the problem only concern my setup or potentially all OpenBSD VMs hosted on Vultr infrastructure, I deployed a new IPv6-only VM to see if everything works fine. I opened the VNC console and when the installation finished, I tried to ping the VM but nothing happened. So I logged into the VM and checked the /etc/hostname.vio0 file. It was similar to the one I have on my VM and I considered that the problem is more general:

dhcp
inet6 autoconf -autoconfprivacy -soii

After searching on man pages of ifconfig(8), I found anything about -autoconfprivacy until I found something in the documentation of the 6.8 release of OpenBSD:

autoconfprivacy
	Enable privacy extensions for stateless IPv6 address autoconfiguration (RFC 4941) on
	the interface. These extensions are enabled by default. The purpose of these extensions
	is to prevent tracking of individual devices which connect to the IPv6 internet from
	different networks using stateless autoconfiguration. The interface identifier often
	remains constant and provides the lower 64 bits of an autoconfigured IPv6 address,
	facilitating tracking of individual devices (and hence, potentially, users of these
	devices) over long periods of time (weeks to months to years). When these extensions
	are active, random interface identifiers are used for autoconfigured addresses.

	Autoconfigured addresses are also made temporary, which means that they will
	automatically be replaced regularly. Temporary addresses are deprecated after 24
	hours. Once a temporary address has been deprecated, a new temporary address will be
	configured upon reception of a router advertisement indicating that the prefix is
	still valid. Deprecated addresses will not be used for new connections as long as a
	non-deprecated address remains available. Temporary addresses become invalid after
	one week, at which time they will be removed from the interface. Address lifetime
	extension through router advertisements is ignored for temporary addresses.

-autoconfprivacy
	Disable IPv6 autoconf privacy extensions on the interface. Currently configured
	addresses will not be removed until they become invalid.

In the OpenBSD 6.9 release notes, I found this line:

Added a deprecation warning for autoconfprivacy to ifconfig(8).

And in the OpenBSD 7.1 release notes, I found this one:

Removed the ifconfig(8) autoconfprivacy deprecation warning.

To have more information, I took a look at the tech mailing-list archives of OpenBSD and discovered an email sent on October 5th, 2021 named ifconfig(8): remove “autoconfprivacy” containing this diff:

diff --git ifconfig.c ifconfig.c
index 7d86e887561..33aea910d80 100644
--- ifconfig.c
+++ ifconfig.c
@@ -246,7 +246,6 @@ void	setgroupattribs(char *, int, char *[]);
 int	printgroup(char *, int);
 void	setautoconf(const char *, int);
 void	settemporary(const char *, int);
-void	setprivacy(const char *, int);
 void	settrunkport(const char *, int);
 void	unsettrunkport(const char *, int);
 void	settrunkproto(const char *, int);
@@ -466,8 +465,6 @@ const struct	cmd {
 	{ "pltime",	NEXTARG,	0,		setia6pltime },
 	{ "vltime",	NEXTARG,	0,		setia6vltime },
 	{ "eui64",	0,		0,		setia6eui64 },
-	{ "autoconfprivacy",	1,		0,	setprivacy },
-	{ "-autoconfprivacy",	-1,		0,	setprivacy },
 	{ "temporary",	1,		0,		settemporary },
 	{ "-temporary",	-1,		0,		settemporary },
 	{ "soii",	-IFXF_INET6_NOSOII,	0,	setifxflags },
@@ -1602,14 +1599,6 @@ settemporary(const char *cmd, int val)
 	}
 }

-/* XXX remove after 7.0 */
-void
-setprivacy(const char *cmd, int val)
-{
-	warnx("The 'autoconfprivacy' option is deprecated, use 'temporary'");
-	settemporary(cmd, val);
-}
-
 #ifndef SMALL
 /* ARGSUSED */
 void

Here’s the cause of the error message I spotted earlier. In OpenBSD 6.9, the [-]autoconfprivacy option was marked as deprecated in favor of using the [-]temporary option and its deletion was already planned to be removed for +/- 1 year later.

To fix the problem and get back a correct IPv6 connectivity, the fix is trivial. Replace the -autoconfprivacy option from the /etc/hostname.vio0 file by -temporary and restart the VM (sh /etc/netstart vio0 was not enough for me).

Once the restart is done, the VM have his IPv6 address back.

Conclusion
#

I opened a ticket to inform Vultr to take actions on their side to fix the problem by updating their autoinstall(8) script and inform their customers about the problem. I will update this post if I have updates from the support.

In the meantime, if you are planning to sys-upgrade an existing OpenBSD installation, apply the fix before the sys-upgrade in order to not have the issue after the reboot. If you plan to deploy new OpenBSD VMs on Vultr, be aware of this issue.

EDIT 06/05: Mike Marinescu, CTO of Vultr, informed me that a patched OpenBSD 7.1 image has been updated and available for everybody.