Description
Problem Statement
The hetzner-k3s tool fails to connect to cluster nodes via SSH when the following configuration is used:
A private network is enabled (networking.private_network.enabled: true).
Public IPv4 is disabled (networking.public_network.ipv4: false).
Public IPv6 is enabled (networking.public_network.ipv6: true).
The tool attempts to connect to the node's private IP address, which results in a Connection timed out error if hetzner-k3s is run from a machine that does not have access to the private network. The debug logs confirm this behavior.
[Instance k3s-master1] SSH command failed (exit code: 255): debug1: OpenSSH_10.0p2 Debian-7, OpenSSL 3.5.1 1 Jul 2025
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: Connecting to 10.0.0.2 [10.0.0.2] port 22.
debug1: connect to host 10.0.0.2 port 22: Connection timed out
ssh: connect to host 10.0.0.2 port 22: Connection timed out
Expected Behavior
When public_network.ipv4 is explicitly set to false, but public_network.ipv6 is set to true, the hetzner-k3s tool should prioritize using the public IPv6 address for SSH connections. This would allow for seamless cluster management from an IPv6-enabled client machine without needing to be on the same private network.
The connection logic should be modified to check for a public IPv6 address before falling back to the private IPv4 address. The host_ip_address property, which determines the IP to connect to, currently prioritizes private addresses when a private network is enabled.
This functionality would eliminate the need for creating a dedicated NAT server. Instead, users could leverage the additional_pre_k3s_commands option to create a transparent SSH tunnel on the newly created nodes, providing them with IPv4 internet access to complete the installation. An example of this is:
additional_packages:
- sshpass
additional_pre_k3s_commands:
- sshpass -p 'secret' ssh -o StrictHostKeyChecking=no -N -D 9050 root@ipv6-address &
- export http_proxy="socks5://127.0.0.1:9050"
- export https_proxy="socks5://127.0.0.1:9050"
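The address selection requested in this issue, as an added Python example that is not part of the original post and is not hetzner-k3s code. The class and field names are hypothetical, the addresses are constructed (the IPv6 prefix is from the documentation range), and it assumes a public IPv6 reported as a bare /64 prefix has its host address at `::1`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Networking:
    # Mirrors the three settings named in the issue.
    private_network_enabled: bool
    public_ipv4: bool
    public_ipv6: bool

@dataclass
class Instance:
    # Hypothetical model of one node's addresses.
    private_ip: Optional[str] = None
    public_ipv4: Optional[str] = None
    public_ipv6: Optional[str] = None  # single address or "prefix::/64"

def ipv6_host(value: str) -> str:
    """Turn an IPv6 address or prefix into an address SSH can connect to."""
    iface = ipaddress.IPv6Interface(value)
    net = iface.network
    # Assumption: a bare prefix (no host bits set) means the node uses ::1.
    if net.prefixlen < 128 and iface.ip == net.network_address:
        return str(net[1])
    return str(iface.ip)

def current_ssh_host(cfg: Networking, inst: Instance) -> Optional[str]:
    """Behaviour described in the issue: the private address wins."""
    if cfg.private_network_enabled and inst.private_ip:
        return inst.private_ip
    return inst.public_ipv4

def proposed_ssh_host(cfg: Networking, inst: Instance) -> Optional[str]:
    """Requested behaviour: public IPv6 first when public IPv4 is disabled."""
    if not cfg.public_ipv4 and cfg.public_ipv6 and inst.public_ipv6:
        return ipv6_host(inst.public_ipv6)
    # No usable public IPv6: fall back to the existing selection.
    return current_ssh_host(cfg, inst)

if __name__ == "__main__":
    # Constructed sample matching the configuration in the issue.
    cfg = Networking(private_network_enabled=True, public_ipv4=False, public_ipv6=True)
    node = Instance(private_ip="10.0.0.2", public_ipv6="2001:db8:0:1::/64")
    print("current: ", current_ssh_host(cfg, node))
    print("proposed:", proposed_ssh_host(cfg, node))
```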