sources for e1e0 website
git clone https://git.e1e0.net/e1e0.net.git

ipv6-config-he.md (6130B)

Title: IPv6 setup when your provider doesn't give a shit.
Author: paco
Date: 2018-11-09
Type: article

This is a small guide to setting up IPv6 via an [HE][1] tunnel in a mostly
"unixy" environment.

I've been thinking about playing with the new IP version for a while, but
never really got into it until a couple of months ago.

Sadly, most internet providers out there (at least the ones serving
residential buildings) don't give a shit about IPv4 exhaustion or IPv6
implementation. My provider is one of those, and I could not find one in
my area that provides native IPv6.

There are other options. The one that came to mind (I had read about it
some time ago) was using [Tunnelbroker][2].

That's a 6in4 tunnel operated by Hurricane Electric. There are more
companies/projects offering this; here's a [list][3].

The process with HE is pretty simple. First you register on their
website and then create a tunnel.
This involves choosing an endpoint server to tunnel your v6 traffic
through. Choose one that's "close" to you in internet terms (that
basically means few hops and low latency; `traceroute(8)` and `ping(8)`
are your friends).

You'll then be assigned a `/64`. Two, really: one is for the tunnel itself.
But I won't really be using them (well, just the tunnel one). More on
that later.

On their website they have lots of example configurations. Just choose
your poison and they will provide basic instructions on how to set it
up.

I wanted to set this up for my entire home/office network. I have a
small fanless OpenBSD machine acting as a router, so the instructions
are super simple:

    ifconfig gif0 tunnel 1.2.3.4 216.66.84.42
    ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
    route -n add -inet6 default 2001:470:aaa:aaa::1

With just this, my router has an IPv6 connection to the world!
In this example `1.2.3.4` is my real IPv4 address and `2001:470:aaa:aaa::/64`
is the range assigned for the tunnel. As said earlier, they assign another
`/64` that you can use on your internal network.

But they also offer a `/48` in case you want to create different
subnets and do proper IPv6 autoconfiguration. You can ask for it once
you complete the registration and successfully establish the tunnel.

It's still shocking to me that they hand out that prefix... that means
they just route 65536 (+2) /64s to you... nuts!

Anyway, the goal then is to have the tunnel set up permanently, assign a
`/64` to every internal vlan and enable router advertisements on those
too.

On my OpenBSD machine it goes like this:

Create `/etc/hostname.gif0` (the tunnel interface):

    tunnel 1.2.3.4 216.66.84.42
    !ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
    !route -n add -inet6 default 2001:470:aaa:aaa::1

Add the IPv6 config for the vlans. Here is the full config of one of mine,
at `/etc/hostname.vlan10`:

    inet 10.42.10.1 255.255.255.0 NONE vnetid 10 parent em1 description "cable" up
    inet6 2001:470:bbb:cab::1 64
    group internal

Note that I'm now using part of the `/48`.
I'll configure a `/64` for every other vlan in my network.

Now we'll use `rad(8)` so all the devices on the net have IPv6
connectivity too.
Here's part of my `/etc/rad.conf`; have a look at `rad.conf(5)` for more info.

    interface vlan10 {
            prefix 2001:470:bbb:cab::/64
            dns {
                    nameserver 2001:470:bbb:cab::1
                    search home.my.domain
            }
    }

That's nice because we can set up `AAAA` records on a real domain, and HE
provides reverse DNS too!

Remember to enable IPv6 forwarding on your router. On OpenBSD this is done
via `sysctl(8)` / `sysctl.conf(5)`:

    net.inet6.ip6.forwarding=1

Also, check your `pf(4)` configuration. Most likely you'll need to adjust
it.
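Once the tunnel is up, every host behind the routed prefix is publicly reachable, so the pf side matters. Here is a `pf.conf` fragment for this setup, added as an example and not part of the original post; it assumes `em0` is the external interface, the vlans are in the `internal` group as in the `hostname.vlan10` above, and reuses the tunnel server and `/48` values from this page's examples (replace them with your own).

```pf
# Added example pf.conf fragment for an HE 6in4 tunnel (not the post's own config).
# Assumes em0 is the external IPv4 interface, gif0 the tunnel interface and
# that the vlan interfaces belong to the "internal" group (see hostname.vlan10).
ext_if    = "em0"
tun_if    = "gif0"
he_server = "216.66.84.42"        # tunnel server from the ifconfig example
my_prefix = "2001:470:bbb::/48"   # the /48 routed to you (page example values)

# ICMPv6 types IPv6 cannot work without (errors, PMTU discovery, ping); RFC 4890.
icmp6_ok = "{ unreach, toobig, timex, paramprob, echoreq, echorep }"

# 6in4 is raw IP protocol 41. Only the tunnel server may encapsulate to us;
# anyone else sending proto 41 is dropped by the default deny.
pass in  on $ext_if inet proto 41 from $he_server to $ext_if
pass out on $ext_if inet proto 41 from $ext_if to $he_server

# Traffic arriving over the tunnel: drop and log by default. pf is
# last-match, so the more specific pass rules below win, and pf is
# stateful, so replies to outbound connections still come back in.
block in log on $tun_if inet6
pass in on $tun_if inet6 proto icmp6 icmp6-type $icmp6_ok

# Only our own prefix may leave through the tunnel (also stops spoofed sources).
pass out on $tun_if inet6 from $my_prefix

# Internal hosts reach the world; NDP and router solicitations/advertisements
# on the vlans use link-local sources, so allow those explicitly.
pass in on internal inet6 from $my_prefix
pass in on internal inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# To expose a single internal service, add a specific rule; everything
# else in the /48 stays unreachable from outside. Example, commented out:
# pass in on $tun_if inet6 proto tcp to 2001:470:bbb:cab::10 port 443
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then verify from outside the tunnel that an internal host's address does not answer on anything you did not pass.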

At this point most of the devices in your network will be negotiating
IPv6 autoconfiguration. I found out that Android and iOS phones do that
automatically, and prefer v6 if present. All Linux boxes using `dhcpcd(8)`
will work automatically too.
On Macs I found out that some were configured to take v6 config if
possible and others have it disabled, so just "switch it on" and you're
good to go.

I have a couple of machines that act as servers, so I needed to set up
the IP configuration manually there. Check your OS documentation in any
case.

My main workstation runs OpenBSD too, so that was simple to set up.
In my `/etc/hostname.em0`:

    dhcp
    inet6 autoconf

Also, tell the system resolver to prefer v6 over v4 if you want. In
`/etc/resolv.conf.tail`:

    nameserver 2001:470:bbb:cab::1
    lookup file bind
    family inet6 inet4

And that's it! It was easier than expected!

A couple of caveats, though.

Network latency could be a bit higher, depending on how packets get
routed to your tunnel server, etc. In my case, oddly enough, most of the
time latency is better through the tunnel... which does not speak so well
of my internet provider, right?

Also, speed may be an issue depending on your current connection. In
theory there's no speed limit on the tunnel. I have 200/200 Mbps here,
and I get about 65/65 Mbps through the tunnel easily, which is more than
OK for my tests. But it varies over time. I guess they could have load
issues at some point.

Besides, Netflix and other streaming services are not happy with you
using those IP ranges. You'll see the same error you get when you try to
use most VPNs on the market... So basically you may have problems with
any service that polices you to the extreme and cares about where you
connect from. The lesson here: don't use those services :-P

And that's all, folks!
With some kind-of-simple steps one can have billions of publicly routable
IP addresses to play with at home/office/whatever for free.

Another cool thing: HE has this [IPv6 Certification][4]. It's not that hard
if you take some time to do it, and you'll learn a lot in the process.
Besides, they will send you a super nerd t-shirt when you complete all
levels ;-)

[1]: http://he.net/
[2]: https://tunnelbroker.net
[3]: https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
[4]: https://ipv6.he.net/certification/