Title: IPv6 setup when your provider doesn't give a shit.
Author: paco
Date: 2018-11-09
Type: article

This is a small guide to set up IPv6 via [HE][1] tunnel on a mostly
"unixy" environment.

I've been thinking about playing with the new IP version for a while, but
never really got into it until a couple of months ago.

Sadly most internet providers out there (at least the ones serving
residential buildings) don't give a shit about IPv4 exhaustion or IPv6
implementation. My provider is one of those. And I could not find in my
area one that provides native IPv6.

There are other options. The one that came to mind (I've read about it
some time ago) was using [Tunnelbroker][2].

That's a 6-in-4 tunnel operated by Hurricane Electric. There are more
companies/projects offering this, here's a [list][3].

The process with HE is pretty simple. First one has to register on their
website and then create a tunnel.
This process involves choosing an endpoint server to tunnel your v6
traffic. Choose one that's "close" to you in internet terms (that
basically means few hops, low latency. `traceroute(8)` and `ping(8)` are
your friends).

You'll be then assigned a `/64`. Two really, one is for the tunnel itself.
But I won't be using them really (well, just for the tunnel). More on
that later.

On their website they have lots of example configurations. Just choose
your poison and they will provide basic instructions on how to set it
up.

I wanted to set up this for my entire home/office network. I have a
small fanless OpenBSD machine acting as a router, so the instructions
are super simple:

    ifconfig gif0 tunnel 1.2.3.4 216.66.84.42
    ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
    route -n add -inet6 default 2001:470:aaa:aaa::1

With just this, my router has IPv6 connection to the world !
In this example `1.2.3.4` is my real IPv4 and `2001:470:aaa:aaa::/64` is the
range assigned for the tunnel. As said earlier they assign another `/64`
so you can use it on your internal network.

But, they also offer `/48` just in case you want to create different
subnets and do proper IPv6 auto configuration. You can ask for it once
you complete the registration and successfully establish the tunnel.

It's still shocking to me that they deliver that prefix ... that means
they just route to you 65536 (+2) /64s ... nuts !

Anyway, the goal then is having the tunnel set up permanently, assign a
`/64` to every internal vlan and enable router advertisement for those
too.

On my OpenBSD machine it goes like this:

Create `/etc/hostname.gif0` (the tunnel interface):

    tunnel 1.2.3.4 216.66.84.42
    !ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
    !route -n add -inet6 default 2001:470:aaa:aaa::1

Add IPv6 config for the vlans. Here is the full config of one of mine,
at `/etc/hostname.vlan10`:

    inet 10.42.10.1 255.255.255.0 NONE vnetid 10 parent em1 description "cable" up
    inet6 2001:470:bbb:cab::1 64
    group internal

Note that I'm now using part of the `/48`.
I'll configure a `/64` for every other vlan in my net.

Now we'll use `rad(8)` so all the devices on the net have IPv6
connectivity too.
Here's part of my `/etc/rad.conf`. Have a look at `rad.conf(5)` for more info.

    interface vlan10 {
        prefix 2001:470:bbb:cab::/64
        dns {
            nameserver 2001:470:bbb:cab::1
            search home.my.domain
        }
    }

That's nice because we can set up `AAAA` records on a real domain, and HE
provides reverse DNS too !

Remember to enable IPv6 forwarding in your router. On OpenBSD this is done
via `sysctl(8)/sysctl.conf(5)`:

    net.inet6.ip6.forwarding=1

Also, check your `pf(4)` configuration. Most likely you'll need to adjust
it.
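
With forwarding enabled, every host on the internal VLANs holds a publicly routable address, so the router's filter decides what inbound IPv6 traffic reaches them. The following `pf.conf` fragment is an added example, not the author's ruleset; it assumes `em0` is the IPv4 uplink, `gif0` is the tunnel and the VLANs carry `group internal`, and the published address at the end is constructed.

```pf
# Added example, not the author's ruleset. Assumptions: em0 is the IPv4
# uplink, gif0 is the HE tunnel, and every VLAN carries "group internal"
# as in hostname.vlan10. The published address at the end is constructed.
ext_if    = "em0"
tunnel_if = "gif0"
he_server = "216.66.84.42"

# Default deny for IPv6 in both directions; log what gets dropped.
block log inet6 all

# 6in4 encapsulation is IPv4 protocol 41. Accept it only from the tunnel
# server, so nobody else can inject IPv6 packets through the IPv4 side.
pass in  on $ext_if inet proto 41 from $he_server to ($ext_if)
pass out on $ext_if inet proto 41 from ($ext_if) to $he_server

# From the Internet through the tunnel: ICMPv6 errors (Packet Too Big is
# what path MTU discovery over the tunnel relies on) and echo requests.
pass in on $tunnel_if inet6 proto icmp6 \
    icmp6-type { unreach, toobig, timex, paramprob, echoreq }

# Internal VLANs: hosts may talk IPv6 to the router and outward. This also
# covers the router solicitations and neighbor discovery that rad(8) and
# address autoconfiguration need.
pass in  on internal inet6
pass out on internal inet6

# Outbound through the tunnel; replies come back on the state this creates.
pass out on $tunnel_if inet6

# Publishing a service is an explicit decision per host and port:
# pass in on $tunnel_if inet6 proto tcp to 2001:470:bbb:cab::10 port 443
```

Check the merged ruleset with `pfctl -nf /etc/pf.conf` before loading it.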

At this point most of the devices in your network will be negotiating
IPv6 auto configuration. I found out that Android and iOS phones do that
automatically, and prefer v6 if present. All Linux boxes using `dhcpcd(8)`
will work automatically too.
On Macs I found out that some were configured to take v6 config if
possible and others have it disabled, so just "switch it on" and you're
good to go.

I have a couple of machines that act like servers, so I needed to set up
IP configuration manually there. Check your OS documentation in any
case.

My main workstation runs OpenBSD too, so that was simple to set up.
On my `/etc/hostname.em0`:

    dhcp
    inet6 autoconf

Also, tell the system resolver to prefer v6 over v4 if you want. On
`/etc/resolv.conf.tail`:

    nameserver 2001:470:bbb:cab::1
    lookup file bind
    family inet6 inet4

And that's it ! It was easier than expected !

A couple of caveats, though.

Network latency could be a bit higher, depending on how packets get
routed to your tunnel server, etc. In my case, oddly enough, most times
latency is better through the tunnel ... which does not speak so well
about my internet provider, right ?

Also, speed may be an issue depending on your current connection. In
theory there's no speed limit on the tunnel. I have 200/200 Mbps here,
and I get about 65/65 Mbps through the tunnel easily. Which is more than
ok for my tests. But it varies in time. I guess they could have load
issues at some point.

Besides, Netflix and other streaming services are not happy with you
using those IP ranges. You'll see the same error you get when you try to
use most VPNs on the market ... So basically you may have problems with
any service that controls you to the extreme and cares about where you
connect from.
The lesson here: don't use those services :-P

And that's all folks !
With some kind-of-simple steps one can have billions of public routable
IP addresses to play with at home/office/whatever for free.

Another cool thing. HE has this [IPv6 Certification][4]. It's not that hard
if you take some time to do it and you'll learn a lot in the process.
Besides, they will send you a super nerd t-shirt when you complete all
levels ;-)

[1]: http://he.net/
[2]: https://tunnelbroker.net
[3]: https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
[4]: https://ipv6.he.net/certification/