IPV6 tunneling on vpsfree: Difference between revisions

From posixlycorrect wiki

Revision as of 17:11, 8 August 2024

Note: This was translated from the original: https://kb.vpsfree.cz/informace/projekty/ipv6tunel.

vpsFree.cz operates its own tunneling server, through which it is possible to obtain an IPv6 tunnel to places where IPv6 has not yet been introduced.

Motivation

On June 6, 2017, the operation of the SixXS tunneling platform was terminated. It was the only one that provided a tunneling server in Prague that could be used even without a public IPv4 address. Although SixXS's argument is understandable, there are situations where it is simply not possible to ask a provider for IPv6 connectivity, and often it is not even possible to change providers.

If a public IPv4 address is available, a tunnel from HE.net can be used, and it works quickly and reliably. Our service therefore focuses mainly on situations where there is not even a public IPv4 address at the site. Unfortunately, the sixxsd software, which formed the server side of the SixXS tunneling platform and could efficiently handle hundreds of tunnels, was never released as open source and for a long time was not published at all, so another solution had to be found.

Solution using Wireguard

The modern WireGuard tunneling protocol can be used. It offers encryption and authentication, as well as much better performance than OpenVPN. It uses UDP traffic on port 51820. Each client authenticates with a public/private key pair and is statically assigned one IPv6 address for the tunnel link and a subnet with a prefix length of /48.

Each tunnel will have an expiration date set for one year after establishment, after which it is deconfigured. Therefore, an extension must be requested for uninterrupted operation. The intention of this inconvenient measure is for every user to write to their connection provider at least once a year about the status of IPv6 support. Note: this feature is not yet implemented. Any deconfiguration in the future will be preceded by several email warnings.

How to get the tunnel up and running

  1. Ask your ISP about IPv6 support.
  2. Generate a pair of private and public keys: $ wg genkey | tee privatekey | wg pubkey. The private key is written to the file privatekey and the public key is printed on the terminal. To display the public key again, run $ wg pubkey < privatekey.
  3. Request a tunnel via e-mail to ipv6tun@vpsfree.cz. Don't forget to attach the public key. Please do not send the key in an attachment, put it directly in the text of the message. If the end of the tunnel is to be located in Slovakia, please indicate this in the application.
  4. You will receive an email with example configuration for wg-quick and OpenWRT. You will also find out the allocated address block in the configuration file.
  5. Add your private key to the configuration file and configure your client.
  6. Configure your router to assign some addresses from the assigned subnet to your home network.

Example configuration file for wg-quick

[Interface]
# FIXME: Insert your private key
PrivateKey = 
Address = 2a03:3b40:200::XXX
# Alternatively, the ListenPort value can be set to any value. By default, a random value should be selected automatically.
#ListenPort = 51820

[Peer]
Endpoint = ipv6tun01.vpsfree.cz:51820
PublicKey = r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0=
AllowedIPs = ::/0
#PersistentKeepalive = 120  # Optional: use if there is a NAT/firewall blocking incoming traffic

Example of configuring Wireguard on OpenWRT

config interface 'wgipv6tun'
        option proto 'wireguard'
        option private_key 'FIXME'
        option ip6prefix '2a03:3b40:XXX::/48'
        list addresses '2a03:3b40:200::XXX'

config wireguard_wgipv6tun
        option endpoint_host 'ipv6tun01.vpsfree.cz'
        option endpoint_port '51820'
        option route_allowed_ips '0'
        option public_key 'r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0='
        list allowed_ips '::/0'
        #option persistent_keepalive '120'  # Optional: use if there is a NAT/firewall

config route6 'default_v6_gw_a'
        option interface 'wgipv6tun'
        option target '::/0'
        option source '2a03:3b40:200::XXX'

config route6 'default_v6_gw_b'
        option interface 'wgipv6tun'
        option target '::/0'
        option source '2a03:3b40:XXX::/48'

WireGuard configuration example for MikroTik (version 7)

/interface/wireguard/add name="wgipv6tun" mtu=1420 private-key="FIXME"
/interface/wireguard/peers/add interface=wgipv6tun public-key="r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0=" endpoint-address=ipv6tun01.vpsfree.cz endpoint-port=51820 allowed-address=::/0
/ipv6/address/add address=2a03:3b40:200::XXX/128 interface=wgipv6tun
/ipv6/route/add dst-address=::/0 gateway=wgipv6tun
/ipv6/route/add dst-address=2a03:3b40:XXX::/48 blackhole

Note: in addition to the above configuration, it will probably also be useful to set IPv6 addresses on the LAN side of the router. It may also be necessary to allow the Wireguard tunnel in the firewall. In the default configuration (https://help.mikrotik.com/docs/display/ROS/WireGuard), the Wireguard tunnel uses local port number 13231.

Set the allocated block as Unreachable

It is very likely that you will not use the entire allocated /48 block. Because the default route points into the tunnel, a packet addressed to an unused part of the block is sent to you through the tunnel, your default route sends it straight back to the tunnel server, and the server sends it to you again, so it loops between the two ends. To eliminate this, install an entry for the entire block in the routing table, like this:

ip -6 route add unreachable 2a03:3b40:XXX::/48

This command needs to be run after every boot. If you're using OpenWRT, there's nothing to worry about, this behavior is the default.
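To see why the unused part of the block loops, here is an added illustration (not part of the vpsFree KB): a small Python model of the tunnel server and your router, with the page's 2a03:3b40:XXX::/48 placeholder filled in as the made-up 2a03:3b40:1234::/48. Without the unreachable route a packet for an unused address ping-pongs through the tunnel until its hop limit is used up; with it, the packet is rejected at your end after one trip through the tunnel.

```python
import ipaddress

# Constructed model: the tunnel server routes the whole /48 to the client,
# and the client's default route points back into the tunnel. The page's
# 2a03:3b40:XXX::/48 placeholder is filled in with the made-up XXX = 1234.
class Node:
    """Router with a longest-prefix-match table; next hop is a Node, "local" or "unreachable"."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(net), nh) for net, nh in routes]

    def lookup(self, dst):
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def forward(entry, dst, hop_limit=64):
    """Follow one packet from `entry`; returns (outcome, hops used)."""
    node, hops = entry, 0
    while hops < hop_limit:
        nh = node.lookup(ipaddress.ip_address(dst))
        hops += 1
        if nh == "local":
            return ("delivered", hops)
        if nh == "unreachable":
            return ("unreachable", hops)  # ICMPv6 unreachable is sent, no loop
        if nh is None:
            return ("no route", hops)
        node = nh  # handed to the other end of the tunnel
    return ("hop limit exceeded", hops)  # the ping-pong the page describes


def build(client_has_unreachable):
    """Two-node topology: server <-> client. Only one /64 is in use on the LAN."""
    client_routes = [("2a03:3b40:1234:1::/64", "local")]
    if client_has_unreachable:  # ip -6 route add unreachable 2a03:3b40:1234::/48
        client_routes.append(("2a03:3b40:1234::/48", "unreachable"))
    client = Node("client", client_routes)
    server = Node("server", [("2a03:3b40:1234::/48", client)])
    client.routes.append((ipaddress.ip_network("::/0"), server))  # default via tunnel
    return server


def probe(dst, client_has_unreachable):
    # Outcome for a packet arriving at the tunnel server for `dst`.
    return forward(build(client_has_unreachable), dst)
```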

Allowing incoming traffic on OpenWRT

Presumably, if you're interested in IPv6, it's because you want to connect remotely to your devices behind the tunnel. Unfortunately, OpenWRT blocks such incoming connections by default, but they can easily be allowed in the firewall. Access to the local network(s) and access to the router itself must be allowed separately. Note that the first rule below accepts all IPv6 traffic from wan to every host in lan; the commented-out proto and dest_port lines narrow it to the dynamic port range.

config rule
        option name 'IPv6 forwarding'
        option family 'ipv6'
        option src 'wan'
        option dest 'lan' # Or * for all networks
        ## If you want to allow only dynamic ports (for P2P services),
        ## uncomment the following lines.
        #option proto 'tcpudp'
        #option dest_port '49152-65535'
        option target 'ACCEPT'

config rule
        option name 'SSH to router over IPv6'
        option family 'ipv6'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'