IPV6 tunneling on vpsfree: Difference between revisions

vpsFree.cz operates its own tunneling server, through which it is possible to obtain an IPv6 tunnel to places where IPv6 has not yet been introduced.

On June 6, 2017, the operation of the SixXS tunneling platform was terminated. It was the only one that provided a tunneling server in Prague that could be used even without a public IPv4 address. Although SixXS's argument is understandable, there are situations where it is simply not possible to ask a provider for IPv6 connectivity, and often it is not even possible to change providers.

If a public IPv4 address is available, it is possible to arrange a tunnel from HE.net, which works quickly and reliably. Our service therefore mainly focuses on situations where there is not even a public IPv4 address in the place. Unfortunately, the sixxsd software, which formed the server part of the SixXS tunneling platform and was able to efficiently handle hundreds of tunnels, was never released as Open Source and was not published for a long time. So it was necessary to look for another solution.

It is possible to use the modern WireGuard tunneling protocol. It offers encryption and authentication, but also great performance compared to OpenVPN. UDP traffic on port 51820 is used. Each client authenticates with a pair of public and private keys. Each client is statically assigned one connecting IPv6 address and a subnet with a prefix length of /48.

Each tunnel will have an expiration date set for one year after establishment, after which it is deconfigured. Therefore, an extension must be requested for uninterrupted operation. The intention of this inconvenient measure is for every user to write to their connection provider at least once a year about the status of IPv6 support. Note: this feature is not yet implemented. Any deconfiguration in the future will be preceded by several email warnings.

1. Ask your ISP about IPv6 support.
2. Generate a pair of private and public keys: $ wg genkey | tee privatekey | wg pubkey - the private key is created in the privatekey file, the public key is displayed on the terminal. To display the public key again, call $ wg pubkey < privatekey.
3. Request a tunnel via e-mail to ipv6tun@vpsfree.cz. Don't forget to attach the public key. Please do not send the key in an attachment, put it directly in the text of the message. If the end of the tunnel is to be located in Slovakia, please indicate this in the application.
4. You will receive an email with example configuration for wg-quick and OpenWRT. You will also find out the allocated address block in the configuration file.
5. Add your private key to the configuration file and configure your client.
6. Configure your router to assign some addresses from the assigned subnet to your home network.

[Interface]
# FIXME: Insert your private key
PrivateKey = 
Address = 2a03:3b40:200::XXX
# Alternatively, the ListenPort value can be set to any value. By default, a random value should be selected automatically.
#ListenPort = 51820

[Peer]
Endpoint = ipv6tun01.vpsfree.cz:51820
PublicKey = r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0=
AllowedIPs =  ::/0
#PersistentKeepalive = 120  # Optional: use if there is a NAT/firewall blocking incoming traffic

config interface 'wgipv6tun'
        option proto 'wireguard'
        option private_key 'FIXME'
        option ip6prefix '2a03:3b40:XXX::/48'
        list addresses '2a03:3b40:200::XXX'

config wireguard_wgipv6tun
        option endpoint_host 'ipv6tun01.vpsfree.cz'
        option endpoint_port '51820'
        option route_allowed_ips '0'
        option public_key 'r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0='
        list allowed_ips '::/0'
        #option persistent_keepalive '120'  # Optional: use if there is a NAT/firewall
        

config route6 'default_v6_gw_a'
        option interface 'wgipv6tun'
        option target '::/0'
        option source '2a03:3b40:200::XXX'

config route6 'default_v6_gw_b'
        option interface 'wgipv6tun'
        option target '::/0'
        option source '2a03:3b40:XXX::/48'

/interface/wireguard/add name="wgipv6tun" mtu=1420 private-key="FIXME"
/interface/wireguard/peers/add interface=wgipv6tun public-key="r7vzF6irpXSmkTibIHztIcfc/YzPmpyMX9LYa9z5Yw0=" endpoint-address=ipv6tun01.vpsfree.cz endpoint-port=51820 allowed-address=::/0
/ipv6/address/add address=2a03:3b40:200::XXX/128 interface=wgipv6tun
/ipv6/route/add dst-address=::/0 gateway=wgipv6tun
/ipv6/route/add dst-address=2a03:3b40:XXX::/48 blackhole

Note: in addition to the above configuration, it will probably also be useful to set IPv6 addresses on the LAN side of the router. It may also be necessary to enable Wireguard tunnel operation in the firewall. In the default configuration, the Wireguard tunnel uses local port number 13231.

It is very likely that you will not use the entire allocated block of length /48. Since the default gateway is tunneled, any packet that comes into the unused portion of the block will be bounced back into the tunnel and back to you. To eliminate this problem, it is a good idea to install an entry for the entire block in the routing table, like this:

ip -6 route add unreachable 2a03:3b40:XXX::/48

This command needs to be run after every boot. If you're using OpenWRT, there's nothing to worry about, this behavior is the default.

Presumably, if you're interested in IPv6, it's because you want to remotely connect to your devices behind the tunnel. Unfortunately, OpenWRT blocks such connections by default. But they can be easily unblocked in the firewall. It is necessary to separately allow access to the local network/networks and to the router itself.

config rule
        option name 'IPv6 forwarding'
        option family 'ipv6'
        option src 'wan'
        option dest 'lan' # Eventuálně * pro všechny sítě
        ## Pokud chcete povolit pouze dynamické porty (pro P2P služby),
        ## odkomentujte následující řádky.
        #option proto 'tcpudp'
        #option dest_port '49152-65535'
        option target 'ACCEPT'

config rule
        option name 'SSH to router over IPv6'
        option family 'ipv6'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

We do not recommend using OpenVPN for new installations. Wireguard proves to be simpler and more reliable.

To tunnel IPv6 traffic, it is also possible to use OpenVPN version 2.4 with traffic encryption and authentication disabled - this is due to the lack of performance on the client side. UDP traffic on standard port 1194 is used. Each client is authenticated with a certificate. Each client is statically assigned one connecting IPv6 address and a subnet with prefix length /48.

The client certificate is valid for one year. A new one must be requested before it expires. The intention of this inconvenient measure is for every user to write to their connection provider at least once a year about the status of IPv6 support.

How to get the tunnel up and running

1. Ask your ISP about IPv6 support.
2. Request a tunnel via e-mail to ipv6tun@vpsfree.cz.
3. You will receive a configuration file for the OpenVPN client.
4. Edit the file as per your need.
5. Configure your router to assign some addresses from the assigned subnet to your home network. (The configuration file contains a sample configuration for OpenWRT)

OpenVPN configuration example for OpenWRT

In this case, the sample is directly in the supplied configuration file. Just save the configuration file as is (with Template:Ci\.conf extension) in Template:Ci (you need to have the Template:Ci package installed). And define the service:

Template:Ci

config openvpn custom_config
        option enabled 1
        option config /etc/openvpn/ipv6tun-XXX.conf

Next, you need to create a new logical interface:

Template:Ci

config interface 'ipv6tun'
        option ifname 'tunipv6'
        option proto 'static'
        option ip6addr '<adresa konce tunelu>/64'
        option ip6gw '<adresa brány>'
        option ip6prefix '<přidělený prefix>/48'

and add logical interface `ipv6tun` to firewall zone `wan`:

Template:Ci

config zone
        option name 'wan'
        option network 'wan wan6 ipv6tun'
        option ...