Huricane Electric IPv6 tunnel broker

ยท 429 words ยท 3 minute read

IPv6 is quite old technology but its adoptions is not as widespread as IPv4. Blessed with virtually unlimited number of addresses, it still lacks support on major internet service providers. But one might use a tunnel to Hurricane Electric to get a routable prefix to his home network.

Last days I’ve been studying OpenBSD 7.5 and use it as a home lab and a home router. So let’s start!

Configure tunnel ๐Ÿ”—

You provide your public IP to HE and you get the something like this:

  • Server IPv4 address - we will use 216.66.88.98
  • Server IPv6 address - we will use 2001:db8:1f1c:1a6::1/64
  • Client IPv4 address - we will use 10.0.2.22 because my machine is behind NAT, otherwise the public IP must be used.
  • Client IPv6 address - we will use 2001:db8:1f1c:1a6::2/64
  • Routed /48 - we will use 2001:db8:cafe::/48

The prefix 2001:db8::/32 has a special meaning in IPv6 address plan and it’s called a documentation prefix. It is used only for documentation purposes.

So, you need to create a file /etc/hostname.gif0:

tunnel 10.0.2.22 216.66.88.98
inet6 alias 2001:db8:1f1c:1a6::2 128 2001:db8:1f1c:1a6::1
!route -n add -inet6 default 2001:db8:1f1c:1a6::1
up

This file specifies that the interface gif0 is created that:

  1. tunnels network traffic from 10.0.2.22 to 216.66.88.98;
  2. uses static IPv6 address 2001:db8:1f1c:1a6::2 with prefix length 128 and broadcasting to 2001:db8:1f1c:1a6::1;
  3. has default route for IPv6 to broadcasting address 2001:db8:1f1c:1a6::2;
  4. and up and running!

Check the connectivity ๐Ÿ”—

Start the interface by:

# sh /etc/netstart gif0

Or you might reboot the machine as files hostname.* specify all network interfaces that should be created during the boot.

Now, you should be able to ping Google by IPv6 network:

# ping6 google.com

If not, check your colons! In IPv6 addresses, of course.

IPv6 forwarding ๐Ÿ”—

To share the connection OpenBSD kernel should know that it is allowed to forward packets between interfaces. So let’s switch it on:

# sysctl -w net.inet6.ip6.forwarding=1

and make it persistent by adding the following line to /etc/sysctl.conf:

net.inet6.ip6.forwarding=1

Router advertisements ๐Ÿ”—

Router with IPv6 is great but others machines on the network don’t bother about it. So, router should let them know. The standard procedure for it uses router advertisements and rad daemon.

The configuration rad.conf is pretty straight forward:

dns {
    nameserver {
        2001:4860:4860::8888
        2001:4860:4860::8844
    }
}

interface em0 {
    prefix 2001:db8:cafe::/48
}

It says use Google DNS servers and advertise the routed prefix on the network interface

If you didn’t modify the default packet filter configuration, whole the network should support IPv6 internet.

That’s it!

PS: The book Absolute OpenBSD by Michael W. Lucas is a fantastic guide to this part of the world.

ipv6 openbsd