IPv6 setup when your provider doesn't give a shit.

2018-11-09

This is a small guide to setting up IPv6 via an HE tunnel in a mostly "unixy" environment.

I'd been thinking about playing with the new IP version for a while, but never really got into it until a couple of months ago.

Sadly most internet providers out there (at least the ones serving residential buildings) don't give a shit about IPv4 exhaustion or IPv6 implementation. My provider is one of those. And I could not find one in my area that provides native IPv6.

There are other options. The one that came to mind (I read about it some time ago) was using Tunnelbroker.

That's a 6-in-4 tunnel operated by Hurricane Electric. There are more companies/projects offering this, here's a list.

The process with HE is pretty simple. First one has to register on their website and then create a tunnel. This process involves choosing an endpoint server to tunnel your v6 traffic. Choose one that's "close" to you in internet terms (that basically means few hops and low latency; traceroute(8) and ping(8) are your friends).

You'll then be assigned a /64. Two really, one is for the tunnel itself. But I won't be using them really (well, just for the tunnel). More on that later.

On their website they have lots of example configurations. Just choose your poison and they will provide basic instructions on how to set it up.

I wanted to set this up for my entire home/office network. I have a small fanless OpenBSD machine acting as a router, so the instructions are super simple:

ifconfig gif0 tunnel 1.2.3.4 216.66.84.42
ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
route -n add -inet6 default 2001:470:aaa:aaa::1

With just this, my router has an IPv6 connection to the world ! In this example 1.2.3.4 is my real IPv4 address and 2001:470:aaa:aaa::/64 is the range assigned for the tunnel. As said earlier they assign another /64 so you can use it on your internal network.

But, they also offer /48 just in case you want to create different subnets and do proper IPv6 auto configuration. You can ask for it once you complete the registration and successfully establish the tunnel.

It's still shocking to me that they deliver that prefix ... that means they just route to you 65536 (+2) /64s ... nuts !

Anyway, the goal then is having the tunnel set up permanently, assign a /64 to every internal vlan and enable router advertisement for those too.

On my OpenBSD machine it goes like this:

Create /etc/hostname.gif0 (the tunnel interface):

tunnel 1.2.3.4 216.66.84.42
!ifconfig gif0 inet6 alias 2001:470:aaa:aaa::2 2001:470:aaa:aaa::1 prefixlen 128
!route -n add -inet6 default 2001:470:aaa:aaa::1

Add IPv6 config for the vlans. Here is the full config of one of mine, at /etc/hostname.vlan10:

inet 10.42.10.1 255.255.255.0 NONE vnetid 10 parent em1 description "cable" up
inet6 2001:470:bbb:cab::1 64
group internal

Note that I'm now using part of the /48. I'll configure a /64 for every other vlan in my net.

Now we'll use rad(8) so all the devices on the net have IPv6 connectivity too. Here's part of my /etc/rad.conf. Have a look at rad.conf(5) for more info.

interface vlan10 {
        prefix 2001:470:bbb:cab::/64
        dns {
                nameserver 2001:470:bbb:cab::1
                search home.my.domain
        }
}

That's nice because we can set up AAAA records on a real domain, and HE provides reverse DNS too !

Remember to enable IPv6 forwarding on your router. On OpenBSD this is done via sysctl(8)/sysctl.conf(5):

net.inet6.ip6.forwarding=1

Also, check your pf(4) configuration. Most likely you'll need to adjust it.
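
A minimal set of IPv6-related pf rules for this setup, as an added example that is not the author's ruleset: it assumes a hypothetical uplink interface name (em0) and a policy of dropping unsolicited inbound IPv6, and takes gif0, the "internal" group and the tunnel server address from the configuration on this page. The reason to adjust pf at all is that every LAN host now has a globally routable address with no NAT in front of it.

```pf
# Fragment to merge into an existing pf.conf (added example, not the author's
# ruleset). ext_if is a hypothetical name for the IPv4 uplink; 216.66.84.42,
# gif0 and the "internal" group come from the configuration on this page.
ext_if = "em0"
he_endpoint = "216.66.84.42"

# 6in4 is IP protocol 41: allow it only between the uplink and the tunnel server.
pass out on $ext_if inet proto 41 from ($ext_if) to $he_endpoint
pass in  on $ext_if inet proto 41 from $he_endpoint to ($ext_if)

# LAN hosts are directly addressable from the internet, so unsolicited
# inbound IPv6 arriving over the tunnel is dropped and logged.
block in log on gif0 inet6

# ICMPv6 errors keep path MTU discovery working (the tunnel lowers the MTU).
pass in on gif0 inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob }

# Neighbor discovery and router solicitation/advertisement, LAN side only
# (rad(8) depends on these).
pass on internal inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# LAN hosts may initiate connections; state tracking admits only the replies.
pass in  on internal inet6 from internal:network to any
pass out on gif0 inet6
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it.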

At this point most of the devices in your network will be negotiating IPv6 auto configuration. I found out that Android and iOS phones do that automatically, and prefer v6 if present. All Linux boxes using dhcpcd(8) will work automatically too. On Macs I found out that some were configured to take v6 config if possible and others have it disabled, so just "switch it on" and you're good to go.

I have a couple of machines that act like servers, so I needed to set up the IP configuration manually there. Check your OS documentation in any case.

My main workstation runs OpenBSD too, so that was simple to set up. In my /etc/hostname.em0:

dhcp
inet6 autoconf

Also, tell the system resolver to prefer v6 over v4 if you want. In /etc/resolv.conf.tail:

nameserver 2001:470:bbb:cab::1
lookup file bind
family inet6 inet4

And that's it ! It was easier than expected !

A couple of caveats, though.

Network latency could be a bit higher, depending on how packets get routed to your tunnel server, etc. In my case, oddly enough, most times latency is better through the tunnel ... which does not speak so well about my internet provider right ?

Also, speed may be an issue depending on your current connection. In theory there's no speed limit on the tunnel. I have 200/200 Mbps here, and I get about 65/65 Mbps through the tunnel easily. Which is more than ok for my tests. But it varies in time. I guess they could have load issues at some point.

Besides, Netflix and other streaming services are not happy with you using those IP ranges. You'll see the same error you get when you try to use most VPNs on the market ... So basically you may have problems with any service that controls you to the extreme and cares about where you connect from. The lesson here, don't use those services :-P

And that's all folks ! With some kind-of-simple steps one can have billions of publicly routable IP addresses to play with at home/office/whatever for free.

Another cool thing. HE has this IPv6 Certification. It's not that hard if you take some time to do it and you'll learn a lot in the process. Besides, they will send you a super nerd t-shirt when you complete all levels ;-)

Have any comments ? Send an email to the comments address.