Setting up a 6in4 tunnel with Fedora

Why use IPv6 tunnels anyway?

Today, most Internet access providers are IPv6 enabled. Unfortunately, the majority of them do not provide a static /64 prefix; you get one dynamically assigned. Some providers will assign you a static prefix for a surcharge.

A dynamically assigned prefix is useless if you want to ensure end-to-end connectivity with your gadgets at home.

Choosing a tunnel provider

Since 2004 I had my own IPv6 prefix from SixXS. Pretty sad that they are shutting down their services on 2017-06-06.

Time to look for an alternative. Wikipedia has a list of public tunnel brokers. Most brokers only provide PoPs in one country. For most users, the only option left is Hurricane Electric, which offers tunnels to PoPs on three continents in various cities.

Setup in Fedora

The whole setup is rather simple; there is just one thing you should keep in mind. The provided Client IPv6 Address is not in the same subnet as the Routed /64. It is easy to copy-paste the wrong address, and you will end up in a nice routing loop. The difference is e.g. 2001:470:6c:something vs. 2001:470:6d:something, only one character of difference. It took me more than an hour to figure out 😉

Tunnel configuration

Create a new interface for the tunnel.

cat >>/etc/sysconfig/network-scripts/ifcfg-he-ipv6 <<EOF
DEVICE=he-ipv6
TYPE=sit
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
# The IPv4 address depends on the PoP you choose
IPV6TUNNELIPV4=216.66.86.114
# That is the IPv6 address of the client, not from the routed prefix
IPV6ADDR=2001:db8:dead:beef::2/64
EOF

LAN interface configuration

In my case I use a bridge to be able to provide IPv6 connectivity not only for the LAN but for Wifi and VPN as well.

cat >>/etc/sysconfig/network-scripts/ifcfg-br0 <<EOF
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.100.1
NETMASK=255.255.255.0
IPV6_AUTOCONF=no
IPV6INIT=yes
IPV6TO4INIT=no
# That is a random IP from your routed /64 prefix. Usually just use the first one
IPV6ADDR=2001:db8:cafe:1::1/64
EOF

 

Enable IPv6 routing

echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

Setting the default device for IPv6 routing

echo "IPV6_DEFAULTDEV=he-ipv6"  >> /etc/sysconfig/network

Setting up the Router Advertisement Daemon (RADVD)

There are several ways to configure the clients with an IPv6 address: DHCPv6, static manual configuration, and, easiest of all, RADVD, which tells the clients which prefix to use (prefix + fffe + MAC). The client itself adds the MAC address on top of the prefix.

Your clients will always get the same IPv6 address; this may or may not be a privacy problem for you. In contrast to SixXS, Hurricane Electric does not provide your name and address to whois; only the city and the ZIP code are made public.

Install radvd if not yet done

router:~# dnf install radvd
router:~# systemctl enable radvd.service

Configuration for the example prefix 2001:db8:cafe:1::/64

cat >> /etc/radvd.conf <

After restarting your network you're done, have fun with IPv6 🙂

Setting up DNS

I’m not going into the details here. I’m using FreeIPA for DNS management; DNS entries are created automatically when you enroll your clients. The only thing you need to do is add the prefix to be able to do reverse lookups.

[root@ipa1 ~]# ipa dnszone-add --name-from-ip=2001:db8:cafe::/64 --dynamic-update=true 
Zone name [0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.]: 
  Zone name: 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa1.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1490512663
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@ipa1 ~]# 

Reverse DNS delegation

Hurricane Electric allows you to delegate DNS lookups of your prefix to your DNS server(s). Making use of that is good practice.

Read further

Fancy stuff

If you have finished setting up all your services such as DNS, HTTP, SMTP etc. with IPv6, get “certified” at https://ipv6.he.net/certification/cert-main.php and get a fancy badge.

Have fun! 🙂
