Why use IPv6 tunnels anyway?
Today, most Internet access providers are IPv6 enabled. Unfortunately, the majority of them do not provide a static /64 prefix; you get one dynamically assigned. Some providers can assign you a static prefix for a surcharge.
A dynamic prefix is useless if you want to ensure end-to-end connectivity with your gadgets at home.
Choosing a tunnel provider
Since 2004 I have had my own IPv6 prefix from SixXS. It is pretty sad that they are shutting down their services on 2017-06-06.
Time to look for an alternative. Wikipedia has a list of public tunnel brokers. Most brokers only provide PoPs in one country. For most users, the only option left is Hurricane Electric, which offers tunnels to PoPs on three continents in various cities.
Setup in Fedora
The whole setup is rather simple; there is just one thing you should keep in mind. The provided Client IPv6 Address is not in the same subnet as the Routed /64. It is easy to copy-paste the wrong address, and you will end up in a nice routing loop. The difference is e.g. 2001:470:6c:something vs. 2001:470:6d:something, only one character. It took me more than an hour to figure out 😉
Create a new interface for the tunnel.
cat >>/etc/sysconfig/network-scripts/ifcfg-he-ipv6 <<EOF
# The IPv4 address depends on the PoP you choose
# That is the IPv6 address of the client, not from the routed prefix
LAN interface configuration
In my case I use a bridge to be able to provide IPv6 connectivity not only for the LAN but for Wifi and VPN as well.
cat >>/etc/sysconfig/network-scripts/ifcfg-br0 <<EOF
# That is a random IP from your routed /64 prefix. Usually just use the first one
Enable IPv6 routing
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
Setting the default device for IPv6 routing
echo "IPV6_DEFAULTDEV=he-ipv6" >> /etc/sysconfig/network
Setting up the Router Advertisement Daemon (RADVD)
There are several ways to configure the clients with an IPv6 address: DHCPv6, static manual configuration, and, easiest of all, RADVD, which tells the clients which prefix to use (prefix + fffe + MAC). The client itself adds the MAC address on top of the prefix.
Your clients will always get the same IPv6 address; this may or may not be a privacy problem for you. In contrast to SixXS, Hurricane Electric does not publish your name and address in whois; only the city and the ZIP code are made public.
Install radvd if not yet done
router:~# dnf install radvd
router:~# systemctl enable radvd.service
Configuration for the example prefix 2001:db8:cafe:1::/64
cat >> /etc/radvd.conf << EOF
After restarting your network you're done, have fun with IPv6 🙂
Setting up DNS
I’m not going into the details here. I’m using FreeIPA for DNS management; DNS entries are created automatically when you enroll your clients. The only thing you need to do is add the prefix to be able to do reverse lookups.
[root@ipa1 ~]# ipa dnszone-add --name-from-ip=2001:db8:cafe::/64 --dynamic-update=true
Zone name [0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.]:
Zone name: 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
Active zone: TRUE
Authoritative nameserver: ipa1.example.com.
Administrator e-mail address: hostmaster
SOA serial: 1490512663
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. PTR;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Reverse DNS delegation
Hurricane Electric allows you to delegate DNS lookups of your prefix to your DNS server(s). Making use of that is good practice.
If you finished setting up all your services such as DNS, HTTP, SMTP etc. with IPv6, get “certified” at https://ipv6.he.net/certification/cert-main.php and get a fancy badge like this:
Have fun! 🙂