Hurricane Electric Tunnel

Since my ISP currently does not offer dual-stack IPv6, I decided to figure out how to get tunneled IPv6 set up on a Debian-based router for my home network. I wanted everything firewalled at the router, so the whole LAN gets the added security benefit of a single choke point instead of setting up (and securing) IPv6 on each PC/VM.

I will be using Debian Wheezy as my router.
eth0 = WAN
eth1 = LAN
he-ipv6 = Tunnel

  1. Go to tunnelbroker.net and get an IPv6 block

  2. Edit your interfaces file and replace the commented placeholders below with the values shown on your tunnel's details page on the Hurricane Electric website

    iface eth1 inet6 static
        address # Routed /64 (append ::1 to the end of the address)
        netmask 64
        up ip -6 route add # Client IPv6 Address::/64 via # Server IPv6 Address dev he-ipv6
        down ip -6 route del # Client IPv6 Address::/64 via # Server IPv6 Address

    auto he-ipv6
    iface he-ipv6 inet6 v4tunnel
        address # Client IPv6 Address
        netmask 64
        endpoint # Server IPv4 Address
        ttl 255
        gateway # Server IPv6 Address
        dns-nameservers 2001:470:20::2 74.82.42.42
  3. Set up ip6tables

    #!/bin/bash
    IPT6=/sbin/ip6tables   # the ip6tables binary; every rule below goes through this variable
    LAN_IF="eth1"
    HE_IF="he-ipv6"

    # Flush old rules, old custom tables
    $IPT6 -F
    $IPT6 -X
    $IPT6 -Z
    for table in $(</proc/net/ip6_tables_names)
    do
        $IPT6 -t "$table" -F
        $IPT6 -t "$table" -X
        $IPT6 -t "$table" -Z
    done

    # Default policy: drop everything inbound and forwarded that is not explicitly allowed
    $IPT6 -P INPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -P OUTPUT ACCEPT

    # Enable free use of the loopback interface
    $IPT6 -A INPUT -i lo -j ACCEPT
    $IPT6 -A OUTPUT -o lo -j ACCEPT

    # Drop RH0 (routing header type 0) packets, deprecated by RFC 5095
    $IPT6 -A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
    $IPT6 -A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
    $IPT6 -A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP

    # Accept inbound established connections (replies to the router's own traffic)
    $IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow replies to LAN-initiated connections back in through the tunnel
    $IPT6 -A FORWARD -i $HE_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow outgoing LAN connections
    $IPT6 -A FORWARD -i $LAN_IF -o $HE_IF -j ACCEPT

    # Allow ICMPv6 (neighbour discovery and path MTU discovery need it). This accepts
    # every type; a stricter ruleset would list only the required --icmpv6-type values.
    $IPT6 -A INPUT -p icmpv6 -j ACCEPT

    # Log and reject everything else arriving from the tunnel
    $IPT6 -A INPUT -i $HE_IF -j LOG
    $IPT6 -A INPUT -i $HE_IF -j REJECT --reject-with icmp6-port-unreachable
  4. Enable IPv6 forwarding
    nano /etc/sysctl.conf
    net.ipv6.conf.all.forwarding = 1

  5. Configure clients

    Address: Routed /64 (choose random values for the host part)
    Subnet: 64
    Gateway: eth1 address that you used above
    DNS: 2001:470:20::2
  6. Test
    ping ipv6.google.com
    or
    ping6 ipv6.google.com
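The LOG rule in step 3 writes every rejected packet from the tunnel to the kernel log. As an added example (not part of the original post), this Python script summarises such lines by source address, source /64 and protocol/destination port, so you can see what is knocking on the tunnel. The log lines and addresses are constructed; `he-ipv6` is the interface name used above.

```python
# Summarise what the ip6tables LOG rule on the tunnel interface rejected, from
# kern.log lines. Sample lines below are constructed (2001:db8::/32 documentation
# addresses), in the format the LOG target writes without --log-prefix.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
Jan 12 10:15:02 router kernel: [ 8123.456] IN=he-ipv6 OUT= MAC= SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:00ab:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:15:03 router kernel: [ 8124.001] IN=he-ipv6 OUT= MAC= SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:00ab:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:15:09 router kernel: [ 8130.777] IN=he-ipv6 OUT= MAC= SRC=2001:0db8:0000:0000:0000:0000:0000:0020 DST=2001:0db8:00ab:0000:0000:0000:0000:0001 LEN=68 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=UDP SPT=40000 DPT=53 LEN=28
Jan 12 10:15:10 router kernel: [ 8131.000] IN=eth1 OUT=he-ipv6 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:00ab:0000:0000:0000:0000:0abc DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=48000 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Jan 12 10:15:11 router sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of an ip6tables LOG line, or None for other lines."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    # UDP lines carry LEN twice (packet, then UDP payload); last wins, which is fine.
    return dict(FIELD_RE.findall(line))


def summarize(lines, tunnel_if="he-ipv6"):
    """Count rejected packets on tunnel_if by source, source /64 and proto/dport."""
    by_src, by_prefix, by_dport = Counter(), Counter(), Counter()
    for line in lines:
        f = parse_log_line(line)
        # INPUT hits have IN=<tunnel> and an empty OUT=; forwarded traffic has OUT set.
        if not f or f.get("IN") != tunnel_if or f.get("OUT"):
            continue
        src = ip_address(f["SRC"])
        by_src[str(src)] += 1
        # One scanner often appears under many addresses of the same /64, so aggregate.
        by_prefix[str(ip_network(f"{src}/64", strict=False))] += 1
        by_dport[f"{f.get('PROTO', '?')}/{f.get('DPT', '-')}"] += 1
    return {"total": sum(by_src.values()), "by_src": by_src,
            "by_src_prefix": by_prefix, "by_dport": by_dport}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['total']} rejected packets arrived over the tunnel")
    for key in ("by_src_prefix", "by_dport"):
        for k, n in s[key].most_common(5):
            print(f"  {key:14} {k:24} {n}")
```

On the router itself, feed it the real file with `summarize(open("/var/log/kern.log"))`.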

Dynamic IP Setup

  1. Go to https://tunnelbroker.net and find your “Tunnel ID” (it’s the first item at the top)

  2. Edit your firewall script (replace USERNAME, PASSWORD, and TUNNELID)
    wget -q --timeout=5 "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID" -O /dev/null

More information can be found here: http://www.tunnelbroker.net/ipv4_end.php

radvd
If you want all clients to be automatically configured for the tunnel you can set up radvd which is the ‘Router Advertisement Daemon’.

  1. Install radvd
    apt-get install radvd

  2. Create a radvd config in /etc/radvd.conf (replace "Routed /64" with your routed prefix)

    interface eth1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1480;
        IgnoreIfMissing on;
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        prefix Routed /64::/64 {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };
  3. Start radvd
    service radvd start