Hurricane Electric Tunnel
Jul 16, 2015
Since my ISP currently does not offer dual stack IPv6, I have decided to figure out how to get tunneled IPv6 set up on a Debian based router for my home network. I wanted everything to be firewalled so I would get the added security benefit instead of setting up IPv6 on each PC/VM.

I will be using Debian Wheezy as my router. Interface names used throughout:

- eth0 = WAN
- eth1 = LAN
- he-ipv6 = Tunnel
1. Go to tunnelbroker.net and get an IPv6 block (create a tunnel; its details page lists the Server IPv4 Address, Server IPv6 Address, Client IPv6 Address and Routed /64 referred to below)
2. Edit your interfaces file (`/etc/network/interfaces`) and change the comments below to match what is on the Hurricane Electric website

```
# LAN side: the router takes ::1 of the routed /64 and is the clients' default gateway
iface eth1 inet6 static
    address # Routed /64 (append ::1 to the end of the address)
    netmask 64
    up ip -6 route add # Client IPv6 Address::/64 via # Server IPv6 Address dev he-ipv6
    down ip -6 route del # Client IPv6 Address::/64 via # Server IPv6 Address

# 6in4 tunnel to Hurricane Electric (IPv6 carried inside IPv4, protocol 41)
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address # Client IPv6 Address
    netmask 64
    endpoint # Server IPv4 Address
    ttl 255
    gateway # Server IPv6 Address
    # only honoured if the resolvconf package is installed
    dns-nameservers 2001:470:20::2 74.82.42.42
```
3. Set up ip6tables

The script below (run it from your firewall script, as root) keeps the router and the LAN closed to unsolicited IPv6 traffic from the tunnel while letting LAN hosts connect out:

```
#!/bin/bash
# $IPT6 was used but never set in the original; point it at the binary
IPT6=/sbin/ip6tables
LAN_IF="eth1"
HE_IF="he-ipv6"

# Flush old rules, old custom tables
$IPT6 -F
$IPT6 -X
$IPT6 -Z
for table in $(</proc/net/ip6_tables_names)
do
    $IPT6 -t $table -F
    $IPT6 -t $table -X
    $IPT6 -t $table -Z
done

# Default policy: nothing reaches the router or the LAN unless a rule below allows it
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT ACCEPT

# Enable free use of the loopback interface
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# Drop packets carrying a Type 0 Routing Header (RH0, deprecated by RFC 5095)
$IPT6 -A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
$IPT6 -A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
$IPT6 -A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP

# Accept replies to connections the router itself opened
$IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let replies to LAN-initiated connections back in through the tunnel.
# ICMPv6 errors for tracked flows (e.g. Packet Too Big) count as RELATED, so
# path MTU discovery keeps working; unsolicited pings to LAN hosts are dropped
# by the FORWARD policy.
$IPT6 -A FORWARD -i $HE_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing LAN connections
$IPT6 -A FORWARD -i $LAN_IF -o $HE_IF -j ACCEPT

# Allow ICMPv6 to the router (required for IPv6 to function: neighbour discovery,
# router advertisements, path MTU discovery)
$IPT6 -A INPUT -p icmpv6 -j ACCEPT

# Log and reject everything else arriving from the tunnel. Nothing else is
# accepted on INPUT, so any service the router should offer over IPv6 (ssh etc.)
# needs its own ACCEPT rule above this point.
$IPT6 -A INPUT -i $HE_IF -j LOG
$IPT6 -A INPUT -i $HE_IF -j REJECT --reject-with icmp6-port-unreachable
```
4. Enable IPv6 forwarding

`nano /etc/sysctl.conf`

`net.ipv6.conf.all.forwarding = 1`

Apply it without rebooting with `sysctl -p`. Load the ip6tables rules from step 3 before turning forwarding on, so there is no window in which the LAN is reachable from the tunnel unfiltered.
5. Configure clients

- Address: an address in the Routed /64 (choose random values for the host part)
- Subnet: 64
- Gateway: the eth1 address that you used above (the Routed /64 with ::1 appended)
- DNS: 2001:470:20::2
6. Test

`ping6 ipv6.google.com`

On Wheezy `ping` only speaks IPv4 (and ipv6.google.com has no IPv4 address), so use `ping6`; newer iputils also accept `ping -6`. Test from a LAN client as well as from the router, so the FORWARD rules are exercised and not just INPUT/OUTPUT.
**Dynamic IP Setup**
1. Go to <a href="https://tunnelbroker.net" target="_blank">https://tunnelbroker.net</a> and find your "Tunnel ID" (it's the first item at the top)
2. Edit your firewall script so it reports your current IPv4 address to Hurricane Electric each time it runs (replace USERNAME, PASSWORD, and TUNNELID; the hostname is assumed to be ipv4.tunnelbroker.net, which is the host HE uses for this script, so check it against the URL shown on your tunnel's page)

`wget -q --timeout=5 https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID -O/dev/null`

The password is on the command line, so it is visible to every local user in `ps` while wget runs and lands in your shell history if you ever type the command by hand: keep the firewall script readable by root only (`chmod 700`). With `-q` a failed update is silent, so check the tunnel's page (or drop `-q` when debugging) if IPv6 stops working after an address change.
More information can be found here: <a href="http://www.tunnelbroker.net/ipv4_end.php" target="_blank">http://www.tunnelbroker.net/ipv4_end.php</a>
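The one-liner above re-sends the password on every firewall reload, whether or not the address changed. The script below is an added example and not code from the original post: it only calls the update URL when the WAN IPv4 address differs from the last one reported, validates the address first, and reads the credentials from a root-only netrc file so the password never appears on a command line. Everything named here is an assumption, not something from the page: the paths /etc/he-tunnel.netrc and /var/cache/he-tunnel/last_ip, the script name he-update.sh, the WAN interface eth0, curl (with `--netrc-file`) in place of the page's wget, and the ipv4.tunnelbroker.net hostname.

```sh
#!/bin/sh
# Added example (not from the original post): update the Hurricane Electric
# tunnel endpoint only when the WAN IPv4 address has changed, keeping the
# password off the command line. Assumed (hypothetical) names and paths:
# /etc/he-tunnel.netrc, /var/cache/he-tunnel/last_ip, WAN interface eth0,
# script file name he-update.sh; curl replaces the page's wget so that the
# credentials can be read from --netrc-file.
NETRC_FILE="${NETRC_FILE:-/etc/he-tunnel.netrc}"         # root-owned, mode 0600, one line:
                                                         # machine ipv4.tunnelbroker.net login USERNAME password PASSWORD
CACHE_FILE="${CACHE_FILE:-/var/cache/he-tunnel/last_ip}" # last address we reported
TUNNEL_ID="${TUNNEL_ID:-TUNNELID}"                       # numeric Tunnel ID from tunnelbroker.net
WAN_IF="${WAN_IF:-eth0}"

# Print the first global IPv4 address on $WAN_IF (prints nothing if there is none).
wan_ipv4() {
    ip -4 -o addr show dev "$WAN_IF" scope global 2>/dev/null \
        | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Succeed only if $1 is a dotted quad with every octet in 0..255, so an empty
# or garbled value never reaches the update URL.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed if $1 differs from the address last reported (or nothing was reported yet).
ip_changed() {
    last=""
    if [ -r "$CACHE_FILE" ]; then
        read -r last < "$CACHE_FILE" || last=""
    fi
    [ "$1" != "$last" ]
}

# Report the new endpoint and remember it. As in the wget command above only the
# tunnel id goes in the URL; the password stays in the netrc file and so never
# shows up in ps output or shell history.
update_endpoint() {
    curl -sS --max-time 5 --netrc-file "$NETRC_FILE" \
        "https://ipv4.tunnelbroker.net/ipv4_end.php?tid=$TUNNEL_ID" >/dev/null || return 1
    mkdir -p "$(dirname "$CACHE_FILE")"
    printf '%s\n' "$1" > "$CACHE_FILE"
}

main() {
    ip=$(wan_ipv4)
    if ! is_ipv4 "$ip"; then
        echo "he-update: no usable IPv4 address on $WAN_IF" >&2
        return 1
    fi
    if ip_changed "$ip"; then
        update_endpoint "$ip"
    fi
}

# Run from cron (e.g. every five minutes) or from the firewall script; the
# functions above can also be sourced and exercised without touching the network.
if [ "${0##*/}" = "he-update.sh" ]; then
    main "$@"
fi
```

Because the cache only records an address after a successful request, a failed update (HE unreachable, bad credentials) is retried on the next run instead of being forgotten; `curl -sS` stays quiet on success but still prints the error on failure, which is what you want in cron mail.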
<b>radvd</b>
If you want all clients to be automatically configured for the tunnel you can set up radvd which is the 'Router Advertisement Daemon'.
1. Install radvd
`apt-get install radvd`
2. Create a radvd config in `/etc/radvd.conf` (radvd expects `net.ipv6.conf.all.forwarding = 1` from step 4 to be in effect)

```
interface eth1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # 1500 minus the 20-byte IPv4 header of the 6in4 tunnel, so clients never
    # send packets larger than the tunnel can carry
    AdvLinkMTU 1480;
    IgnoreIfMissing on;
    # Managed/OtherConfig tell clients to also ask a DHCPv6 server for addresses
    # and DNS. This guide sets up no DHCPv6 server, so clients still get their
    # address from the prefix below (AdvAutonomous) but DNS has to be set by
    # hand as in step 5 unless you add a DHCPv6 server or an RDNSS option.
    AdvManagedFlag on;
    AdvOtherConfigFlag on;

    # replace "Routed /64" with the routed prefix from tunnelbroker.net
    prefix Routed /64::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
```

3. Start radvd

`service radvd start`