Hurricane Electric Tunnel
Jul 16, 2015

Since my ISP currently does not offer dual-stack IPv6, I have decided to figure out how to get tunneled IPv6 set up on a Debian-based router for my home network. I wanted everything to be firewalled so I would get the added security benefit instead of setting up IPv6 on each PC/VM.

I will be using Debian Wheezy as my router, with these interfaces: eth0 = WAN, eth1 = LAN, he-ipv6 = Tunnel.

  1. Go to and get an IPv6 block

  2. Edit your interfaces file, replacing the comments below with the matching values from the Hurricane Electric website

```
iface eth1 inet6 static
    address # Routed /64 (append ::1 to the end of the address)
    netmask 64
    up ip -6 route add # Client IPv6 Address::/64 via # Server IPv6 Address dev he-ipv6
    down ip -6 route del # Client IPv6 Address::/64 via # Server IPv6 Address

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address # Client IPv6 Address
    netmask 64
    endpoint # Server IPv4 Address
    ttl 255
    gateway # Server IPv6 Address
    dns-nameservers 2001:470:20::2
```

3. Set up ip6tables

```
IPT6="/sbin/ip6tables"   # path to the ip6tables binary on Debian
LAN_IF="eth1"
HE_IF="he-ipv6"

# Flush old rules, old custom tables
$IPT6 -F
$IPT6 -X
$IPT6 -Z
for table in $(</proc/net/ip6_tables_names)
do
    $IPT6 -t $table -F
    $IPT6 -t $table -X
    $IPT6 -t $table -Z
done

# Default policy

# Enable free use of the loopback interface
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# Drop RH0 packets
$IPT6 -A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
$IPT6 -A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
$IPT6 -A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP

# Accept inbound established connections

# Allow incoming established connections

# Allow outgoing LAN connections

# Allow ICMP (this is required for IPv6 to function)
$IPT6 -A INPUT -p icmpv6 -j ACCEPT

# Log and reject everything else
$IPT6 -A INPUT -i $HE_IF -j LOG
$IPT6 -A INPUT -i $HE_IF -j REJECT --reject-with icmp6-port-unreachable
```

4. Enable IPv6 forwarding
`nano /etc/sysctl.conf`
`net.ipv6.conf.all.forwarding = 1`

5. Configure clients

- Address: Routed /64 (choose random values)
- Subnet: 64
- Gateway: eth1 address that you used above
- DNS: 2001:470:20::2

6. Test

**Dynamic IP Setup**
1. Go to and find your "Tunnel ID" (it's the first item at the top)

2. Edit your firewall script (replace USERNAME, PASSWORD, and TUNNELID)
`wget -q --timeout=5 https://USERNAME:[email protected]/ipv4_end.php?tid=TUNNELID -O/dev/null`

If you want all clients to be automatically configured for the tunnel, you can set up radvd, the 'Router Advertisement Daemon'.

1. Install radvd
`apt-get install radvd`

2. Create an radvd config in /etc/radvd.conf

```
interface eth1 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1480;
    IgnoreIfMissing on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;

    prefix Routed /64::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
```
3. Start radvd
`service radvd start`
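
The firewall policy from step 3, written as an `ip6tables-restore` ruleset so it can be parse-checked and then loaded in one atomic step; this is an added example, not the original post's script. It assumes DROP as the default policy for INPUT and FORWARD, uses `conntrack` for the established-connection rules, rate-limits the LOG rule and matches RH0 regardless of its Segments Left value; `gen_ruleset` and `apply_ruleset` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the original post's script. Prints the step-3 policy
# as an ip6tables-restore ruleset. Assumptions: default DROP on INPUT and
# FORWARD, conntrack for established traffic, rate-limited logging.

gen_ruleset() {
    lan_if="${1:-eth1}"      # interface names default to the page's
    he_if="${2:-he-ipv6}"
    # Refuse names that could smuggle extra options into a rule line
    case "$lan_if$he_if" in
        *[!A-Za-z0-9._-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
# RH0 first, before any ACCEPT; no --rt-segsleft, so any Segments Left matches
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
# Replies to connections opened by the router or the LAN; RELATED also
# passes ICMPv6 errors such as Packet Too Big back to the LAN host
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections out through the tunnel
-A FORWARD -i ${lan_if} -o ${he_if} -j ACCEPT
# ICMPv6 to the router itself (required for IPv6 to function)
-A INPUT -p icmpv6 -j ACCEPT
# Everything else from the tunnel: rate-limited log, then reject
-A INPUT -i ${he_if} -m limit --limit 5/min -j LOG --log-prefix "ip6-reject: "
-A INPUT -i ${he_if} -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

# Parse-check first (--test builds the ruleset without committing), then load.
apply_ruleset() {
    rules=$(gen_ruleset "$@") || return 1
    printf '%s\n' "$rules" | ip6tables-restore --test || return 1
    printf '%s\n' "$rules" | ip6tables-restore
}
```

Run `apply_ruleset` as root to load it. With DROP as the INPUT policy, anything LAN hosts reach on the router itself over IPv6 (SSH, DNS) needs its own ACCEPT rule.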