Using an IPv6 tunnel broker

01 Nov 2019 - tsp
Last update 01 Nov 2019
Reading time 11 mins

What is IPv6 and what is a tunnel broker

IPv6 is the current version of the internet protocol which has been standardized by the IETF back in 1998. It is the direct successor of the version 4 (IPv4). One of the main modifications was to expand IP adresses from 32 bits to 128 bits. This was a necessary change since the IPv4 pools have nearly all been already allocated to network operators - so we basically ran out of IPv4 adresses. This lead to an emerging of circumvention strategies like using network address translation (NAT). This brought a whole bunch of problems like not offering a real IP network connection.

To see where the problem with NAT comes from one has to realize that in an IP network there is no distinction between different types of devices connected. There is no notation of server or client. There are just nodes connected to the network. They can initiate connections, they can accept connections. The whole network is built agnostic about the content transferred by these nodes - and also agnostic about the direction this data takes. The whole network is a bunch of autonomous systems loosely held together by routing protocols by which every autonomous network announces for which IP subnets itā€™s responsible or is capable of routing traffic to (and also with which metric - i.e. a link cost thats influenced by bandwidth and hop count as well as latency). That way all routers on the network learn how to reach each subnet on the whole internet via which physical routes. All autonomous systems normally run an open and cost neutral peering policy - they simply take any traffic form anyone and route it everywhere independent of source, destination and content. Thatā€™s the key concept of net neutrality thatā€™s really required to hold the whole internet together. In fact there is no destinction between a network and the often used notation of an internet service provider or access provider. They are just networks with a bunch of nodes and normally operate some kind of network cabling (like the TV cable networks, DSL lines, optical networks, etc.) as a backhault to transfer data from the users to their own network - i.e. itā€™s all about the long cable to your home. Wireless access is a little bit different though (and because of this normally exepmted from net neutrality - the main difference is the roaming feature of mobile networks that makes it just unpredictable where how many clients want to join and also makes the prediction of network load nearly impossible; on the other hand these networks have been built primarily for isochronous services with quality of service like voice thatā€™s also prioritized).

The main problem now arrises when one runs out of IP adresses. Normally every node has to have an IP adress so it can receive data by any other side (either requested or as a service provided, etc.). The main solution used here had been network address translation (NAT). In this case the nodes only get assigned a private IP adress (i.e. an adress that is never routed onto the internet). The NAT device then tries to translate connection information for TCP and UDP by remembering which internal device requested a connection to which external device at which port combination and opens itself a connection on a random port. It remembers the combination of client IP, client port, destination IP, destination port, public IP used, public port used and rewrites the source address and source port fields of each UDP or TCP packet to match itā€™s choosen public IP and port fields. First this makes it impossible to choose source ports. On the other hand inbound connections are not possible - a connection has to be established always from the inside so that the NAT device is capable of learning the connection data (which it forgets after a given timeout). There is a whole bunch of problems with this:

There have been some techniques that try to make use of characteristics of many NAT implementations to establish connections between devices behind NAT (like STUN and STUNT) which work to a given degree under some circumstances but these solutions are also just hacks. And there has been the major misconception that NAT might be a security feature - it really is not! Never mistake a NAT device as a firewall or security device.

IPv6 solves the whole NAT problem by extending the IP adress range from 32 bits to 128 bits which should be enough to assign every device a worldwide unique address. Subnetting is supported but there are some differences to IPv4. At IPv4 you could freely choose the prefix length and some network operators even assigned up to /29 or /30 for small subnets. Since IPv6 also changes the way autoconfiguration works - one does not need DHCP any more - subnetting also changed a little bit. Each IPv6 address is separated into the network part (upper 64 bit) and a local part (lower 64 bit) - the longest prefix that can be announced on a network is /64. Longer prefixes violate the IPv6 RFC. IP address assignment via stateless address autoconfiguration (SLAAC) work by letting the router announce the subnets on each of itā€™s interfaces. Everytime a node sees such an advertisment it takes the advertised subnet and appends a value derived from the worldwide unique ethernet MAC address at the lower 64 bit of the address - and has itā€™s address assigned. Note that this of course means that you should never manipulate your MAC addresses / they have to be unique at least in the same IP subnet.

To assign DNS servers like previously done via DHCP one can use rddns in the same advertisement. If one really requires other configuration options there is DHCPv6 which supplies this configuration information but should never be used to configure IP addresses, SLAAC should be used for that.

There have been a few other changes with IPv6 like mobility extensions (that allow a backhaul of mobile devices into your local network via mechanisms known to the router), etc. Note that ICMP is still an integral part of IP and is even more important with IPv6 so it should not be blocked by a firewall.

Since the worldwide transition to IPv6 should be as flawless and easy as possibe dual stack operation was established, that means every host gets his IPv4 address as known before and also enabled IPv6 operation. Whenever possible hosts use IPv6, when not possible they fall back to IPv4 connectivity. There are other mechanisms like NAT64 or 4in6 mappings that allow one to operate a clean IPv6 only network and still donā€™t loose connection to legacy IPv4 networks but thatā€™s out of scope for this short article.

In general all modern networks should support IPv6 and ISPs should normally delegate a /48 prefix to each user as specified by the IPv6 RFC, the shortest prefix they should every announce to a home network is a /64 (but as stated by the RFC they should at least provide a /48 on request without any charge). If your ISP is also still living in the stoneages of the internet and not providing IPv6 routing there are some parts of the internet that are unreachable even tody - to circumvent this one can use a tunnel provider. This is simply an network operator that allows you to build up an tunnel over IPv4 and route all your IPv6 traffic via this tunnel to one of their points of presence from which on the traffic will be routed as usualy inside the internet. Normally these tunnel providers use a generic route encapsulation tunnel (GRE) or similar mechanisms to transfer data between networks.

Registering your tunnel at hurricane electric

One of the major tunnel providers is Hurricane Electric. It allows one to freely register an account. After registration you are free to create a new tunnel. Choose a point of presence that has the best network connection to you (do not choose based on geographic location, measure via ICMP echo, look at peering information between the networks, etc. - a short topological distance as well as low latency and high bandwidth connection is desired). The tunnel creation also requires your current public IPv4 address so you have to have a publically reachable tunnel endpoint. Enter the static IP address assigned to your gateway (that we will configure in the next step) or your currently dynamically assigned public IP address for the local part.

After tunnel creation HE shows you the tunnel configuration:

Network configuration (gif, interfaces, router advisory, DNS)

Now one can simply enable the tunnel by configuring the gif interface. On FreeBSD one can temporarily do this via

ifconfig gif0 create
ifconfig gif0 tunnel ${YOUR_PUBLIC_IPV4} ${POP_IPV4}
ifconfig gif0 inet6 ${CLIENT_IPV6} ${POP_IPV6} prefixlen 128
route -n add -inet6 default ${POP_IPV6}
ifconfig gif0 up

Thatā€™s all thatā€™s required to bring the interface up. One can then test the IPv6 connection via

ping6 ${POP_IPV6}

If this doesnā€™t work one might be missing a firewall rule for icmp-v6.

To make that change persistent the following entries are required in /etc/rc.conf:

gif_interfaces="gif0"
gifconfig_gif0="${YOUR_PUBLIC_IPV4} ${POP_IPV4}"
ifconfig_gif0="inet6 ${CLIENT_IPV6} ${POP_IPV6} prefixlen 128"
ipv6_defaultrouter="${POP_IPV6}"

Now one wants to advertise the assigned prefix into the local network. To do that one uses the router advisory daemon. This is configured via /etc/rtadvd.conf. One just configured the interface facing the local network (in the following example that will be re0) with the prefix and prefixlen. The following example also includes an rdnss entry that autoconfigures DNS servers:

re0:\
	:addr="${YOUR_V6_PREFIX}":\
	:prefixlen#64:\
	:vltime=60:\
	:raflags#64:\
	:rdnss="${DNS_V6_IP}":\
	:dnssl="${YOUR_DNS_SUFFIX}":\
	:maxinterval#120:\
	:mininterval#30:

Now one can enable rtadvd in /etc/rc.conf via rtadvd_enable="YES" and launch via

/etc/rc.d/rtadvd start

After that clients should get IPv6 addresses assigned. Eventually one has to enable forwarding if this hasnā€™t been done until now:

sysctl net.inet6.ip6.forwarding=1

and make that change persistent in /etc/sysctl.conf or inside ones firewall script.

The last thing to do is to configure reverse DNS. One simply configures the reverse zone on oneā€™s DNS server and enters the DNS server name itself into the tunnel configuration. There are two approaches for this: Wildcard reverse DNS just responds with a generic response for each reverse DNS client or one only configures for specific clients (which leads to clients using privacy extensions having no reverse name). Iā€™d personally choose the second approach since I normally want to have a specific name for specific clients and no wildcard approach.

Dynamic IP considerations (update script)

When one has a dynamically assigned external IPv4 address there might be a problem with the tunnel configuration thoug. On has to update the public tunnel endpoint whenever the local IP changes. One might use the following shellscript to periodically (for example via cron) check if the external IP has changed and in case trigger the update process. One might also use dhclient hooks to be notified of v4 address changes and run the script:

This article is tagged:

Related articles

How does the Internet work and what is it anyways?

Mini introduction into the nature of the Internet and it's basic working principles.

Privacy - TOR, VPN, DOH, Encryption. What's effective and what does it provide?

Since I often hear confusion about the level or type of privacy when I talk with people about onion routing services like TOR, tunneling services like VPN, DNS encryption via DOH, using proxyservers, using alternate DNS services, using encryption and signature, etc. I've decided to write a short blog post about that different stuff and what it provides - and what not (in my personal opinion).

Bridging networks (VPNs)

A mini tutorial on different approaches to bridge networks

Building a LoRA WAN gateway (and supplying data for the things network)

The following article leads the reader through building an LoRA-WAN gateway from an iMST ic880a concentrator board and an RaspberryPi. Optionally is shows the reader how to add GPS, enable remote configuration via the tinc VPN daemon and via a TOR stealth hidden service.

A look at the pastry distributed hashtable

This blog post takes a look at the pastry distributed hashtable. This is a hashtable that allows resilient and scaling distributed key value stores and that can be used to build a variety of applications on top.

Sane Windows IP configuration: Disabling IPv6 privacy extensions and enabling ICMP echo

Mini note but essential when a Windows machine should join any sanely administered network.

Building a TCP console server for Windows and FreeBSD

A common problem in industry and laboratories - accessing a serial port via the network to allow multiple machines or VMs access the same physical serial port. This blog post explains how to build such an console server on a FreeBSD host offering physical serial ports an FreeBSD as well as Windows clients who are able to access the ports like local ones.

Simple DHCP failover with ISC-DHCP

Mini summary on how to configure DHCP failover or load balancing when using ISC-DHCP for legacy IP networks. This is not a full explanation of all details, just a quick sample on how to get up failover in a few minutes.

Also on this blog

Detecting frequency, delay and phase relation as well as multiple targets using correlation functions

A short story about how one can use autocorrelation and cross-correlation functions on discretized samples of radio frequency data and also noise to detect the frequency of a single signal, the delay of a reflected signal, the phase relation between two signals and how one can track multiple reflective targets in applications like LIDAR, sonar or radar using correlations - and how to get them robust against external influence.

GPU size estimation for LLMs

Ever wondered how much VRAM you actually need to run a 13B, 65B, or even 500B language model? This compact, no-fluff guide - mostly a personal reference - breaks down GPU memory needs by model size, quantization, and task complexity. Includes real-world GPU examples with affiliate links for anyone thinking of building or upgrading their own AI rig. Great for hobbyists, tinkerers, and anyone asking, 'Can I run that locally?'

The Enigma of Consciousness: Are Humans Uniquely Special in the Realm of Mind and Experience?

Are humans metaphysically unique, or is consciousness a matter of organization and dynamics that could, in principle, emerge in other substrates? This essay tackles the long-standing debate by weighing arguments for human exceptionalism against counterpoints from philosophy of mind, neuroscience, and AI. It explores whether qualities like subjective experience, qualia, and the hard problem demand a biological essence, or whether feedback loops, global broadcast, embodiment, intrinsic drives, and learning dynamics suffice to explain why minds feel the way they do. The conclusion points toward a continuum rather than an exclusive divide: human minds feel special, but their vividness and unity can be linked to patterns of information processing, not an untouchable spark. Machines do not yet meet these conditions fully, but no principled barrier rules it out. What makes minds special is excellence of organizationā€”loops, memory, drives, and adaptationā€”not the matter they are built from.

Ignoring the Warning Signs: Shock, Silence, and Stigma in Tragedies

Western societies are repeatedly stunned by suicides and acts of mass violence that, in hindsight, were foreshadowed by clear warning signs. This short article explores the recurring cycle of inaction, denial, and shocked aftermathā€”drawing on psychology, sociology, and media analysis to understand why cries for help are often ignored and why communities struggle to acknowledge their role in preventable tragedies. Through analysis and real-world case studies, the article reveals how empathy gaps, stigma, moral disengagement, and media framing distort our response to suffering. It challenges readers to confront uncomfortable truths and calls for systemic change in how we recognize, interpret, and act on early signs of crisisā€”before grief becomes regret. In the appendix, an extended overview is provided on the full range of prevention strategies. Suicide and suicide-driven violence are complex phenomena influenced by social, economic, and psychological factors. Evidence shows that social connectedness and supportive communities can buffer against suicide risk, whereas isolation and stressors (economic hardship, bullying, trauma) exacerbate it. A comprehensive prevention strategy must span upstream (long-term societal supports) to downstream (immediate crisis intervention) approaches. The appendix reviews major prevention strategies, highlighting their proven benefits, controversies, and potential unintended effects, with academic references where available.

Data protection policy

Dipl.-Ing. Thomas Spielauer, Wien (webcomplains389t48957@tspi.at)

This webpage is also available via TOR at http://rh6v563nt2dnxd5h2vhhqkudmyvjaevgiv77c62xflas52d5omtkxuid.onion/

Valid HTML 4.01 Strict Powered by FreeBSD IPv6 support