IPv4 only OpenVZ VPS, how to gain access to IPv6?
Short answer: Tunnel!
I use TunnelBroker. TunnelBroker generously provides 5 free tunnels.
I have a VPS with only public IPv4 addresses, but I would like to access another VPS that has only an IPv6 address.
So we need some help here: a proxy that encapsulates IPv6 data in an existing IPv4 connection and transfers it to a host that has both IPv4 and IPv6. That host processes the IPv6 request and returns the result.
PS. The client has to be able to process IPv6, e.g. set up an IPv6 address.
Architecture
This setup requires a host with public IPv4 and IPv6 addresses; I will call this host the 'tunnel server' from here on. The client host and the tunnel server are connected via an IPv4 tunnel. All IPv6 data is encapsulated in IPv4 packets and transferred through this tunnel. The tunnel server receives and decapsulates the IPv4 packet, gets the IPv6 request, processes it, then encapsulates the result in IPv4 and transfers it back to the client.
I found a nice tunnel server provider named TunnelBroker. After I registered, it gave me a tunnel; here is the information.
Server IPv4 Address: 201.0.0.1 (TB side public IPv4)
Server IPv6 Address: 2001:db8:a:20::1/64
Client IPv4 Address: 100.0.0.1 (my VPS public IPv4)
Client IPv6 Address: 2001:db8:a:20::2/64
Routed /64: 2001:db8:b:20::/64 (note it is b, not a)
The client IPv6 address is what you use to access the server, and it is for one server only. For more publicly accessible v6 IPs, TunnelBroker kindly provides Routed Prefixes for exactly this purpose. For more subnets, you may request a /48 prefix too.
A routed prefix means that when someone on the Internet wants to access an IP in this CIDR (e.g. 2001:db8:b:20::1/64), the ISP will send/route the request to you via the tunnel, thus the name routed prefix. You have to process these requests, either by forwarding them to an appropriate server or by processing them locally.
So by assigning these v6 IPs to your servers, you make your servers public to the Internet. Personally, I just use the client address and set a DNS AAAA record to it, so my VPS is accessible from the Internet using an IPv6 address. Any service listening on IPv6 is exposed once the address is up, so make sure your firewall rules cover IPv6 as well.
I strongly recommend that you turn off your firewall during testing, or allow protocol 41 and ICMP. Protocol 41 is the IP protocol number for IPv6 encapsulated in IPv4, which is what the tunnel carries. Otherwise, you won't be able to connect to the client address or those routed prefixes. For example, if you use firewalld, run these commands. Without --permanent they change the running configuration only.
# firewall-cmd --add-protocol=41
# firewall-cmd --add-protocol=icmp
HOW-TO
My VPS is based on OpenVZ, not KVM.
Because of that, I can't set up a tunnel using the ifconfig/iproute2 commands directly. I found a workaround named ustun, provided by Luca Bertoncello. It is a userspace tunnel.
1. Download and extract.
You don't need to compile if you download from here. Choose 'tb-tun_r18.tar.gz'. After extraction, you will get an executable file tb_userspace.
2. Start tunnel.
# Prepare
$ SERVER_IP="201.0.0.1"
$ ME_IP="100.0.0.1"
$ ME_IPV6="2001:db8:a:20::2/64"
# assume the tb_userspace is in current directory
# start the underlying 'tunnel' named 'tb'
$ setsid ./tb_userspace tb $SERVER_IP $ME_IP sit > /dev/null 2>&1 &
# give it some time.
$ sleep 3
# bring tunnel up.
$ ifconfig tb up
# add the IPv6 assigned to me.
$ ifconfig tb inet6 add $ME_IPV6
# do I have to set MTU?
# $ ifconfig tb mtu 1480
# set the default route through the 'tunnel'
$ route -A inet6 add ::/0 dev tb
# remove the pre-defined default route
$ route -A inet6 del ::/0 dev venet0
# verify the setup
$ ping -6 ipv6.google.com
$ traceroute6 -n ipv6.google.com
# public IP for my server.
# remember firewall setting.
$ ifconfig tb inet6 add 2001:db8:b:20::1/64
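The following Python is an added example, not part of the original post or of tb_userspace. It builds the IPv4 packet with protocol 41 that carries an IPv6 packet between the client and the tunnel server, and on receipt accepts protocol 41 only from the tunnel server's address. The function names and the source-address check are assumptions of this example; the addresses are the ones listed above and the packets are constructed.

```python
import ipaddress
import struct

PROTO_6IN4 = 41    # IPv4 protocol number for encapsulated IPv6 (what the firewall must allow)
IPV4_HDR_LEN = 20  # header without options; 1500 - 20 = 1480 is the usual tunnel MTU

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_packet(src6: str, dst6: str, payload: bytes = b"") -> bytes:
    """Minimal IPv6 packet: 40-byte header, next header 59 (no next header)."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,
                       ipaddress.IPv6Address(src6).packed,
                       ipaddress.IPv6Address(dst6).packed) + payload

def encapsulate(inner: bytes, src4: str, dst4: str) -> bytes:
    """Prepend an IPv4 header with protocol 41 to a raw IPv6 packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(inner),
                      0, 0x4000, 64, PROTO_6IN4, 0,  # id, DF flag, TTL, proto, csum=0
                      ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + inner

def decapsulate(packet: bytes, tunnel_peer: str) -> bytes:
    """Return the inner IPv6 packet; accept protocol 41 only from the tunnel peer."""
    if len(packet) < IPV4_HDR_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < IPV4_HDR_LEN or len(packet) < ihl or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if packet[9] != PROTO_6IN4:
        raise ValueError("not protocol 41")
    if packet[12:16] != ipaddress.IPv4Address(tunnel_peer).packed:
        raise ValueError("protocol 41 from a host that is not the tunnel server")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return inner

if __name__ == "__main__":
    # Constructed reply from the tunnel server to the client, using the post's addresses.
    reply = ipv6_packet("2001:db8:a:20::1", "2001:db8:a:20::2")
    wire = encapsulate(reply, "201.0.0.1", "100.0.0.1")
    print(len(wire) - len(reply), wire[9], decapsulate(wire, "201.0.0.1") == reply)
```

The same source restriction can be applied in the firewall by allowing protocol 41 only from the Server IPv4 Address instead of from any host.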
KVM
My KVM VPS supports IPv6 tunneling directly. TunnelBroker provides the commands to set up the tunnel using ifconfig or iproute2.