1. NAT-safe IPv6 Tunnel from Mac OS X to Linux Server

    Here is how I routed myself a block of IPv6 to my laptop, wherever I am in the world! Note that I deliberately route myself an entire /64, but only allow a /128 through tinc (to reduce the amount of junk I might drown in). It should be relatively trivial to swap addresses if necessary in future.

    Mac OS X Laptop

    tinc.conf

    Name = laptop
    ConnectTo = server
    DeviceType = tun
    Mode = router
    

    tinc-up

    #!/bin/sh
    ifconfig $INTERFACE up
    ifconfig $INTERFACE inet6 add 2001:0db8:1234:5678:cafe:babe:feed:face prefixlen 64
    route add -inet6 2001:0db8:1234:5600::1 -prefixlen 56 -iface $INTERFACE
    route add -inet6 :: -prefixlen 0 2001:0db8:1234:5600::1
    

    tinc-down

    #!/bin/sh
    route delete -inet6 :: -prefixlen 0
    route delete -inet6 2001:0db8:1234:5678:: -prefixlen 64
    route delete -inet6 2001:0db8:1234:5678:cafe:babe:feed:face
    ifconfig $INTERFACE inet6 delete 2001:0db8:1234:5678:cafe:babe:feed:face prefixlen 64
    ifconfig $INTERFACE down
    

    ~/bin/ipv6

    #!/bin/sh
    sudo /opt/local/sbin/tincd -D -c ~/.tinc
    

    Debian Linux Server

    nets.boot

    tunnel-5600
    

    tunnel-5600/tinc.conf

    Name = server
    DeviceType = tun
    Mode = router
    Subnet = 0:0:0:0:0:0:0:0/0
    

    tunnel-5600/tinc-up

    #!/bin/sh
    ip addr add 2001:0db8:1234:5600::1/56 dev $INTERFACE
    ip link set $INTERFACE up
    

    tunnel-5600/tinc-down

    #!/bin/sh
    ip addr del 2001:0db8:1234:5600::1/56 dev $INTERFACE
    ip link set $INTERFACE down
    

    Common

    hosts/laptop

    Subnet = 2001:0db8:1234:5678:cafe:babe:feed:face/128
    -----BEGIN RSA PUBLIC KEY-----
    SNIP
    -----END RSA PUBLIC KEY-----
    

    hosts/server

    Address = 192.168.1.1
    Subnet = 0:0:0:0:0:0:0:0/0
    
    -----BEGIN RSA PUBLIC KEY-----
    SNIP
    -----END RSA PUBLIC KEY-----
    
2. IPv6/BGP Tunnel to Hurricane Electric on Debian with Quagga

    The IPv6 Internet is not immune to breakage and so it seems prudent right now to ensure good connectivity to the big providers. Faelix takes IPv6 transit from TINet, but the possibility of a free 6-in-4 tunnel to Hurricane Electric as a backup path is too good to pass up.

    Having put in my request to HE’s tunnelbroker.net I waited… and within 12 hours had a positive response that it was ready:

    Looks good, tunnel and BGP configured on our side. You'll peer with ::1
    of the tunnel's /64 allocation, and our ASN is 6939.
    

    Here are some pseudonymised details:

    Server IPv4 address:  216.66.84.50
    Server IPv6 address:  2001:0db8:1234:5678::1/64
    Client IPv4 address:  192.0.2.128
    Client IPv6 address:  2001:0db8:1234:5678::2/64
    

    Here is what I put in /etc/network/interfaces:

    auto as6369v6to4
    iface as6369v6to4 inet6 v4tunnel
        address 2001:0db8:1234:5678::2
        netmask 64
        endpoint 216.66.84.50
        local 192.0.2.128
        ttl 255
    

    And here is the appropriately pseudonymised example section from Quagga’s bgpd.conf:

    router bgp 65500
     neighbor 2001:0db8:1234:5678::1 remote-as 6939
     neighbor 2001:0db8:1234:5678::1 update-source 2001:0db8:1234:5678::2
     neighbor 2001:0db8:1234:5678::1 remove-private-AS
     neighbor 2001:0db8:1234:5678::1 route-map rm-AS6939tun-v6i in
     neighbor 2001:0db8:1234:5678::1 route-map rm-AS6939tun-v6o out
     address-family ipv6
      neighbor 2001:0db8:1234:5678::1 activate
      neighbor 2001:0db8:1234:5678::1 route-map rm-AS6939tun-v6i in
      neighbor 2001:0db8:1234:5678::1 route-map rm-AS6939tun-v6o out
     exit-address-family
    
    ipv6 prefix-list pl-transit-64-v6i seq 5 deny ::/0
    ipv6 prefix-list pl-transit-64-v6i seq 10 permit ::/0 le 64
    
    ipv6 prefix-list pl-AS41495-v6-to-upstream seq 5 permit 2001:0db8:666::/48 le 64
    
    route-map rm-AS6939tun-v6i permit 10
     match ipv6 address prefix-list pl-transit-64-v6i
     set as-path prepend 6939 6939 6939
    
    route-map rm-AS6939tun-v6o permit 10
     match ipv6 address prefix-list pl-AS41495-v6-to-upstream
     set as-path prepend 65500 65500 65500
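
    How the two prefix-lists in the bgpd.conf above decide which routes are accepted from, and announced to, the tunnel peer. This is an added example, not part of the original post: the evaluator is a simplified model of first-match prefix-list logic, and the sample routes are constructed.

```python
import ipaddress

# The two prefix-lists exactly as they appear in the bgpd.conf above.
BGPD_CONF = """\
ipv6 prefix-list pl-transit-64-v6i seq 5 deny ::/0
ipv6 prefix-list pl-transit-64-v6i seq 10 permit ::/0 le 64
ipv6 prefix-list pl-AS41495-v6-to-upstream seq 5 permit 2001:0db8:666::/48 le 64
"""

def parse_prefix_list(conf, name):
    """Return (seq, action, network, min_len, max_len) tuples for one list, in seq order."""
    entries = []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:3] != ["ipv6", "prefix-list", name]:
            continue
        seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))  # optional "ge N" / "le N"
        # No ge/le: exact length only. "le" alone: the entry's own length up to le.
        # "ge" alone: from ge up to /128.
        min_len = opts.get("ge", net.prefixlen)
        max_len = opts.get("le", 128 if "ge" in opts else net.prefixlen)
        entries.append((seq, action, net, min_len, max_len))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, prefix):
    """First matching entry wins; a route matching no entry is denied."""
    p = ipaddress.ip_network(prefix)
    for _seq, action, net, min_len, max_len in entries:
        if min_len <= p.prefixlen <= max_len and p.subnet_of(net):
            return action
    return "deny"

INBOUND = parse_prefix_list(BGPD_CONF, "pl-transit-64-v6i")
OUTBOUND = parse_prefix_list(BGPD_CONF, "pl-AS41495-v6-to-upstream")

if __name__ == "__main__":
    # Constructed sample routes, not taken from a real BGP table.
    for p in ["::/0", "2000::/3", "2001:db8:abcd::/48", "2001:db8:abcd:1::/80"]:
        print("in ", p, evaluate(INBOUND, p))
    for p in ["2001:db8:666::/48", "2001:db8:666:10::/64",
              "2001:db8:667::/48", "2001:db8::/32"]:
        print("out", p, evaluate(OUTBOUND, p))
```

    The inbound list filters on prefix length only: every prefix of /64 or shorter is accepted except the default route, while the outbound list restricts announcements to the /48 and its subnets down to /64.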
    