Tunnel IPv6 to Raspberry@Home

v3ng Member, Patron Provider

Hi,

I'd like to have external access to my Raspberry PI which I have running at home.

I have several VPS with /64 IPv6 subnets, my goal would be to tunnel one of the IPv6 addresses and maybe also a few IPv4 ports to my local PI over a Wireguard tunnel.

Is that possible at all? I don't have a static IP at home.

Regards

Comments

  • It is possible. Just don't specify any endpoint ip on the server, and enable keepalives.

    Thanked by 1v3ng
  • rm_ IPv6 Advocate, Veteran
    edited September 2019

    Also you may need to run ndppd on the server in case the /64 subnet is not set as "routed", but as "on-link" on the provider's side. But it's nothing difficult and overall definitely possible.

    Thanked by 1v3ng
  • v3ng Member, Patron Provider

    Does anyone have a guide to set this up?

  • RickBakkr Member, Patron Provider, LIR

    Setting up NDPPD is rather easy:
    Installation of the package

    wget https://github.com/DanielAdolfsson/ndppd/archive/0.2.5.tar.gz -O - | tar xz
    cd ndppd-0.2.5
    make
    make install
    

    Config to put in /etc/ndppd.conf:

    route-ttl 30000
    proxy <INTERFACE> {
        router yes
        timeout 500
        ttl 30000
        rule <IPv6 PREFIX>/64 {
            static
        }
    }
    

    Start the NDPPD daemon with ndppd -d, and boom - the magic is done: your /64 is routed straight to your VM.

    In my experience, WireGuard has been the easiest and best-performing means to run a tunnel while passing through a NAT.

    There are plenty of tutorials on how to set up WG and a tunnel config, so I don't think it's necessary to write it down here. What you have to achieve is to add an IPv6 route: ip -6 ro a 2001:db8::/64 via <NEXT HOP>, where NEXT HOP is the IPv6 address of a /127 transport net (or you can use on-link fe80:: addresses just fine), on the side of the VM. Be sure to set a return route, which is just a rather rudimentary default route back to the other IP in the /127 (on link on VPS side): ip -6 ro a default via <NEXT HOP>

    While this is rather basic and not too in-depth, I hope it gives you some hints. If you still have any questions, feel free to ask or DM :-)

  • Hurricane Electric's (he.net) IPv6 tunnel works pretty well with dynamic IPs; that might be simpler than trying to roll your own.

  • RickBakkr Member, Patron Provider, LIR
    edited September 2019

    ras07 said: Hurricane Electric's (he.net) IPv6 tunnel works pretty well with dynamic IPs; that might be simpler than trying to roll your own.

    Do note that Hurricane's /32 is usually geolocated to the US, which would cause some effort of your own. Also, many consumer modems / NAT "routers" are hardly capable of properly forwarding protocol 41.

    Thanked by 2gkz v3ng
  • jbuggie Member
    edited September 2019

    Set up ndppd as mentioned above. Each WireGuard config consists of a public/private key pair and an optional preshared key. On your VPS peer, set up a fixed listening IP/port for WireGuard. On the Pi, just point it to the VPS IP/port combo. Make sure the allow_ip field is set up to allow your IPv6/IPv4 range. You can add IPv6 routing as part of the PostUp wg config option. Set a conservative MTU for your tunnel or strange things will happen. Nothing beats wg in terms of VPN performance. Enable PersistentKeepalive to keep the firewall happy.

    Thanked by 1v3ng
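
The WireGuard setup described in the posts above, as an added example that is not part of the original thread: a shell script that prints a wg-quick config for the VPS (fixed port, no Endpoint for the Pi) and one for the Pi (Endpoint, PersistentKeepalive, conservative MTU). The addresses, port, keepalive interval, MTU value and key placeholders are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: renders a wg-quick config pair for the setup in this thread.
# All values are constructed placeholders (documentation prefixes, dummy keys).
VPS_V4="192.0.2.10"      # public IPv4 of the VPS (placeholder)
WG_PORT="51820"          # fixed listen port on the VPS
PI_V6="2001:db8::100"    # one address out of the VPS /64, handed to the Pi
MTU="1280"               # conservative choice: the IPv6 minimum MTU

# VPS side: fixed ListenPort and no Endpoint for the Pi, whose home IP is
# dynamic; WireGuard learns it from the Pi's authenticated packets.
render_vps() {
cat <<EOF
[Interface]
Address = fe80::1/64
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>
MTU = ${MTU}
PostUp = sysctl -w net.ipv6.conf.all.forwarding=1
PostUp = ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -D FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = <PI_PUBLIC_KEY>
# Cryptokey routing: this peer may only send from and receive for one address.
AllowedIPs = ${PI_V6}/128
EOF
}

# Pi side: dials out to the VPS and keeps the NAT mapping alive.
render_pi() {
cat <<EOF
[Interface]
Address = ${PI_V6}/128
PrivateKey = <PI_PRIVATE_KEY>
MTU = ${MTU}

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_V4}:${WG_PORT}
AllowedIPs = ::/0
PersistentKeepalive = 25
EOF
}

printf '# --- VPS: /etc/wireguard/wg0.conf ---\n'; render_vps
printf '\n# --- Pi: /etc/wireguard/wg0.conf ---\n'; render_pi
```

Fill the key placeholders from `wg genkey` and `wg pubkey`; the ndppd rule from the earlier post must cover the Pi's address so the VPS answers neighbour solicitations for it.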
  • RickBakkr Member, Patron Provider, LIR

    jbuggie said: Set a conservative MTU for your tunnel or strange things will happen

    Life saver:
    ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

  • Glad to see some IPv6 interest

    Have you looked into Hurricane Electric's tunnel service?

  • Pretty much what I do where I have a /56 in one location and no v6 in the 2nd location.

  • @RickBakkr said:

    There are plenty of tutorials on how to set up WG and a tunnel config, so I don't think it's necessary to write it down here. What you have to achieve is to add an IPv6 route: ip -6 ro a 2001:db8::/64 via <NEXT HOP>, where NEXT HOP is the IPv6 address of a /127 transport net (or you can use on-link fe80:: addresses just fine), on the side of the VM. Be sure to set a return route, which is just a rather rudimentary default route back to the other IP in the /127 (on link on VPS side): ip -6 ro a default via <NEXT HOP>

    Came across this post - I think ip default route may be what I am missing (see my post) for SLAAC to work?

    I think what you are suggesting is that
    server wg0 interface address be from private IPv6 space fd80::1
    client wg0 int address be from fd80::2

    Then on server ndppd would reply to ICMPv6 RA requests and issue IPv6 from the pool?
    My VPS was set up with the first IPv6 available in the block to eth0, so it's pingable. I am not sure if your post implies that I need a point-to-point /128 on my VPS eth0 and then have my VPS provider route the /64 to the eth0 interface /128. Can you clarify?
