Assigning IPv6 to VPS without IPv6 via tunnel

mcgree Member

I know there are free tunnels available, but I want to build my own to experiment.

I have two VPS, one of them has the following configuration:

IPv4: A.A.A.A
IPv6 subnet: aaaa:aaaa:aaaa:aaaa::/64
IPv6 address: aaaa:aaaa:aaaa:aaaa:aaaa:1

I already know that all addresses in the /64 subnet are available; I have added and verified them via ip addr.

The other machine only has IPv4; its address is B.B.B.B

Because the subnet is already /64 length, if I use a v4tunnel assignment, it may not be accessible externally. What else can I do?

Comments

  • If your end goal is to provide IPv6 to the IPv4-only VPS, then you can use a VPN.

  • mcgree Member

    @sibaper said:
    If your end goal is to provide IPv6 to the IPv4-only VPS, then you can use a VPN.

    I have considered using WireGuard, but my goal is for the IPv6 assigned to the other VPS to be accessible to the Internet.

  • skorupion Member, Host Rep

    Hurricane Electric tunnel I would recommend

  • brueggus Member, IPv6 Advocate

    @mcgree said:
    I know there are free tunnels available, but I want to build my own to experiment.

    @skorupion said:
    Hurricane Electric tunnel I would recommend

  • skorupion Member, Host Rep

    @brueggus said:

    @mcgree said:
    I know there are free tunnels available, but I want to build my own to experiment.

    @skorupion said:
    Hurricane Electric tunnel I would recommend

    Look, I'm not the only one that sometimes only glances over the post, OK?

  • You can use WireGuard to achieve this rather easily. You could even assign, say, a /80 IPv6 from the /64 for the IPv4-only VPS to use. You just need to make sure IPv6 forwarding is set up correctly and that you can forward things coming from the prefix.


    Configurations like this would work, supposing the IPv6-enabled VPS has the prefix fd6b:4709:18ce:4320::/64, and we're giving the fd6b:4709:18ce:4320:a::/80 prefix: (sorry if there's something wrong, I am doing this from memory!)

    IPv6-enabled VPS:

    [Interface]
    PrivateKey = <IPv6-enabled VPS private key>
    Address = fd6b:4709:18ce:4320::1/128
    ListenPort = 5353
    PostUp = /usr/sbin/ip6tables -I FORWARD -s fd6b:4709:18ce:4320:a::/80 -j ACCEPT
    PreDown = /usr/sbin/ip6tables -D FORWARD -s fd6b:4709:18ce:4320:a::/80 -j ACCEPT
    
    [Peer]
    PublicKey = <IPv4-only VPS public key>
    PresharedKey = <pre-shared key>
    Endpoint = vps.example.org:5353
    AllowedIPs = fd6b:4709:18ce:4320:a::/80
    PersistentKeepalive = 25
    

    And the obvious on said VPS:

    # Enable IPv6 forwarding
    echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    

    IPv4-only VPS:

    [Interface]
    PrivateKey = <IPv4-only VPS private key>
    Address = fd6b:4709:18ce:4320:a::1/80
    ListenPort = 5353
    
    [Peer]
    PublicKey = <IPv6-enabled VPS public key>
    PresharedKey = <pre-shared key>
    Endpoint = host.example.org:5353
    AllowedIPs = ::/0
    PersistentKeepalive = 25
    

    Hope this helps :)

    Thanked by 1lanefu
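
An added example, not part of JeDaYoshi's post: a Python check that the two WireGuard configs above agree with each other, since WireGuard drops packets from a peer whose source address is outside that peer's AllowedIPs. The names `hub` (IPv6-enabled VPS) and `spoke` (IPv4-only VPS), the `audit` helper and the trimmed config strings are assumptions made for this illustration; only single-peer files are handled.

```python
import ipaddress
import re

# Constructed inputs mirroring the configs in the post above (keys omitted).
HUB_CONF = """
[Interface]
Address = fd6b:4709:18ce:4320::1/128
PostUp = /usr/sbin/ip6tables -I FORWARD -s fd6b:4709:18ce:4320:a::/80 -j ACCEPT
[Peer]
AllowedIPs = fd6b:4709:18ce:4320:a::/80
"""
SPOKE_CONF = """
[Interface]
Address = fd6b:4709:18ce:4320:a::1/80
[Peer]
AllowedIPs = ::/0
"""

def parse(conf):
    """Return {section: {key: value}} for a single-peer wg-quick file."""
    out, section = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = out.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return out

def audit(hub_conf, spoke_conf, parent="fd6b:4709:18ce:4320::/64"):
    """List mismatches that would make the hub drop or not match tunnel traffic."""
    hub, spoke = parse(hub_conf), parse(spoke_conf)
    parent = ipaddress.ip_network(parent)
    delegated = ipaddress.ip_network(hub["Peer"]["AllowedIPs"])
    hub_addr = ipaddress.ip_interface(hub["Interface"]["Address"]).ip
    spoke_addr = ipaddress.ip_interface(spoke["Interface"]["Address"]).ip
    rule = re.search(r"-s\s+(\S+)", hub["Interface"].get("PostUp", ""))
    problems = []
    if not delegated.subnet_of(parent):
        problems.append("delegated prefix is outside the parent prefix")
    if hub_addr in delegated:
        problems.append("hub address lies inside the delegated prefix")
    if spoke_addr not in delegated:
        problems.append("spoke address not in hub AllowedIPs; hub drops its packets")
    if rule is None or ipaddress.ip_network(rule.group(1)) != delegated:
        problems.append("FORWARD rule source does not match AllowedIPs")
    return problems
```

An empty list means the addressing is internally consistent; it says nothing about whether the provider routes the /64 to the hub or treats it as on-link.
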
  • mcgree Member

    @JeDaYoshi said:
    You can use WireGuard to achieve this rather easily. You could even assign, say, a /80 IPv6 from the /64 for the IPv4-only VPS to use. You just need to make sure IPv6 forwarding is set up correctly and that you can forward things coming from the prefix.

    Configurations like this would work, supposing the IPv6-enabled VPS has the prefix fd6b:4709:18ce:4320::/64, and we're giving the fd6b:4709:18ce:4320:a::/80 prefix: (sorry if there's something wrong, I am doing this from memory!)

    IPv6-enabled VPS:

    [Interface]
    PrivateKey = <IPv6-enabled VPS private key>
    Address = fd6b:4709:18ce:4320::1/128
    ListenPort = 5353
    PostUp = /usr/sbin/ip6tables -I FORWARD -s fd6b:4709:18ce:4320:a::/80 -j ACCEPT
    PreDown = /usr/sbin/ip6tables -D FORWARD -s fd6b:4709:18ce:4320:a::/80 -j ACCEPT

    [Peer]
    PublicKey = <IPv4-only VPS public key>
    PresharedKey = <pre-shared key>
    Endpoint = vps.example.org:5353
    AllowedIPs = fd6b:4709:18ce:4320:a::/80
    PersistentKeepalive = 25

    And the obvious on said VPS:

    # Enable IPv6 forwarding
    echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

    IPv4-only VPS:

    [Interface]
    PrivateKey = <IPv4-only VPS private key>
    Address = fd6b:4709:18ce:4320:a::1/80
    ListenPort = 5353

    [Peer]
    PublicKey = <IPv6-enabled VPS public key>
    PresharedKey = <pre-shared key>
    Endpoint = host.example.org:5353
    AllowedIPs = ::/0
    PersistentKeepalive = 25

    Hope this helps :)

    Unfortunately, this does have some errors. I don't know why yet, but it's a good idea.

    When I use the WG NIC of the IPv4-only host to mtr outward, I can see the packets from the IPv6 host (from ip6tables), just not successfully forwarded.

  • Pixels Member
    edited July 2021

    The kind of setup @JeDaYoshi suggests would need for the IPv6-enabled VPS to have a fully routed v6 block. Check if that is the case as it won't work "as is" otherwise.
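
An added example, not from any poster in this thread: one way to tell the on-link case from the routed case Pixels describes is to watch for neighbor solicitations on the public interface of the IPv6-enabled VPS. The capture lines are constructed in tcpdump's output format, and the interface name `eth0` and the function name are assumptions.

```python
import ipaddress
import re

# Constructed capture, in the format printed by `tcpdump -n -i eth0 icmp6`
# on the IPv6-enabled VPS while an outside host pings the tunnelled address.
CAPTURE = """\
12:00:01.000000 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fd6b:4709:18ce:4320:a::1, length 32
12:00:02.000000 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fd6b:4709:18ce:4320:a::1, length 32
12:00:03.000000 IP6 fe80::1 > fd6b:4709:18ce:4320::1: ICMP6, neighbor solicitation, who has fd6b:4709:18ce:4320::1, length 32
12:00:03.000100 IP6 fd6b:4709:18ce:4320::1 > fe80::1: ICMP6, neighbor advertisement, tgt is fd6b:4709:18ce:4320::1, length 24
"""

NS = re.compile(r"ICMP6, neighbor solicitation, who has ([0-9a-f:]+),")
NA = re.compile(r"ICMP6, neighbor advertisement, tgt is ([0-9a-f:]+),")

def unanswered_solicitations(capture, delegated):
    """Return {target: count} of solicitations inside `delegated` that got no advertisement."""
    net = ipaddress.ip_network(delegated)
    asked, answered = {}, set()
    for line in capture.splitlines():
        ns, na = NS.search(line), NA.search(line)
        if ns:
            target = ipaddress.ip_address(ns.group(1))
            if target in net:
                asked[target] = asked.get(target, 0) + 1
        elif na:
            answered.add(ipaddress.ip_address(na.group(1)))
    # Targets the router asked for on the wire but no host on this link claimed.
    return {t: n for t, n in asked.items() if t not in answered}
```

A non-empty result for the delegated prefix means the upstream router is resolving each address by NDP, so the prefix is on-link; with a routed prefix the router would only solicit the VPS's own address and forward the rest to it.
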

  • ApeWeb Member, Host Rep

    If I am correct about what I think you are wanting to do, this could easily be set up using a GRE tunnel. Hetzner have a good guide on how to set one up: https://community.hetzner.com/tutorials/linux-setup-gre-tunnel

  • You can configure tunneling right from the Ubuntu netplan configuration; refer to this article: https://bugs.launchpad.net/netplan/+bug/1799487

  • yoursunny Member, IPv6 Advocate

    @mcgree said:
    my goal is for the IPv6 assigned to the other VPS to be accessible to the Internet.

    I did exactly that yesterday.

    vps9 is a WebHosting24 10x10x10 from @tomazu.
    Its IPv4 address is 192.0.2.1/24.
    Its routed IPv6 prefix is 2001:db8:e915::/48. This has to be a routed prefix, not an on-link prefix. See Routed IPv6 Hall of Fame to find providers that offer routed IPv6 prefix.

    box5 is a @VirMach 120-day temporary chicken.
    Its IPv4 address is 198.51.100.1/24.
    Within the routed IPv6 prefix, I decide to assign 2001:db8:e915:9493::/64 to this server.

    vps9 runs Ubuntu 20.04.
    I added the following to /etc/netplan/01-netcfg.yaml:

    network:
      version: 2
      tunnels:
        box5sit:
          mode: sit
          local: 192.0.2.1
          remote: 198.51.100.1
          addresses:
            - 2001:db8:e915:9493::0/127
          routes:
            - to: 2001:db8:e915:9493::/64
              via: 2001:db8:e915:9493::1
    

    Then I added these firewall rules:

    sudo ufw allow from 198.51.100.1 proto ipv6
    sudo ufw route allow out on box5sit to 2001:db8:e915:9493::/64
    sudo ufw route allow in on box5sit from 2001:db8:e915:9493::/64
    

    box5 runs Debian 11.
    I added the following to /etc/network/interfaces:

    auto vps9-ipv6
    iface vps9-ipv6 inet6 v4tunnel
      address 2001:db8:e915:9493::1
      netmask 127
      endpoint 192.0.2.1
      local 198.51.100.1
      ttl 255
      gateway 2001:db8:e915:9493::0
    

    Then I added the following firewall rules:

    sudo ufw allow from 192.0.2.1 proto ipv6
    

    As a result:

    • 2001:db8:e915:9493::0 is the default gateway and cannot be used on box5.
    • 2001:db8:e915:9493::1 is the primary IPv6 address of box5.
    • Any other address within 2001:db8:e915:9493::/64 can be used on box5 or in its Docker containers.
    • These addresses are accessible from Internet. All traffic goes through vps9.
    • ping traffic is allowed by default. To open ports or route into Docker containers, you will also need additional firewall rules.
    • MTU of the tunnel interface is 20 less than MTU of the IPv4 interface. If you create a Docker network bridging on this tunnel, you should set its MTU to 1480. This problem does not affect you if you only use IPv6 on the box5 host itself.

    It's best if both servers are in the same geographical area.
    In my case, vps9 is in Munich and box5 is in Buffalo, so that it experiences high latency for sure, and GeoDNS works against me because ping ipv6.google.com would go to Munich then back to New York.
