Comments

• st1905 Member

  April 10

  I got this tunnelbroker service to provide ipv6 addresses for all devices at home using openwrt. I was not able to use your wireguard option though, handshake never worked for some reason. I used SIT on my server elsewhere and then configured wireguard on the same server and used one of the /64 prefixes and then i was able to provide public ipv6 for all devices at home, this is very useful since i`m behind cgnat, i can now access every device/service at home remotely via ipv6 anywhere i go. Thank you.

  Thanked by 1elusiVeRPG
• elusiVeRPG Member, Host Rep

  April 10

  @st1905 said:
  I got this tunnelbroker service to provide ipv6 addresses for all devices at home using openwrt. I was not able to use your wireguard option though, handshake never worked for some reason. I used SIT on my server elsewhere and then configured wireguard on the same server and used one of the /64 prefixes and then i was able to provide public ipv6 for all devices at home, this is very useful since i`m behind cgnat, i can now access every device/service at home remotely via ipv6 anywhere i go. Thank you.

  This is weird, can you provide some logs why wg was not working I will investigate
• st1905 Member

  April 10

  The wireguard issue has nothing to do with your service. I`m living in a country where they block everything with DPI. Apparently they block the connection as soon as wireguard handshake starts. I use a kernel obfuscation module for all other wireguard connections i have here and they work fine.

  Thanked by 1elusiVeRPG
• whynotlearn Member

  April 10

  I had some idea similar to this sometime ago, good to see you work on it, I genuinely wish you the very best for this project @elusiVeRPG !

  Thanked by 3elusiVeRPG Starnberg buggedout
• tdy0923 Member

  April 10

  @elusiVeRPG said:

  🌐 Free IPv6 Tunnel Broker Service Launch!

  Hello LET community! 👋

  I'm excited to announce the launch of our free IPv6 tunnel broker service at tb.tahio.eu!

  📦 What We Offer:

  • Free IPv6-over-IPv4 tunneling service

  • Two tunnel types available:

    • 📡 SIT (Simple Internet Transition)
    • 🔄 GRE (Generic Routing Encapsulation)

  • 50 Mbit/s bandwidth per tunnel (both upload and download)

  • Three delegated /64 prefixes per tunnel (each from different ipv6 class)
  • Ready-to-use configuration commands for client side

  ⚡ Key Features:

  • Simple dashboard interface
  • Easy tunnel management
  • IP address update functionality
  • Automatic configuration generator

  ⚠️ Limitations:

  • Maximum 2 tunnels per account (lifetime limit)
  • No uptime or performance guarantees (but I'll do my best to maintain good service)
  • Basic security restrictions to protect infrastructure

  🛠️ Coming Soon:

  • NS record management for delegated prefixes (work in progress)
  • More management features

  🎯 Important Notes:

  • This is a completely free service with no strings attached
  • No warranties or guarantees provided
  • Zero tolerance for abuse
  • Development pace might be slow as I'm balancing this with work, family, and other free projects

  💡 Technical Details:

  • Fronted built with Next.js and Supabase
  • Backend built with Go.
  • Open signup - just create an account and start using
  • Simple API-driven backend
  • Automated tunnel provisioning

  Feel free to try it out and share your feedback! While this is a free service without guarantees, I'm committed to maintaining it as best as I can.

  🤝 Support

  Available on IRCnet #6to4 channel (my nickname there is kofany as I use here my "games" nickname

  Remember to set net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf to get your tunnel working 😊

  ---

  Note: Please be patient with feature updates - I'm juggling this project with work, family, and other community initiatives. The NS records management feature is currently under development!

  That's a great server. Does that mean my server will have its own IPv6 address? How long will this service be available?
• Monocle Member

  April 10

  Love the Wireguard integration! Thanks for the service.

  Would it be possible to add an API endpoint to update the client IP?
• elusiVeRPG Member, Host Rep

  April 10

  @Monocle said:
  Love the Wireguard integration! Thanks for the service.

  Would it be possible to add an API endpoint to update the client IP?

  Is in todo and I hope I will find some time over the weekend as I have also second endpoint ready.

  Thanked by 4Monocle whynotlearn st1905 Starnberg
• elusiVeRPG Member, Host Rep

  May 7

  🌐 Update: Dynamic DNS support is live!

  Hey LET! 👋

  Small but useful update for everyone running their tunnel from a home connection or any setup with a dynamic public IPv4: you no longer need to log into the dashboard every time your ISP renumbers you. The service now speaks dyndns2 natively, so your router or ddclient can keep the tunnel endpoint in sync on its own.

  🆕 What's new

  A headless endpoint at https://tb.tahio.eu/nic/update (with an alias at /api/dyndns/update) that follows the dyndns2 conventions: HTTP Basic auth, plain-text response codes (good <ip> / nochg <ip> / badauth / nohost / notfqdn / abuse / 911), ?hostname= and ?myip= query params. Exactly what every off-the-shelf DDNS client already speaks.

  ✅ Compatible with

  • Routers: Fritz!Box, MikroTik (RouterOS), OpenWrt (ddns-scripts), ASUS / Merlin, OPNsense, pfSense — anything with a "Custom DynDNS" form
  • Clients: ddclient, inadyn, ddupdate, or anything that takes protocol=dyndns2
  • Plain curl if you'd rather script it yourself

  🛠️ How to enable it

  1. Log into the dashboard, pick one of your SIT or GRE tunnels. (WireGuard peers learn the client endpoint automatically after handshake — DDNS isn't needed there, so the panel is hidden for wg.)
  2. Open the new Dynamic DNS panel on the tunnel card → click Generate DDNS token. Copy the token from the modal — it's shown only once.
  3. Paste the credentials into your router or client. The modal includes ready-to-copy snippets for Fritz!Box, ddclient, MikroTik, and OpenWrt.

  ddclient example:
  protocol=dyndns2
  use=web, web=https://ipv4.icanhazip.com
  server=tb.tahio.eu
  ssl=yes
  login=tun-XXXX-1
  password=ddns_
  tun-XXXX-1

  Bare curl, if you prefer:
  ```bash
  curl -u 'tun-XXXX-1:ddns_' \
  'https://tb.tahio.eu/nic/update?hostname=tun-XXXX-1&myip=auto'

  → good 1.2.3.4

  myip=auto (or no myip at all) makes the server use your source address — matches the behaviour of dyn.com / No-IP.

  🔒 Architecture, for the curious

  • Per-tunnel credentials. Each tunnel has its own token. Leak one → rotate that one, the other is unaffected.
  • Bcrypt at rest. Plaintext is shown to you exactly once at create / rotate. The server only ever stores bcrypt(token, cost=12) plus an 8-character prefix for UI recognition.
  • No new auth surface for the rest of the API. The dashboard still uses Supabase sessions; only the headless /nic/update route validates HTTP Basic + bcrypt itself, then proxies the IP change through the existing internal admin endpoint.
  • Rate-limited. 1 successful update per 30 s per token, 30 requests per minute per source IP — enough room for legit use, tight enough to make brute-forcing pointless.
  • Refuses private IPs. RFC1918, loopback, link-local and 0.0.0.0/8 all return 911 with a log entry — a "good" response is only ever issued for a routable public address.

  🐛 Found a problem?

  Reply here, or ping me on IRCnet #6to4 (nick kofany). End-to-end tested today with a live GRE tunnel before flipping the switch, but with hundreds of client interfaces in the wild and every flavour of router out there, I'd be surprised if no one finds an edge case. 🙏

  Thanked by 4yoursunny Greyhound st1905 Starnberg
• elusiVeRPG Member, Host Rep

  May 7

  @Monocle said:
  Love the Wireguard integration! Thanks for the service.

  Would it be possible to add an API endpoint to update the client IP?

  You have it ready, please test it

  Thanked by 1Monocle
• elusiVeRPG Member, Host Rep

  May 19

  Be prepared . RevDNS support is coming soon to our tunnel broker service . Stay tuned!

  Thanked by 3BasToTheMax yooz yoursunny
• cinwie Member

  May 20

  ty for your informations

  Thanked by 1elusiVeRPG
• Vovan32 Member

  May 20

  Thanks for Wireguard integration!

  Would it be possible to add an IPV6 endpoint to wireguard. It's will be expand client IP6 address range from one address to /64?

  Thanked by 2elusiVeRPG yoursunny
• elusiVeRPG Member, Host Rep

  May 20

  @Vovan32 said:
  Thanks for Wireguard integration!

  Would it be possible to add an IPV6 endpoint to wireguard. It's will be expand client IP6 address range from one address to /64?

  I will consider that in next update, when I ship RevDNS possibility. So I hope it will be ready this weekend.
• elusiVeRPG Member, Host Rep

  May 21

  @Vovan32 said:
  Thanks for Wireguard integration!

  Would it be possible to add an IPV6 endpoint to wireguard. It's will be expand client IP6 address range from one address to /64?

  You have it ready. WG supports now both ipv4 and ipv6 as endpoint. Please test it and let us know if all works like it should.
• elusiVeRPG Member, Host Rep

  May 21

  🧭 Update: Reverse DNS is live! 🎉

  Hey LET! 👋

  The one feature I've been promising since April 2025 (sorry for the wait — life got in the way more than once) is finally shipped. Every tunnel user can now manage reverse DNS for their delegated /64 prefixes straight from the dashboard, in two flavours:

  🆕 What's new

  • Own NS delegation per /64 — point the reverse zone of any of your /64s at your own authoritative nameservers. One mandatory ns1.example.com., optional ns2.example.com.. From that moment on you serve the PTR records, we just publish the NS delegation.
  • Hosted PTRs — don't want to run a nameserver? Just type the hostname for any IPv6 address you actually use. We host it on our authoritative servers (ns1.got.al / ns2.got.al). Cap of 100 PTRs per user, which should comfortably cover a small fleet of services.

  You can mix both per-/64 — delegate one /64 to your own NS, leave the others on our hosted PTRs. Toggle anytime; switching back from Own NS just reactivates whatever PTRs you had.

  🛠️ How to use it

  1. Log in to the dashboard at https://tb.tahio.eu.
  2. Click RevDNS in the sidebar.
  3. Own NS tab — flip the toggle for any /64, fill in ns1 / ns2 (must end with a .), save.
  4. PTR records tab — pick a prefix from your list, type the full IPv6 address you want labelled, type the FQDN (with the trailing dot), save. Edit / delete from the same view.

  Propagation is normally a few seconds end-to-end — backend cache + PowerDNS publish are surgical, so it shows up on ns1.got.al very quickly.

  ✅ What works

  • Both SIT/GRE and WireGuard tunnels — RevDNS is per-/64, tunnel type doesn't matter.
  • Standard ip6.arpa nibble-aligned zones; dig -x from anywhere returns your PTR right after save.
  • If you have multiple tunnels, every /64 you own shows up in one list, sorted by prefix.

  ⚠️ Notes

  • Address must be inside one of your assigned /64s (the UI refuses anything else).
  • When Own NS is enabled for a /64, our hosted PTRs for that /64 become unreachable by design — the delegation gives you full authority. Disable Own NS and the PTRs come back.
  • Only addresses inside our six managed prefix pools are accepted: 2a05:1083:bef0::/44, 2a12:bec0:2c0::/44, 2a05:1083:bee0::/44, 2a05:dfc1:3c10::/44, 2a03:94e0:2496::/48, 2a05:dfc1:3ccc::/48. If your tunnel is dual-prefix this is automatic.

  Also worth mentioning: yesterday's WireGuard dual-stack endpoint update (IPv4 and IPv6 endpoints, your pick) shipped alongside this, so the dashboard's WG config tab now has a small IPv4/IPv6 toggle above the download button. SIT/GRE stay IPv4-only by design.

  Big thanks to everyone who patiently kept asking for this — @ashish168527 and a few others originally floated the idea back in April. Test it, break it, file feedback in the thread. 🚀

  Thanked by 2st1905 torsurfer