• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Running a successful and reliable tunnel on Debian 6.0

Started by theckman, February 16, 2012, 11:05:24 AM


theckman

Hello,

I drafted up and published a few articles on my blog over the past year or so explaining how to run a dual-stack network at home using a Debian 6.0 server (in my case a netbook).  The articles range from setting up the tunnel, to implementing some scripts to help keep the tunnel online in the case where you may have a dynamic IP at home.

The articles were written with Debian 6.0 as the system running underneath.  With little or no modification the instructions, and scripts, should work on Debian-derived distributions like Ubuntu and Linux Mint. With a little more work you could very easily port the instructions to Arch Linux, Gentoo, or even the RedHat-derived distributions.  

I recommend doing this on a system that's going to be powered 24/7.  In my case I used my old netbook as it had an SSD, low power consumption, and a built-in battery backup ;D!

Hurricane Electric recently featured one of the articles on their Social Networking pages.  So I'd like to thank them for making the articles a little more visible as well as giving us all the opportunity to have IPv6 even if native may not be available right now:

- https://www.facebook.com/he.net/posts/349290275102711
- https://plus.google.com/101080388381040783378/posts/QDgJLt3CLVw

Here are the direct links to the articles, and a little bit of a summary of what the articles are about:

Hurricane Electric Tunnelbroker IPv6 Gateway
- This article gives you full instructions for getting an IPv6 tunnel online for your entire network.  This includes sending router advertisements across your network so that even your Android or iOS devices have IPv6 addresses assigned to them.  At the end your tunnel should come back to life even if the gateway system gets rebooted.

IPv6 Gateway Maintenance Perl Script
- This is my second script to maintain the gateway.  As with most residential broadband users your IPv4 address is not static.  This script checks your external IPv4 address, matches it against a cached version on disk, and updates the Hurricane Electric API if the IP address is different.  This does require some modules to be built from CPAN.  It also does the job a bit more cleanly than my shell script.  This script is more resilient if one, or more, of the sites used to obtain the external address are down.

IPv6 Gateway Maintenance Shell Script
- This was my original script to maintain the gateway.  There were some limitations I had to work around with this script, so it is kind of messy.  However, if you don't want to mess with compiling modules from CPAN it works.  This script doesn't have the resiliency of the Perl script.  I would recommend using the Perl script and just compile the needed modules.

Both of these scripts live on my Github account.

Let me know if you guys have any feedback or need any help with anything.  I can definitely do my best to help, even if it comes to playing with another distribution/OS.

There are a few ways to contact me:

https://twitter.com/theckman
https://github.com/theckman
https://plus.google.com/103975868064245571228

I look forward to your feedback!

-Tim

steubentech

#1
This looks good to me. I've also set up an old laptop running Squeeze as a gateway.

One thing I noticed is that you don't cover firewall setup at all, which would expose everything on the LAN that responds to a router announcement to the v6 internet without filtering.

I've written a similar blog post here that does cover firewall setup with ip6tables on the gateway.

http://steubentech.com/~talon/blog/blosxom.cgi/debian/ipv6

You can also find a really good presentation on IPv6 security here http://www.youtube.com/watch?v=Pk_5b25TLGU

The main thing I find of interest in that talk aside from all the fun you can have with RAs is the new methods developed to quickly scan a V6 network in much less time than you might think could be done.


steubentech

Just wanted to mention that I found and fixed some problems with my ip6tables rules and posted it to the URL in my post above, just in case someone might have used that info as an example.
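
The gap steubentech raises (a tunnel gateway forwarding IPv6 to every LAN host with no filtering) can be checked from the gateway's `ip6tables-save` output. The script below is an added example, not code from either poster's articles or scripts; both sample rulesets are constructed, and the interface names `eth0` and `he-ipv6` are assumptions.

```shell
#!/usr/bin/env bash
# Audit the filter-table FORWARD chain in `ip6tables-save` output read from stdin.
# Prints one finding per line; exit status 0 means no findings.
audit_forward() {
    awk '
        /^\*/ { table = $1 }                 # table header such as "*filter"
        table != "*filter" { next }          # ignore mangle, raw, etc.
        /^:FORWARD / { policy = $2 }         # chain policy line
        /^-A FORWARD / {
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) stateful = 1
            if ($0 ~ /^-A FORWARD -j ACCEPT[ \t]*$/) blanket = 1
        }
        END {
            if (policy != "DROP") {
                print "FORWARD policy is " (policy == "" ? "missing" : policy) ", expected DROP"
                bad = 1
            }
            if (!stateful) { print "no rule accepts RELATED/ESTABLISHED forwarded traffic"; bad = 1 }
            if (blanket)   { print "unconditional -A FORWARD -j ACCEPT rule present"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: gateway with no IPv6 filtering, so LAN hosts are reachable.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: default-deny forwarding; only replies, ICMPv6 and
# LAN-initiated traffic pass (eth0 = LAN, he-ipv6 = tunnel; assumed names).
SAMPLE_FILTERED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i eth0 -o he-ipv6 -j ACCEPT
COMMIT'

echo "== unfiltered gateway =="
printf '%s\n' "$SAMPLE_OPEN" | audit_forward || true
echo "== filtered gateway =="
printf '%s\n' "$SAMPLE_FILTERED" | audit_forward && echo "no findings"
```

On a live gateway, run `ip6tables-save | audit_forward` as root.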