Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Sub tunneling?

Started by minoss, May 08, 2012, 05:25:09 AM


minoss

Hi all,

Last week I was at a resort that offered free Internet access.
The snag, however, was that they were doing NAT and their cable modems gave out RFC 1918 addresses, all in the 10.x.y.z range.

I was wondering if I could get a tunnel through this.
After requesting a normal tunnel, tunnelbroker detected and reported the IPv4 endpoint at the resort.
I could request a tunnel, but understandably it never worked.
In one of the threads people noted that if protocol 41 isn't forwarded, you are out of luck.

Assuming (!) one has a working IPv6 tunnel at home....

(IPv6)==[H.E.]---(IPv4)--[Home]
                    |
                 (IPv4)--[Resort]--(NATv4)--[Room]

I was wondering: if you could set up an OpenVPN tunnel between your current location and home,
would it be possible to forward "protocol 41",

(IPv6)==[H.E.]---(IPv4)
                    |
                 (IPv4)---------------------[Home]
                    |                         ||
                    |                       (OpenVPN-IPv4)
                    |                         ||
                 (IPv4)--[Resort]--(NATv4)--[Room]

...and build your own "sub-tunnel"...

(IPv6)==[H.E.]---(IPv4)---[Home]===(openVPN)===[room]

And route the resulting v6 traffic at home?


kasperd

Quote from: minoss on May 08, 2012, 05:25:09 AM:
I could request a tunnel, but understandably it never worked.
In one of the threads people noted that if protocol 41 isn't forwarded, you are out of luck.

Through some NAT units it works out of the box, but restrictions in the service provided by HE will limit you to at most one tunnel. If another person behind that NAT had the same idea as you, HE will not support it.

Through some NAT units it requires configuration of the NAT unit to decide which IPv4 address on the LAN gets to use protocol 41.

Through some NAT units it just won't work.

Quote:
I was wondering: if you could set up an OpenVPN tunnel between your current location and home,
would it be possible to forward "protocol 41"

If that is the way you want to go, then you should only use protocol 41 between your home and HE. Your laptop connecting to your home from various locations should not be using protocol 41 at all. It should use some other protocol suitable for communicating with your home. Most likely you'll only get it working if you use something that runs over UDP.

I don't know if OpenVPN covers your needs. You need a VPN system that can tunnel IPv6 over UDPv4. There is no connection between what protocol is used on the inside and the outside of a VPN connection. So any decent VPN software that can work on top of UDPv4 can tunnel IPv6 on the inside.

If you get the VPN connection working, then your gateway at home just needs to route IPv6 packets between the two tunnels. And if you request a /48 from HE, then you can easily set aside a /60 for your laptop, such that your laptop could even be configured to offer IPv6 routing for the network it is present on, if you choose to do so.

As long as your laptop gets addresses in a subnet of the address assigned to the tunnel going to your home, that implies IPv6 traffic to and from the laptop also takes that path. Depending on the bandwidth you have at home, that may be acceptable. Unfortunately the solutions I could offer for that have other drawbacks.

Instead of routing all IPv6 traffic from your laptop through your gateway at home, you could set up your laptop to use Teredo, which is designed to tunnel IPv6 traffic through a NAT. The drawback of this is that reliability isn't great. You can, however, do something to at least get the connection between your laptop and your home to work quite reliably. The approach is to set up a Teredo client on your laptop and just keep it in the standard configuration. On your gateway at home you then set up a Teredo relay that is responsible for all communication where one endpoint is within your home and the other endpoint is a Teredo client.

On Linux (and other Unix systems) the miredo software can be used for both the client and relay functionality. By default it acts as a client, but with a minor configuration change it acts as a relay. Don't try to set up a Teredo server yourself; just use whatever public Teredo server your Teredo client uses by default. If you are using Windows, then recent versions have a built-in Teredo client. I don't know if Windows has a Teredo relay as well, but I would guess it does.

I have set up such a configuration myself, but it is too early for me to say much about my experience with it.

Finally, you can consider a different tunnel provider. I have heard that SixXS has tunnels that don't require protocol 41, so they may be more suited for your laptop. I just haven't had the opportunity to test it; I gave up on the bureaucracy involved in registering with them.

If you use a SixXS tunnel on your laptop and an HE tunnel at home, then traffic between your laptop and home will take a detour. So in that case you might still want to consider the original tunnel options just to get a shortcut back home. Then you would only use that tunnel for traffic between the laptop and home, instead of for all IPv6 traffic on the laptop.

minoss

By the way, perhaps I did not make it clear enough, but I do not want to offer IPv6 tunnels to others.
I just want to have access to the whole Internet, even when I am not at home.

Got [off-forum] a nice suggestion from David Sommertseth that in the upcoming release 2.3 of OpenVPN,
they will decently support the transit of IPv6 through their VPN.
And as OpenVPN is capable of penetrating most firewalls, works behind NAT and through HTTP proxies,
it will just enlarge my own home network, which is good enough for me.

The only drawback (for other people) might be that you need a server up and running while not at home...

jtcloe

If I'm not mistaken, OpenVPN supports IPv6 directly (if it doesn't, there are others like tinc that do).

At that point, protocol 41 becomes irrelevant. You use the 6in4 tunnel (protocol 41) between your "home server" and HE, then you use OpenVPN (or really any VPN solution) between your "home server" and your remote client (your laptop).

There are a couple of ways to do it, but probably the easiest would be to get a /48, then carve a /64 out of that /48 and let OpenVPN (or whatever else) have that for itself.

OpenVPN only uses a pretty NAT-friendly single-UDP-port setup, so as long as you can get an outbound UDP connection, you can probably get OpenVPN to work (unless you are behind some misguided security attempt at only allowing 80, 443, etc.).

tinc is basically the same, except it uses a single UDP and a single TCP port.

With OpenVPN, the port numbers can be changed pretty easily if you hit a paranoid firewall; not sure with tinc, but I would assume the same.
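Both kasperd's suggestion (set aside a /60 from the routed /48 for the laptop) and jtcloe's (carve a /64 out of the /48 for OpenVPN) come down to the same step: pick one subnet out of the broker's routed block, hand it to the VPN, and make the home gateway forward only that subnet toward HE. The script below is an added example and is not code from any poster in this thread or from OpenVPN, miredo or tinc. It assumes the OpenVPN 2.3 directives `tun-ipv6`, `server-ipv6` and `push "route-ipv6 ..."`, a Linux home gateway with a 6in4 interface named `he-ipv6` and an OpenVPN device named `tun0` (both interface names are assumptions), and uses the RFC 3849 documentation prefix 2001:db8::/48 as a constructed stand-in for a real routed /48.

```python
"""Carve a VPN subnet out of a tunnel-broker /48 and emit the matching
OpenVPN 2.3 and Linux forwarding configuration for the home gateway.
Added example; not code from this thread or from any of the projects named in it."""
import ipaddress

# Constructed value: 2001:db8::/48 is the documentation prefix, not a real
# allocation. Replace it with the routed /48 shown on the tunnel broker page.
ROUTED_48 = ipaddress.IPv6Network("2001:db8::/48")


def subnet_count(routed, new_prefixlen):
    """How many subnets of length new_prefixlen fit inside `routed`."""
    if new_prefixlen < routed.prefixlen:
        raise ValueError("requested prefix is larger than the routed block")
    return 2 ** (new_prefixlen - routed.prefixlen)


def carve_subnet(routed, new_prefixlen, index):
    """Return the index-th subnet of length new_prefixlen inside `routed`.

    Out-of-range indexes raise rather than silently producing a prefix that
    the broker never routes to the home tunnel (traffic would just vanish).
    Works for any prefix length, so it covers both the /60 and the /64 case."""
    count = subnet_count(routed, new_prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} out of range for {count} subnets")
    base = int(routed.network_address) + index * 2 ** (128 - new_prefixlen)
    return ipaddress.IPv6Network((base, new_prefixlen))


def openvpn_server_lines(vpn_subnet):
    """OpenVPN 2.3 server-side directives: give the VPN its own IPv6 subnet
    and tell clients to send all global-unicast IPv6 through the tunnel."""
    return [
        "tun-ipv6",                                  # 2.3 still needs this on tun
        f"server-ipv6 {vpn_subnet.with_prefixlen}",  # pool for VPN clients
        'push "route-ipv6 2000::/3"',                # all global unicast via VPN
    ]


def home_gateway_commands(vpn_subnet, he_if="he-ipv6", vpn_if="tun0"):
    """Linux commands for the home gateway (interface names are assumptions).

    Forwarding is enabled, and the FORWARD chain accepts packets from the VPN
    into the HE tunnel only when their source lies in the carved subnet, so a
    misconfigured or compromised VPN client cannot push spoofed source
    addresses out through the home tunnel. Return traffic for the subnet
    is allowed back from HE toward the VPN."""
    net = vpn_subnet.with_prefixlen
    return [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip6tables -A FORWARD -i {vpn_if} -o {he_if} -s {net} -j ACCEPT",
        f"ip6tables -A FORWARD -i {vpn_if} -o {he_if} -j DROP",
        f"ip6tables -A FORWARD -i {he_if} -o {vpn_if} -d {net} -j ACCEPT",
    ]


if __name__ == "__main__":
    # jtcloe's variant: the second /64 of the /48 goes to OpenVPN.
    vpn64 = carve_subnet(ROUTED_48, 64, 1)
    # kasperd's variant: a /60 so the laptop can itself route for a LAN.
    laptop60 = carve_subnet(ROUTED_48, 60, 1)
    print("# OpenVPN server.conf additions for", vpn64)
    print("\n".join(openvpn_server_lines(vpn64)))
    print("\n# home gateway commands")
    print("\n".join(home_gateway_commands(vpn64)))
    print("\n# /60 that could instead be delegated to the laptop:", laptop60)
```

The `/60` and `/64` calls differ only in the prefix length argument; whichever you choose, the HE side routes the whole /48 to the home endpoint, so nothing changes on the broker page, and the ACCEPT/DROP pair is what keeps the home tunnel from becoming an open relay for whatever a VPN client decides to source.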