Ipv6 Tunnel | @sskaje

By @sskaje
Link: https://sskaje.me/2016/01/create-your-own-tunnelbroker-net-iproute2/

IPv4下连IPv6有无数种解决方案，传统的6to4, 6in4, TEREDO…没兴趣讲优缺点，可以在wikipedia的页面上看看各家都用了啥。

TunnelBroker.net 应该是没IPv6的地方最流行的上IPv6的解决方案了。
如果你觉得它不爽，其实自己搞一个也没那么难。

上边wikipedia页面里说HE的技术实现是Unknown。其实自己试过一次大概都能知道应该往哪个方向去研究它的技术实现了。

贴一个我路由器上的IPv6 Tunnel信息。

tun0      Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::c0a8:b01/64 Scope:Link
          inet6 addr: 2001:470:23:1xx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:900942 errors:0 dropped:0 overruns:0 frame:0
          TX packets:905985 errors:4 dropped:0 overruns:0 carrier:4
          collisions:0 txqueuelen:0 
          RX bytes:559785922 (533.8 MiB)  TX bytes:179756964 (171.4 MiB)

tun0 Link encap:IPv6-in-IPv4

inet6 addr: fe80::c0a8:b01/64 Scope:Link

inet6 addr: 2001:470:23:1xx::2/64 Scope:Global

UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1

RX packets:900942 errors:0 dropped:0 overruns:0 frame:0

TX packets:905985 errors:4 dropped:0 overruns:0 carrier:4

collisions:0 txqueuelen:0

RX bytes:559785922 (533.8 MiB) TX bytes:179756964 (171.4 MiB)

首先，UBNT给我创建的interface是tun0；其次 Link encapsulation 是 IPv6-in-IPv4，也就是传说中的 6in4；再往下看，POINTOPOINT。
再加上TunnelBroker的Example Configurations里给了一个iproute2的配置方法：

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 74.82.46.6 local xx.xx.xx.xx ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:23:1xx::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

modprobe ipv6

ip tunnel add he-ipv6 mode sit remote 74.82.46.6 local xx.xx.xx.xx ttl 255

ip link set he-ipv6 up

ip addr add 2001:470:23:1xx::2/64 dev he-ipv6

ip route add ::/0 dev he-ipv6

ip -f inet6 addr

思路很简单了。

假设服务器端为S，用户路由为R，则两边的参数逻辑应该是：
S:
Remote: R.ipv4 Local: S.ipv4 V6 IP: S.ipv6 Route: v6子网/CIDR

R:
Remote: S.ipv4 Local: R.ipv4 V6 IP: R.ipv6 Route: ::/0 即默认路由

具体来说，假设你S的IP为1.1.1.1，可支配的IPv6 pool为 2400:1234:5678:9abc::/64，R的IP为2.2.2.2，上述的配置可能是：
S.ipv4 = 1.1.1.1 S.ipv6 = 2400:1234:5678:9abc:1000::1/80


v6子网/CIDR = 2400:1234:5678:9abc:2000::/80
R.ipv4 = 2.2.2.2

R.ipv6 = 2400:1234:5678:9abc:1000::2/80

命令还不会的，可以阅读Setup of point-to-point tunnel

接下来还有一个问题，我的公网不是固定IP怎么办？
简单。
对于S端来说，Remote依旧是R.ipv4，必须是确定的IP。
对于R端来说，Local可以是0.0.0.0。
每次R更换IP后，需要通知S来更新Remote。

再搞不定？
没问题，看我的github项目：https://github.com/sskaje/6in4

另外，Linode 可以申请IPv6的池子，可以是 /56 或者 /64，可以自建tunnel玩。

自建 6in4 Tunnel Server (iproute2) by @sskaje: https://sskaje.me/2016/01/create-your-own-tunnelbroker-net-iproute2/

Incoming search terms:

By @sskaje
Link: https://sskaje.me/2015/05/tunnelbroker-edgerouter-lite/

创建隧道

在北京联通这种不给IPv6网络的ISP下生存，总有走v6翻墙的欲望。
免费的Tunnel服务很多，最出名莫过HE.net的TunnelBroker

首先申请一个Tunnel。
访问：

https://tunnelbroker.net/new_tunnel.php

1	https://tunnelbroker.net/new_tunnel.php

注册登录之后，创建并输入当前路由公网IP “YOUR.ROUTER.INTERNET.IP”。

创建成功后会被跳转到

https://tunnelbroker.net/tunnel_detail.php?tid=XXXXX

1	https://tunnelbroker.net/tunnel_detail.php?tid=XXXXX

XXXXX的部分是一串数字，所谓的Tunnel ID.

在这个页面上选择第二个标签页 “Example Configurations”
选择 “Vyatta / Ubiquiti EdgeMAX”

文本框会自动生成如下配置：

configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip YOUR.ROUTER.INTERNET.IP
set remote-ip 74.82.46.6
set address 2001:470:23:XXXX::XX/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit

configure

edit interfaces tunnel tun0

set encapsulation sit

set local-ip YOUR.ROUTER.INTERNET.IP

set remote-ip 74.82.46.6

set address 2001:470:23:XXXX::XX/64

set description "HE.NET IPv6 Tunnel"

exit

set protocols static interface-route6 ::/0 next-hop-interface tun0

commit

remote-ip是创建时选择的远端服务器IP，local-ip是本地当前的出口IP。
鉴于ISP给的IP都是动态的，所以local-ip改成如下‘0.0.0.0’。

如果之前有配置过tunnel，需要重新配置，则先删除既有的：

delete interfaces tunnel tun0

1	delete interfaces tunnel tun0

下面开始命令配置tunnel

configure
# tun to ipv6
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 0.0.0.0
set remote-ip 74.82.46.6
set address 2001:470:23:XXXX::XX/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit
save

configure

# tun to ipv6

edit interfaces tunnel tun0

set encapsulation sit

set local-ip 0.0.0.0

set remote-ip 74.82.46.6

set address 2001:470:23:XXXX::XX/64

set description "HE.NET IPv6 Tunnel"

exit

set protocols static interface-route6 ::/0 next-hop-interface tun0

commit

save

Router Advert

配置完tunnel，就得配局域网内的配置了，毕竟只有路由能上v6是不够的

interfaces {
    ethernet eth0 {               
        address 192.168.11.1/24   
        duplex auto               
        ipv6 {                    
            address {             
                autoconf           
            }                     
            dup-addr-detect-transmits 1
            router-advert {                        
                cur-hop-limit 64  
                link-mtu 0        
                managed-flag false
                max-interval 600  
                other-config-flag false
                prefix 2001:470:24:xxx::/64 {
                    autonomous-flag true
                    on-link-flag true       
                    valid-lifetime 2592000         
                }                 
                radvd-options "RDNSS 2001:470:20::2  {} ;"
                reachable-time 0  
                retrans-timer 0   
                send-advert true  
            }                     
        }                         
        speed auto                          
    } 
...
}

interfaces {

ethernet eth0 {

address 192.168.11.1/24

duplex auto

ipv6 {

address {

autoconf

}

dup-addr-detect-transmits 1

router-advert {

cur-hop-limit 64

link-mtu 0

managed-flag false

max-interval 600

other-config-flag false

prefix 2001:470:24:xxx::/64 {

autonomous-flag true

on-link-flag true

valid-lifetime 2592000

}

radvd-options "RDNSS 2001:470:20::2 {} ;"

reachable-time 0

retrans-timer 0

send-advert true

}

speed auto

}

...

}

如果你本地的DNS规则有过配置，radvd-options 的配置一定要把ipv6地址设成路由器的v6地址

实践证明，我之前折腾了好久的dhcpv6没用，但是配置也可以贴出来

...
service { 
...                     
    dhcpv6-server {                              
        shared-network-name LAN_DEAD {   
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844 
            subnet 2001:470:23:xxxx:dead::/80 {   
                address-range {         
                    start 2001:470:23:xxxx:dead::1000 {
                        stop 2001:470:23:xxxx:dead::8000
                    }                            
                }                       
                name-server 2001:4860:4860::8888 
                name-server 2001:4860:4860::8844
                prefix-delegation {              
                    start 2001:470:23:xxxx:dead::1000 {
                        prefix-length 80
                    }                  
                }                          
            }                           
        }                               
    }  
}

...

service {

...

dhcpv6-server {

shared-network-name LAN_DEAD {

name-server 2001:4860:4860::8888

name-server 2001:4860:4860::8844

subnet 2001:470:23:xxxx:dead::/80 {

address-range {

start 2001:470:23:xxxx:dead::1000 {

stop 2001:470:23:xxxx:dead::8000

}

name-server 2001:4860:4860::8888

name-server 2001:4860:4860::8844

prefix-delegation {

start 2001:470:23:xxxx:dead::1000 {

prefix-length 80

}

自动更新IP

之前一片EdgeRouter Lite相关的配置文章里，我把He.net提供的DDNS配置好了。Dynamic DNS on HE.net, HE.net Dynamic DNS on Ubiquiti Router.

脚本更新

首先按如下路径生成ddns专用的key

TunnelBroker.net -> Tunnel Details -> Advanced -> Update Key

1	TunnelBroker.net -> Tunnel Details -> Advanced -> Update Key

尝试过好多次，EdgeRouter Lite无法通过配置参数添加多个同类型的ddns配置。所以先提供一个简单粗暴的方法。

参考 https://forums.he.net/index.php?topic=1994.0 的说明，有如下的客户端语法：

https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNEL_ID>
https://ipv4.tunnelbroker.net/nic/update?username=<USERNAME>&password=<PASSWORD>&hostname=<TUNNEL_ID>

https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNEL_ID>&myip=<IP ADDRESS>
https://ipv4.tunnelbroker.net/nic/update?username=<USERNAME>&password=<PASSWORD>&hostname=<TUNNEL_ID>&myip=<IP ADDRESS>

http[s]://[TB_USER:TB_PASS@]tunnelbroker.net/nic/update?[username=TB_USER&password=TB_PASS&]hostname=<TUNNEL_ID|tunnelTUNNEL_ID.tunnelbroker.net|TB_USER-TUNNEL_LABEL.tserv#.LOC#.ipv6.he.net>[&myip=IPV4]

https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNEL_ID>

https://ipv4.tunnelbroker.net/nic/update?username=<USERNAME>&password=<PASSWORD>&hostname=<TUNNEL_ID>

https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNEL_ID>&myip=<IP ADDRESS>

https://ipv4.tunnelbroker.net/nic/update?username=<USERNAME>&password=<PASSWORD>&hostname=<TUNNEL_ID>&myip=<IP ADDRESS>

http[s]://[TB_USER:TB_PASS@]tunnelbroker.net/nic/update?[username=TB_USER&password=TB_PASS&]hostname=<TUNNEL_ID|tunnelTUNNEL_ID.tunnelbroker.net|TB_USER-TUNNEL_LABEL.tserv#.LOC#.ipv6.he.net>[&myip=IPV4]

新增文件 /etc/ppp/ip-up.d/update-tunnelbroker-ip
内容如下：

#!/bin/sh

TB_USER="sskaje"
TB_PASS="P4s5W0Rd"
TB_TUNNELID="xxxxx"

IFACE="$1"
if [[ $IFACE =~ ^pppoe ]];
then
        /usr/bin/curl --silent "https://ipv4.tunnelbroker.net/nic/update?username=${TB_USER}&password=${TB_PASS}&hostname=${TB_TUNNELID}" >/dev/null 2>&1 ;
fi

# EOF

#!/bin/sh

TB_USER="sskaje"

TB_PASS="P4s5W0Rd"

TB_TUNNELID="xxxxx"

IFACE="$1"

if [[ $IFACE =~ ^pppoe ]];

then

/usr/bin/curl --silent "https://ipv4.tunnelbroker.net/nic/update?username=${TB_USER}&password=${TB_PASS}&hostname=${TB_TUNNELID}" >/dev/null 2>&1 ;

# EOF

完成后给执行权限

chmod +x /etc/ppp/ip-up.d/update-tunnelbroker-ip

1	chmod +x /etc/ppp/ip-up.d/update-tunnelbroker-ip

复用ddclient配置

早先在配置DDNS的时候做过一些尝试，结果发现删除配置时 /etc/ddclient/ 目录下自动生成的配置并未被删除。
而tunnelbroker的IP更新协议跟ddns一样都是用了dyndns风格的。
所以第二个思路是自己写个配置文件（未验证）
参考模板

daemon=1m
syslog=yes
ssl=yes
pid=/var/run/ddclient/ddclient_pppoe0_.pid
cache=/var/cache/ddclient/ddclient_pppoe0_.cache
use=if, if=pppoe0


server=dyn.dns.he.net,protocol=dyndns2
max-interval=28d
login=sskaje
password='P4s5W0Rd'
xxxxx

daemon=1m

syslog=yes

ssl=yes

pid=/var/run/ddclient/ddclient_pppoe0_.pid

cache=/var/cache/ddclient/ddclient_pppoe0_.cache

use=if, if=pppoe0

server=dyn.dns.he.net,protocol=dyndns2

max-interval=28d

password='P4s5W0Rd'

xxxxx

奇葩问题

从开始配置Tunnel到最终写这篇文章，中间隔了估计有好几个月，一直在更新IP（手动或者自动）时被提示无法连接到我的路由，HE的测试IP是 66.220.2.74。
还发邮件问过那边，也怀疑了几种可能，但是确认中国的其他IP都没问题。

就在刚才，突然想到可能是路由表错了。
因为之前整理过 Google/Twitter/Facebook 的IP段(Google IP Address Ranges, EdgeOS PPTP VPN客户端配置)，简单粗暴地直接把零散的IP段合并成一个个CIDR 16的网段，然后指向了我的pptpc0。
其中就有

network 66.220.0.0/16

1	network 66.220.0.0/16

核对了一下FB的网段，调整了路由：

# change firewall network group
delete firewall group network-group GFW-IPv4 network 66.220.0.0/16 
set firewall group network-group GFW-IPv4 network 66.220.128.0/17

# change route
delete protocols static interface-route 66.220.0.0/16 
set protocols static interface-route 66.220.128.0/17 next-hop-interface pptpc0 distance 10

# change firewall network group

delete firewall group network-group GFW-IPv4 network 66.220.0.0/16

set firewall group network-group GFW-IPv4 network 66.220.128.0/17

# change route

delete protocols static interface-route 66.220.0.0/16

set protocols static interface-route 66.220.128.0/17 next-hop-interface pptpc0 distance 10

TunnelBroker for EdgeRouter Lite by @sskaje: https://sskaje.me/2015/05/tunnelbroker-edgerouter-lite/

Tag: ipv6 tunnel

EdgeRouter Firewall Rule for HE TunnelBroker

Incoming search terms:

自建 6in4 Tunnel Server (iproute2)

Incoming search terms:

TunnelBroker for EdgeRouter Lite

创建隧道

Router Advert

自动更新IP

脚本更新

复用ddclient配置

奇葩问题

Incoming search terms: