Tunnel IPv6 over IPv4

Page content

let’s assume you need ipv6 connectifity somewhere … You can use some Tunnelbrokers or your run OpenBSD on your Boxes and want todo it on your own. Here some hints.

Server with DualStack

you need a Maschine out in the Internet which is DualStacked

stoege@dualstack$ i3
IPv4: 11.22.33.44
IPv6: 2001:db8:100::100

Host with IPv4 only

stoege@ipv4 host ~# i3
IPv4: 55.66.77.88
IPv6: !NETWORK

and you want to bring IPv4 to the second host

Configure GIF Interfaces

Server

cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Host
tunnel 11.22.33.44 55.66.77.88
inet6 alias 2001:db8::1 128
dest 2001:db8:::2
EOF

sh /etc/netstart gif0

IPv4 Host

cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Dualstack
tunnel 55.66.77.88 11.22.33.44
inet6 alias 2001:db8::2 128
dest 2001:db8:::1
!route -n add -inet6 default 2001:db8:::1
EOF

sh /etc/netstart gif0

Enable IPv4 and IPv6 Forwarding

you know, the sysctl stuff and so ..

stoege@nerd ...nolink.ch$ cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.tcp.ecn=1

Tweak pf.conf

Server

/etc/pf.conf

### DEFAULT SETTINGS ###

set block-policy drop
set limit states 500000
set optimization normal
set skip on { lo0 enc0 gif0 }                   <-- add you gif interface here
set syncookies adaptive (start 25%, end 12%)

--- snip ---

# Tunnel -> NAT66 outgoing (as we don't have public ip space there)
match out log on egress inet6 from 2001:db8:99::1 nat-to (egress)

### RULES ###
# Block all
block log
...

--- snip ---

# Allow IP Tunnel from IPv4 Host
pass in log quick inet            from  11.22.33.44   to (self)
pass    log quick inet6           from  2001:db8:::2  to any

Finally, let’s try again ..

Host with IPv4 only

stoege@ipv4 host ~# i3
IPv4: 55.66.77.88
IPv6: 2001:db8:100::100

and you will get the same IPv6 Address as the other Host does NAT66 …

have fun !


Any Comments ?

sha256: 7524bdd8ca31c09fb27166b143c7caa752293336fd8eb0a813aa29064903574c