Setting up an IPv6 Tunnel


So, you want to access IPv6 websites, but your ISP does not provide native IPv6 access? Well, here are some instructions for setting up a 6in4 IPv6 tunnel with Hurricane Electric!

Now, these instructions are for Red Hat-based distros, and were specifically written using CentOS 6. This type of IPv6 tunnel won’t work behind NAT, so your machine must be connected directly to the internet with a public IP address (UPDATE: Thanks to KingKurly for pointing out that you can forward Protocol 41 to enable a tunnel through NAT, if your device supports it). If you are looking for something that will work behind NAT, an AYIYA tunnel from SixXS.net should work over NAT for you, and we’ll cover how to do this in a future article. But, for now, let us continue with our 6in4 IPv6 tunnel from Hurricane Electric.

First, go to Hurricane Electric and get your free tunnel.

Next, open up ping requests from Hurricane Electric. This step is important, as they won’t allocate a tunnel if they can’t ping your machine. I normally don’t respond to ping requests, so I had to use a firewall rule like the one below to allow their pings through.

-A INPUT -p icmp -m icmp -m limit -s 66.220.2.74/32 -i eth0 --icmp-type 8 --limit 1/sec -j ACCEPT

Don’t forget to restart your firewall after making changes, to make sure your changes are active:

service iptables restart

Once you have an account you will want to create a regular tunnel. This is basically an IPv4 tunnel between your computer and Hurricane Electric which carries your IPv6 traffic. Enter your IPv4 address as the tunnel’s endpoint address. After entering your IPv4 address, the website will check to make sure that it can ping your machine. If it cannot ping your machine, you will get an error like the one below:
[Screenshot: IPv6 tunnel create error]

If this happens, go back and check your firewall rules, and make sure that you can ping your machine from the outside. If all else fails, try a more relaxed firewall rule, like this:

-A INPUT -p icmp -m icmp -s 66.220.2.74/32 -j ACCEPT

Or, even more relaxed:

-A INPUT -p icmp -m icmp -j ACCEPT

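The first rule accepts all ICMP traffic from 66.220.2.74, while the second accepts all ICMP traffic from everyone. Both are broader than the original rule, which admits only rate-limited echo requests (ICMP type 8) from that address on eth0, so treat them as troubleshooting aids and go back to the stricter rule once the tunnel has been created.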
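
To see how far apart the three ICMP rules above are, the following bash helper (an added example, not part of the original article) labels each ICMP ACCEPT rule in iptables-save syntax by whether it restricts the source address and the ICMP type. The function names and labels are this example's own, and the tcp line in the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: label ICMP ACCEPT rules
# (iptables-save syntax) by how much inbound ICMP they admit.

# Echo one label for an ICMP ACCEPT rule; return 1 for any other line.
classify_icmp_rule() {
    local rule="$1" src=any icmp=any prev="" tok
    case " $rule " in
        *" -p icmp "*" -j ACCEPT "*) ;;
        *) return 1 ;;
    esac
    # Negated matches ("! -s ...") invert the meaning; leave those to a human.
    case " $rule " in *" ! "*) echo review; return 0 ;; esac
    for tok in $rule; do
        case "$prev" in
            -s|--source) [ "$tok" = "0.0.0.0/0" ] || src="$tok" ;;
            --icmp-type) icmp="$tok" ;;
        esac
        prev="$tok"
    done
    if [ "$src" != any ] && [ "$icmp" != any ]; then echo scoped
    elif [ "$src" != any ]; then echo all-types
    elif [ "$icmp" != any ]; then echo any-source
    else echo wide-open
    fi
}

# Read rules on stdin, print "label<TAB>rule" for each ICMP ACCEPT rule,
# and return 1 if any of them is broader than "scoped".
audit_icmp_rules() {
    local line label status=0
    while IFS= read -r line; do
        label=$(classify_icmp_rule "$line") || continue
        printf '%s\t%s\n' "$label" "$line"
        [ "$label" = scoped ] || status=1
    done
    return "$status"
}

# The three ICMP rules from this article, plus one constructed non-ICMP line.
sample_rules() {
    cat <<'EOF'
-A INPUT -p icmp -m icmp -m limit -s 66.220.2.74/32 -i eth0 --icmp-type 8 --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp -s 66.220.2.74/32 -j ACCEPT
-A INPUT -p icmp -m icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

sample_rules | audit_icmp_rules || echo "tighten every rule not labelled 'scoped'"
```

On a CentOS 6 host the same function can read the saved rule set directly, for example with audit_icmp_rules < /etc/sysconfig/iptables.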

Once everything is ready, you should see a message like this:
[Screenshot: IPv6 tunnel create success]

Now, it is time to configure our tunnel! Go to the Tunnel Details page of your tunnel, and start entering information. Give your tunnel a description, which can be anything you want. Then, assign a Routed /48, so we can have a larger block of addresses to play with. Finally, set up your rDNS delegations, by entering your DNS servers in the provided spaces. When you are all done, it should look something like this:
[Screenshot: IPv6 tunnel details]

Next, it is time to configure the IPv6 tunnel on our server! We need to create an interface file for our IPv6 tunnel, so create the /etc/sysconfig/network-scripts/ifcfg-sit1 file and put the following in it:

# Hurricane Electric V6V4 ipv6 tunnel
ipv4a=209.51.xxx.xxx          # Server IPv4 Address from configuration above
ipv4b=66.228.xxx.xxx          # Client IPv4 Address from configuration above
ipv6a=2001:db8:xxxx:xxxx::1   # Server IPv6 Address from configuration above
ipv6b=2001:db8:xxxx:xxxx::2   # Client IPv6 Address from configuration above

NAME="Hurricane Electric SIT"
DEVICE=sit1
ONBOOT=yes
USERCTL=yes
BOOTPROTO=none
PEERDNS=no

IPV6INIT=yes
IPV6_AUTOTUNNEL=yes
IPV6ADDR="$ipv6b/64"
IPV6_ROUTER=yes
IPV6_AUTOCONF=no

IPV6_CONTROL_RADVD=yes
IPV6TUNNELIPV4=$ipv4a
IPV6TUNNELIPV4LOCAL=$ipv4b

PHYSDEV=eth0
TYPE=sit
DEVICETYPE=sit
NM_CONTROLLED=no

# ifcfg files are sourced as shell, so every line must be a KEY=value assignment
NETWORKING_IPV6=yes
IPV6_DEFAULTGW=$ipv6a
IPV6_DEFAULTDEV=sit1

Don’t forget to change the IP addresses at the top of the file to match yours!

Now, all that is left is to assign some IPv6 addresses to our interfaces! In your /etc/sysconfig/network-scripts/ifcfg-eth0 file, you can add a few lines like the following:

#HE.net ipv6 tunnel config
IPV6INIT=yes
IPV6ADDR=2001:db8:xxxx:xxxx::1/64
IPV6ADDR_SECONDARIES="2001:db8:xxxx:xxxx::1/64 2001:db8:xxxx:xxxx::1/64"

Make sure you change the IPv6 addresses to match what you have been given by Hurricane Electric!

After restarting your network (with service network restart), you should be up and running! You can browse to an IPv6 website or try to ping an IPv6 address, to see if your IPv6 setup is working.

Next, you can configure your forward and reverse DNS zones with the necessary records to show off your shiny new IPv6 addresses!