Home Server: Add an IPv6 tunnel



14-Jun-2011: initial release.
22-Mar-2012: update ipv6 module loading.
28-Jul-2012: configuration updates.
06-Jan-2013: adjusted for Slackware.
21-Nov-2013: 'requiretls true' may now be used.
18-Apr-2015: Fixed new name of the network-scripts-ipv6 package.



Our Home Server with its virtual gateway server is now IPv4 only. Because most Internet Service Providers do not deliver IPv6 access, we will have to do that ourselves using a tunnel broker like SixXS or Hurricane Electric. Hurricane Electric seems easier when it comes to providing access, but their service depends on your modem and Internet Service Provider not blocking IP protocol number 41. Only some Fritz modems seem to be IPv6 ready. SixXS uses a little daemon that works over a regular IPv4 connection. This solution works in almost all cases, so this is what I use. We will install that daemon on our virtual gateway server because that is the most logical place. To get a tunnel from SixXS you need to create an account and then request a tunnel. Usually you receive your tunnel after a day.

Before you request your tunnel, check out all the so-called PoPs in your country, and use IPv4 traceroutes to check which one is nearest to you (fewest hops) and has the lowest ping round-trip times.


Prepare the system for IPv6.

First upgrade the network-scripts package with the package network-scripts-ipv6 from this server. This package has support for IPv6 in the network configuration and extra hooks for additional /etc/rc.d scripts. The extra hooks are there to start and stop the SixXS tunnel, vde networks and VirtualBox servers. Note that you must replace the /etc/rc.d/rc.inet1.conf file with the new one; it has a number of new settings for IPv6.

Every network interface has sysctl settings that enable or disable IPv6 features. On network interfaces that don't have any IPv6 configuration, IPv6 is completely disabled.

You must also build and install the aiccu package; this is the SixXS tunnel daemon.
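
To confirm that IPv6 really is off everywhere except where it was configured, the per-interface disable_ipv6 sysctl can be read back and compared with the list of interfaces that are supposed to speak IPv6. This is an added example, not part of the network-scripts-ipv6 package; the function name, the CONF_ROOT variable and the interface names lo and eth0 are assumptions.

```sh
#!/bin/sh
# Added example: report interfaces that have IPv6 enabled although they
# are not on the expected list.
# CONF_ROOT can be pointed at a constructed directory tree for testing.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# ipv6_unexpected "lo six0"
#   prints every interface with disable_ipv6 = 0 that is not in the list,
#   one per line; returns 1 if there is at least one, 0 otherwise.
ipv6_unexpected() {
    allowed=" $1 "
    rc=0
    for dir in "$CONF_ROOT"/*; do
        [ -r "$dir/disable_ipv6" ] || continue
        ifname=${dir##*/}
        # "all" and "default" are kernel templates, not real interfaces
        case "$ifname" in all|default) continue ;; esac
        read -r state < "$dir/disable_ipv6"
        [ "$state" = "0" ] || continue      # 1 means IPv6 is disabled
        case "$allowed" in
            *" $ifname "*) ;;               # expected to carry IPv6
            *) echo "$ifname"; rc=1 ;;
        esac
    done
    return $rc
}

# On the gateway (interface names other than six0 are assumptions):
#   ipv6_unexpected "lo six0 eth0" || echo "review the interfaces listed above"
```

An interface that shows up here has a link-local address and an active IPv6 stack even though nothing was configured for it.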


Creating the tunnel.

Edit or create /etc/aiccu.conf:

# AICCU Configuration

# Login information (defaults: none)
username ABCDE-SIXXS/T63029
password mysecret

# Protocol and server to use for setting up the tunnel (defaults: none)
protocol tic
server tic.sixxs.net

# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface six0

# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T63029

# Be verbose? (default: false)
verbose true

# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
daemonize true

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls true

# PID File
pidfile /var/run/aiccu.pid


Of course you need to set your own username, tunnel id and password in this file. You can start the tunnel with /etc/rc.d/rc.aiccu start. With the ifconfig command you should see that there is now a six0 network interface that has an IPv6 tunnel address. Then do some additional tests to see that it works:

root@gateway:~# chmod 755 /etc/rc.d/rc.aiccu
root@gateway:~# /etc/rc.d/rc.aiccu start
Starting aiccu daemon done.
root@gateway:~# ifconfig six0
six0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 inet6 addr: fe80::18f8:fe00:2ab:2/64 Scope:Link
 inet6 addr: 2001:1af8:fe00:2ab::2/64 Scope:Global
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:500
 RX bytes:0 (0.0 b)  TX bytes:144 (144.0 b)

root@gateway:~# sysctl net.ipv6.conf.eth1.disable_ipv6=1
net.ipv6.conf.eth1.disable_ipv6 = 1
root@gateway:~# traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2a00:1450:8005::63) from 2001:1af8:fe00:2ab::2, ..
 1  gw-684.haa-01.nl.sixxs.net (2001:1af8:fe00:2ab::1)  25.846 ms  25.908 ms  24 ..
 2  2001:1af8:4050::1 (2001:1af8:4050::1)  25.157 ms  24.042 ms  24.28 ms
 3  be25.crs.evo.leaseweb.net (2001:1af8::19)  27.385 ms  21.261 ms  25.19 ms
 4  swissix.google.com (2001:7f8:24::4a)  53.065 ms  53.09 ms  100.408 ms
 5  2001:4860::1:0:11 (2001:4860::1:0:11)  54.785 ms  47.18 ms  47.819 ms
 6  2001:4860::1:0:4b3 (2001:4860::1:0:4b3)  47.97 ms  49.343 ms  48.955 ms
 7  2001:4860::8:0:2db0 (2001:4860::8:0:2db0)  49.47 ms  51.133 ms  60.873 ms
 8  2001:4860::2:0:66e (2001:4860::2:0:66e)  52.442 ms  51.332 ms  51.575 ms
 9  2001:4860:0:1::69 (2001:4860:0:1::69)  61.118 ms  58.74 ms  53.254 ms
10  ey-in-x63.1e100.net (2a00:1450:8005::63)  54.345 ms  54.742 ms  54.015 ms
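
Because /etc/aiccu.conf holds the TIC password in clear text and decides whether the login may fall back to an unencrypted session, it is worth checking the file before the daemon is started. The following is an added example, not part of aiccu or of the scripts on this server; the function names are assumptions, and "mysecret" is the sample password from the configuration above.

```sh
#!/bin/sh
# Added example: audit an aiccu.conf before starting the daemon.

# conf_get FILE KEY -> value of the last uncommented "KEY value" line
conf_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_aiccu_conf FILE
#   prints one finding per line; returns 0 if clean, 1 if there are
#   findings, 2 if the file cannot be read.
audit_aiccu_conf() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # The password is stored in clear text: only the owner may have access.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case "$perms" in
        ????------) ;;
        *) echo "mode $perms: group/other can access the stored password"; rc=1 ;;
    esac
    # With requiretls false the client carries on when starttls is refused.
    [ "$(conf_get "$f" requiretls)" = "true" ] ||
        { echo "requiretls is not true: TIC login may proceed without TLS"; rc=1; }
    # Catch a configuration copied from this page without editing.
    [ "$(conf_get "$f" password)" != "mysecret" ] ||
        { echo "password is still the sample value"; rc=1; }
    [ -n "$(conf_get "$f" username)" ] ||
        { echo "username is not set"; rc=1; }
    return $rc
}

# On the gateway:
#   audit_aiccu_conf /etc/aiccu.conf && /etc/rc.d/rc.aiccu start
```

A chmod 600 /etc/aiccu.conf with root as owner clears the first finding.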


If you get this far, then this part of the IPv6 installation is finished. You now need to earn enough credits (ISK) to request your own IPv6 subnet; that will take a week.



See the download page for the script and configuration files.