Note:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Funtoo:User Services/IPv6 Tunnel


Some Funtoo Linux datacenters do not have native IPv6 support, so we rely on IPv6 tunnel services provided by he.net.

This page will document how to reliably set up an IPv6 tunnel under Funtoo Linux. This particular configuration is focused on setting up a tunnel router, which means that it's not just about providing IPv6 to a single server. Instead, the server we will configure will provide IPv6 for an entire bridged network.

To follow these exact steps, you will need to visit https://tunnelbroker.net and register for an account. This process is free. You may be required to complete some IPv6 training first. Once you have done this, you should be able to configure a tunnel, which will have settings similar to this one:

tunnelbroker.net example tunnel

To make sense of the critical settings of this tunnel, let's talk a bit about how this IPv6 tunnel works. For those who are impatient, here is the actual file we will use to bring up the tunnel -- but please note that additional configuration is required to get the tunnel working properly!

   /etc/netif.d/ipv6-tunnel-router (bash source code)
#!/bin/sh

netif_pre_up() {
    try ip tunnel add $interface mode sit remote $endpoint_remote local $endpoint_local ttl 255
    try ip link set $interface up
    try ip addr add $tunnel_local_ipv6 dev $interface
}

netif_post_up() {
    # all IPv6 traffic should go out the tunnel:
    try ip route add ::/0 dev $interface
    # ...except traffic to our assigned IPv6 block, which all sits on $route_interface:
    try ip route add $route_assigned_block dev $route_interface
}

netif_pre_down() {
    ip route del $route_assigned_block dev $route_interface
    ip route del ::/0 dev $interface
}

netif_post_down() {
    ip tunnel del $interface
}

Since we don't have native IPv6 and are relying on IPv4 to create our tunnel, we need to link both ends of the tunnel over IPv4. The tunnelbroker.net end is the "Server IPv4 Address" ($endpoint_remote, above), and our end is the "Client IPv4 Address" ($endpoint_local, above).

Once the tunnel is set up, we have to deal with IPv6, so let's talk about that. Tunnelbroker.net gives us a "slash 64" (/64), which is a block of 2^64 IPv6 addresses. All these addresses are expected to exist on "our side" of the tunnel.

In addition, there is a second IPv6 network, which is used exclusively by the tunnel itself. This is a frequent source of confusion.

   /etc/radvd.conf
interface brwan {
        AdvSendAdvert on;
        AdvHomeAgentFlag off;
        MinRtrAdvInterval 30;
        MaxRtrAdvInterval 100;
        prefix 2001:470:1f0f:24b::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
        };
};


   /etc/conf.d/netif.brwan (bash source code)
template=bridge
slaves=netif.eth0
# see https://ipv6.he.net/presentations/ra-radvd.pdf page 5 -- we want the first IP in our
# routed range to be on the LAN interface of the router. Please note that the IPv6 address
# we add here is NOT what you might assume: you take the Routed /64 and append ::1,
# so this is the FIRST address of your routed /64. It is NOT the server IPv6 address,
# which is the tunnelbroker.net side of the tunnel, and it is NOT the client IPv6 address
# of the tunnel itself. It is the FIRST address from the routed /64 that radvd is
# advertising for us. This is ESSENTIAL so that hosts on the LAN can reach the router
# that radvd's router advertisements point at. Otherwise, your devices will get IPv6
# addresses but will lose them after a few minutes, because they cannot communicate
# with the advertising router.
ipaddr="172.97.103.202/24 2001:470:1f0f:24b::1/64"
gateway=172.97.103.1
nameservers="1.1.1.1 1.0.0.1"
domain=funtoo.org
multicast=no
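Because the tunnel /64 and the routed /64 are so easily mixed up, it is worth checking the values before writing them into the netif files. The following is an added example, not code from the Funtoo wiki or from he.net: it maps the tunnelbroker.net settings onto the variables used by the scripts above and checks that netif.brwan carries the first address of the routed /64 while radvd advertises that same block. The routed /64 and IPv4 address are the page's example values; the server IPv4 address and the tunnel's client IPv6 address are documentation placeholders (RFC 5737 / RFC 3849), since the page does not show them.

```python
import ipaddress
import re

def derive_config(server_ipv4, client_ipv4, client_ipv6, routed_block):
    """Map tunnelbroker.net settings onto the variables the netif scripts use.

    client_ipv6 is the tunnel's own "Client IPv6 Address" (with prefix length);
    routed_block is the "Routed /64". Raises ValueError on the mix-ups the page
    warns about, so the check fails before anything is written to /etc.
    """
    remote = ipaddress.IPv4Address(server_ipv4)
    local = ipaddress.IPv4Address(client_ipv4)
    tun = ipaddress.IPv6Interface(client_ipv6)
    routed = ipaddress.IPv6Network(routed_block)  # strict: host bits must be zero
    if routed.prefixlen != 64:
        raise ValueError("routed block must be a /64, got /%d" % routed.prefixlen)
    if tun.network.overlaps(routed):
        raise ValueError("tunnel /64 and routed /64 must be distinct networks")
    return {
        "endpoint_remote": str(remote),       # "Server IPv4 Address"
        "endpoint_local": str(local),         # "Client IPv4 Address"
        "tunnel_local_ipv6": str(tun),        # goes on the sit interface only
        "route_assigned_block": str(routed),  # routed via $route_interface
        "lan_ipv6": "%s/64" % (routed.network_address + 1),  # routed /64 + ::1
    }

def check_configs(netif_text, radvd_text, cfg):
    """Return a list of problems found in netif.brwan and radvd.conf contents."""
    problems, lan_v6 = [], []
    for line in netif_text.splitlines():
        if line.strip().startswith("ipaddr="):
            value = line.strip()[len("ipaddr="):].strip("\"'")
            lan_v6 = [a for a in value.split() if ":" in a]
    if cfg["lan_ipv6"] not in lan_v6:
        problems.append("LAN lacks %s, the first address of the routed /64" % cfg["lan_ipv6"])
    if cfg["tunnel_local_ipv6"] in lan_v6:
        problems.append("tunnel address %s belongs on the sit interface, not the LAN" % cfg["tunnel_local_ipv6"])
    m = re.search(r"prefix\s+(\S+)\s*\{", radvd_text)
    if not m or str(ipaddress.IPv6Network(m.group(1))) != cfg["route_assigned_block"]:
        problems.append("radvd must advertise the routed /64 %s" % cfg["route_assigned_block"])
    return problems

# Constructed sample inputs (placeholders for the values the page does not show).
NETIF_BRWAN = 'template=bridge\nslaves=netif.eth0\n' \
              'ipaddr="172.97.103.202/24 2001:470:1f0f:24b::1/64"\ngateway=172.97.103.1\n'
RADVD_CONF = "interface brwan {\n    prefix 2001:470:1f0f:24b::/64 { AdvOnLink on; };\n};\n"
CFG = derive_config("203.0.113.1", "172.97.103.202", "2001:db8:1::2/64", "2001:470:1f0f:24b::/64")
```

Running `check_configs(NETIF_BRWAN, RADVD_CONF, CFG)` on the sample returns an empty list; swapping the LAN address for the tunnel's client IPv6 address reports both the missing routed ::1 and the misplaced tunnel address.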