Slashdot Mirror
Home Server On IPv6-only Internet Connection?
RandyOo writes "I've recently learned that our neighborhood is getting a fiber optic network, with a 100Mbps connection in each subscriber's home. IPv6 connectivity is included, but unfortunately, the only IPv4 connectivity they offer is Carrier Grade NAT, due to the exhaustion of IPv4 addresses in RIPE. I travel a lot, and I've become accustomed to accessing my home network via SSH, VNC, etc. It appears uPNP and PMP are unsupported by CGN. So, without a publicly-routed IPv4 address, I'll be unable to reach devices on my home network from an IPv4-only connection, such as the one provided by my cellular carrier (which also appears to be behind some kind of NAT, by the way). If the ISP isn't willing or able to sell me an IPv4 address, what alternatives do I have? I'd be willing to pay a small monthly fee for, say, a VPN service that would allow me to accept incoming connection requests on a range of ports on their Internet-facing IPv4 address. Does such a service exist?"
I'm glad you asked this question. The simple answer is no, there's no possible way that you'll be able to connect to your home server while on the internet. There aren't any services that provide an IPv4 address that you can do what you want with. So it's good you didn't waste time searching on the internets.
I've been using LogMeIn's Hamachi system to accomplish this. It's a virtual LAN solution that links machines behind firewalls or CGN devices. The down side is that it has to be installed on all devices that access the virtual LAN, and they don't have any mobile clients (yet), but if you need access from a device you can't install the Hamachi client on, you can always get a cheap VPS, install the linux client on it, and set up some port forwarding - the Hamachi IPs are static, so each machine always gets the same one.
There are some limitations with the free version (5 machines in a virtual LAN, connection only works with a logged in user on desktop clients), but the $30ish it costs per year for a 32 user license is very reasonable. And it supports IPv6 and IPv4 across the VLAN, too.
-PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
also, if you're using t-mobile and have a newer phone, you can get IPv6. https://sites.google.com/site/tmoipv6/lg-mytouch
A cheap Linux based VPS (Virtual Private Server) will do what you want. You can set up a VPN connection between your home server and the VPS, and then connect to the VPS on its public IP and have it route to your home. I haven't set up such a thing myself, and it will be a bit laggy, but it should works for what you need.
Nobodies Prefect
Tidbits for Techs Technology Blog
Have you tried Toredo? (apt-get install miredo)
It goes through relays, so you will probably want to only use it for small transfers. Alternatively, you can use a Linode VPS, which have IPv6 enabled by default, so you can configure an ipsec tunnel or equivalent from there.
Every system I've seen has some form of IPV6 tunneling that allows you to call out to an IPV6 server. The only time it fails is if you're trying to host an IPV6 server which will fail due to NAT but connecting to an IPV6 always works. The fact that you've got an IPV6 server means you're set. Run Teredo/Miredo on your clients and connect away.
Go setup teredo/miredo and connect away.
Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc. ;)
Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it!
You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!
Like tunnelbroker.net or broker.aarnet.edu.au
then gogoc (or similar) to connect you to the IPv6 tunnel when on the greater internet, then ssh to your ipv6 address
I believe AirVPN allows you to map up to 20 ports.
As one other comment suggested, get a cheap VPS and setup a VPN so that you can connect to your network. DigitalOcean has one for $5/month (I'm in no way affiliated) https://www.digitalocean.com/ and you can then have your router connect to the VPN. Setup the routes correctly and any VPN user can access every device at home.
However you won't always want to load up the VPN on your phone, and if there's just 1 computer you want to access you can use a VPS with a remote SSH tunnel. Have the computer on your network connect to the VPS and forward some high numbered port, say 4222, to port 22: ssh -R 4222:localhost:22 user@vps. Then you can ssh into your VPS on port 4222 and it will go directly to your home computer. Just made sure you add "GatewayPorts yes" to /etc/ssh/sshd_config or the remote port will only bind to localhost.
Couple this with autossh and the home computer will always keep the connection open and re-establish it as necessary.
Sure, there's a little overhead, but I've never really noticed it. I use this trick so that my phone and tablet can always ssh into my laptop no matter where the laptop is (home network, friend's house, coffee shop, etc)... no need to find the IP address and worry about port forwarding.
SSH into the Virtual private server, then SSH from the virtual private server to your LAN's IPv6 address
For VNC, open SSH back to your remote computer from inside your LAN in remote tunnel mode, using the -R option, to tunnel the port to the local VNC at the remote end, then connect to that local port on your local computer with VNC for remote access to your home.
For me, the cheapest way to go was to have the machine behind NAT automatically connect to a second server and bring up an IP tunnel through pppd-ssh.
The second server has a public IP and I connect to it when I want to access the machine behind NAT. You can also do port redirection on the public IP server so you can log directly into your home computer with the public IP.
Everything I write is lies, read between the lines.
Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck for more details.
Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.
You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.
You are an idiot. His problem is that he has to connect from networks which are not under his control and which (currently) only provide IPv4. This is not the submitters fault.
Did you even read the question all the way through? The guy doesn't have any problem with IPv6 itself. He wants to connect to his network on the go from his cellphone(probably tethers from the way it's worded). His cell's connection is some v4 NAT that won't even connect to a v6 address. He's looking for a solution.that doesn't involve convincing his cell provider to overhaul it's entire system.
Only setup AAAA records in DNS, instead of A records, that way your server will only be reached through IPv6.
http://en.wikipedia.org/wiki/NAT64
Interestingly, it was discussed in a forum topic on Tunnelbroker:
http://www.tunnelbroker.net/forums/index.php?topic=2419.0
Don't bother with any 3rd parties like most suggestions are advising. OpenVPN supports tunneling IPv4 and IPv6 over either of them. You can use a laptop or anything else that supports IPv6 to connect to your server at home over IPv6 via a bridged tap tunnel interface and then anything you connect to the laptop via layer 2 will be able to communicate with your home over IPv4.
Get:
Then do:
now we need to go OSS in diesel cars
http://pagekite.net/ Their open-source client is super easy to setup. You get 1 month free, after that the service is only $18 for 6 months. I've installed Pagekite's client even on machines behind corporate firewalls, and never had any problems whatsoever. I'm not affiliated to them in any way; just a satisfied customer.
It's always been enough for me to have a dyndns.org domain that is automatically updated to whatever IP the ISP gives me. It's free for all I need it for.
Just dump the IP addresses entirely for your applications. Anonymizing networks like Tor and I2P do this automatically, switching the 'address' to a node identification key. If your node has the key, then any other node looking for that key will find you, no matter what your current IP address is. The key validates 'who' your systems are, so the IP address or domain doesn't even matter.
Tor cannot do this as seamlessly as I2P for a couple or reasons:
1) Tor is really only designed for browsing and doesn't handle non-TCP, non-HTTP protocols well. I2P supports UDP as well as TCP, and has the topology for larger, non-Web page data flows.
2) You can easily set the number of hops in I2P... all the way down to zero. This actually makes the (usually slower & anonymized) I2P connection faster than some of the above mentioned solutions involving the expense of a relay system (which is 1-hop, and assuming SSH gets balky more often due to the way TCP deals with latency)... (I think with Tor, you are forced to go through their anonymizing relays).
The down side is that -- although I2P handles IP sockets -- its not the same thing, so you need to take a couple steps to make SSH or other programs utilize it (similar to using torify as a wrapper). Also, the only mobile platform I2P runs on is Android. And remember that using I2P like this bestows no anonymity on your SSH connection (although that limit would not extend to other apps you use with I2P, as long as you don't also configure them to use 0 hops-- the default is 3 hops).
CGN or as I like to call it Internet-Cancer, SUCKS! There is no way to "call-in". The only way to access your hardware is through 3rd party services such as Teamviewer(which I highly recommend) or LogMeIn. This however isn't you logging in to your stuff, you meet by a proxy that is a Teamviewer server, and then establish a direct connection. Teamviewer also has some plugins which let you establish a VPN to the network that the Teamviewer server is connected to. Another solution is to have a Cisco router connected to the CGN'd internet connection, and have the router automatically VPN (I personally use Cisco's DMVPN technology ) to another internet connection that you DO have access to. An example would be an employee's router that VPNs to HQ. If they VPN'd properly establishes the connection to HQ the IT guys can then SSH,FTP or whatever into the employee's house. They are not connecting directly, but through the VPN from HQ. With some sneaky NATting and routing you can achieve an effect that is very similar to having direct access from the internet to the inside a CGN'd network.
Running home servers for non-LAN use is usually a waste of money. If your hardware needs are not huge, just get a super cheap VPS from a location that is suitable for you.
http://www.lowendbox.com/ lists about a gazillion super cheap VPS providers all over the world and has new special offers all the time.
I think https://X4B.org could do something like this.
I know they offer IPv6 gateways for IPv4 hosts.
If skype works then both showmypc and gotomypc will work.
Teredo(IPv6 over UDP) is easy to set up - if your Windows is Vista or later, it works automatically. For Linux it depends on the distro. If you happen to be in a non-NATted environment for once, 6to4 works great too.
So just enjoy the IPv6.
If you have devices at home that don't support IPv6, you can set up a NAT64 within your home network.
Serious question, no interest in flamebait or trolls. Why is mobile not on IPv6?
It's a place where I would expect it. Quick turnaround of devices, new networks all the time. It made sense for 2G and GRPS to be IPv4 at the time. But 3G and even 4G apparently are still using IPv4.
It's hard to believe the phones are not up to the task. It's all in the software, not too hard to require v6 on 3G and later, Older devices that are v4 only can't use 3G networks anyway. Users don't need to know their IP address, ever. This are devices, and there is a huge number of it, exactly what v6 was meant to support. Carriers have full control over their networks, start to finish, so that part of switching to v6 is also not an issue. They of course have to provide a gateway to access v4-only web sites, but that shouldn't be too much harder than maintaining a NAT like they have to do now to keep everyone on v4.
Honestly, I just don't get it.
It's such a stark contrast with that fibre provider that is basically IPv6, while providing a v4 compatibility layer for older devices that still need it.
That does not make sense. Per OP, he/she is outside IPv6 and is on IPv4. OpenVPN cannot provide the described "magic" tunnel unless there is a way to map the target server's IPv6 via IPv4. That requires the carrier to do the mapping (such as port mapping as already described).
I've been using logmein for many years now. It's free and it just works. I'm living in China now, and my pc's at home are behind a DD-WRT router running OpenVPN with a dynamic (not-fixed) US IP address. Even when the VPN drops out, and everything ends up on a Chinese IP address, it still works. There is even an android client that works from my single core 7" lenovo tablet with China Unicom 3G service. Amazingly, it j u s t w o r k s.
While the title may have been less in your face, why is this modded down? AC is right - with IPv6, he has no shortage of addresses, so he could configure a DHCP6 server and set it up that way.
It would have helped if this was dual stacked, but since it isn't, one thing he should consider is asking his cell phone carrier whether they do IPv6, and getting that end IPv6 supported. Another option might be to set up a DS-lite configuration for services needing IPv4. That way, he uses his IPv4 cellphone to access those services, while providing them seamlessly from IPv6. Or else tunnel the requests from the IPv4 end.
All the other options posted so far are valid, but perhaps as you mostly travel and to keep costs down, what about a shell account at a provider with IPv6 support? http://blinkenshell.org/wiki/Info/IPv6
It's not greed. It doesn't make sense to give back v4 IPs, when the rest of the world is dragging its feet on IPv6 adaption. In fact, giving back v4 IPs is not a solution at all - if it's given back before the widespread adaption of IPv6, then the giver will be left with shortages. If it's given back after the widespread adaption of IPv6, it will be useless and unneeded. Fact is that even if an organization fully embraces IPv6, they still need to be dual stacked to provide services to IPv4 customers, so they'll still need those 'unused' v4 addresses.
But imagine the effort needed to determine who needs how many addresses. Spending that sort of time on a technology that's all set to be replaced does no good. Instead, governments should aggressively push IPv6 adaption, and at some point, announce a cutoff of all IPv4 services. That thing won't go away unless and until someone takes the initiative and pulls that plug. Once they do, anyone who wants to deal w/ them will be forced to adapt IPv6, and after that, there will be no shortages
ssh -R 2022:localhost:22 -oGatewayPorts=yes mypi.edis.at
You can call this script from
Then, when on the road, to connect to your home network, just do ssh -p 2022 mypi.edis.at on your phone.
A suitable server may be a raspberry pi hosted for free at Edis, Austria. Just send them your pi, and they'll host it for free.
Another option is checking with a friend. A group of us rent a server running Arch Linux but any distro will do. This lets us host some websites, mumble, virtual machines, do ssh tunneling to get by work firewalls or get free internet at hotels, private file sharing and proxying/tunneling like you're wanting. If you have a friend like this and his server hoster hasn't given him ipv6 get him to ask and they will probably give him more than he could ever use like ours did. Then he can set up what ever method you want.
We got a decent server for $50 a month split 4 ways.
https://pagekite.net/ seems to be 36 EUR for one year.
Check out sixxs.net for a decent tunnel broker. They're also a good starting point to find ISPs who can provide native IPv6 routing (those same ISPs would also be likely to be have the infrastructure in place to provide the standard services you require).
If you're UK based, Goscomb are v6 native, provide static addressing (free & by default) & FTTC, don't perform any traffic shaping & offer 30-day rolling contracts.
Their caps are a little low for me, but it's a good service & I get what I pay for.
My provider actually is T-Mobile Germany, and surprisingly, they don't plan to deploy IPv6 until next year!
You can either get a VPS that supports IPv6, and log in from there ... another solution that works fairly well.
You use a reverse tunnel, created on demand based on an HTTP request. Here's what you do: /sshtunnel it gets served your current data, and your machines connects to wherever you are. All you have to do now is ssh user@localhost -p {remote_port}.
Run a script on your machine that checks yourpage.com/sshtunnel, if it gets, say, NO_TUNNEL, it does nothing (or even better, make that a script and return 404 or some other header to signify FALSE). If, instead, it gets a json or csv, or whatever else you want (I used JSON) with an IP address, a port, and which username it should use, your machine will create a tunnel to that destination. Like this: ssh -f -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -nNT -R {remote_port}:127.0.0.1:22 {remote_user}@{remote_host}. So, if where you can expose a port on your laptop, you just fill out a form on your website, and when your machine next checks
If wherever you are, you don't have access to port forwarding, you can have a cheap VPS (there are many available for as low as 5 bucks a month), and have your machine connect there, this will increase your latency, but it'll be barely noticeable if you choose your VPS location wisely (i.e as close to your home as possible).
The userknownhostfile and stricthostkeychecking disabling are required since you will be using key authentication against a machine that moves around all the time.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Step 1:
Buy domain name from namecheap.com, like say... mywebsite.com
Step 2: /logs/log-@.txt "http://dynamicdns.park-your-domain.com/update?domain=mywebsite.com&password=[DYNAMIC_IP_PASSWORD_FROM_NAMECHEAP]&host=@"
Set a cron job that runs the following every 5 minutes on one of your computers at home:
curl -s -o
Step 3:
SSH into myswebsite.com
Voilà!
it's only going to get worse. enjoy!
E.g. adding ip4.sixxs.org to the ipv6 address, http://ipv6.google.com.ipv4.sixxs.org/
Don't know if any allow numerical addresses. Is the ISP providing DNS service for adding your own AAAA records to your routed subnet?
Get a free tunnel from SixXS and install the AICCU programme on your laptop. This should work fine and is easy enough to set up. I used SixXS (for a different purpose) for a few years until I got native IPv6 on my ADSL.
There are two solutions I can think of, depending on what you need and how much work you're willing to put in.
First, you could use something like LogMeIn or GoToMyPC. You leave the agent running on a PC on your network then you can login to that PC remotely and access the network resources from there.
The second solution, and what I do, is use VPN. In my case, I have a dynamic IP address from my ISP and I don't care to remember it. I also want to be able to directly address hosts on my LAN rather than play port forwarding games. I have a VPN tunnel built from my home network to a firewall I have colo'ed. That firewall has a static IP and when I'm working remotely, I just fire up Cisco VPN client and establish a remote access VPN session to that firewall, which then tunnels my traffic through the colo'ed firewall back to my home network so I can address my hosts at home via their internal IP addresses.
I happen to have the ability to colo a personal firewall at work and give it a static IP address at no cost, but you may not. If that's the case, I would look into something like a micro instance in Amazon EC2 that could perform the same function. Free for a year, then probably $20/mo.
This may be overkill as many people have suggested just using a linux VPS. But we are using a VPS from arpnetworks to host an instance of pfSense (FreeBSD based firewall distro). This is connected to our main site's firewall via a VPN tunnel. We have a /29 on the arpnetworks side to get a few extra public IPs (we need them to host SSL web sites). We then route traffic from those IPs over the tunnel to our internal network. There's no reason you couldn't do the same thing for a single address. I think it costs us $10/month +5/month for the /29 (single IP would be free).
"We are what we pretend to be, so we must be careful about what we pretend to be." --Kurt Vonnegut
Actually, the smaller you slice v4 addresses, the more you lose, since you have smaller subnets that each have a network & broadcast address each, which can't be used for anything else. Yeah, there won't be ONE subnet, but neither will there be 4096. So there will still be plenty of addresses that will either be pooled, or could be used in PAT overloading. Another thing - some of the earliest IPv4 implementations did NOT support subnets or their implementations
Hurricane Electric has been doing ths stuff for years, Check them out, Even my ISP (Teksavvy) has been using them to provide IPv6 to its clients. Not sure what they are using now.
So, if you just need to access by ssh for just some checks and so on, I think you can setup one of those free VPNs like proxpn.com If you would like to have direct connectivity (for example for bandwith reasons) I have another proposal: It's not so easy to set-up, but I think that the best solution is to use the ICE protocol (http://tools.ietf.org/html/rfc5245) for NAT traversal. It is used for establishing p2p connection on SIP for VoIP calls (also skype use it!), but actually you can use for anything else. It gives you a UDP tunnel between two peers and it works even if both the peers are behind NAT. The only case in which it does not work is when you can't use UDP or both peers are behind a symmetric-NAT (a kind of NAT used on some corporate networks). *Usually* ISP tries to follow some NAT requirements ( http://tools.ietf.org/html/rfc4787 ) so that this kind of NAT traversal techniques works.. Few weeks ago I've created a tool based on libpjproject for doing a tunnel using ICE: https://github.com/Otacon22/icetunnel the only thing is that you need some way for exchanging the SDP informations. For example you could: 1. connect both peers to a free VPN 2. Connect to the home peer on ssh over the VPN 3. Start my icetunnel tool on both peers, copy SDP data and paste to the other host 4. Open a VPN over the UDP tunnel created by ICE Sorry if the description is not so clear but I'm still developing it! P.s: also the new WebRTC uses ICE!