Home Server On IPv6-only Internet Connection?
RandyOo writes "I've recently learned that our neighborhood is getting a fiber optic network, with a 100Mbps connection in each subscriber's home. IPv6 connectivity is included, but unfortunately, the only IPv4 connectivity they offer is Carrier Grade NAT, due to the exhaustion of IPv4 addresses in RIPE. I travel a lot, and I've become accustomed to accessing my home network via SSH, VNC, etc. It appears UPnP and PMP are unsupported by CGN. So, without a publicly-routed IPv4 address, I'll be unable to reach devices on my home network from an IPv4-only connection, such as the one provided by my cellular carrier (which also appears to be behind some kind of NAT, by the way). If the ISP isn't willing or able to sell me an IPv4 address, what alternatives do I have? I'd be willing to pay a small monthly fee for, say, a VPN service that would allow me to accept incoming connection requests on a range of ports on their Internet-facing IPv4 address. Does such a service exist?"
I've been using LogMeIn's Hamachi system to accomplish this. It's a virtual LAN solution that links machines behind firewalls or CGN devices. The down side is that it has to be installed on all devices that access the virtual LAN, and they don't have any mobile clients (yet), but if you need access from a device you can't install the Hamachi client on, you can always get a cheap VPS, install the linux client on it, and set up some port forwarding - the Hamachi IPs are static, so each machine always gets the same one.
There are some limitations with the free version (5 machines in a virtual LAN, connection only works with a logged in user on desktop clients), but the $30ish it costs per year for a 32 user license is very reasonable. And it supports IPv6 and IPv4 across the VLAN, too.
-PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
Next up on ask slashdot:
I've grown tired of the rolling meadow background on my Xp desktop. Does slashdot have any advice on how I might change it? And what should I change it to?
also, if you're using t-mobile and have a newer phone, you can get IPv6. https://sites.google.com/site/tmoipv6/lg-mytouch
A cheap Linux based VPS (Virtual Private Server) will do what you want. You can set up a VPN connection between your home server and the VPS, and then connect to the VPS on its public IP and have it route to your home. I haven't set up such a thing myself, and it will be a bit laggy, but it should work for what you need.
Nobodies Prefect
Tidbits for Techs Technology Blog
Have you tried Teredo? (apt-get install miredo)
It goes through relays, so you will probably want to only use it for small transfers. Alternatively, you can use a Linode VPS, which has IPv6 enabled by default, so you can configure an ipsec tunnel or equivalent from there.
Every system I've seen has some form of IPV6 tunneling that allows you to call out to an IPV6 server. The only time it fails is if you're trying to host an IPV6 server which will fail due to NAT but connecting to an IPV6 always works. The fact that you've got an IPV6 server means you're set. Run Teredo/Miredo on your clients and connect away.
Go setup teredo/miredo and connect away.
Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc. ;)
Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it!
You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!
Like tunnelbroker.net or broker.aarnet.edu.au
then gogoc (or similar) to connect you to the IPv6 tunnel when on the greater internet, then ssh to your ipv6 address
I believe AirVPN allows you to map up to 20 ports.
As one other comment suggested, get a cheap VPS and setup a VPN so that you can connect to your network. DigitalOcean has one for $5/month (I'm in no way affiliated) https://www.digitalocean.com/ and you can then have your router connect to the VPN. Setup the routes correctly and any VPN user can access every device at home.
However you won't always want to load up the VPN on your phone, and if there's just 1 computer you want to access you can use a VPS with a remote SSH tunnel. Have the computer on your network connect to the VPS and forward some high numbered port, say 4222, to port 22: ssh -R 4222:localhost:22 user@vps. Then you can ssh into your VPS on port 4222 and it will go directly to your home computer. Just make sure you add "GatewayPorts yes" to /etc/ssh/sshd_config or the remote port will only bind to localhost.
Couple this with autossh and the home computer will always keep the connection open and re-establish it as necessary.
Sure, there's a little overhead, but I've never really noticed it. I use this trick so that my phone and tablet can always ssh into my laptop no matter where the laptop is (home network, friend's house, coffee shop, etc)... no need to find the IP address and worry about port forwarding.
SSH into the Virtual private server, then SSH from the virtual private server to your LAN's IPv6 address
For VNC, open SSH back to your remote computer from inside your LAN in remote tunnel mode, using the -R option, to tunnel the port to the local VNC at the remote end, then connect to that local port on your local computer with VNC for remote access to your home.
For me, the cheapest way to go was to have the machine behind NAT automatically connect to a second server and bring up an IP tunnel through pppd-ssh.
The second server has a public IP and I connect to it when I want to access the machine behind NAT. You can also do port redirection on the public IP server so you can log directly into your home computer with the public IP.
Everything I write is lies, read between the lines.
Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck for more details.
Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.
You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.
You are an idiot. His problem is that he has to connect from networks which are not under his control and which (currently) only provide IPv4. This is not the submitters fault.
Buy a VPS. Create an open ended ssh tunnel commencing that opens a port on the VPS IP4 address. Use a utility like autossh to automatically maintain the ssh connection. Connect to port 80 on the VPS IP and get routed to your home web server.
http://en.wikipedia.org/wiki/NAT64
Interestingly, it was discussed in a forum topic on Tunnelbroker:
http://www.tunnelbroker.net/forums/index.php?topic=2419.0
Don't bother with any 3rd parties like most suggestions are advising. OpenVPN supports tunneling IPv4 and IPv6 over either of them. You can use a laptop or anything else that supports IPv6 to connect to your server at home over IPv6 via a bridged tap tunnel interface and then anything you connect to the laptop via layer 2 will be able to communicate with your home over IPv4.
If his IPv6 is dynamic, he will want to look into DynDNS like service. For $30 a year, they offer "Dyn Standard DNS" service which will support AAAA records.
Problem is, there are still many ISPs out there that don't support IPv6 yet. And even as they are coming online, the client most likely doesn't have an IPv6 router yet. There are many broken segments that need to be brought up to spec before we can start enjoying a reliable end-to-end IPv6 network. It will happen, but honestly, not for another few years at best. Say, four years at the most from now (pulling educated guess out of thin air).
Life is not for the lazy.
Get:
Then do:
now we need to go OSS in diesel cars
http://pagekite.net/ Their open-source client is super easy to setup. You get 1 month free, after that the service is only $18 for 6 months. I've installed Pagekite's client even on machines behind corporate firewalls, and never had any problems whatsoever. I'm not affiliated to them in any way; just a satisfied customer.
No need for v6 to be dynamic. There's plenty of addresses.
now we need to go OSS in diesel cars
Just dump the IP addresses entirely for your applications. Anonymizing networks like Tor and I2P do this automatically, switching the 'address' to a node identification key. If your node has the key, then any other node looking for that key will find you, no matter what your current IP address is. The key validates 'who' your systems are, so the IP address or domain doesn't even matter.
Tor cannot do this as seamlessly as I2P for a couple of reasons:
1) Tor is really only designed for browsing and doesn't handle non-TCP, non-HTTP protocols well. I2P supports UDP as well as TCP, and has the topology for larger, non-Web page data flows.
2) You can easily set the number of hops in I2P... all the way down to zero. This actually makes the (usually slower & anonymized) I2P connection faster than some of the above mentioned solutions involving the expense of a relay system (which is 1-hop, and assuming SSH gets balky more often due to the way TCP deals with latency)... (I think with Tor, you are forced to go through their anonymizing relays).
The down side is that -- although I2P handles IP sockets -- it's not the same thing, so you need to take a couple steps to make SSH or other programs utilize it (similar to using torify as a wrapper). Also, the only mobile platform I2P runs on is Android. And remember that using I2P like this bestows no anonymity on your SSH connection (although that limit would not extend to other apps you use with I2P, as long as you don't also configure them to use 0 hops-- the default is 3 hops).
CGN or as I like to call it Internet-Cancer, SUCKS! There is no way to "call-in". The only way to access your hardware is through 3rd party services such as Teamviewer (which I highly recommend) or LogMeIn. This however isn't you logging in to your stuff, you meet by a proxy that is a Teamviewer server, and then establish a direct connection. Teamviewer also has some plugins which let you establish a VPN to the network that the Teamviewer server is connected to. Another solution is to have a Cisco router connected to the CGN'd internet connection, and have the router automatically VPN (I personally use Cisco's DMVPN technology) to another internet connection that you DO have access to. An example would be an employee's router that VPNs to HQ. If they VPN'd properly establishes the connection to HQ the IT guys can then SSH, FTP or whatever into the employee's house. They are not connecting directly, but through the VPN from HQ. With some sneaky NATting and routing you can achieve an effect that is very similar to having direct access from the internet to the inside of a CGN'd network.
Agreed. Though there's nothing stopping your local ISP from maintaining a two tier agreement where having a static IP is still only for business class users.
Life is not for the lazy.
If skype works then both showmypc and gotomypc will work.
Teredo (IPv6 over UDP) is easy to set up - if your Windows is Vista or later, it works automatically. For Linux it depends on the distro. If you happen to be in a non-NATted environment for once, 6to4 works great too.
So just enjoy the IPv6.
If you have devices at home that don't support IPv6, you can set up a NAT64 within your home network.
Conversely, get a tunnel from a tunnel broker to use whilst on the road vpn style (essentially tunnel into ipv6 network via local ipv4) and access your systems over ipv6 when on the road.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Serious question, no interest in flamebait or trolls. Why is mobile not on IPv6?
It's a place where I would expect it. Quick turnaround of devices, new networks all the time. It made sense for 2G and GPRS to be IPv4 at the time. But 3G and even 4G apparently are still using IPv4.
It's hard to believe the phones are not up to the task. It's all in the software, not too hard to require v6 on 3G and later. Older devices that are v4 only can't use 3G networks anyway. Users don't need to know their IP address, ever. These are devices, and there is a huge number of them, exactly what v6 was meant to support. Carriers have full control over their networks, start to finish, so that part of switching to v6 is also not an issue. They of course have to provide a gateway to access v4-only web sites, but that shouldn't be too much harder than maintaining a NAT like they have to do now to keep everyone on v4.
Honestly, I just don't get it.
It's such a stark contrast with that fibre provider that is basically IPv6, while providing a v4 compatibility layer for older devices that still need it.
I've been using logmein for many years now. It's free and it just works. I'm living in China now, and my pc's at home are behind a DD-WRT router running OpenVPN with a dynamic (not-fixed) US IP address. Even when the VPN drops out, and everything ends up on a Chinese IP address, it still works. There is even an android client that works from my single core 7" lenovo tablet with China Unicom 3G service. Amazingly, it j u s t w o r k s.
While the title may have been less in your face, why is this modded down? AC is right - with IPv6, he has no shortage of addresses, so he could configure a DHCP6 server and set it up that way.
It would have helped if this was dual stacked, but since it isn't, one thing he should consider is asking his cell phone carrier whether they do IPv6, and getting that end IPv6 supported. Another option might be to set up a DS-lite configuration for services needing IPv4. That way, he uses his IPv4 cellphone to access those services, while providing them seamlessly from IPv6. Or else tunnel the requests from the IPv4 end.
All the other options posted so far are valid, but perhaps as you mostly travel and to keep costs down, what about a shell account at a provider with IPv6 support? http://blinkenshell.org/wiki/Info/IPv6
But imagine the effort needed to determine who needs how many addresses. Spending that sort of time on a technology that's all set to be replaced does no good. Instead, governments should aggressively push IPv6 adaption, and at some point, announce a cutoff of all IPv4 services. That thing won't go away unless and until someone takes the initiative and pulls that plug. Once they do, anyone who wants to deal w/ them will be forced to adapt IPv6, and after that, there will be no shortages
ssh -R 2022:localhost:22 -oGatewayPorts=yes mypi.edis.at
You can call this script from
Then, when on the road, to connect to your home network, just do ssh -p 2022 mypi.edis.at on your phone.
A suitable server may be a raspberry pi hosted for free at Edis, Austria. Just send them your pi, and they'll host it for free.
Another option is checking with a friend. A group of us rent a server running Arch Linux but any distro will do. This lets us host some websites, mumble, virtual machines, do ssh tunneling to get by work firewalls or get free internet at hotels, private file sharing and proxying/tunneling like you're wanting. If you have a friend like this and his server hoster hasn't given him ipv6 get him to ask and they will probably give him more than he could ever use like ours did. Then he can set up what ever method you want.
We got a decent server for $50 a month split 4 ways.
https://pagekite.net/ seems to be 36 EUR for one year.
You should change your desktop background to this
Check out sixxs.net for a decent tunnel broker. They're also a good starting point to find ISPs who can provide native IPv6 routing (those same ISPs would also be likely to be have the infrastructure in place to provide the standard services you require).
If you're UK based, Goscomb are v6 native, provide static addressing (free & by default) & FTTC, don't perform any traffic shaping & offer 30-day rolling contracts.
Their caps are a little low for me, but it's a good service & I get what I pay for.
You know, I honestly did spend some time searching Google without coming up with useful results. I certainly could have spent a lot more time searching, but sometimes, it's a lot easier to ask someone with expertise and experience. I debated asking the question here, but I also found it interesting (and perhaps news and discussion-worthy) that ISPs are rolling out IPv6-only deployments (on synchronous 100Mbit fiber, even!), and thought others here might find that interesting, as well.
My provider actually is T-Mobile Germany, and surprisingly, they don't plan to deploy IPv6 until next year!
You can either get a VPS that supports IPv6, and log in from there ... another solution that works fairly well.
You use a reverse tunnel, created on demand based on an HTTP request. Here's what you do:
Run a script on your machine that checks yourpage.com/sshtunnel, if it gets, say, NO_TUNNEL, it does nothing (or even better, make that a script and return 404 or some other header to signify FALSE). If, instead, it gets a json or csv, or whatever else you want (I used JSON) with an IP address, a port, and which username it should use, your machine will create a tunnel to that destination. Like this: ssh -f -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -nNT -R {remote_port}:127.0.0.1:22 {remote_user}@{remote_host}. So, if where you can expose a port on your laptop, you just fill out a form on your website, and when your machine next checks /sshtunnel it gets served your current data, and your machine connects to wherever you are. All you have to do now is ssh user@localhost -p {remote_port}.
If wherever you are, you don't have access to port forwarding, you can have a cheap VPS (there are many available for as low as 5 bucks a month), and have your machine connect there, this will increase your latency, but it'll be barely noticeable if you choose your VPS location wisely (i.e as close to your home as possible).
The userknownhostfile and stricthostkeychecking disabling are required since you will be using key authentication against a machine that moves around all the time.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
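The on-demand reverse tunnel from the comment above, as an added example that is not the commenter's script: it validates the fetched tunnel request before building the ssh command and, as a variation on the comment's options, pins the roaming machine's host key with HostKeyAlias instead of disabling host key checking. The JSON field names, the alias and the known_hosts path are assumptions, and the sample addresses are constructed.

```python
import ipaddress
import json
import re

# Assumptions for this example: the roaming laptop's public host key is stored
# once in KNOWN_HOSTS under the name HOST_KEY_ALIAS, e.g. a line such as
#   roaming-laptop ssh-ed25519 <laptop host public key>
# ssh then checks that key whatever IP address the laptop currently has.
HOST_KEY_ALIAS = "roaming-laptop"
KNOWN_HOSTS = "/etc/tunnel/known_hosts"
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class TunnelRequestError(ValueError):
    """The fetched body is not a request this machine should act on."""


def parse_tunnel_request(body):
    """Return None when no tunnel is wanted, else a checked (host, port, user).

    The body comes from a web page, so every field is treated as untrusted:
    the host must be a literal IP address, the port an unprivileged integer,
    and the user a plain account name. Anything else is refused rather than
    passed to the ssh command line.
    """
    if body.strip() in ("", "NO_TUNNEL"):
        return None
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TunnelRequestError("body is not JSON") from exc
    if not isinstance(req, dict):
        raise TunnelRequestError("expected a JSON object")

    host = req.get("remote_host")
    try:
        if not isinstance(host, str):
            raise ValueError("host must be a string")
        host = str(ipaddress.ip_address(host))
    except ValueError as exc:
        raise TunnelRequestError("remote_host is not an IP address") from exc

    port = req.get("remote_port")
    if isinstance(port, bool) or not isinstance(port, int) \
            or not 1024 <= port <= 65535:
        raise TunnelRequestError("remote_port must be an integer 1024-65535")

    user = req.get("remote_user")
    if not isinstance(user, str) or not USER_RE.fullmatch(user):
        raise TunnelRequestError("remote_user is not a plain account name")
    return host, port, user


def build_ssh_argv(host, port, user):
    """Build the reverse-tunnel command as an argv list (no shell involved)."""
    return [
        "ssh", "-nNT",
        "-o", "BatchMode=yes",              # keys only, never prompt
        "-o", "ExitOnForwardFailure=yes",   # fail if the -R port is taken
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={KNOWN_HOSTS}",
        "-o", f"HostKeyAlias={HOST_KEY_ALIAS}",
        "-R", f"{port}:127.0.0.1:22",
        f"{user}@{host}",
    ]


def plan_tunnel(body):
    """One polling step: the argv to run, or None when nothing is requested."""
    req = parse_tunnel_request(body)
    return None if req is None else build_ssh_argv(*req)


if __name__ == "__main__":
    # Constructed sample response from the polled page.
    sample = '{"remote_host": "203.0.113.7", "remote_port": 40022, "remote_user": "randy"}'
    print(" ".join(plan_tunnel(sample)))
```

The returned list is meant to be handed to subprocess.run() as-is, so none of the fetched values is ever interpreted by a shell.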
Ask yourself whether you need a server, or you simply need to access your home computer.
If you just need to access your home computer to see files/etc., then a service like LogMeIn or TeamViewer would probably work for you. They work through NAT and don't require a publicly routable IP address to access specific equipment.
rent a VPS, install your favourite linux flavour on it, run an openVPN server on it.
run a VPN client on your home server and have it connect to the VPS VPN server.
connect to the VPN server and route to your home network
...I obey the laws of physics....
Whenever I see that rolling meadow, I have visions of a vast droid army just about to appear over the hills. Sadly, I'm stuck with a corporately mandated propaganda page.
When our name is on the back of your car, we're behind you all the way!
There are only two answers to this:
1. Install Linux
2. Buy a Mac
Is it bad that I was hoping it was Goatse.cx?
it's only going to get worse. enjoy!
E.g. adding ip4.sixxs.org to the ipv6 address, http://ipv6.google.com.ipv4.sixxs.org/
Don't know if any allow numerical addresses. Is the ISP providing DNS service for adding your own AAAA records to your routed subnet?
Get a free tunnel from SixXS and install the AICCU programme on your laptop. This should work fine and is easy enough to set up. I used SixXS (for a different purpose) for a few years until I got native IPv6 on my ADSL.
The way it works, you get allocated a PREFIX. Not a single IP. Generally a /56 or a /48. So you have several trillion IPv4 internets worth of IP to play with behind your home DSL. Typically you'll configure your router to be xxxx::1, and then behind that it's up to you. So yes, you'll get a static IPv6 prefix, that's the whole point. I'm running IPv6 native here through internode.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
There are two solutions I can think of, depending on what you need and how much work you're willing to put in.
First, you could use something like LogMeIn or GoToMyPC. You leave the agent running on a PC on your network then you can login to that PC remotely and access the network resources from there.
The second solution, and what I do, is use VPN. In my case, I have a dynamic IP address from my ISP and I don't care to remember it. I also want to be able to directly address hosts on my LAN rather than play port forwarding games. I have a VPN tunnel built from my home network to a firewall I have colo'ed. That firewall has a static IP and when I'm working remotely, I just fire up Cisco VPN client and establish a remote access VPN session to that firewall, which then tunnels my traffic through the colo'ed firewall back to my home network so I can address my hosts at home via their internal IP addresses.
I happen to have the ability to colo a personal firewall at work and give it a static IP address at no cost, but you may not. If that's the case, I would look into something like a micro instance in Amazon EC2 that could perform the same function. Free for a year, then probably $20/mo.
Yes... Why did you need to ask?
The problems with most of those services that quickly come to mind:
1) You don't own them, so you ultimately have no control over them
2) You have to trust when they claim they're using XYZ to encrypt they actually are
3) That can change the terms of service anytime
4) someone can do something illegal with those sites and your data gets seized by the feds too with no recourse
4.1) I know your solution, just spend even more money above and beyond your home connection and your already proposed solution to have a backup solution
5) hackers can never get this stuff, right?
You're a jackass for even proposing he pay for a different solution on top of a solution he's already paying for. Sometimes the best solution is the simplest one - host it at home. We live in the 21st century for christ's sake and many are IT professionals, if everyone's solutions is just "pay someone else to do it for you", we might as well just open the H1-B flood gates...dumb ass
This may be overkill as many people have suggested just using a linux VPS. But we are using a VPS from arpnetworks to host an instance of pfSense (FreeBSD based firewall distro). This is connected to our main site's firewall via a VPN tunnel. We have a /29 on the arpnetworks side to get a few extra public IPs (we need them to host SSL web sites). We then route traffic from those IPs over the tunnel to our internal network. There's no reason you couldn't do the same thing for a single address. I think it costs us $10/month +5/month for the /29 (single IP would be free).
"We are what we pretend to be, so we must be careful about what we pretend to be." --Kurt Vonnegut
I'd second this suggestion.
But you'll probably need to use dynamic DNS from some place like FREEDNS.AFRAID.NET to be able to locate your home server. I haven't done that (yet).
(note: At least one IPv6 tunnel broker DOES IPv6 DNS - but I'm not sure if you could leverage your HOME there.)
Actually, the smaller you slice v4 addresses, the more you lose, since you have smaller subnets that each have a network & broadcast address each, which can't be used for anything else. Yeah, there won't be ONE subnet, but neither will there be 4096. So there will still be plenty of addresses that will either be pooled, or could be used in PAT overloading. Another thing - some of the earliest IPv4 implementations did NOT support subnets or their implementations
I find it interesting as well, particularly for a RIPE based ISP. But normally, it would be easy to explain why, say, an Asian ISP would go IPv6 only - simply b'cos Asia has run out of IPv4 addresses
If his home server is on IPv6 and he has to worry about dynamic IP's, his ISP is doing something terribly, terribly wrong.
Here's my solution (though mine is all IPv4 instead of IPv6 simply because my carrier hasn't yet entered the 21st century).
I have a Linode... cheap one. It has a static IPv4 address. I put OpenVPN at each end and set up the Linode as my server, and my home server as a client. Then any services I want to present, I just proxy using the Linode (mostly web-based stuff... use Apache proxying). Works like a champ, doesn't require me to set the default gateway to my VPN (that would be a pain) and means that my address is completely static even if my own home address changes.
For bonus points, I use the dazzle script / sparkleshare combo as my own "dropbox" using this, and the repo is stored on my home server while my gateway to the repo is my Linode.
If you want more details, I am reachable by the same user name at Y... yeah I still have one of THOSE addresses, and while it's mostly a spam-sink I do check it.
That's not going to be of any use when the ISP doesn't give him any IP address at all.
Do you care about the security of your wireless mouse?
Step 3: SSH into myswebsite.com
Voilà!
And you'll get a connection refused because port 22 is not forwarded by the CGN.
Do you care about the security of your wireless mouse?
Hurricane Electric has been doing this stuff for years. Check them out. Even my ISP (Teksavvy) has been using them to provide IPv6 to its clients. Not sure what they are using now.
I second this. This is what I do.
So, if you just need to access by ssh for just some checks and so on, I think you can set up one of those free VPNs like proxpn.com
If you would like to have direct connectivity (for example for bandwidth reasons) I have another proposal: It's not so easy to set up, but I think that the best solution is to use the ICE protocol (http://tools.ietf.org/html/rfc5245) for NAT traversal. It is used for establishing p2p connections on SIP for VoIP calls (also skype uses it!), but actually you can use it for anything else. It gives you a UDP tunnel between two peers and it works even if both the peers are behind NAT. The only case in which it does not work is when you can't use UDP or both peers are behind a symmetric-NAT (a kind of NAT used on some corporate networks). *Usually* ISPs try to follow some NAT requirements ( http://tools.ietf.org/html/rfc4787 ) so that this kind of NAT traversal technique works.
A few weeks ago I created a tool based on libpjproject for doing a tunnel using ICE: https://github.com/Otacon22/icetunnel the only thing is that you need some way of exchanging the SDP information. For example you could:
1. connect both peers to a free VPN
2. Connect to the home peer on ssh over the VPN
3. Start my icetunnel tool on both peers, copy SDP data and paste to the other host
4. Open a VPN over the UDP tunnel created by ICE
Sorry if the description is not so clear but I'm still developing it!
P.s: also the new WebRTC uses ICE!
Europe has run out as well.
Do you care about the security of your wireless mouse?
I'm glad someone took the time to give an honest answer to your question. If, however, those first replies you got made the slightest effort to look at your /. number they'd have noticed you as one of the most long standing members here and maybe backed off the rudeness.... Good job on such a restrained response from you!
A /64 for home. A /60 for business. Pay more to get shorter.
now we need to go OSS in diesel cars
One thing I've wondered about this - in IPv4, x.x.x.0 is the network address, while x.x.x.255 is the broadcast address. Now, while we don't have explicit broadcast addresses in IPv6 (a multicast to the local-link is the substitute), what exactly is the network address of an IPv6 network? If the address was something like 2001:1234:5678:9abc:1234:5678:9abc:def0, what would be its network address? Would it be 2001:1234:5678:9abc:: or something else? In fact, would 2001:1234:5678:9abc::0 be a valid address that could be assigned to the IPv6 gateway?