Home Server On IPv6-only Internet Connection?

RandyOo writes "I've recently learned that our neighborhood is getting a fiber optic network, with a 100Mbps connection in each subscriber's home. IPv6 connectivity is included, but unfortunately, the only IPv4 connectivity they offer is Carrier Grade NAT, due to the exhaustion of IPv4 addresses in RIPE. I travel a lot, and I've become accustomed to accessing my home network via SSH, VNC, etc. It appears uPNP and PMP are unsupported by CGN. So, without a publicly-routed IPv4 address, I'll be unable to reach devices on my home network from an IPv4-only connection, such as the one provided by my cellular carrier (which also appears to be behind some kind of NAT, by the way). If the ISP isn't willing or able to sell me an IPv4 address, what alternatives do I have? I'd be willing to pay a small monthly fee for, say, a VPN service that would allow me to accept incoming connection requests on a range of ports on their Internet-facing IPv4 address. Does such a service exist?"

Hamachi

[PhaseBurn]

I've been using LogMeIn's Hamachi system to accomplish this. It's a virtual LAN solution that links machines behind firewalls or CGN devices. The down side is that it has to be installed on all devices that access the virtual LAN, and they don't have any mobile clients (yet), but if you need access from a device you can't install the Hamachi client on, you can always get a cheap VPS, install the linux client on it, and set up some port forwarding - the Hamachi IPs are static, so each machine always gets the same one.

There are some limitations with the free version (5 machines in a virtual LAN, connection only works with a logged in user on desktop clients), but the $30ish it costs per year for a 32 user license is very reasonable. And it supports IPv6 and IPv4 across the VLAN, too.

Re:Hamachi

Hamachi squats on valid address space, and may cause problems.

Re:Hamachi

[PhaseBurn]

There's downsides to everything. I don't use anything in the 25.0.0.0/8 range, as the entire block is owned by the Ministry of Defense in GB. I'd wager that nobody who reads this article has ever connected to a 25/8 IP, including you, and the user inquiring about a solution to his CGN conundrum.

Re:Hamachi

[JWSmythe]

That's not the only large block. There are *lots* of blocks just like it. I was exposed to a /16 that uses maybe 4 /24's in it.

Even in blocks as (relatively) small as a /24, there is lots of dead space. Rarely do places properly plan ahead, You're *suppose* to only ask for your next /24 when you are at 80% *and* you expect to reach it in the near future.

I've seen shops put every unused IP on machines, just so they can say they're fully utilized, and get more blocks.

It's not utilization that is hurting IPv4, it's greed. No one gives back IPs. They just keep asking for more.

Re:Hamachi

[danpbrowning]

They finally fixed that? Good. They previously used 5.0.0.0/8 and it took a *long* time to figure out why certain users can't access certain web servers.

Re:Hamachi

[rs79]

Beware that 84% of Hamachi sold is actually butterfish which can cause anal leakage, so be careful.
http://blog.medellitin.com/2008/12/escolar-world-most-dangerous-fish.html

I'd like to hear more about changing the rolling meadow desktop thing, too.

Re:Hamachi

[marka63]

Actually it is utilisation. IPv4 ran out of addresses over a decade ago when NAT no longer became optional for the majority of users of the Internet. Ever since then we have been in stopgap mode. Unfortunately most users have never experience the real Internet when everyone can be both a producer and a consumer.

Re:Hamachi

[AlphaWolf_HK]

On the subject of tunnels, I'd say just go with a 6 to 4 broker on your remote end. There are a bunch of free ones such as hurricane electric. If you do that, then you've effectively got "end to end" (I'm doing air quotes) ipv6 access to your home server, even if your client side doesn't support ipv6. It's really very seamless if you set up a dynamic DNS.

Virtually all modern operating systems support 6to4 tunnels, you can even do it from the command prompt in windows vista and up (usally three to four lines of code.)

There are various android apps that do this as well, but I have no experience with iOS or windows phone (I'm a bit dubious of those two since a six to four tunnel actually requires being able to move v6 traffic over the v4 stack, and as far as I'm aware you can't do that sort of thing with those platforms due to anti-hacking restrictions - but I'm quite possibly wrong.)

Re:Hamachi

[AlphaWolf_HK]

Well many have been giving back, though those who do are usually private entities. IBM gave a few /12 blocks back to IANA a few years ago, with Microsoft doing about the same.

Re:Hamachi

[Guspaz]

The advantage of Hamachi, though, is that it's a direct connection between your two machines, with the only overhead being udp headers. Any tunnel is going to be bouncing you off some router who knows where, lengthening your route and possibly hitting congestion (I'd worry particularly about the free ones).

I can't speak to the current version of Hamachi, as I've not used it in years, but last time I did there was a console Linux version to go with the Mac and windows versions. It was very popular at the time as a way of playing LAN-only games over the Internet with minimal latency ( since every peer connects directly to every other peer). For example, I believe IPX games worked over it.

Re:You've come to the right place.

Next up on ask slashdot:

I've grown tired of the rolling meadow background on my Xp desktop. Does slashdot have any advice on how I might change it? And what should I change it to?

proxy on an amazon ec2 instance?

[yincrash]

also, if you're using t-mobile and have a newer phone, you can get IPv6. https://sites.google.com/site/tmoipv6/lg-mytouch

Re:proxy on an amazon ec2 instance?

[MtHuurne]

T-Mobile is part of Deutsche Telekom: Germany is where they started from.

Cheap Linux VPS and a VPN to home

[toygeek]

A cheap Linux based VPS (Virtual Private Server) will do what you want. You can set up a VPN connection between your home server and the VPS, and then connect to the VPS on its public IP and have it route to your home. I haven't set up such a thing myself, and it will be a bit laggy, but it should works for what you need.

Re:Cheap Linux VPS and a VPN to home

[don.g]

Yes but EC2 costs way more than a cheapo VPS of the type advertised on lowendbox.com

Re:Cheap Linux VPS and a VPN to home

[Deekin_Scalesinger]

He can get a free year of EC2 hosting. Windowz and Linux both. Amazon may be a Big Corporation but this ain't bad

Re:Cheap Linux VPS and a VPN to home

[sortius_nod]

Not only that, you can just keep signing up for free tier every year. I've done it myself, & all I needed to do was transfer configs to my local machine, close down my AWS account, open a new one, upload, off I go again.

It may only be a year, but they don't check names, credit card details, or address, just email address.

Re:Cheap Linux VPS and a VPN to home

[negge]

I do something similir to this to access my work computer from anywhere. The company doesn't provide VPN access so I've connected my work PC to my home network via VPN. In turn I can access my home network via the same VPN (just different credentials). The only downside is that if my work computer is rebooted I have to be there to initiate the VPN connection.

You can always get to IPV6 on the out

[SpazmodeusG]

Every system I've seen has some form of IPV6 tunneling that allows you to call out to an IPV6 server. The only time it fails is if you're trying to host an IPV6 server which will fail due to NAT but connecting to an IPV6 always works. The fact that you've got an IPV6 server means you're set. Run Teredo/Miredo on your clients and connect away.

Go setup teredo/miredo and connect away.

Re:You can always get to IPV6 on the out

[JimboJoe]

I would definitely try Teredo first, though it does depend on the NAT design used by your ISP (you want remote IPv4 hosts to repeatedly see the same source address after repeated connections -- if the reported address changes, Teredo won't work for you).

The protocol doesn't require explicit ISP support, though NAT design can certainly break it and ISPs can filter it if they choose. When it works, the net effect is that any two hosts running Teredo clients can connect to each other via their client's IPv6 addresses, even if an IPv4 network sits between them.

Under the hood, it tunnels on top of NAT'd UDP over IPv4, using a 3rd party public IPv4 server to mediate the connection start-up (needed for NAT busting) -- but all of that is transparently handled by the Teredo client, so using it seems exactly the same as connecting to any other IPv6 host. There's a small privacy aspect present since that other server sees your source and destination trying to start a connection, but all the real traffic is direct, peer-to-peer.

Since the effect is to allow connections despite a NAT, you should make sure you are suitably firewalled, patched up, hardened, etc. Some teredo clients may also require you to explicitly enable in-bound connections on the interface.

HE.net?

[alexandre]

Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc.
Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it! ;)
You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!

Re:HE.net?

[FridayBob]

Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc. Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it! ;) You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!

You misunderstand: the only native IP addresses he has are IPv6. For IPv4 he only has one or more RFC1918 addresses (private range addresses behind a carrier-grade NAT). AFAIK Hurricane Electric only offers IPv6 addresses tunneled over IPv4. What he wants is the opposite: a public IPv4 address tunneled over IPv6. If there are not currently any services available that offer this, I'm sure there will be soon, but I doubt they will come free of charge.

Re:HE.net?

[gman003]

You aren't looking at the full picture.

What he needs is a way to connect to his (IPv6) home computers, from presumably-IPv4 remote locations. There are two ways he could do this - by finding a way to use IPv4 on his home machines, or by finding a way to use IPv6 on the remote connections. Tunneling IPv6 over IPv4 would work on the remote side, just as tunneling IPv4 over IPv6 would work on the home side.

Re:HE.net?

[marka63]

Which is basically down to lack of experience rather than actual gaps in protocol coverage.

Most ISP's are only now starting to ask "how do I do this". They should have been asking this question 7 to 8 years, if not longer, ago.

Re:HE.net?

[kasperd]

You had one job to do ietf, and this is what it's come to?

IETF completed their job on time. Other people had a job to do as well, but they all decided to wait until after the deadline before even start to think about it. There are ISPs still saying IPv6 isn't going to take off, and IPv4 will be fine for many years to come.

Looking back there are things that could have made a difference. 10-15 years ago I started wondering why nobody was doing anything, because the entire upgrade process was stuck in a deadlock already back then with nobody wanting to make a move until everybody else had started moving already. Back then it was clear that the only way to give sufficiently strong incentive to deploy IPv6 was through regulation. Nobody had the guts to do the regulation.

Instead of waiting until 98% of IPv4 address space was used before rationing the remaining address space, IANA should have been rationing at 50% usage. At that point they should simply have said 50% is used, we will not allow the installed base of IPv4 only hosts to grow any larger. The remaining 50% of IPv4 address space should have been assigned only to dual stack deployments, or to providers which have previously demonstrated, that they are converting IPv4 only deployments to dual stack.

If that had been done, then by the time IPv4 space was consumed, the installed base of dual stack would have been as large as the installed base of IPv4 only. In that case it wouldn't have made sense to stay IPv4 only from a business viewpoint.

IPv6 Tunnel Broker

[strange_tractor]

Like tunnelbroker.net or broker.aarnet.edu.au

then gogoc (or similar) to connect you to the IPv6 tunnel when on the greater internet, then ssh to your ipv6 address

Reverse SSH Tunnel

[Ingenium13]

As one other comment suggested, get a cheap VPS and setup a VPN so that you can connect to your network. DigitalOcean has one for $5/month (I'm in no way affiliated) https://www.digitalocean.com/ and you can then have your router connect to the VPN. Setup the routes correctly and any VPN user can access every device at home.

However you won't always want to load up the VPN on your phone, and if there's just 1 computer you want to access you can use a VPS with a remote SSH tunnel. Have the computer on your network connect to the VPS and forward some high numbered port, say 4222, to port 22: ssh -R 4222:localhost:22 user@vps. Then you can ssh into your VPS on port 4222 and it will go directly to your home computer. Just made sure you add "GatewayPorts yes" to /etc/ssh/sshd_config or the remote port will only bind to localhost.

Couple this with autossh and the home computer will always keep the connection open and re-establish it as necessary.

Sure, there's a little overhead, but I've never really noticed it. I use this trick so that my phone and tablet can always ssh into my laptop no matter where the laptop is (home network, friend's house, coffee shop, etc)... no need to find the IP address and worry about port forwarding.

Any VPS provider with dual-stack

[mysidia]

SSH into the Virtual private server, then SSH from the virtual private server to your LAN's IPv6 address

For VNC, open SSH back to your remote computer from inside your LAN in remote tunnel mode, using the -R option, to tunnel the port to the local VNC at the remote end, then connect to that local port on your local computer with VNC for remote access to your home.

Here is what I do

[ls671]

For me, the cheapest way to go was to have the machine behind NAT automatically connect to a second server and bring up an IP tunnel through pppd-ssh.

The second server has a public IP and I connect to it when I want to access the machine behind NAT. You can also do port redirection on the public IP server so you can log directly into your home computer with the public IP.

Port block allocation & PCP

[funkboy]

Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck for more details.

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.

Re:Port block allocation & PCP

[thegarbz]

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

Humans' ability to create complex and convoluted workarounds for problems that have been foreseen for 20 years and have had a solution for equally as long simply waiting for a bit of investment in infrastructure amazes me. If people spent even half the amount of effort in implementing IPv6 as they do finding assbackwards workarounds to easily solvable problems then the world would be a much better place.

Re:You've come to the right place.

[biggknifeparty]

Buy a VPS. Create an open ended ssh tunnel commencing that opens a port on the VPS IP4 address. Use a utility like autossh to automatically maintain the ssh connection. Connect to port 80 on the VPS IP and get routed to your home web server.

Tunnel directly

[phizi0n]

Don't bother with any 3rd parties like most suggestions are advising. OpenVPN supports tunneling IPv4 and IPv6 over either of them. You can use a laptop or anything else that supports IPv6 to connect to your server at home over IPv6 via a bridged tap tunnel interface and then anything you connect to the laptop via layer 2 will be able to communicate with your home over IPv4.

Why not just use tunneled IPv6?

[Zarhan]

Teredo(IPv6 over UDP) is easy to set up - if your Windows is Vista or later, it works automatically. For Linux it depends on the distro. If you happen to be in a non-NATted environment for once, 6to4 works great too.

So just enjoy the IPv6.

If you have devices at home that don't support IPv6, you can set up a NAT64 within your home network.

Re:You've come to the right place.

[smash]

Conversely, get a tunnel from a tunnel broker to use whilst on the road vpn style (essentially tunnel into ipv6 network via local ipv4) and access your systems over ipv6 when on the road.

Why is mobile data not on IPv6?

[wvmarle]

Serious question, no interest in flamebait or trolls. Why is mobile not on IPv6?

It's a place where I would expect it. Quick turnaround of devices, new networks all the time. It made sense for 2G and GRPS to be IPv4 at the time. But 3G and even 4G apparently are still using IPv4.

It's hard to believe the phones are not up to the task. It's all in the software, not too hard to require v6 on 3G and later, Older devices that are v4 only can't use 3G networks anyway. Users don't need to know their IP address, ever. This are devices, and there is a huge number of it, exactly what v6 was meant to support. Carriers have full control over their networks, start to finish, so that part of switching to v6 is also not an issue. They of course have to provide a gateway to access v4-only web sites, but that shouldn't be too much harder than maintaining a NAT like they have to do now to keep everyone on v4.

Honestly, I just don't get it.

It's such a stark contrast with that fibre provider that is basically IPv6, while providing a v4 compatibility layer for older devices that still need it.

Re:Why is mobile data not on IPv6?

[unixisc]

Actually, LTE deprecates IPv4 and mandates IPv6, so 4G is very much IPv6 only. He is probably using a 2G or 3G carrier, where such a mandate doesn't exist.

IPv6 is right - plus some DS-lite or tunneling

[unixisc]

While the title may have been less in your face, why is this modded down? AC is right - with IPv6, he has no shortage of addresses, so he could configure a DHCP6 server and set it up that way.

It would have helped if this was dual stacked, but since it isn't, one thing he should consider is asking his cell phone carrier whether they do IPv6, and getting that end IPv6 supported. Another option might be to set up a DS-lite configuration for services needing IPv4. That way, he uses his IPv4 cellphone to access those services, while providing them seamlessly from IPv6. Or else tunnel the requests from the IPv4 end.

Re:Toredo

[DarkOx]

No very much the opposite actually. Remember you are tcp or Udp inside the tunnel as well. For the inner Udp a lost packet is simply a lost packet like any other, the application will have been designed to handle that because its the nature of Udp. For tcp a lost tunnel packet will result in the inner tcp seeing a lost packet, there will be no ack and it will do what tcp always does a retransmit, the outer tunnel layer will encapsulate it in a new Udp packet and things will work fine.

Often tcp tunneled in tcp performs badly on lossy links. What happens if the stacks have not worked out the window sizes just right you get BOTH the inner and otter tcp doing a retransmit. This results in the inner tcp ultimately experiencing lots of duplicate packets; which it will handle, but you end up sending lots of useless traffic down the tunnel which is just like more overhead.

Re:You've come to the right place.

[hackertourist]

You should change your desktop background to this

Re:You've come to the right place.

[RandyOo]

You know, I honestly did spend some time searching Google without coming up with useful results. I certainly could have spent a lot more time searching, but sometimes, it's a lot easier to ask someone with expertise and experience. I debated asking the question here, but I also found it interesting (and perhaps news and discussion-worthy) that ISPs are rolling out IPv6-only deployments (on synchronous 100Mbit fiber, even!), and thought others here might find that interesting, as well.

Bingo.

[RandyOo]

My provider actually is T-Mobile Germany, and surprisingly, they don't plan to deploy IPv6 until next year!

Re:You've come to the right place.

[realityimpaired]

Ask yourself whether you need a server, or you simply need to access your home computer.

If you just need to access your home computer to see files/etc., then a service like LogMeIn or TeamViewer would probably work for you. They work through NAT and don't require a publicly routable IP address to access specific equipment.