Home Server On IPv6-only Internet Connection?

RandyOo writes "I've recently learned that our neighborhood is getting a fiber optic network, with a 100Mbps connection in each subscriber's home. IPv6 connectivity is included, but unfortunately, the only IPv4 connectivity they offer is Carrier Grade NAT, due to the exhaustion of IPv4 addresses in RIPE. I travel a lot, and I've become accustomed to accessing my home network via SSH, VNC, etc. It appears uPNP and PMP are unsupported by CGN. So, without a publicly-routed IPv4 address, I'll be unable to reach devices on my home network from an IPv4-only connection, such as the one provided by my cellular carrier (which also appears to be behind some kind of NAT, by the way). If the ISP isn't willing or able to sell me an IPv4 address, what alternatives do I have? I'd be willing to pay a small monthly fee for, say, a VPN service that would allow me to accept incoming connection requests on a range of ports on their Internet-facing IPv4 address. Does such a service exist?"

Hamachi

[PhaseBurn]

I've been using LogMeIn's Hamachi system to accomplish this. It's a virtual LAN solution that links machines behind firewalls or CGN devices. The down side is that it has to be installed on all devices that access the virtual LAN, and they don't have any mobile clients (yet), but if you need access from a device you can't install the Hamachi client on, you can always get a cheap VPS, install the linux client on it, and set up some port forwarding - the Hamachi IPs are static, so each machine always gets the same one.

There are some limitations with the free version (5 machines in a virtual LAN, connection only works with a logged in user on desktop clients), but the $30ish it costs per year for a 32 user license is very reasonable. And it supports IPv6 and IPv4 across the VLAN, too.

Re:Hamachi

Hamachi squats on valid address space, and may cause problems.

Re:Hamachi

[danpbrowning]

They finally fixed that? Good. They previously used 5.0.0.0/8 and it took a *long* time to figure out why certain users can't access certain web servers.

Re:Hamachi

[rs79]

Beware that 84% of Hamachi sold is actually butterfish which can cause anal leakage, so be careful.
http://blog.medellitin.com/2008/12/escolar-world-most-dangerous-fish.html

I'd like to hear more about changing the rolling meadow desktop thing, too.

Re:Hamachi

[marka63]

Actually it is utilisation. IPv4 ran out of addresses over a decade ago when NAT no longer became optional for the majority of users of the Internet. Ever since then we have been in stopgap mode. Unfortunately most users have never experience the real Internet when everyone can be both a producer and a consumer.

Re:Hamachi

[AlphaWolf_HK]

On the subject of tunnels, I'd say just go with a 6 to 4 broker on your remote end. There are a bunch of free ones such as hurricane electric. If you do that, then you've effectively got "end to end" (I'm doing air quotes) ipv6 access to your home server, even if your client side doesn't support ipv6. It's really very seamless if you set up a dynamic DNS.

Virtually all modern operating systems support 6to4 tunnels, you can even do it from the command prompt in windows vista and up (usally three to four lines of code.)

There are various android apps that do this as well, but I have no experience with iOS or windows phone (I'm a bit dubious of those two since a six to four tunnel actually requires being able to move v6 traffic over the v4 stack, and as far as I'm aware you can't do that sort of thing with those platforms due to anti-hacking restrictions - but I'm quite possibly wrong.)

Re:You've come to the right place.

Next up on ask slashdot:

I've grown tired of the rolling meadow background on my Xp desktop. Does slashdot have any advice on how I might change it? And what should I change it to?

proxy on an amazon ec2 instance?

[yincrash]

also, if you're using t-mobile and have a newer phone, you can get IPv6. https://sites.google.com/site/tmoipv6/lg-mytouch

Cheap Linux VPS and a VPN to home

[toygeek]

A cheap Linux based VPS (Virtual Private Server) will do what you want. You can set up a VPN connection between your home server and the VPS, and then connect to the VPS on its public IP and have it route to your home. I haven't set up such a thing myself, and it will be a bit laggy, but it should works for what you need.

Re:Cheap Linux VPS and a VPN to home

[Deekin_Scalesinger]

He can get a free year of EC2 hosting. Windowz and Linux both. Amazon may be a Big Corporation but this ain't bad

Re:Cheap Linux VPS and a VPN to home

[sortius_nod]

Not only that, you can just keep signing up for free tier every year. I've done it myself, & all I needed to do was transfer configs to my local machine, close down my AWS account, open a new one, upload, off I go again.

It may only be a year, but they don't check names, credit card details, or address, just email address.

You can always get to IPV6 on the out

[SpazmodeusG]

Every system I've seen has some form of IPV6 tunneling that allows you to call out to an IPV6 server. The only time it fails is if you're trying to host an IPV6 server which will fail due to NAT but connecting to an IPV6 always works. The fact that you've got an IPV6 server means you're set. Run Teredo/Miredo on your clients and connect away.

Go setup teredo/miredo and connect away.

Re:You can always get to IPV6 on the out

[JimboJoe]

I would definitely try Teredo first, though it does depend on the NAT design used by your ISP (you want remote IPv4 hosts to repeatedly see the same source address after repeated connections -- if the reported address changes, Teredo won't work for you).

The protocol doesn't require explicit ISP support, though NAT design can certainly break it and ISPs can filter it if they choose. When it works, the net effect is that any two hosts running Teredo clients can connect to each other via their client's IPv6 addresses, even if an IPv4 network sits between them.

Under the hood, it tunnels on top of NAT'd UDP over IPv4, using a 3rd party public IPv4 server to mediate the connection start-up (needed for NAT busting) -- but all of that is transparently handled by the Teredo client, so using it seems exactly the same as connecting to any other IPv6 host. There's a small privacy aspect present since that other server sees your source and destination trying to start a connection, but all the real traffic is direct, peer-to-peer.

Since the effect is to allow connections despite a NAT, you should make sure you are suitably firewalled, patched up, hardened, etc. Some teredo clients may also require you to explicitly enable in-bound connections on the interface.

HE.net?

[alexandre]

Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc.
Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it! ;)
You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!

Re:HE.net?

[gman003]

You aren't looking at the full picture.

What he needs is a way to connect to his (IPv6) home computers, from presumably-IPv4 remote locations. There are two ways he could do this - by finding a way to use IPv4 on his home machines, or by finding a way to use IPv6 on the remote connections. Tunneling IPv6 over IPv4 would work on the remote side, just as tunneling IPv4 over IPv6 would work on the home side.

Reverse SSH Tunnel

[Ingenium13]

As one other comment suggested, get a cheap VPS and setup a VPN so that you can connect to your network. DigitalOcean has one for $5/month (I'm in no way affiliated) https://www.digitalocean.com/ and you can then have your router connect to the VPN. Setup the routes correctly and any VPN user can access every device at home.

However you won't always want to load up the VPN on your phone, and if there's just 1 computer you want to access you can use a VPS with a remote SSH tunnel. Have the computer on your network connect to the VPS and forward some high numbered port, say 4222, to port 22: ssh -R 4222:localhost:22 user@vps. Then you can ssh into your VPS on port 4222 and it will go directly to your home computer. Just made sure you add "GatewayPorts yes" to /etc/ssh/sshd_config or the remote port will only bind to localhost.

Couple this with autossh and the home computer will always keep the connection open and re-establish it as necessary.

Sure, there's a little overhead, but I've never really noticed it. I use this trick so that my phone and tablet can always ssh into my laptop no matter where the laptop is (home network, friend's house, coffee shop, etc)... no need to find the IP address and worry about port forwarding.

Port block allocation & PCP

[funkboy]

Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck for more details.

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.

Re:Port block allocation & PCP

[thegarbz]

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

Humans' ability to create complex and convoluted workarounds for problems that have been foreseen for 20 years and have had a solution for equally as long simply waiting for a bit of investment in infrastructure amazes me. If people spent even half the amount of effort in implementing IPv6 as they do finding assbackwards workarounds to easily solvable problems then the world would be a much better place.

Re:You've come to the right place.

[biggknifeparty]

Buy a VPS. Create an open ended ssh tunnel commencing that opens a port on the VPS IP4 address. Use a utility like autossh to automatically maintain the ssh connection. Connect to port 80 on the VPS IP and get routed to your home web server.

Re:You've come to the right place.

[smash]

Conversely, get a tunnel from a tunnel broker to use whilst on the road vpn style (essentially tunnel into ipv6 network via local ipv4) and access your systems over ipv6 when on the road.

Re:Toredo

[DarkOx]

No very much the opposite actually. Remember you are tcp or Udp inside the tunnel as well. For the inner Udp a lost packet is simply a lost packet like any other, the application will have been designed to handle that because its the nature of Udp. For tcp a lost tunnel packet will result in the inner tcp seeing a lost packet, there will be no ack and it will do what tcp always does a retransmit, the outer tunnel layer will encapsulate it in a new Udp packet and things will work fine.

Often tcp tunneled in tcp performs badly on lossy links. What happens if the stacks have not worked out the window sizes just right you get BOTH the inner and otter tcp doing a retransmit. This results in the inner tcp ultimately experiencing lots of duplicate packets; which it will handle, but you end up sending lots of useless traffic down the tunnel which is just like more overhead.

Re:You've come to the right place.

[RandyOo]

You know, I honestly did spend some time searching Google without coming up with useful results. I certainly could have spent a lot more time searching, but sometimes, it's a lot easier to ask someone with expertise and experience. I debated asking the question here, but I also found it interesting (and perhaps news and discussion-worthy) that ISPs are rolling out IPv6-only deployments (on synchronous 100Mbit fiber, even!), and thought others here might find that interesting, as well.