Tunnelbroker.net - IPv6 Connectivity через Hurricane Electric
Tunnelbroker.net - IPv6 Connectivity через Hurricane Electric
Настройка IPv6 connectivity через Hurricane Electric Tunnelbroker.net с использованием SIT (Simple Internet Transition) туннеля на VyOS.
Описание сценария
Use Case
Получение IPv6 connectivity для сетей, где провайдер не предоставляет native IPv6. Tunnelbroker.net предоставляет бесплатные IPv6 туннели для всех желающих.
Применимость:
- Home networks без native IPv6
- Small office без IPv6 от ISP
- Cloud VMs (Yandex Cloud, VK Cloud) для IPv6 connectivity
- Testing и development IPv6 приложений
- Dual-stack deployments
Преимущества Hurricane Electric Tunnelbroker
- Бесплатно: Free IPv6 tunnel service
- Глобальная сеть: Tunnel endpoints по всему миру
- /48 IPv6 блок: Достаточно адресов для любой сети
- BGP опция: Для advanced users (собственный ASN)
- Стабильность: Hurricane Electric - tier 1 IPv6 provider
Топология сети
Internet (IPv4)
│
│
┌──────▼──────┐
│ VyOS │
│ Router │
│ │
WAN ───────┤ eth0 │ Public IPv4: 203.0.113.1
│ │ (Dynamic DHCP)
│ │
│ tun0 │◄──── SIT Tunnel (6in4)
│ │ Local: 2001:470:1f1c:c8f::2/64
└──────┬──────┘ Remote: 2001:470:1f1c:c8f::1
│
┌──────▼──────┐
│ LAN (IPv6) │
eth1 ──────┤ │ 2001:470:1f1d:c8f::1/64
│ Router Adv │ (Routed /64)
└─────────────┘
│
┌──────▼──────────┐
│ IPv6 Clients │
│ (SLAAC) │
└─────────────────┘Параметры конфигурации
Получите эти параметры после регистрации tunnel на https://tunnelbroker.net/
| Параметр | Значение (пример) | Описание |
|---|---|---|
| Server IPv4 | 216.66.86.114 | HE tunnel endpoint |
| Client IPv4 | 203.0.113.1 | Ваш public IPv4 |
| Server IPv6 | 2001:470:1f1c:c8f::1/64 | Tunnel remote address |
| Client IPv6 | 2001:470:1f1c:c8f::2/64 | Tunnel local address |
| Routed /64 | 2001:470:1f1d:c8f::/64 | Для вашей LAN |
| Routed /48 | 2001:470:c8f::/48 | Опционально |
Регистрация на Tunnelbroker.net
1. Создание аккаунта
- Перейдите на https://tunnelbroker.net/
- Нажмите Register → Заполните форму
- Подтвердите email
2. Создание туннеля
После логина нажмите Create Regular Tunnel
Заполните форму:
IPv4 Endpoint (Your side): 203.0.113.1 (Ваш public IPv4 адрес) Available Tunnel Servers: Выберите ближайший (Например: Moscow, Russia для России)После создания вы получите:
- Server IPv4 Address: 216.66.86.114
- Server IPv6 Address: 2001:470:1f1c:c8f::1/64
- Client IPv6 Address: 2001:470:1f1c:c8f::2/64
- Routed IPv6 Prefixes:
- Routed /64: 2001:470:1f1d:c8f::/64
- Routed /48: 2001:470:c8f::/48 (опционально)
На вкладке Example Configurations → выберите VyOS для reference
3. Важные замечания
- Dynamic IP: Если ваш IPv4 dynamic (DHCP), используйте Update кнопку или API для обновления endpoint
- Firewall: Убедитесь что разрешен Protocol 41 (IPv6-in-IPv4)
- MTU: Рекомендуется 1480 для tunnel interface
Конфигурация VyOS
Сценарий 1: Single LAN (Простая конфигурация)
Полная конфигурация
configure
# Системные настройки
set system host-name vyos-ipv6-gateway
set system time-zone Europe/Moscow
# ===== WAN Interface (получает IPv4 от провайдера) =====
# DHCP client на WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'
# ===== Hurricane Electric IPv6 Tunnel =====
# SIT tunnel (6in4)
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel'
set interfaces tunnel tun0 source-address '203.0.113.1'
set interfaces tunnel tun0 remote '216.66.86.114'
set interfaces tunnel tun0 address '2001:470:1f1c:c8f::2/64'
set interfaces tunnel tun0 mtu '1480'
# ===== IPv6 Routing =====
# Default IPv6 route через tunnel
set protocols static route6 ::/0 interface tun0
# ===== LAN Interface (IPv6 для локальной сети) =====
# LAN с IPv6 из routed /64
set interfaces ethernet eth1 address '2001:470:1f1d:c8f::1/64'
set interfaces ethernet eth1 description 'LAN'
# IPv4 для dual-stack (опционально)
set interfaces ethernet eth1 address '192.168.1.1/24'
# ===== IPv6 Router Advertisement =====
# Enable Router Advertisement на LAN
set service router-advert interface eth1 prefix 2001:470:1f1d:c8f::/64
# DNS servers (HE и Google)
set service router-advert interface eth1 name-server '2001:470:20::2'
set service router-advert interface eth1 name-server '2001:4860:4860::8888'
# RA parameters
set service router-advert interface eth1 default-lifetime '10800'
set service router-advert interface eth1 max-interval '600'
set service router-advert interface eth1 reachable-time '0'
set service router-advert interface eth1 retrans-timer '0'
# ===== System DNS =====
# Добавить IPv6 DNS для самого роутера
set system name-server '2001:470:20::2'
set system name-server '2001:4860:4860::8888'
# IPv4 DNS (для dual-stack)
set system name-server '8.8.8.8'
# ===== Firewall для IPv6 (рекомендуется) =====
# Allow established/related
set firewall ipv6 name WAN6_LOCAL default-action 'drop'
set firewall ipv6 name WAN6_LOCAL rule 10 action 'accept'
set firewall ipv6 name WAN6_LOCAL rule 10 state established
set firewall ipv6 name WAN6_LOCAL rule 10 state related
# Allow ICMPv6
set firewall ipv6 name WAN6_LOCAL rule 20 action 'accept'
set firewall ipv6 name WAN6_LOCAL rule 20 protocol 'ipv6-icmp'
# Apply firewall
set interfaces tunnel tun0 firewall local ipv6-name 'WAN6_LOCAL'
# Firewall для WAN (разрешить Protocol 41)
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL rule 10 action 'accept'
set firewall name WAN_LOCAL rule 10 state established
set firewall name WAN_LOCAL rule 10 state related
set firewall name WAN_LOCAL rule 20 action 'accept'
set firewall name WAN_LOCAL rule 20 protocol '41'
set firewall name WAN_LOCAL rule 20 description 'IPv6-in-IPv4'
set interfaces ethernet eth0 firewall local name 'WAN_LOCAL'
commit
saveСценарий 2: Multiple VLANs (Несколько сетей)
Использование /48 для множества подсетей:
configure
# Tunnel configuration (same as above)
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 source-address '203.0.113.1'
set interfaces tunnel tun0 remote '216.66.86.114'
set interfaces tunnel tun0 address '2001:470:1f1c:c8f::2/64'
set protocols static route6 ::/0 interface tun0
# ===== VLAN 10 - Office Network =====
set interfaces ethernet eth1 vif 10 address '2001:470:c8f:10::1/64'
set interfaces ethernet eth1 vif 10 description 'Office VLAN'
set service router-advert interface eth1.10 prefix 2001:470:c8f:10::/64
set service router-advert interface eth1.10 name-server '2001:470:20::2'
# ===== VLAN 20 - Guest Network =====
set interfaces ethernet eth1 vif 20 address '2001:470:c8f:20::1/64'
set interfaces ethernet eth1 vif 20 description 'Guest VLAN'
set service router-advert interface eth1.20 prefix 2001:470:c8f:20::/64
set service router-advert interface eth1.20 name-server '2001:4860:4860::8888'
# ===== VLAN 30 - DMZ =====
set interfaces ethernet eth1 vif 30 address '2001:470:c8f:30::1/64'
set interfaces ethernet eth1 vif 30 description 'DMZ VLAN'
set service router-advert interface eth1.30 prefix 2001:470:c8f:30::/64
set service router-advert interface eth1.30 name-server '2001:470:20::2'
commit
saveСценарий 3: Dual-Stack (IPv4 + IPv6)
configure
# IPv6 tunnel (as above)
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 source-address '203.0.113.1'
set interfaces tunnel tun0 remote '216.66.86.114'
set interfaces tunnel tun0 address '2001:470:1f1c:c8f::2/64'
set protocols static route6 ::/0 interface tun0
# ===== Dual-Stack LAN =====
# IPv4
set interfaces ethernet eth1 address '192.168.1.1/24'
# IPv6
set interfaces ethernet eth1 address '2001:470:1f1d:c8f::1/64'
# IPv4 DHCP Server
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 name-server '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.100'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.200'
# IPv6 Router Advertisement (SLAAC)
set service router-advert interface eth1 prefix 2001:470:1f1d:c8f::/64
set service router-advert interface eth1 name-server '2001:470:20::2'
# IPv4 NAT
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'
# DNS Forwarding (dual-stack)
set service dns forwarding listen-address '192.168.1.1'
set service dns forwarding listen-address '2001:470:1f1d:c8f::1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '2001:4860:4860::8888'
commit
saveDynamic IP Update
Проблема
Если ваш WAN IPv4 меняется (DHCP), tunnel перестанет работать.
Решение 1: Tunnelbroker Update Script
# Создать update script
sudo vi /config/scripts/update-he-tunnel.sh#!/bin/bash
# Hurricane Electric tunnel credentials
TUNNEL_ID="12345"
USERNAME="your-username"
PASSWORD="your-update-key"
# Get current public IP
CURRENT_IP=$(curl -s -4 ifconfig.me)
# Update tunnel endpoint
curl -s "https://ipv4.tunnelbroker.net/ixp/1000/update?username=${USERNAME}&password=${PASSWORD}&hostname=${TUNNEL_ID}&myip=${CURRENT_IP}"
echo "$(date): Updated HE tunnel endpoint to ${CURRENT_IP}"# Make executable
sudo chmod +x /config/scripts/update-he-tunnel.sh
# Add to task scheduler (run every 5 minutes)
configure
set system task-scheduler task update-he-tunnel executable path '/config/scripts/update-he-tunnel.sh'
set system task-scheduler task update-he-tunnel interval '5m'
commit
saveРешение 2: DDNS Integration
configure
# Use VyOS built-in DDNS с custom service
set service dns dynamic interface eth0 service he-tunnel protocol 'custom'
set service dns dynamic interface eth0 service he-tunnel host-name 'your-tunnel-id.tunnelbroker.net'
set service dns dynamic interface eth0 service he-tunnel username 'your-username'
set service dns dynamic interface eth0 service he-tunnel password 'your-update-key'
set service dns dynamic interface eth0 service he-tunnel server 'ipv4.tunnelbroker.net/ixp/1000'
commitИнтеграция с облачными платформами
Yandex Cloud IPv6 Connectivity
Topology
Hurricane Electric Tunnel
│
│ 6in4
│
VyOS VM в Yandex Cloud
│
Yandex Cloud VMs (IPv6)Особенности
VyOS VM в Yandex Cloud:
# Получить публичный IPv4 от Yandex Cloud # Настроить через Yandex Cloud Console или CLI # Yandex Cloud не предоставляет native IPv6 (пока) # Tunnelbroker решает эту проблемуКонфигурация:
# WAN interface = Yandex Cloud network interface set interfaces ethernet eth0 address '10.128.0.10/24' # Получить public IP через metadata # Или использовать Elastic IP # Tunnel source = Yandex Cloud public IP set interfaces tunnel tun0 source-address '<yandex-cloud-public-ip>'Yandex Cloud routing:
# Добавить IPv6 routes через VyOS # В Yandex Cloud routing table: # ::/0 → 10.128.0.10 (VyOS internal IP)Security Groups:
# Разрешить Protocol 41 (IPv6-in-IPv4) на VyOS VM # Yandex Cloud Security Group rule: # Protocol: OTHER # Protocol number: 41 # Source: 0.0.0.0/0
Yandex Cloud CLI
# Создать VM для VyOS
yc compute instance create \
--name vyos-ipv6-gateway \
--zone ru-central1-a \
--network-interface subnet-name=default-ru-central1-a,nat-ip-version=ipv4 \
--create-boot-disk image-folder-id=standard-images,image-family=vyos \
--ssh-key ~/.ssh/id_rsa.pub
# Получить public IP
PUBLIC_IP=$(yc compute instance get vyos-ipv6-gateway --format json | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address')
# Использовать этот IP для tunnel registration на tunnelbroker.net
echo "Use this IP for HE tunnel: ${PUBLIC_IP}"
# Настроить Security Group для Protocol 41
yc vpc security-group update-rules default-sg-ru-central1-a \
--add-rule "direction=ingress,protocol=41,v4-cidrs=[0.0.0.0/0]"VK Cloud IPv6 Connectivity
Topology
Hurricane Electric Tunnel
│
│ 6in4
│
VyOS VM в VK Cloud
│
VK Cloud VMs (IPv6)Особенности
VyOS VM в VK Cloud:
# Floating IP от VK Cloud # VK Cloud также не имеет native IPv6 (пока)Конфигурация аналогична Yandex Cloud
Security Groups:
# VK Cloud portal → Security Groups # Добавить rule: # - Direction: Ingress # - Protocol: Custom # - Protocol Number: 41 # - Remote: 0.0.0.0/0
Проверка конфигурации
1. Проверка tunnel
# Проверить tunnel interface
show interfaces tunnel tun0
# Output должен показывать:
# tun0: <POINTOPOINT,NOARP,UP,LOWER_UP>
# inet6 2001:470:1f1c:c8f::2/64 scope global
# Ping HE tunnel endpoint (IPv6)
ping 2001:470:1f1c:c8f::1
# Ping Google IPv6 DNS
ping 2001:4860:4860::8888
# Traceroute через tunnel
traceroute6 google.com2. Проверка IPv6 routing
# Проверить IPv6 routes
show ipv6 route
# Output должен включать:
# ::/0 via :: dev tun0, metric 1024
# 2001:470:1f1d:c8f::/64 dev eth1, metric 256
# Проверить IPv6 connectivity
ping6 ipv6.google.com
ping6 2a00:1450:4010:c0e::713. Проверка Router Advertisement
# На VyOS
show service router-advert
# На Linux client в LAN
# Проверить что получен IPv6 через SLAAC
ip -6 addr show
# Output должен показывать global IPv6:
# inet6 2001:470:1f1d:c8f:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic
# Ping from client
ping6 google.com4. Тест DNS
# На VyOS
nslookup -type=AAAA google.com
# На client
dig AAAA google.com @2001:470:20::25. Проверка на tunnelbroker.net
- Login → Your Tunnels → выбрать tunnel
- Tunnel Details должен показывать:
- Status: Active
- Endpoint: ваш current public IPv4
- Traffic graphs покажут usage
Troubleshooting
Проблема: Tunnel не поднимается
Симптомы:
show interfaces tunnel tun0
# State: DOWNРешение:
- Проверить source IP:
# Убедиться что source-address соответствует вашему public IP
show interfaces tunnel tun0
# Проверить actual public IP
curl -4 ifconfig.me
# Update tunnel если нужно
set interfaces tunnel tun0 source-address '<correct-public-ip>'
commit- Проверить firewall:
# Protocol 41 должен быть разрешен
show firewall name WAN_LOCAL
# Добавить если отсутствует
set firewall name WAN_LOCAL rule 20 action 'accept'
set firewall name WAN_LOCAL rule 20 protocol '41'
commit- Проверить connectivity до HE endpoint:
# Ping IPv4 endpoint
ping 216.66.86.114Проблема: Tunnel UP, но нет IPv6 connectivity
Решение:
- Проверить default route:
show ipv6 route
# Должен быть ::/0 через tun0
# Добавить если нет
set protocols static route6 ::/0 interface tun0
commit- Проверить DNS:
nslookup -type=AAAA google.com
# Если не резолвится, добавить IPv6 DNS
set system name-server '2001:4860:4860::8888'
commit- Ping test:
# Ping HE gateway
ping 2001:470:1f1c:c8f::1
# Ping external IPv6
ping 2001:4860:4860::8888Проблема: LAN clients не получают IPv6
Решение:
- Проверить Router Advertisement:
show service router-advert
# Убедиться что настроен для LAN interface
show configuration commands | grep router-advert
# Должно быть:
# set service router-advert interface eth1 prefix ...- На Linux client проверить RA:
sudo rdisc6 eth0
# Должен показать RA от роутера- Проверить firewall:
# ICMPv6 должен быть разрешен для RA
show firewall ipv6
# Разрешить если нужно
set firewall ipv6 name WAN6_IN rule 10 action 'accept'
set firewall ipv6 name WAN6_IN rule 10 protocol 'ipv6-icmp'
commitПроблема: High latency или packet loss
Решение:
- MTU optimization:
# Уменьшить MTU на tunnel
set interfaces tunnel tun0 mtu '1280'
commit
# MSS clamping для TCP
set interfaces tunnel tun0 ip adjust-mss '1240'
commit- Выбрать ближайший tunnel server:
# На tunnelbroker.net → Delete tunnel
# Create new tunnel с другим endpoint
# Выбрать geographic closer serverBest Practices
Security
IPv6 Firewall обязателен:
# IPv6 - это не NAT, все devices публично доступны # Firewall критически важен set firewall ipv6 name LAN6_IN default-action 'drop' set firewall ipv6 name LAN6_IN rule 10 action 'accept' set firewall ipv6 name LAN6_IN rule 10 state established set firewall ipv6 name LAN6_IN rule 10 state related # Add specific allow rulesPrivacy Extensions:
# На clients enable IPv6 privacy extensions # Linux: net.ipv6.conf.all.use_tempaddr = 2 # Windows: netsh interface ipv6 set privacy state=enabled
Performance
MTU Optimization:
# 1480 обычно оптимально для 6in4 set interfaces tunnel tun0 mtu '1480'Близкий endpoint:
- Выбирайте geographic близкий HE tunnel server
- Lower latency = better performance
Monitoring
Tunnel monitoring:
# Ping HE gateway каждую минуту # Alert если down #!/bin/bash while true; do ping6 -c 1 2001:470:1f1c:c8f::1 > /dev/null if [ $? -ne 0 ]; then echo "$(date): HE tunnel down!" | mail -s "IPv6 Alert" admin@example.com fi sleep 60 doneTraffic statistics:
show interfaces tunnel tun0 # Проверять RX/TX bytes
Дополнительные ресурсы
- Hurricane Electric Tunnelbroker
- HE IPv6 Certification - Бесплатные курсы по IPv6
- VyOS IPv6 Documentation
- IPv6 Best Practices
Tested on: VyOS 1.4 (Sagitta LTS), VyOS 1.5 (Circinus), Hurricane Electric Tunnelbroker Last updated: 2025-10-14