IPv6 setup Hurricane Electric Tunnel Broker

From DD-WRT Wiki

Revision as of 04:12, 1 March 2012 by Ac1115 (Talk | contribs)


About

This will...
Set up HE's tunnel broker service.
Automatically find your WAN IP at boot using whatismyip.com
Automatically update HE's endpoint on boot
Generate a radvd.conf on boot, and apply it automatically
Generate an executable file that can be used with cron to keep HE's endpoint up to date if you have a dynamic IP


My setup for reference.
Optimum Online Cable ISP
WRT610Nv2
v24-sp2 (Aug 12, 2010)
build 14929

You should have an account and tunnel created on the website. This post will not cover that. Install steps are below the script. This script will only work with /64 tunnels/addresses. Don't use it if you're using a /48.

Script

#v1.4 Feb 29, 2012
#***************************
#Settings start here
#***************************

#basic connection settings
SERVER_IP4_ADDR="enter ip here"
CLIENT_IPV6_ADDR="enter ip here"
ROUTED_64_ADDR="enter ip here"

#account info to auto update endpoint
USERID="enter your hex user id. NOT text username"
PASSWD="your plain text password"
TUNNELID="your numeric tunnel id"

#####Optional/Advanced Settings######

#IPv6 OpenDNS IPv6 Resolver
ENABLE_OPENDNS_IPV6_DNS=1

#HE's endpoint verification server IP to add to the whitelist
HE_VERIFY_SERVER_IP="66.220.2.74"

#WAN IP Source settings
#Set below to 1 to use the internal NVRAM WAN address instead of fetching it from a site
USE_NVRAM_WAN_ADDR_INSTEAD=1
WAN_IP_SOURCE_ADDR="http://automation.whatismyip.com/n09230945.asp"

#logging settings (set to /dev/null for no logging)
STARTUP_SCRIPT_LOG_FILE="/tmp/ipv6.log"
CRON_STATUS_LOG_FILE="/tmp/lastHEUpdate.log"

#Enable this to generate a .wanup script to automatically update local tunnel endpoint address on wan change
ENABLE_WANUP_SCRIPT=1
WANUP_SCRIPT_FILE_PATH="/tmp/etc/config/tunnelUpdate.wanup"

#Generated files paths
CRON_JOB_FILE="/tmp/report.sh"
RADVD_CONFIG="/tmp/radvd.conf"

#***************************
#Settings end here
#***************************

echo "" >> $STARTUP_SCRIPT_LOG_FILE
echo "HE IPv6 Script started" >> $STARTUP_SCRIPT_LOG_FILE

insmod ipv6
sleep 10

#get a hash of the plaintext password (HE's legacy update API takes the md5 of the password)
MD5PASSWD=`echo -n "$PASSWD" | md5sum | sed -e 's/  -//g'`
echo `date` >> $STARTUP_SCRIPT_LOG_FILE

#cut out the "/64" if user typed it in
ROUTED_64_ADDR=`echo $ROUTED_64_ADDR|cut -f1 -d/`
SERVER_IP4_ADDR=`echo $SERVER_IP4_ADDR|cut -f1 -d/`
CLIENT_IPV6_ADDR=`echo $CLIENT_IPV6_ADDR|cut -f1 -d/`
echo "User added addresses cleaned/checked" >> $STARTUP_SCRIPT_LOG_FILE

#get wan ip for our own use
if [ $USE_NVRAM_WAN_ADDR_INSTEAD -eq 1 ]
then
  echo "Fetching WAN IP from NVRAM" >> $STARTUP_SCRIPT_LOG_FILE
  WANIP=$(nvram get wan_ipaddr);
else
  echo "Fetching WAN IP from External Site: " $WAN_IP_SOURCE_ADDR >> $STARTUP_SCRIPT_LOG_FILE
  WANIP=`wget "$WAN_IP_SOURCE_ADDR" -O - 2>/dev/null`
fi

echo "External IP detected as:" $WANIP >> $STARTUP_SCRIPT_LOG_FILE
#quoted on purpose: an unquoted [ -n $WANIP ] is true even when WANIP is empty
if [ -n "$WANIP" ]
then
echo "configuring tunnel" >> $STARTUP_SCRIPT_LOG_FILE


#update HE endpoint
#need to allow WAN ping or HE will not validate the new endpoint
iptables -I INPUT 2 -s $HE_VERIFY_SERVER_IP -p icmp -j ACCEPT
#write the cron job; the URL is quoted inside the generated file so the '&' separators are not parsed as shell job control
echo "wget -q \"http://ipv4.tunnelbroker.net/ipv4_end.php?ip=$WANIP&pass=$MD5PASSWD&apikey=$USERID&tid=$TUNNELID\" -O $CRON_STATUS_LOG_FILE" > $CRON_JOB_FILE
chmod +x $CRON_JOB_FILE
echo "Cron script created, sending endpoint update request to HE" >> $STARTUP_SCRIPT_LOG_FILE
etime=`date +%s`
wget -q "http://ipv4.tunnelbroker.net/ipv4_end.php?ip=$WANIP&pass=$MD5PASSWD&apikey=$USERID&tid=$TUNNELID" -O /tmp/wget.tmp.$etime
cat /tmp/wget.tmp.$etime >> $STARTUP_SCRIPT_LOG_FILE
echo "" >> $STARTUP_SCRIPT_LOG_FILE
rm /tmp/wget.tmp.$etime


# The following commands are straight from HE's website
ip tunnel add he-ipv6 mode sit remote $SERVER_IP4_ADDR local $WANIP ttl 255
ip link set he-ipv6 up
ip addr add $CLIENT_IPV6_ADDR/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
TEMP_ADDR=`echo $ROUTED_64_ADDR'1'`

# These commands aren't on HE's website, but they're necessary for the tunnel to work
ip -6 addr add $TEMP_ADDR/64 dev br0
ip route add 2000::/3 dev he-ipv6

#Enable IPv6 forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# make sure to accept proto-41
# vlan1 (below) and eth0 (NAT rule) are the WAN interface names on the author's WRT610Nv2; check yours with: nvram get wan_ifname
iptables -I INPUT 2 -p ipv6 -i vlan1 -j ACCEPT

#make sure to not NAT proto-41
iptables -t nat -A POSTROUTING --proto ! 41 -o eth0 -j MASQUERADE
echo "creating radvd conf" >> $STARTUP_SCRIPT_LOG_FILE

if [ $ENABLE_OPENDNS_IPV6_DNS -eq 1 ]
then
  echo "Open DNS ipv6 enabled" >> $STARTUP_SCRIPT_LOG_FILE
  echo "nameserver 2620:0:ccc::2" >> /tmp/resolv.dnsmasq
  echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
fi

#generate wanup script
if [ $ENABLE_WANUP_SCRIPT -eq 1 ]
then
	echo "WANUP script being generated" >> $STARTUP_SCRIPT_LOG_FILE
	dirname $WANUP_SCRIPT_FILE_PATH | xargs mkdir -p
	echo 'echo "WANUP script triggered on `date`" >>' $STARTUP_SCRIPT_LOG_FILE > $WANUP_SCRIPT_FILE_PATH
	if [ $USE_NVRAM_WAN_ADDR_INSTEAD -eq 1 ]
	then
		echo 'WANIP=$(nvram get wan_ipaddr);' >> $WANUP_SCRIPT_FILE_PATH
	else
		#expand the source URL now: the generated script has no WAN_IP_SOURCE_ADDR variable of its own
		echo 'WANIP=`wget "'"$WAN_IP_SOURCE_ADDR"'" -O - 2>/dev/null`' >> $WANUP_SCRIPT_FILE_PATH
	fi
	#the URL is quoted inside the generated file; $WANIP stays literal so it is expanded when the script runs
	echo 'wget -q "http://ipv4.tunnelbroker.net/ipv4_end.php?ip=$WANIP'"&pass=$MD5PASSWD&apikey=$USERID&tid=$TUNNELID"'" -O '$CRON_STATUS_LOG_FILE >> $WANUP_SCRIPT_FILE_PATH
	echo 'ip tunnel change he-ipv6 local $WANIP' >> $WANUP_SCRIPT_FILE_PATH
	chmod +x $WANUP_SCRIPT_FILE_PATH
fi	

#creating radvd.conf
echo "#generated by startup script" > $RADVD_CONFIG
echo "interface br0 {" >> $RADVD_CONFIG
echo "AdvSendAdvert on;" >> $RADVD_CONFIG
echo "prefix "$ROUTED_64_ADDR"/64 {" >> $RADVD_CONFIG
echo "AdvOnLink on;" >> $RADVD_CONFIG
echo "AdvAutonomous on;" >> $RADVD_CONFIG
echo "AdvRouterAddr on;" >> $RADVD_CONFIG
echo "};" >> $RADVD_CONFIG
echo "};" >> $RADVD_CONFIG

echo "starting radvd" >> $STARTUP_SCRIPT_LOG_FILE
radvd -C $RADVD_CONFIG &
fi
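The script above writes the WAN address it fetched from an external site over plain HTTP straight into report.sh, which cron then runs as root, and the generated wget line relies on correct quoting. The following is an added example (not the wiki's own code) of how those two steps can be written defensively: the address is validated as a dotted-quad IPv4 before it is used, and the update URL is written quoted into the generated file. The function names, the job file path and the credential values are assumptions and placeholders.

```sh
#!/bin/sh
# Added example, not part of the wiki's script: validate the detected WAN
# address before it goes into the root-run cron job, and quote the URL.

# Returns 0 when $1 is a dotted-quad IPv4 address with four octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    n=0; rest="$1."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Strip a "/64" (or any prefix length) typed after an address.
strip_prefix_len() {
    printf '%s\n' "${1%%/*}"
}

# Build the tunnelbroker endpoint-update URL the wiki script uses.
# $1 WAN IP, $2 md5 of the password, $3 hex user id, $4 tunnel id
he_update_url() {
    printf 'http://ipv4.tunnelbroker.net/ipv4_end.php?ip=%s&pass=%s&apikey=%s&tid=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Write the cron job file, refusing anything that is not an IPv4 address.
# $1 job file, $2 WAN IP, $3 md5, $4 hex user id, $5 tunnel id, $6 status log
write_cron_job() {
    if ! is_ipv4 "$2"; then
        echo "refusing to write $1: WAN IP source returned '$2'" >&2
        return 1
    fi
    url=$(he_update_url "$2" "$3" "$4" "$5")
    # The quotes land in the generated file, so '&' stays part of the URL there.
    printf '#!/bin/sh\nwget -q "%s" -O "%s"\n' "$url" "$6" > "$1"
    chmod +x "$1"
}

# Constructed sample inputs (placeholders, not real account data).
JOB="${TMPDIR:-/tmp}/report.example.sh"
write_cron_job "$JOB" 203.0.113.7 placeholder_md5 0123abcd 12345 /tmp/lastHEUpdate.log \
    && echo "wrote $JOB"
write_cron_job "$JOB" "<html>Service unavailable</html>" placeholder_md5 0123abcd 12345 /tmp/lastHEUpdate.log \
    || echo "rejected: not an IPv4 address"
```

The second call shows what happens when the IP lookup site returns an error page instead of an address: nothing is written and the previous job file is left untouched.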

Install Steps

Installation steps:

  • Change the settings at the beginning of the above script to your settings.
  • Copy the personalized script into Administration > Commands. Save as startup script.
  • Go into Administration > Management.
  • Enable IPv6 and radvd. Leave the config box empty.
  • (Optional) Enable cron and enter this into "Additional Cron Jobs":

Code:

0 4 * * * root /tmp/report.sh

The above line will auto update the endpoint daily at 4am. Change to personal taste.

  • Apply settings, wait for reboot


OpenDNS Setting

This setting will append the following two entries into /tmp/resolv.dnsmasq

 nameserver 2620:0:ccc::2
 nameserver 2620:0:ccd::2

These give dnsmasq access to the OpenDNS Sandbox DNS servers, which can resolve IPv6-only DNS entries. (And will also give you double 10s on test-ipv6.com ;) )

Dnsmasq must be enabled (DHCP Server) or this will not work!

Also dnsmasq needs to be used for DNS.

On my working box, I have...
Under Setup...
Static DNS1 - 208.67.222.222 (OpenDNS ipv4 dns server, not required)
Static DNS2 - 208.67.220.220 (OpenDNS ipv4 dns server, not required)
Use DNSMasq for DHCP - Checked
Use DNSMasq for DNS - Checked
DHCP-Authoritative - Checked

Under Services...
DNSMasq - Enabled
Local DNS - Enabled
No DNS Rebind - Disabled


All clients have only 1 dns entry : 192.168.1.1 (My router's IP Address)

Reducing Script Size

The script size is increasing as new features and error checking are added. Your NVRAM might be too small to hold this script along with the other settings your router uses.

To get around this you could move the script to your JFFS or USB partition, then reference the script in Administration > Commands instead of copying the entire script.

If you do not have a JFFS or USB partition, you can remove all the comments from the script and you can replace all the variable names with single letters. Both of these will significantly reduce the size of the script.


See Also

Test the setup with e.g.:
http://ipv6.google.com
http://aaaa.test-ipv6.com/

Forum link:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=81060

Example of Basic Connection settings syntax

SERVER_IP4_ADDR="0.0.0.0"
CLIENT_IPV6_ADDR="0000:000:0000:000::0"
ROUTED_64_ADDR="0000:000:0000:000::0"