Slightly misleading title, this is more “getting to the IPv4 internet via an IPv6 tunnel through a VPS”. Also just called 4in6.
Interesting nonetheless!
We find at our ISP that if we break something with IPv4 we experience a very different type of support issue to if we break IPv6. Breaking v4 results in, broadly, a pretty hard “down” state. While folks are unhappy, it is at least simple. Breaking v6 results in weirdness and a partial down, which manifests for the users as partial outages, slow starts due to fallback, etc. Especially if their gateways believe there is v6 when there isn’t.
If anyone wants to try / use IPv6, but their ISP does not provide it, Hurricane Electric (HE) has offered a tunnel service for many years now:
* https://tunnelbroker.net
* https://ipv6.he.net
There are scripts available to bring up a tun device on your system (or router) and route traffic over it:
* https://fedoraproject.org/wiki/IPv6_tunnel_via_Hurricane_Ele...
* https://brandonrozek.com/blog/obtaining-ipv6-address-hurrica...
* https://wiki.dd-wrt.com/wiki/index.php/IPv6_setup_Hurricane_...
* https://forum.mikrotik.com/t/auto-update-script-for-hurrican...
* https://docs.rockylinux.org/guides/network/hurricane_electri...
If you ever need a quick hack to get v4 connectivity over a true v6 only setup, you can use a public DNS64+NAT64 Gateway. You can find a list at https://nat64.net/public-providers. So for most regular use, all you are doing is changing DNS servers.
This is the combo.
** 1. DNS64
Synthesis of AAAA DNS records for things that don't have them to a NAT64 box.
$ dig +short @2a00:1098:2c::1 AAAA github.com
2a01:4f8:c2c:123f:64:5:141a:9cd7
** 2. NAT64.
Will take this traffic that's been sent to it because of DNS64 and protocol translate + NAT it for you.
$ curl --resolve github.com:443:[2a01:4f8:c2c:123f:64:5:141a:9cd7] https://github.com/
<loads github>
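The DNS64 step in this comment is just RFC 6052 address embedding. The following is an added example (not code from the comment or from any NAT64 provider) that performs that synthesis for a /96 prefix and the reverse check, using the provider prefix visible in the dig output above; the IPv4 address it decodes to is computed from that AAAA answer, not looked up live.

```python
"""DNS64 synthesis and its inverse (RFC 6052, /96 prefixes).

Added example, not code from the comment above or from any NAT64 provider.
The provider prefix is taken from the dig output quoted above; the IPv4
address it decodes to is computed here, not looked up live.
"""
import ipaddress
from typing import List, Optional, Tuple

# Well-known NAT64 prefix (RFC 6052) and the provider prefix from the dig output above.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
PROVIDER_PREFIX = ipaddress.IPv6Network("2a01:4f8:c2c:123f:64:5::/96")


def synthesize_aaaa(prefix: ipaddress.IPv6Network, ipv4: str) -> str:
    """What a DNS64 resolver does for a name that only has A records:
    embed the 32-bit IPv4 address in the low 32 bits of a /96 NAT64 prefix.
    Other RFC 6052 prefix lengths (32..64) place the bits differently and
    are deliberately not handled here."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: str) -> Optional[str]:
    """Inverse mapping: if an AAAA answer lies inside the NAT64 prefix, return
    the embedded IPv4 address, otherwise None (a native IPv6 record)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def classify_answers(prefix: ipaddress.IPv6Network,
                     answers: List[str]) -> List[Tuple[str, str]]:
    """Label each AAAA answer as native or synthesized. Useful when, as a later
    comment in this thread notes, the DNS64 step happens on someone else's
    resolver: a synthesized answer cannot be DNSSEC-validated by the client
    (RFC 6147) and stops working if the provider's prefix or gateway changes."""
    out = []
    for a in answers:
        v4 = extract_ipv4(prefix, a)
        out.append((a, "nat64->" + v4 if v4 else "native"))
    return out


if __name__ == "__main__":
    # github.com has no AAAA record, so the provider's DNS64 returns the
    # synthesized address seen in the dig output above.
    print(extract_ipv4(PROVIDER_PREFIX, "2a01:4f8:c2c:123f:64:5:141a:9cd7"))
    print(synthesize_aaaa(WELL_KNOWN_PREFIX, "20.26.156.215"))
    # Constructed sample: one synthesized and one native (documentation-range) answer.
    print(classify_answers(PROVIDER_PREFIX,
                           ["2a01:4f8:c2c:123f:64:5:141a:9cd7", "2001:db8::1"]))
```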
So, those mythical IPv6-only internet users actually exist :) That's some great network engineering.
I once needed something like that for the perhaps more common inverse purpose, to work on something IPv6 from within my happy IPv4-only connection. A more limited, but quicker solution given full control of a server - I set up a SOCKS5 proxy, using:
ssh -D 1080 -N myserver
and set my browser to use it. I think that it could also be set system-wide, but wonder if that might break the original ssh connection, holding it all up :)
I'm in the same situation myself. It's quite frustrating: for 2 weeks I have been told that "the ticket is open and the technicians will take a look soon". Not sure if stuff like this has a low priority since IPv6 works and it's not considered a total outage? In Germany there are laws to grant consumers compensation in those cases, but I'll see if this counts soon enough.
One problem with the solution in this blog post is that various endpoints block datacenter IP ranges entirely or make you go through various captcha hoops, but no good way around that. Same for common VPN providers.
Since I wanted to fix this for my entire home network I also had to do this on my router - in those cases it's quite beneficial to have a non-standard device like an Ubiquiti EdgeRouter; not sure how I would have set up all the WireGuard routing and NAT rules on something like a FritzBox. The only downside is that the router isn't powerful enough to handle a lot of connections, so I'll have to switch to IPsec, which is supported by hardware offloading.
One thing I appreciate about Apple’s App Store rules is that they require all apps to work on IPv6-only networks. They’ve had that rule in place for many years. It’s a little surprising as a developer the first time you run into it, but I’m glad it’s there as a user.
If anyone else runs into this, it's very easy to set up an ssh proxy: ssh -D 8080 user@hostname
Once that connection is set up, point your browser to use localhost:8080 as a socks proxy.
Blockers for switching off IPv4:
- I am using alternative search engines, and it seems most do not provide IPv6 connectivity (when they are not wrecked by big tech gigantic network resources, you know "AI"... how to conveniently DDOS alternatives...)
- github.com: zero ipv6 last time I did check. This is microsoft, do not expect anything good, actually expect the worst, for instance they recently broke noscript/basic (x)html for the issues. Can we still create an account with a noscript/basic (x)html browser and self-hosted emails with IP(v6) literals (mailbox@[ipv6:...])?
- steam? games? Did not check lately. I think many CDNs/game servers or good chunks of them are still IPv4 only.
- many email servers: additionally many block self-hosted email servers (often due to the usage of clumsy and inappropriate block lists from spamhaus, a shady company from Switzerland and Andorra), with a DNS (SPF) or ip literals (even if it is much stronger than SPF).
- A lot of network applications do not leverage the power of IPv6: for instance for client-server applications (web for instance), a client-server session should be using a randomly generated IPv6 address, if the ISP provides a not too big prefix. Mobile internet IPv6 ISPs seem to provide random IPv6/128 addresses (in their prefixes), but should provide a stable prefix (probably 96 bits) in order to let the terminal applications choose "fixed" ipv6 addresses for direct audio/video calls (no central and online name resolution required). A new user-level OS service is required for user application IPv6 address coordination (beware of brain damaged complexity which some vendors and developers will force upon users and app devs for lock-in).
I'm operating a few IPv6-only VPNs at work, for access to internal infrastructure. The biggest problem so far is that Windows and macOS clients need a v6 DNS server. Otherwise, they won't even try to resolve v6onlyhost.vpn.example.com. Because the client may or may not be in a v6-enabled network, I have to run a DNS server inside the VPN and push that to the client, which can lead to all kinds of problems when the VPN disconnects but the Wireguard app for some reason fails to reset the DNS to the original one.
After all these years I still don’t see a compelling reason to spend days pulling my hair out switching all my machines and home lab to ipv6. I just find port forwarding and firewall rules more intuitive vs the prospect of spending weeks troubleshooting everything, reconfiguring firewalls, renumbering my network.
What am I missing?
I have strong opinions about ipv4, especially since I'm forced to use an ipv4 isp. The lack of ipv6 adoption should be considered one of the great failures of tech. Who actually is responsible? Is it router manufacturers writing poor quality firmware, ipv4 advocates in leadership positions at isps, ipv4 address speculators, poor training of network engineers and tech support staff? I think we all need to have a much greater discussion with the internet at large and not just on isolated web posts and subreddits.
For comparison, the internet mostly transitioned off of TLS 1.0 just fine, why can't we do the same for transitioning off ipv4? Maybe AI powered proxies for legacy code perhaps?
Ha, I actually had to do this last year while setting up Arch Linux on my desktop.
I have to use this wifi dongle, but using IWD to connect somehow only gave me an ipv6 IP.
Most of the big sites worked, but trying to click links from a search engine was a 50/50 chance.
Thankfully, the Arch wiki was accessible, so I got it sorted out pretty quickly.
It's weird some major sites like Github still don't support IPv6. There is no excuse.
When you want to use a public address over a tunnel, IPv6 makes things easier. Instead of setting up a tunnel to a specific IPv4, deleting your default route, adding that deleted route as the other endpoint's IPv4 route, then adding the tunnel's other end's IPv4 as a default route, you can just connect to the tunnel endpoint via IPv6, and all the IPv4 is configured just in the tunnel.
I use this often because IPv6 on phone networks is invariably the same as the author's - native IPv6 plus carrier grade NAT IPv4, and most NAT implementations suck (they time out, for instance).
I haven't tried with WireGuard(r) yet, but I will soon (using NetBSD's clean reimplementation). With tinc [1] though, it's a piece of cake.
[1] https://www.tinc-vpn.org
It would be so cool, and so much cheaper, if I could route all my non-critical websites to my homelab instead of cloud services.
I can’t guarantee five nines but my power almost never goes out, and that’s plenty for a blog and even many online stores.
I run my own tailnet (headscale as the coordinator server). Tailscale stack is essentially built on top of wireguard.
I have an exit node set up with dual stack IPv4/IPv6 addresses. So in theory if my ISP's CG-NAT failed or IPv4 was inaccessible, then configuring my device to use my exit node to reroute traffic _should_ work without having to mess with WG internals like the author in this article.
I suppose there are some caveats here since I have discovered many services do tend to flag IPs originating from VPS ASNs as "spammy" (i.e., pretty much any service fronted by CloudFlare). Maybe Hetzner is better in this aspect?
If you only need outbound connectivity then you can use a public NAT64 gateway. You can find a list at https://nat64.xyz/
Past 10 years I just do ssh -R to the vps and use that as a socks5 proxy. Takes 2 seconds to set up.
Why not just add the VPS to the Tailscale network and use it as an exit node?
The irony of posting this on GitHub which remains shamefully without IPv6
I would just hook up a router to any VPN service that is reachable via ipv6. Done.
This is interesting at all but couldn't you just pay five bucks and use Mullvad.
There's an IPv6 article that's been on the front page for the better part of a day and to my incredulity, the "IPv6 sucks; why don't we just add more segments to the IPv4 address" guys haven't shown up yet. Where the hell are you, dudes? Do you take the weekend off?
ipv6 only machine still reaches ipv4 sites because dns64 upstream is just faking AAAA records, which makes it look like everything is native ipv6. This part of the trick is happening somewhere else which is not controllable. If dns64 breaks or stops doing the mapping properly then this might break.
Why would I ever need IPv6 at home or in my office? Explain to me logically why I need it in my house or in my office?
I do not care about using up the last internet address because that is akin to the 'think of the children' crap used to justify things on an emotional level in order to manipulate people.
There's no way I'll exhaust the private address spaces and I do not see NAT as a negative.
I do not want my fridge or toaster on the internet. I do not want my phone always on the internet. Nor do I carry a smart phone or use WiFi as everything in my house is hard-wired.
So it seems like all I would ever need is a 4-to-6 gateway solution of some sort. Devices in my house or office will not ever really need IPv6 or a 'dual-stack' and all that extra complexity is a waste of time... what problem is it supposed to be solving exactly?
A few months ago, one of the Linux distros I used released a kernel update with a bug that killed IPv4 connectivity. I tried to set up some kind of VPN to my basement server to work around that, but it didn't work. I even installed WireGuard, so I wasn't too far off. I gave up and decided to use the older not-buggy kernel.