There are some free IPv6 tunnel broker services such as the popular https://tunnelbroker.net from Hurricane Electric. It’s a great service that I used for years. But over time I ran into two major issues. First, the performance of the only server in Canada had become pretty poor. And second, many services were blocking the prefixes used by tunnelbroker.net, making it less practical to use on a regular-use network.
Looking for options I came across the unique ability on Linode to assign a virtual machine a /56 IPv6 prefix. Immediately the wheels started spinning and in a short amount of time I fully switched to using a small $5/month VM on Linode as my IPv6 tunnel “broker” service.
Set up your Linode
If you’re new to Linode, sign up using this link which tells them I referred you (thank you).
Create a new VM (also called a Linode), and my recommendation is to keep it simple with Debian 12, whatever region is nearest to you, and the Shared CPU Nanode 1 GB plan.
I won’t go into the little details of creating a VM; if you’re new to this I’d recommend going over “Create Your First Compute Instance”, which will guide you through that process. My expectation is that you know the basics of how to use SSH and have at least some beginner Linux knowledge.
Once you have your Linode up and running, go to the Network tab, and click the Add an IP Address button.
You will want to select the IPv6 /56 prefix option, and hit Allocate.
Configure Network Stack
SSH into your Linode VM, and let’s do three things.
- Install WireGuard
- Enable IPv6 forwarding mode
- Manually configure network interface for IPv6
sudo apt install wireguard
# sudo does not apply to a shell redirect, so append through tee instead
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
Because enabling IPv6 forwarding prevents SLAAC from working properly, take note of your Linode’s SLAAC IPv6 address and we’ll manually configure it on the VM.
In your Linode settings, go to the Configurations tab, and click Edit for your boot config. Disable Auto-configure networking and Save Changes.
Now edit the file /etc/network/interfaces and modify the line iface eth0 inet6 auto, replacing it with the following.
⚠️ Replace the address with your IPv6 SLAAC address you noted earlier.
iface eth0 inet6 static
address 2001:db8::a01b:19ff:76:126d/64
gateway fe80::1
Now reboot your VM to apply the settings and test to make sure everything continues to work. For example, run ping6 dns.quad9.net to ensure your v6 network is still functioning.
Divide your /56 subnet
You will need to split the /56 IPv6 prefix provisioned by Linode into smaller /64 subnets that you can assign to your local networks. A simple calculator you can use is https://subnettingpractice.com/ipv6-subnet-calculator.html where you can paste in your /56, hit Calculate, select /64 and Calculate again to list out all the possible subnets you can use.
We will use the first subnet for the WireGuard tunnel interface, which is 2001:db8:b123:2100::/64 in the example shown here.
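The same split can be done offline with Python's standard ipaddress module. This is an added example, not part of the original post: the function name plan_subnets and the segment labels are made up for illustration, and the prefix is the documentation example used on this page.

```python
import ipaddress

def plan_subnets(delegated, segments, new_prefix=64):
    """Assign consecutive /64s from the delegated prefix to named segments.

    Returns {segment: (network, router_address)}; the router takes ::1 in
    each subnet, matching the addressing used in the rest of this page.
    """
    # Strict parsing rejects a prefix with host bits set, which catches a
    # mistyped /56 (for example ...:2101::/56) before it reaches a config.
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > new_prefix:
        raise ValueError(f"{block} is smaller than a /{new_prefix}")
    available = 2 ** (new_prefix - block.prefixlen)
    if len(segments) > available:
        raise ValueError(
            f"{len(segments)} segments requested, {block} holds {available}")
    if len(set(segments)) != len(segments):
        raise ValueError("duplicate segment name")
    plan = {}
    # subnets() is a generator, so only the /64s actually needed are produced.
    for name, net in zip(segments, block.subnets(new_prefix=new_prefix)):
        plan[name] = (net, net.network_address + 1)
    return plan

if __name__ == "__main__":
    # Hypothetical segment labels: the tunnel first, then two local networks.
    layout = plan_subnets("2001:db8:b123:2100::/56",
                          ["wg-tunnel", "lan", "vlan100"])
    for name, (net, router) in layout.items():
        print(f"{name:10} {net}  router {router}")
```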
Configure WireGuard Tunnel on your Linode
At this point we’re ready to configure the server side of the WireGuard tunnel.
Start by creating a private and public key pair. We’ll need a key for both the Linode (server) and client (router) side.
# Keep the private key files readable only by your user
umask 077
wg genkey | tee linode_privatekey | wg pubkey > linode_publickey
wg genkey | tee client_privatekey | wg pubkey > client_publickey
Create your WireGuard Config
Use an editor to create /etc/wireguard/wg0.conf and save your config file using the example below. For example you may want to use nano if you are a beginner.
sudo nano /etc/wireguard/wg0.conf
⚠️ I am using <…> as placeholders below; replace them with the contents of the files generated by the two genkey commands above. Also remember to replace the example IPv6 addresses with your own.
[Interface]
PrivateKey = <linode_privatekey>
Address = 2001:db8:b123:2100::1/64
ListenPort = 51820
[Peer]
PublicKey = <client_publickey>
AllowedIPs = 2001:db8:b123:2100::/56
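WireGuard uses AllowedIPs both to route traffic to a peer and to filter the source addresses it accepts from that peer, so on the Linode each peer should only list prefixes inside your /56. The following added example (not from the original post; parse_peers and audit_allowed_ips are hypothetical helper names) checks a wg0.conf for entries that fall outside the delegated prefix.

```python
import ipaddress

# Constructed sample: the server-side config from this page, placeholders kept.
PAGE_CONF = """\
[Interface]
PrivateKey = <linode_privatekey>
Address = 2001:db8:b123:2100::1/64
ListenPort = 51820
[Peer]
PublicKey = <client_publickey>
AllowedIPs = 2001:db8:b123:2100::/56
"""

def parse_peers(conf_text):
    """Return one dict per [Peer] section; configparser cannot, as [Peer] repeats."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = None
            if line.lower() == "[peer]":
                current = {}
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # base64 keys end in '=': split once
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return peers

def audit_allowed_ips(conf_text, delegated):
    """List (peer_key, entry) for each AllowedIPs entry outside the delegated prefix."""
    block = ipaddress.ip_network(delegated)
    findings = []
    for peer in parse_peers(conf_text):
        key = peer.get("publickey", ["<missing>"])[0]
        for entry in ",".join(peer.get("allowedips", [])).split(","):
            entry = entry.strip()
            if not entry:
                continue
            net = ipaddress.ip_network(entry, strict=False)
            # Anything wider than the /56 lets the peer source foreign addresses.
            if net.version != block.version or not net.subnet_of(block):
                findings.append((key, entry))
    return findings

if __name__ == "__main__":
    print(audit_allowed_ips(PAGE_CONF, "2001:db8:b123:2100::/56"))
```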
Enable wg0 WireGuard Interface
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
# You should see interface: wg0 with a single peer in the output of the command below
sudo wg show
And that’s it, your Linode server side configuration is complete at this point.
Configuring Your Router
In the example below I am going to be using VyOS which is an open-source firewall OS that has a very good feature set.
We’ll be using the WireGuard keys generated above with the genkey commands.
SSH to VyOS and run the following configuration commands.
configure
set interfaces wireguard wg1 address '2001:db8:b123:2100::2/128'
set interfaces wireguard wg1 description 'Linode IPv6 Tunnel'
set interfaces wireguard wg1 peer linode address '<Your Linode IPv4 – Public address>'
set interfaces wireguard wg1 peer linode allowed-ips '2001:db8:b123:2100::1/128'
set interfaces wireguard wg1 peer linode allowed-ips '::/1'
set interfaces wireguard wg1 peer linode allowed-ips '8000::/1'
set interfaces wireguard wg1 peer linode port '51820'
set interfaces wireguard wg1 peer linode public-key '<linode_publickey>'
set interfaces wireguard wg1 private-key '<client_privatekey>'
set protocols static route6 ::/0 interface wg1
commit
save
At this point you should be able to ping a public IPv6 address on the internet. Maybe ping Quad9 just to make sure it’s working.
ping 2620:fe::fe
ℹ️ If you’re using another system that supports WireGuard it should be fairly easy to copy the idea from the configuration commands above.
Use IPv6 Prefixes on your Local Interfaces
The final step is to use your prefixes on your local network interfaces. Say, for example, you have a LAN and a VLAN 100: you might do something like this to configure one of your /64 prefixes on each interface and configure SLAAC router advertisements so that your devices can get an IP.
configure
set interfaces ethernet eth1 address '2001:db8:b123:2101::1/64'
set interfaces ethernet eth1 vif 100 address '2001:db8:b123:2102::1/64'
set service router-advert interface eth1 name-server '2001:db8:b123:2101::1'
set service router-advert interface eth1 prefix 2001:db8:b123:2101::/64
set service router-advert interface eth1.100 name-server '2001:db8:b123:2102::1'
set service router-advert interface eth1.100 prefix 2001:db8:b123:2102::/64
commit
save
The above example assumes you are using the DNS forwarder or some other DNS service on your router.
Other Recommended Tasks
This gets you to the point of having your own personal IPv6 tunnel broker, but you will also want to look at the following items.
- Make sure you have appropriate firewall policies especially for ingress as you do not have NAT in front of your internal devices.
- You may want to configure DHCPv6 for devices that have trouble with SLAAC.
- If you’d like to run an IPv6-only network, take a look at my blog post on setting up NAT64.