22
submitted 1 month ago* (last edited 1 month ago) by hempster@lemm.ee to c/selfhosted@lemmy.world

I’ve set up subnet routing via Tailscale from my Oracle VPS to my home RPi4. The VPS has a static IPv4 and a /64 IPv6 allocation. I use the VPS to reverse traffic apps on the raspberry using nginx. I would like to take one step forward by tunneling v6 traffic from my home network to WAN, so every client gets its own IPv6 address. What's the best way to tunnel IPv6 traffic from my home network through the RPi4 to the Oracle VPS? I’m also comfortable with messing up my Asus AC86U router to provide publicly routable IPv6 addresses to all clients via DHCP.

top 9 comments
sorted by: hot top controversial new old
[-] 2xsaiko@discuss.tchncs.de 4 points 1 month ago

The easy way is to just use tunnelbroker.net, that is what I currently have (this would use one of their assigned net blocks, not the one from the VPS). Set it up on the Pi, set up IP forwarding with appropriate firewall rules, make the Pi serve RA so clients can assign themselves an IP, done (IIRC).

If you want to set up the v6/v4 gateway yourself, I would do this with a /64 you can fully route to your home network like you would get with tunnelbroker.net because then you don't have to deal with the network split and essentially two gateways for the same network (your Pi and the VPS), because otherwise your clients would assume the VPS is directly reachable since it's in the same network when in reality it would have to go through the gateway (you would have to set up an extra route in that case on every client, I think). You'd need a second network from Oracle for this.

But it's pretty much the same thing I would assume plus the setup on the VPS side, make the VPN route your /64 block (or use 6in4 which is what tunnelbroker.net uses), configure IP forwarding on the Pi and the VPS between the VPN interface and local/WAN respectively.

[-] hempster@lemm.ee 1 points 1 month ago

Tunnelbroker doesn't work behind CGNAT

[-] 2xsaiko@discuss.tchncs.de 2 points 1 month ago

Hm, it doesn't? I'm not behind CGNAT but I'm in a network I don't control (university dorm) so my gateway is just another device in the local network and I don't have a public IP which I control, which I feel like should effectively be the same thing as CGNAT, and it works for me. Maybe it isn't the same.

[-] hempster@lemm.ee 1 points 1 month ago

Not sure how's that even possible, HE usually probes your IPv4 address before assigning a GUA

[-] 2xsaiko@discuss.tchncs.de 1 points 1 month ago

I had the network before moving here (created it when I did have a public IPv4). Can't test creating one new since it will only allow me to make one per IP.

[-] Natanael@slrpnk.net 2 points 1 month ago* (last edited 1 month ago)

You need to set up a publicly accessible device (in this case the VPS) as your IPv6 gateway

So you set up your VPN connecting your network to the VPS (should probably be set up from the router) and set your router to advertise an IP adress for the VPS which is routable from your local network as the gateway address (and should probably also run DHCPv6 for your network)

(note, I have not set up this stuff myself so I can't help with implementation details)

[-] hempster@lemm.ee 2 points 1 month ago* (last edited 1 month ago)

How do I make the VPS as a gateway device? I see that I can do a static route, but IPv6 gateway is something im unable to understand

[-] oshu@lemmy.world 2 points 1 month ago

I don't think you can do this with routing because IPv6 doesn't support splitting a /64 into subnets. Might work via virtual bridging over a vpn link. I don't think tailscale supports layer 2 tunneling so you would need to use something else.

[-] 2xsaiko@discuss.tchncs.de 2 points 1 month ago

What they suggest sounds like setting up a bridge interface between your LAN and the VPN interface to connect the VPS with your LAN. That’s actually a good idea since it would not need you to have a separate /64 for your local network. In this case I’m pretty sure that your VPN needs to be a layer 2 VPN, i.e. transports whole ethernet frames instead of TCP/UDP only, for this to work correctly. Wireguard doesn’t do this, OpenVPN can for example.

To make the VPS a gateway, you need to configure it to forward packets between networks and then set it as your default route on the clients (with IPv6, default route is usually published using router advertisements, set up radvd service on your VPS for that). That’s pretty much it IIRC except for the firewall rules. Here’s an article that’s some cloud stuff but is also applicable to your situation: https://www.linode.com/docs/guides/linux-router-and-ip-forwarding/#enable-ip-forwarding

this post was submitted on 04 Oct 2024
22 points (95.8% liked)

Selfhosted

40173 readers
634 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS