Home Server On IPv6-only Internet Connection?

RandyOo writes "I've recently learned that our neighborhood is getting a fiber optic network, with a 100Mbps connection in each subscriber's home. IPv6 connectivity is included, but unfortunately, the only IPv4 connectivity they offer is Carrier Grade NAT, due to the exhaustion of IPv4 addresses in RIPE. I travel a lot, and I've become accustomed to accessing my home network via SSH, VNC, etc. It appears uPNP and PMP are unsupported by CGN. So, without a publicly-routed IPv4 address, I'll be unable to reach devices on my home network from an IPv4-only connection, such as the one provided by my cellular carrier (which also appears to be behind some kind of NAT, by the way). If the ISP isn't willing or able to sell me an IPv4 address, what alternatives do I have? I'd be willing to pay a small monthly fee for, say, a VPN service that would allow me to accept incoming connection requests on a range of ports on their Internet-facing IPv4 address. Does such a service exist?"

Hamachi

[PhaseBurn]

I've been using LogMeIn's Hamachi system to accomplish this. It's a virtual LAN solution that links machines behind firewalls or CGN devices. The down side is that it has to be installed on all devices that access the virtual LAN, and they don't have any mobile clients (yet), but if you need access from a device you can't install the Hamachi client on, you can always get a cheap VPS, install the linux client on it, and set up some port forwarding - the Hamachi IPs are static, so each machine always gets the same one.

There are some limitations with the free version (5 machines in a virtual LAN, connection only works with a logged in user on desktop clients), but the $30ish it costs per year for a 32 user license is very reasonable. And it supports IPv6 and IPv4 across the VLAN, too.

proxy on an amazon ec2 instance?

[yincrash]

also, if you're using t-mobile and have a newer phone, you can get IPv6. https://sites.google.com/site/tmoipv6/lg-mytouch [google.com]

Cheap Linux VPS and a VPN to home

[toygeek]

A cheap Linux based VPS (Virtual Private Server) will do what you want. You can set up a VPN connection between your home server and the VPS, and then connect to the VPS on its public IP and have it route to your home. I haven't set up such a thing myself, and it will be a bit laggy, but it should works for what you need.

HE.net?

[alexandre]

Take a look at Hurricane Electric, they offer free tunnel, dns hosting, etc.
Oh, and an awesome IPv6 training program for which you can get a t-shirt if you finish it! ;)
You can be up and running on an IPv6 tunnel from anywhere in 30 seconds!

Reverse SSH Tunnel

[Ingenium13]

As one other comment suggested, get a cheap VPS and setup a VPN so that you can connect to your network. DigitalOcean has one for $5/month (I'm in no way affiliated) https://www.digitalocean.com/ [digitalocean.com] and you can then have your router connect to the VPN. Setup the routes correctly and any VPN user can access every device at home.

However you won't always want to load up the VPN on your phone, and if there's just 1 computer you want to access you can use a VPS with a remote SSH tunnel. Have the computer on your network connect to the VPS and forward some high numbered port, say 4222, to port 22: ssh -R 4222:localhost:22 user@vps. Then you can ssh into your VPS on port 4222 and it will go directly to your home computer. Just made sure you add "GatewayPorts yes" to /etc/ssh/sshd_config or the remote port will only bind to localhost.

Couple this with autossh and the home computer will always keep the connection open and re-establish it as necessary.

Sure, there's a little overhead, but I've never really noticed it. I use this trick so that my phone and tablet can always ssh into my laptop no matter where the laptop is (home network, friend's house, coffee shop, etc)... no need to find the IP address and worry about port forwarding.

Re:Hamachi

[Anonymous Coward]

Hamachi squats on valid address space, and may cause problems.

Port block allocation & PCP

[funkboy]

Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck [menog.org] for more details.

Port control protocol [potaroo.net] is also very close to being reality [cisco.com]. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.

Re:HE.net?

[gman003]

You aren't looking at the full picture.

What he needs is a way to connect to his (IPv6) home computers, from presumably-IPv4 remote locations. There are two ways he could do this - by finding a way to use IPv4 on his home machines, or by finding a way to use IPv6 on the remote connections. Tunneling IPv6 over IPv4 would work on the remote side, just as tunneling IPv4 over IPv6 would work on the home side.

Re:You've come to the right place.

[biggknifeparty]

Buy a VPS. Create an open ended ssh tunnel commencing that opens a port on the VPS IP4 address. Use a utility like autossh to automatically maintain the ssh connection. Connect to port 80 on the VPS IP and get routed to your home web server.

Re:Cheap Linux VPS and a VPN to home

[Deekin_Scalesinger]

He can get a free year of EC2 hosting. Windowz and Linux both. Amazon may be a Big Corporation but this ain't bad [amazon.com]

Re:Hamachi

[danpbrowning]

They finally fixed that? Good. They previously used 5.0.0.0/8 and it took a *long* time to figure out why certain users can't access certain web servers.

Re:Cheap Linux VPS and a VPN to home

[sortius_nod]

Not only that, you can just keep signing up for free tier every year. I've done it myself, & all I needed to do was transfer configs to my local machine, close down my AWS account, open a new one, upload, off I go again.

It may only be a year, but they don't check names, credit card details, or address, just email address.

Re:You can always get to IPV6 on the out

[JimboJoe]

I would definitely try Teredo first, though it does depend on the NAT design used by your ISP (you want remote IPv4 hosts to repeatedly see the same source address after repeated connections -- if the reported address changes, Teredo won't work for you).

The protocol doesn't require explicit ISP support, though NAT design can certainly break it and ISPs can filter it if they choose. When it works, the net effect is that any two hosts running Teredo clients can connect to each other via their client's IPv6 addresses, even if an IPv4 network sits between them.

Under the hood, it tunnels on top of NAT'd UDP over IPv4, using a 3rd party public IPv4 server to mediate the connection start-up (needed for NAT busting [wikipedia.org]) -- but all of that is transparently handled by the Teredo client, so using it seems exactly the same as connecting to any other IPv6 host. There's a small privacy aspect present since that other server sees your source and destination trying to start a connection, but all the real traffic is direct, peer-to-peer.

Since the effect is to allow connections despite a NAT, you should make sure you are suitably firewalled, patched up, hardened, etc. Some teredo clients may also require you to explicitly enable in-bound connections on the interface.

Re:proxy on an amazon ec2 instance?

[MtHuurne]

T-Mobile is part of Deutsche Telekom: Germany is where they started from.

Re:Toredo

[DarkOx]

No very much the opposite actually. Remember you are tcp or Udp inside the tunnel as well. For the inner Udp a lost packet is simply a lost packet like any other, the application will have been designed to handle that because its the nature of Udp. For tcp a lost tunnel packet will result in the inner tcp seeing a lost packet, there will be no ack and it will do what tcp always does a retransmit, the outer tunnel layer will encapsulate it in a new Udp packet and things will work fine.

Often tcp tunneled in tcp performs badly on lossy links. What happens if the stacks have not worked out the window sizes just right you get BOTH the inner and otter tcp doing a retransmit. This results in the inner tcp ultimately experiencing lots of duplicate packets; which it will handle, but you end up sending lots of useless traffic down the tunnel which is just like more overhead.

Re:You've come to the right place.

[RandyOo]

You know, I honestly did spend some time searching Google without coming up with useful results. I certainly could have spent a lot more time searching, but sometimes, it's a lot easier to ask someone with expertise and experience. I debated asking the question here, but I also found it interesting (and perhaps news and discussion-worthy) that ISPs are rolling out IPv6-only deployments (on synchronous 100Mbit fiber, even!), and thought others here might find that interesting, as well.

Re:You've come to the right place.

[realityimpaired]

Ask yourself whether you need a server, or you simply need to access your home computer.

If you just need to access your home computer to see files/etc., then a service like LogMeIn [logmein.com] or TeamViewer [teamviewer.com] would probably work for you. They work through NAT and don't require a publicly routable IP address to access specific equipment.