Saud Iqbal

IPv6 home server with dynamic prefix for VPN, Web Server, RDP and Firewall setup guide

IPv6 is the new successor to legacy IPv4 which overcomes the shortages of IPv4 addresses since it only contains 4,294,967,296 IP addresses where as the smallest IPv6 block which is a /64 has 18,446,744,073,709,551,616 IPv6 addresses. The world is running out of IPv4 addresses and more and more ISPs are moving towards CGNAT (Carrier Grade Network Address Translation) which means instead of a public IPv4 address a private IPv4 address is assigned to users where services hosted on home does not work. If you are planning on setting up a server or remote access to your home or office using IPv6 then this guide is for you.

Preparing your device.

Windows

Windows uses IPv6 privacy extension where it uses a temporary IPv6 address which changes every couple of hours. To force Windows to use a static address create a new file as disable_temp_ipv6.bat and paste these lines

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent

save the file and right click on it and run it as admin then reboot the computer.

Linux

This config is for networking /etc/network/interfaces 

Raspberry Pi Only

These two commands are only for Raspberry Pi since it uses dhcpcd and we need networking to get it to work. If you are using Debian you can skip these two commands.

sudo systemctl disable dhcpcd

sudo systemctl enable networking

After executing the above commands do not reboot your Raspberry yet or it will not boot.

Now generate a new random IPv6 address suffix like this one ::71c6:b34f:8e2a:54f5 or your own easy to remember like ::2 or ::1000 and find your router IPv6 gateway address. In this example I will use ::71c6:b34f:8e2a:54f5 as my desired IPv6 address. Now edit the /etc/network/interfaces file and replace the code with this one replacing the token and gateway of your router.

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp

iface eth0 inet6 auto
	accept_ra 2
	up ip token set ::71c6:b34f:8e2a:54f5 dev eth0

For Netplan use this as an example

network:
  ethernets:
    eth0:
      match:
        macaddress: ab:cd:12:34:56:78
      addresses:
      - 192.168.1.10/24
      ipv6-address-token: "::71c6:b34f:8e2a:54f5" 
      gateway4: 192.168.1.1
      gateway6: fd32:f949:d949:b66c::1
      accept-ra: true
      ipv6-privacy: true
      dhcp4: true
      dhcp6: true
      nameservers:
        addresses: [8.8.8.8, 2001:4860:4860::8888]

Save the file and reboot your server or Raspberry Pi.

Router configuration

Next step is to setup your router firewall where we will use the suffix 71c6:b34f:8e2a:54f5 to match the last 4 octects to a full IPv6 address. The prefix can be dynamic and can change whenever it wants and your server will continue to work fine. Now go to your router firewall, Asus and OpenWRT config is similar and use these values as an example.

Asus router example

Service name: Your preferred name

Remote IP: Leave it empty

Local IP: ::71c6:b34f:8e2a:54f5/::ffff:ffff:ffff:ffff

Port: 443

Protocol: Select TCP or UDP or both that your service requires.

Asus IPv6 Firewall

OpenWRT example

Network -> Firewall -> Traffic Rules -> Add

OpenWRT IPv6 Firewall

Now go to Advanced Settings tab and select 'Restrict to address family' -> 'IPv6 only'

IPv6 Advanced tab

Save the firewall and you are done.

Keeping the server private

If you are planning on keeping your server safe from hackers and private you can use IPv6 privacy extensions. IPv4 addresses are always under constant attack and scanning since the address space is so small, it takes a couple of hours to scan the whole IPv4 address space and exposing your home network on the Internet is not a good idea. IPv6 privacy extensions keeps generating temporary IPv6 address at a certain interval, like every 24 hours your server will use a different IPv6 address to communicate on the Internet. This way your outbound IPv6 address will be different from your inbound IPv6 address. To do this edit the file /etc/sysctl.conf and add these commands after net.ipv6.conf.all.forwarding=1

net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.eth0.temp_prefered_lft = 86400
net.ipv6.conf.eth0.temp_valid_lft = 90000

Dynamic DNS script

If you need a bash or shell script to update your DNS server then go here for an example script ❯ LINK

Hopefully now you should get a working home IPv6 server or a VPN connection with inbound IPv6 address.

Let me know if you have any comments or if there is any bug or error in this guide.

❮ Back to blog