I have recently moved my hosting to a couple of VPSes at ChicagoVPS and wanted to use IPv6 (via tunnelbroker.net)

ChicagoVPS uses OpenVZ which presents a couple of problems

$ ifconfig sit0
sit0: error fetching interface information: Device not found
$ sudo modprobe ipv6
FATAL: Module ipv6 not found.

It turns out, this is a fairly common problem though OpenVZ is supposed to support IPv6. Luckily, someone made a small userland program (tb-tun, which “tunnels” IPv6 tunnels through a TUN/TAP device.

First, it requires tun/tap device support to be enabled in the VPS, this is done in the control panel under settings

Control panel

Note! – Changing this setting will reboot your VPS without warning!

Next, make sure the build-essential package is installed (it’s included in the Ubuntu template at ChicagoVPS)

$ sudo apt-get install build-essential

Now, download and install the tb-tun program

$ mkdir tb-tun
$ cd tb-tun
$ wget https://tb-tun.googlecode.com/files/tb-tun_r18.tar.gz
$ tar zxvf tb-tun_r18.tar.gz
$ gcc tb_userspace.c -l pthread -o tb_userspace
$ sudo mv tb_userspace /usr/local/sbin

Before, continuing I recommend looking up the following information:

Server IPv4 Address - This is the IPv4 address of the Tunnelbroker gateway
Client IPv4 Address - This is the IPv4 address of your server
Client IPv6 Address - This is the IPv6 address of your server (for the tunnel end-point)
Routed /64 - This is your network

Next, you need to ensure your iptables configuration allows incoming encapsulated IPv6 traffic (protocol 41). Since ufw is a PITA to get to work on OpenVZ, I’m using iptables-persistant, which simply means adding one line to /etc/iptables-persistent/rules.v4

# IPv6 tunnel
-A INPUT -p 41 -s <Server IPv4 Address> -j ACCEPT

You also need to secure your server on IPv6, /etc/iptables-persistent/rules.v6

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

Apply the new rules

$ sudo service iptables-persistent reload

Finally, you are ready to set up your tunnel in /etc/network/interfaces

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb <Server IPv4 address> <Client IPv4 address> sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add <Client IPv6 address>/64
        post-up ifconfig tb inet6 add <Routed /64>:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

In my setup it looks like this:

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb 209.51.181.2 192.210.137.214 sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add 2001:470:1f10:74b::2/64
        post-up ifconfig tb inet6 add 2001:470:1f11:74b::1:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

Now, I just have one question

Y U NO

(Actually I know, and understand, why. It’s still annoying though)

iptables is not always easy to deal with so I prefer to use Uncomplicated firewall (ufw) in Ubuntu, because it simplifies configuring and maintaining my firewall rules.

Unfortunately, ufw does not play nice with OpenVZ containers so I decided to find something else. In the end (after testing various things) I decided to install the package iptables-persistent which is not as sexy as ufw but gets the job done.

iptables-persistent uses two configuration files

/etc/iptables-persistent/rules.v4
/etc/iptables-persistent/rules.v6

both files can be generated during installation.

The a simple version of /etc/iptables-persistent/rules.v4 may look like this

*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j DROP

# Allow all traffic from tun-devices (VPN)
-A INPUT -i tun+ -j ACCEPT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You could modify this to only allow certain traffic
#  This is in addition to allowing established and related traffic as listed above
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections from trusted-host only - drop the rest
-A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy (change to REJECT of you which to reject packets instead of dropping them)
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

After making changes to your rules files, apply them by running

$ sudo service iptables-persistent reload