IPv6 tunnel with ssh

My home network is somewhere off of the qwest cloud. I have a DSL router and an access point (running OpenBSD, of course). I also have a co-lo machine. On the co-lo machine, I have a tunnelbroker.net IPv6 tunnel configured (my co-lo ISP doesn’t do IP6 yet *sigh*).

I decided to route a “real” /64 to my house from the co-lo machine and it wasn’t as easy as I expected it would be. I fiddled with IPSec, but being behind a double NAT (access point is the first NAT and the DSL router is the second) made that configuration more trouble than I wanted. (btw, ideas for how to make this work are welcome).

So, I ended up using ssh(1) and tun(4) to create a tunnel between my access point and the co-lo machine.

How it works:

On the home access point:

# cat /etc/hostname.tun0
inet6 alias fe80::2 128
dest fe80::1
! route delete -inet6 default
! route add -inet6 default fe80::1%tun0
# cat /etc/hostname.rum0
inet 172.16.0.1 255.255.255.0 NONE
inet6 alias 2001:470:b813:f000::1
# cat /etc/hostname.dc0
inet 172.16.1.1 255.255.255.0 NONE
inet6 alias 2001:470:b813:f001::1

This creates a tun interface with a link-local address (LLA) of fe80::2%tun0, and the “other” end of the tunnel is fe80::1%tun0. (Note: LLAs are only valid within the context of one interface, tun0 in this case, which is why the % scope syntax is used.) I also add “real” IPv6 addresses to my wireless LAN (rum0) and my wired LAN (dc0).

On the co-lo machine:

inet6 alias 'fe80::1%tun0' 128
dest 'fe80::2%tun0'
! route add -inet6 2001:470:b813:f000:: fe80::2%tun0
! route add -inet6 2001:470:b813:f001:: fe80::2%tun0

This configures the co-lo end of the tunnel and adds routes for the two home prefixes through it, using the LLAs as the gateway addresses.

Now, back on the home machine:

ssh -4 -f -w 0:0 www.thought.net sh /etc/netstart tun0

The command above creates the actual tunnel and activates the tun interfaces: -4 forces the ssh session itself over IPv4 (the only path that exists before the tunnel is up), -w 0:0 asks for tun0 on both ends, -f backgrounds ssh once the tunnel channel is open, and the remote command runs netstart on the co-lo end to configure its tun0. Shazam!
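The two ends only work if they agree with each other: each side's dest must be the other side's alias, the home default route must point at the co-lo LLA scoped to tun0, and the co-lo must hold one route per home /64 back through the home LLA. The check below is an added example, not code from the post, that reads constructed copies of the hostname.if files above and reports any mismatch. It also checks the sshd side of the ssh -w step, which the post does not cover: PermitTunnel must be enabled in sshd_config, and the key that opens the tunnel can be confined to that one job with the authorized_keys options tunnel="0", command= and no-pty (real OpenSSH options, but the sample lines, the key material and the "routes written without a prefix length mean /64" reading are assumptions of this example).

```python
import re
from ipaddress import IPv6Address, IPv6Interface, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")
DELEGATED = IPv6Network("2001:470:b813::/48")  # the routed /48 mentioned in the comments

# Constructed copies of the post's hostname.if(5) files.
HOME_TUN0 = """\
inet6 alias fe80::2 128
dest fe80::1
! route delete -inet6 default
! route add -inet6 default fe80::1%tun0
"""
HOME_LANS = {  # interface -> its inet6 alias line (hostname.rum0, hostname.dc0)
    "rum0": "inet6 alias 2001:470:b813:f000::1",
    "dc0": "inet6 alias 2001:470:b813:f001::1",
}
COLO_TUN0 = """\
inet6 alias 'fe80::1%tun0' 128
dest 'fe80::2%tun0'
! route add -inet6 2001:470:b813:f000:: fe80::2%tun0
! route add -inet6 2001:470:b813:f001:: fe80::2%tun0
"""
# Constructed server-side samples (assumed hardening, not from the post): the
# key used for 'ssh -w' is tied to tun0 and to the one command it may run.
SSHD_CONFIG_OK = "PermitRootLogin prohibit-password\nPermitTunnel point-to-point\n"
AUTHORIZED_KEY_OK = ('tunnel="0",command="sh /etc/netstart tun0",no-pty,'
                     'no-agent-forwarding,no-X11-forwarding '
                     'ssh-ed25519 AAAA-PLACEHOLDER-KEY home-ap-tunnel')


def split_scope(token):
    """'fe80::1%tun0' -> (IPv6Address('fe80::1'), 'tun0'); no scope -> ''."""
    addr, _, scope = token.strip("'\"").partition("%")
    return IPv6Address(addr), scope


def parse_tun_config(text):
    """Pull alias, dest and the '! route add -inet6' lines out of a hostname.tun0."""
    cfg = {"alias": None, "dest": None, "routes": []}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["inet6", "alias"]:
            cfg["alias"] = split_scope(tok[2])
        elif tok[:1] == ["dest"]:
            cfg["dest"] = split_scope(tok[1])
        elif tok[:4] == ["!", "route", "add", "-inet6"]:
            cfg["routes"].append((tok[4], split_scope(tok[5])))
    return cfg


def lan_prefix(alias_line):
    """An 'inet6 alias X' line with no prefixlen is treated as a /64 (assumption)."""
    return IPv6Interface(alias_line.split()[2] + "/64").network


def check_tunnel(home_tun, home_lans, colo_tun):
    """Return a list of problems; an empty list means both ends agree."""
    home, colo = parse_tun_config(home_tun), parse_tun_config(colo_tun)
    problems = []
    for name, cfg in (("home", home), ("colo", colo)):
        for key in ("alias", "dest"):
            if cfg[key][0] not in LINK_LOCAL:
                problems.append(f"{name} {key} {cfg[key][0]} is not link-local")
    if home["dest"][0] != colo["alias"][0] or colo["dest"][0] != home["alias"][0]:
        problems.append("tunnel endpoints do not point at each other")
    # Home side: the default route must leave via the co-lo LLA, scoped to tun0.
    defaults = [gw for dst, gw in home["routes"] if dst == "default"]
    if defaults != [(colo["alias"][0], "tun0")]:
        problems.append(f"home default route {defaults} should be via {colo['alias'][0]}%tun0")
    # Co-lo side: one route per home /64 (route(8) destinations written without a
    # prefix length are read as /64 here), each inside the /48, via the home LLA.
    colo_nets = {IPv6Interface(dst + "/64").network: gw
                 for dst, gw in colo["routes"] if dst != "default"}
    for ifn, line in home_lans.items():
        net = lan_prefix(line)
        if not net.subnet_of(DELEGATED):
            problems.append(f"{ifn} prefix {net} is outside {DELEGATED}")
        if colo_nets.get(net) != (home["alias"][0], "tun0"):
            problems.append(f"colo has no route for {ifn} prefix {net} via {home['alias'][0]}%tun0")
    return problems


def check_ssh_side(sshd_config, authorized_key):
    """Server-side requirements for 'ssh -w 0:0': PermitTunnel on, key confined."""
    problems = []
    permit = re.search(r"^\s*PermitTunnel\s+(\S+)", sshd_config, re.M | re.I)
    if not permit or permit.group(1).lower() not in ("yes", "point-to-point"):
        problems.append("sshd_config lacks PermitTunnel yes|point-to-point")
    opts = authorized_key.split(" ssh-", 1)[0]  # options precede the key type
    for needed in ('tunnel="0"', 'command="sh /etc/netstart tun0"', "no-pty"):
        if needed not in opts:
            problems.append(f"authorized_keys entry lacks {needed}")
    return problems


if __name__ == "__main__":
    found = check_tunnel(HOME_TUN0, HOME_LANS, COLO_TUN0)
    found += check_ssh_side(SSHD_CONFIG_OK, AUTHORIZED_KEY_OK)
    print("ok" if not found else "\n".join("problem: " + p for p in found))
```

Run it against the real files with `python3 check.py` after pasting in the live hostname.if contents; the usual drift is a LAN /64 added on the home side without its matching route on the co-lo, which the check reports by interface name. The tunnel also needs root on the home side (the client opens /dev/tun0) and a root-capable login on the co-lo, which is why the sample sshd_config keeps PermitRootLogin to key-only.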


2 Responses to IPv6 tunnel with ssh

  1. Coolmax says:

    Could you rewrite these rules for Linux? I’m trying the same thing with my boxes; I can ping6 one from another but I cannot ping6 the world from my home box. First, can I assign 2001:470:b813:f001::1 (from your example) to tun0? Second, are these addresses (2001:470:b813:f000::, 2001:470:b813:f001::) from a /64 or a /48 prefix?

    • jason says:

      I do not have Linux machines on which to test at the moment.

      However, the two blocks I used in the examples are both from a routed /48, but I sliced that /48 into two /64s (2001:470:b813:f001:: and 2001:470:b813:f000::). Linux may not like my (ab)use of the fe80 link-local addressing for point-to-point links, so you may need to use a /64 for that. I believe the use of link-local addressing to be kosher, but link-local addressing has its own funkiness, like requiring -i (or -I) for ping6 on Linux.
