IPv6 Tunnelling

Hurricane Electric (http://he.net) provides a free IPv6 "6in4" tunnel that works well with CeroWrt. This gives your router a globally routable IPv6 address so that you can directly connect to other IPv6 resources on the Internet. It's straightforward to do this: first you create a tunnel through Hurricane Electric's Tunnelbroker site (http://tunnelbroker.net) and then configure your CeroWrt router.

The Sample Script for IPv6 tunnel at the bottom of this page makes it easy to set up the tunnel once you have created your Tunnelbroker account. This procedure has been tested with the Modena 3.7.5-2 build, and is different from the procedure used in Sugarland and earlier builds.

NB: As of March 2013 (CeroWrt 3.7.5-2), the automatic re-establishment code of the 6in4 module appears not to be working. You will need to re-establish the tunnel manually when your external IP address changes. Bug is being tracked here: #358

1. Create an IPv6 6in4 tunnel

  1. Go to the IPv6 Tunnel Broker site at http://tunnelbroker.net
  2. Register to create an account. After you're logged in...
  3. Click the Create Regular Tunnel link (circled in Figure 1, below) You'll see the "Create New Tunnel" page (Figure 2).
  4. Fill in the "IPv4 Endpoint (Your side):" field with your router's external IP address. This is shown in the "You are viewing from:" line.
  5. Click the button that corresponds to the closest Tunnel Server. The page may suggest a server recommendation, as shown in the image. If so, use it.
  6. Scroll to the bottom of the page and click the "Create Tunnel" button. It will take a few moments (less than a minute) to create and register your new tunnel, and show the Tunnel Details page.
  7. The Tunnel Details page (Figure 3) shows everything you need to know about your tunnel:
    • Your Tunnel ID and its creation date.
    • A text field where you can fill in a human-readable name for the tunnel
    • The IPv6 Tunnel endpoints: both an IPv4 and IPv6 address for the server (far) endpoint, and the IPv4 & IPv6 address for your end of the tunnel.
    • DNS resolver addresses (IPv4 & IPv6)
    • Routed IPv6 prefixes for a /64 (single network) or /48 address.
    • rDNS name servers for this block of addresses.
  8. You can click on any of the legends ("Tunnel ID", "Routed /64", etc.) to see more details.

You have now created the tunnel. (The Tunnel Broker home page lists all the tunnels that you have established.) Hurricane Electric is listening on their end waiting to pass IPv6 traffic to and from your external address listed above. Now you need to configure the CeroWrt router to use the tunnel.

2. Configure CeroWrt to use the IPv6 Tunnel

  1. Stay on the Tunnel Details page of the Tunnel Broker web site.
  2. Click the Example Configurations tab (Figure 4) on the Tunnel Details page. This lists a number of configurations for common routers/operating systems.
  3. Select "OpenWRT Backfire 10.03.1" from the dropdown. You will see a set of commands listed.
  4. Use your favorite text editor to open the Sample Script for IPv6 tunnel at the bottom of this page.
  5. Use the values from the Tunnelbroker web page to fill in the corresponding values in the script. Save the text to file in /tmp and execute the script.
  6. The full procedure for saving and executing the script is described at the top of the script file.

3. Manually re-establish the tunnel when your IPv4 address changes

If you do not have a static IPv4 address for the client end of the tunnel (perhaps you have a DSL or cable modem connection), your tunnel will go down each time your external IPv4 address changes.

The Tunnel Broker has a facility for re-registering your current client IPv4 address. The page at https://ipv4.tunnelbroker.net/ipv4_end.php has details. As a quick fix, you can visit the URL below to inform the Tunnel Broker to update your TUNNELID to autodetect your IPv4 address:


or use the non-HTTPS URL described in the script below. If the update goes properly, you see a response similar to this:

+OK: Tunnel endpoint updated to:


Figure 1: Main Page, showing Create Regular Tunnel link

Figure 2: Create New Tunnel page

Figure 3: Tunnel Details page

Figure 4: Configuration script for CeroWrt and OpenWrt

Figure 5: Advanced Settings

Sample Script for setting up Tunnelbroker Tunnel

The script below sets up a tunnel using the configuration parameters provided by the Hurricane Electric Tunnelbroker.net site.

# Script for setting CeroWrt to create an IPv6 tunnel 
# to Hurricane Electric at http://www.tunnelbroker.net/
# There are two steps:
# 1) Go to the Tunnelbroker.net site to set up your free account
# 2) Run the script below, using the parameters supplied by Tunnelbroker
# This CeroWrt page gives detailed instructions for setting up an IPv6 tunnel: 
#    http://www.bufferbloat.net/projects/cerowrt/wiki/IPv6_Tunnel  
# Once you've created your account and a tunnel, get the "Example
# Configurations" for OpenWRT Backfire, and use the info to fill in this
# file, then save it as a file named "tunnel.sh" Finally, ssh into the 
# router and execute this script with these steps:
# ssh root@
# cd /tmp
# cat > tunnel.sh 
# [paste in the contents of this file, then hit ^D]
# sh tunnel.sh
# [Restart your router. This seems to make a difference.]
# Presto! Your tunnel is set up. You should now be able 
#   communicate directly with IPv6 devices. 

# ==============================================
# Download and update all the interesting packages
# Some of these are pre-installed, but there is no 
# harm in updating/installing them a second time.
opkg update
opkg install 6in4

# ==============================================
# Create a 6in4 interface to tunnel IPv6. These steps show how to
# set the credentials for a Hurricane Electric tunnel
# First create an account at http://HE.net, then use their
# Example Configurations page to get the specifics, which are
# automatically generated specifically for *your* tunnel 
# Copy/paste the information from the Example Configurations
# generated for the OpenWRT Backfire 10.03.1 dropdown
echo 'Setting up HE.net tunnel'
uci set network.henet=interface
uci set network.henet.proto=6in4
uci set network.henet.peeraddr=xxx.xxx.xxx.xxx
uci set network.henet.ip6addr='2001:470:ABCD::2/64'
uci set network.henet.tunnelid=123456
uci set network.henet.username=tbxxxxxxxx.xxxxxx
uci set network.henet.password='your-password'

# ------- Additional configuration info required for the tunnel --------
# This automatically assigns each LAN interface a /64 from your routed /48
uci set network.henet.ip6prefix='2001:470:ABCD::/48'   # Use your routed /48 prefix from HE.net
uci set network.henet.mtu=1424
uci set network.henet.ttl=64
uci commit network

# ==============================================
# Configure the 6in4-henet interface into the WAN zone
# CeroWrt puts WAN stuff in zone[0], not zone[1] as with OpenWrt
uci set firewall.@zone[0].network='ge00 henet'
uci commit firewall

# ==============================================
# Invoke the new configuration
echo 'Restarting network... "Device busy (-16)" messages are OK.'
/etc/init.d/network restart
echo 'Restarting firewall...'
/etc/init.d/firewall restart

# Belt and suspenders - you could also restart
echo 'Done. You should restart the router now to make these take effect.'

# ==============================================
# What's going on here?
# CeroWrt is configured to do a lot of stuff automatically, so you may not notice
# all the magic that's happening under the covers. Here are some of the configuration
# tricks that have been worked out over the various test releases of CeroWrt 3.7.x
# IPv6-in-IPv4 tunnel to Hurricane Electric (http://HE.net):
# These lines create an interface named "6in4-henet" that acquires an IPv6 address
# for the CeroWrt router, and also gets the assigned /48 prefix to assign to the 
# individual routed LAN interfaces.
# In addition, the script places 6in4-henet into the firewall's WAN zone.
# dnsmasq-dhcpv6 is the default DNS and DHCP server. By default, it is prepared
# to handle all DNS duties and to hand out IPv4 and IPv6 addresses.
# Each time it restarts, its config file (/etc/config/dhcp) is compiled to 
# create /var/etc/dnsmasq.conf. This in turn links to a conf file at
# /etc/dnsmasq.conf. The latter file contains the information required for 
# handing out IPv6 addresses on the LAN interfaces (se00, sw00, gw00, sw10, gw10).
# Restarting services:
# The final step in the script is to restart the network and firewall services.
# It never hurts to reboot the router after this completes.
# NB: This has been tested with CeroWrt 3.7.5-2 (Feb 2013)

# ==============================================
# Re-establishing the Tunnel
# NB: As of CeroWrt 3.7.5-2 (Feb 2013), the automatic re-establishment code 
# of the 6in4 module appears not to be working. You will need to re-establish 
# the tunnel manually when your external IP address changes.
# To re-establish the tunnel, say, because your external IP address changed,
# you can also use the following URL with these parameters. Note that the 
# USERNAME and PASSWORD are what you type to log into the Tunnelbroker site.
# USERNAME is the Account Name 
# PASSWORD is the current password
# TUNNELID is the Tunnel ID  
# https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
# You can also use a non-HTTPS URL and parameters to re-establish the link.
# This form relies on hashed representations of the credentials since they're
# not carried on a secure connection. You can get more information about the
# parameters at https://ipv4.tunnelbroker.net/ipv4_end.php
# USERID is the "User ID" from the Tunnelbroker site's Main Page
# PWHASH is the MD5 hash of the password
# TUNNELID is the Tunnel ID
# http://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&apikey=USERID&pass=PWHASH&tid=TUNNELID
# --- end of script ---

tunnelbroker1.png (116.6 kB) Rich Brown, 03/17/2012 07:13 am

tunnelbroker2.png (154.5 kB) Rich Brown, 03/17/2012 07:14 am

tunnelbroker3.png (134.9 kB) Rich Brown, 03/17/2012 07:14 am

tunnelbroker4.png (147.8 kB) Rich Brown, 03/17/2012 07:14 am

tunnelbroker5.png (102.5 kB) Rich Brown, 03/17/2012 07:14 am