One annoying caveat with these is that for streaming services, you will need to figure out how to disable those tunnels, because they're blocked as if they're VPNs for getting around region restricted content blocks.
Still works great, though. Thanks to the power of RAs, you can get all of your devices hooked up with an IPv6 address even if your router doesn't support HE tunnels, just have any device in your network advertise a /64 and it'll become an IPv6 router (assuming your router doesn't filter out RAs for security reasons).
Very useful for hosting stuff from within your home network without actually needing to mess with port forwarding rules.
pQd · 49m ago
Aspect worth noting: to my knowledge, HE's tunnel will work only if you're assigned a public IPv4 by your ISP. If you're behind a carrier-grade NAT - too bad, you'll need to use another solution to get IPv6 to your home.
daneel_w · 1h ago
Happy "customer" here. I've been using their free 6in4 tunnel through OpenBSD for about five years and have had no mentionable problems. I configure mine solely with OpenBSD's network interface files, e.g. /etc/hostname.gif0:
I use the connectivity to reach a cluster of VPSes in AWS deliberately set-up without public IPv4 addressing, which would otherwise represent a large part of the monthly costs because of buttholes like Jeff Bezos actively monetizing IPv4 address space.
cebert · 42m ago
> because of buttholes like Jeff Bezos actively monetizing IPv4 address space.
IPv4 addresses are finite and rapidly being depleted. What other solution do you have to manage demand of a finite resource other than charging for it?
daneel_w · 15m ago
My stance is that common connectivity shouldn't cost an additional $3.70 a month on top of already egregious traffic costs. The price per IP today is about $30. The lifetime of the investment is infinite and upkeep is in the grand scheme of things nothing. The markup profit is insane. It's a new behavior, pure usury, seizing an opportunity to profit on a crisis. To offer some contrast (without getting into the sizes of their respective turfs) Oracle doesn't charge a dime.
xyzzyz · 2m ago
We are in crisis precisely because nobody charged for IPv4 addresses in the past, and so the overwhelming majority of those are wastefully allocated. What you want would exacerbate the crisis.
simonjgreen · 4h ago
Slightly misleading title, this is more “getting to the IPv4 internet via an IPv6 tunnel through a VPS”. Also just called 4in6.
Interesting nonetheless!
We find at our ISP that if we break something with IPv4 we experience a very different type of support issue to if we break IPv6. Breaking v4 results in, broadly, a pretty hard “down” state. While folks are unhappy, it is at least simple. Breaking v6 results in weird, and a partial down, which manifests for the users as partial outages, slow starts due to fall back, etc. Especially if their gateways believe there is v6 when there isn’t.
jeroenhd · 1h ago
When my IPv4 died last time, I noticed it mostly because Github didn't work anymore. These days, most consumer websites just work on IPv6. That said, people whose routers were only provisioned IPv4 DNS servers did have a full outage.
If Microsoft would get off their incompetent assets already, my biggest concern would've been remembering the mDNS hostname I've assigned to my router so I could log in and see if IPv4 is back already.
kalleboo · 2h ago
There's certainly a long tail of IPv4, but the last time IPv4 broke at home, my wife didn't even notice since Google, Facebook, Apple/iCloud, and most CloudFlare-hosted properties all still worked over IPv6.
danappelxx · 3h ago
Mirrors my experience. IPv6 issues are frustratingly hard to triage and reproduce, lots of “works on my machine” etc.
jeroenhd · 1h ago
I think it's because of all of those transition mechanisms and fallback code added over the years. IPv6 fails the same way IPv4 does, but because of the terrible bullshit ISPs do to IPv6 connections, you end up with tons of software triggering obscure timeouts and fallback mechanisms that lead to a system of almost working networking code.
If the absence of IPv6 would've been treated the same way absence of IPv4 is, troubleshooting would've become a lot clearer. In fact, it probably would've been easier because ISPs can't just ignore and disable ICMP on IPv6 so you can actually get a hunch where in the network the problem is rather than seeing traffic vanish into the void.
pumplekin · 3h ago
If you ever need a quick hack to get v4 connectivity over a true v6 only setup, you can use a public DNS64+NAT64 Gateway. You can find a list at https://nat64.net/public-providers. So for most regular use, all you are doing is changing DNS servers.
This is the combo.
** 1. DNS64
Synthesis of AAAA DNS records for things that don't have them to a NAT64 box.
    $ dig +short @2a00:1098:2c::1 AAAA github.com
    2a01:4f8:c2c:123f:64:5:141a:9cd7
** 2. NAT64.
Will take this traffic that's been sent to it because of DNS64 and protocol translate + NAT it for you.
And you can connect directly to ipv4 addr via WARP.
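Added example (not part of the comment above, and not any provider's code): a Python sketch of the RFC 6052 address mapping that DNS64 and NAT64 share, with a check that a synthesized AAAA still embeds an IPv4 address you got from a resolver you trust. The /96 prefix is an assumption read off the dig output above; the trusted A record and the extra AAAA answers are constructed sample data.

```python
import ipaddress
from typing import Optional

# RFC 6052 section 2.2: byte offsets of the four IPv4 octets for each allowed
# prefix length. Octet 8 (bits 64..71, the "u" octet) is reserved and must be
# zero, so prefixes shorter than /96 split the IPv4 address around it.
_V4_OCTET_POSITIONS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def _positions(net: ipaddress.IPv6Network):
    if net.prefixlen not in _V4_OCTET_POSITIONS:
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    return _V4_OCTET_POSITIONS[net.prefixlen]


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """What a DNS64 resolver does: embed an IPv4 address in the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    if raw[8] != 0:
        raise ValueError("bits 64..71 of the prefix must be zero")
    for pos, octet in zip(_positions(net), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix: str, addr: str) -> Optional[ipaddress.IPv4Address]:
    """What the NAT64 box does: recover the IPv4 destination, or None if the
    address is not inside the NAT64 prefix (i.e. it is a native AAAA)."""
    net = ipaddress.IPv6Network(prefix)
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in net or ip6.packed[8] != 0:
        return None
    return ipaddress.IPv4Address(bytes(ip6.packed[p] for p in _positions(net)))


def audit_answers(prefix, aaaa_answers, trusted_a_records):
    """Compare AAAA answers from a DNS64 resolver with A records fetched from
    a resolver you trust. A synthesized answer whose embedded IPv4 address is
    not in the trusted set means the resolver is steering you elsewhere."""
    trusted = {ipaddress.IPv4Address(a) for a in trusted_a_records}
    report = {}
    for answer in aaaa_answers:
        v4 = extract(prefix, answer)
        if v4 is None:
            report[answer] = ("native", None)
        elif v4 in trusted:
            report[answer] = ("synthesized-ok", str(v4))
        else:
            report[answer] = ("synthesized-mismatch", str(v4))
    return report


# Assumption: /96 prefix inferred from the AAAA shown in the dig output above.
ASSUMED_PREFIX = "2a01:4f8:c2c:123f:64:5::/96"
PAGE_AAAA = "2a01:4f8:c2c:123f:64:5:141a:9cd7"   # from the dig output above
# Constructed sample data: a trusted A record, a tampered synthesized answer
# (embeds 203.0.113.7 from TEST-NET-3) and a native AAAA (documentation range).
SAMPLE_TRUSTED_A = ["20.26.156.215"]
SAMPLE_AAAA = [PAGE_AAAA, "2a01:4f8:c2c:123f:64:5:cb00:7107", "2001:db8::1"]

if __name__ == "__main__":
    for addr, verdict in audit_answers(
            ASSUMED_PREFIX, SAMPLE_AAAA, SAMPLE_TRUSTED_A).items():
        print(addr, verdict)
```

The same comparison is the reason DNSSEC-validating clients cannot accept synthesized AAAA records as signed data: the record never existed in the zone, so trust rests entirely on the DNS64 operator.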
czbd · 4h ago
So, those mythical IPv6-only internet users actually exist :) That's some great network engineering.
I once needed something like that for the perhaps more common inverse purpose, to work on something IPv6 from within my happy IPv4-only connection. A more limited, but quicker solution given full control of a server - I set up a SOCKS5 proxy, using:
    ssh -D 1080 -N myserver
and set my browser to use it. I think that it could also be set system-wide, but wonder if that might break the original ssh connection, holding it all up :)
avhception · 4h ago
I'm operating a few IPv6-only VPNs at work, for access to internal infrastructure.
The biggest problem so far is that Windows and macOS clients need a v6 DNS server.
Otherwise, they won't even try to resolve v6onlyhost.vpn.example.com.
Because the client may or may not be in a v6-enabled network, I have to run a DNS server inside the VPN and push that to the client, which can lead to all kinds of problems when the VPN disconnects but the Wireguard app for some reason fails to reset the DNS to the original one.
thexa4 · 4h ago
If anyone else runs into this, it's very easy to set up an ssh proxy: ssh -D 8080 user@hostname
Once that connection is set up, point your browser to use localhost:8080 as a socks proxy.
daneel_w · 4h ago
I was just about to offer the same advice. It's a far simpler solution to a temporary problem - and equally, a permanent tool for the times when you want to proxy.
Don't forget that this function needs "AllowTcpForwarding" to be enabled in your sshd_config.
czbd · 3h ago
And I just managed to offer the same advice, then upon posting discovered I'd been beaten lol.
I'm in the same situation myself. It's quite frustrating, for 2 weeks I have been told that "the ticket is open and the technicians will take a look soon". Not sure if stuff like this has a low priority since IPv6 works and it's not considered a total outage? In Germany there are laws to grant consumers compensation in those cases, but I'll see if this counts soon enough.
One problem with the solution in this blog post is that various endpoints block datacenter IP ranges entirely or make you go through various captcha hoops, but no good way around that. Same for common VPN providers.
Since I wanted to fix this for my entire home network I also had to do this on my router - in those cases it's quite beneficial to have a non-standard device like an Ubiquiti EdgeRouter, not sure how I would have set up all the Wireguard routing and nat rules on something like a FritzBox. The only downside is that the Router isn't powerful enough to handle a lot of connections, so I'll have to switch to IPSec which is supported by hardware offloading.
Tijdreiziger · 32m ago
Not sure about the situation in Germany, but in the Netherlands, if you have your fixed + mobile connection with the same ISP and there’s an outage on the fixed connection, you can ask for free mobile data until the outage is fixed.
Perhaps this would be an option to ask your ISP about.
jeroenhd · 1h ago
Fritzbox actually has some very nice GUI steps for configuring a VPN connection, intended for Fritzbox to Fritzbox connections but any compatible VPN will do. It also allows setting up static IPv4/IPv6 routes (Home Network>Network>Network Settings>Additional settings>IPv4 routes/IPv6 routes).
The biggest problem you'd probably run into is figuring out what kind of IPsec encryption configuration the router expects from the other side (Wireguard should be a lot easier but then you may run into hardware acceleration issues).
If you need to get down to it, you can also make a backup of the Fritzbox config file, edit the dump to manually configure the VPN endpoint, recalculate the checksum (there are tools for that), and re-import the config file. AVM has loads of config not accessible to the user that you can tweak that way, but they make it a bit hard to access so you don't accidentally brick your router.
JimDabell · 4h ago
One thing I appreciate about Apple’s App Store rules is that they require all apps to work on IPv6-only networks. They’ve had that rule in place for many years. It’s a little surprising as a developer the first time you run into it, but I’m glad it’s there as a user.
Gigachad · 4h ago
Is github accessible by v6 as long as you use the app?
xvilka · 3h ago
GitHub doesn't support IPv6 yet[1]. Ridiculous but true.
No, their policy is that you have to use IPv6-capable sockets and APIs, not that the remote endpoints are accessible over IPv6.
Sesse__ · 4h ago
”v6-only” in this context generally means ”with NAT64”, so only kind of.
the_mitsuhiko · 3h ago
Yes, but it does not require your server to have an IPv6 address.
xacky · 1h ago
I have strong opinions about ipv4, especially since I'm forced to use an ipv4 isp. The lack of ipv6 adoption should be considered one of the great failures of tech. Who actually is responsible? Is it router manufacturers writing poor quality firmware, ipv4 advocates in leadership positions at isps, ipv4 address speculators, poor training of network engineers and tech support staff? I think we all need to have a much greater discussion with the internet at large and not just on isolated web posts and subreddits.
For comparison, the internet mostly transitioned off of TLS 1.0 just fine, why can't we do the same for transitioning off ipv4? Maybe AI powered proxies for legacy code perhaps?
crims0n · 38m ago
We have a saying in the industry… IPv6 is an academic solution to an engineering problem. The reality is it’s just too damn complicated to implement and maintain at scale while also retaining compatibility with v4… which is never going to go away because other than the address shortage, there are no problems with it.
arp242 · 11m ago
It's just a lot of work/churn with little to no concrete benefit for many people involved. There is no IPv4 cabal.
Toorkit · 2h ago
Ha, I actually had to do this last year while setting up Arch Linux on my desktop.
I have to use this wifi dongle, but using IWD to connect somehow only gave me an ipv6 IP.
Most of the big sites worked, but trying to click links from a search engine was a 50/50 chance.
Thankfully, the Arch wiki was accessible, so I got it sorted out pretty quickly.
theandrewbailey · 3h ago
A few months ago, one of the Linux distros I used released a kernel update with a bug that killed IPv4 connectivity. I tried to set up some kind of VPN to my basement server to work around that, but it didn't work. I even installed WireGuard, so I wasn't too far off. I gave up and decided to use the older not-buggy kernel.
b0a04gl · 2h ago
An IPv6-only machine still reaches IPv4 sites because the DNS64 upstream is just faking AAAA records, which makes it look like everything is native IPv6. This part of the trick is happening somewhere else, which is not controllable. If DNS64 breaks or stops doing the mapping properly then this might break.
nurettin · 3h ago
Past 10 years I just do ssh -R to the vps and use that as a socks5 proxy. Takes 2 seconds to set up.
sylware · 4h ago
Blockers for switching off IPv4:
- I am using alternative search engines, and it seems most do not provide IPv6 connectivity (when they are not wrecked by big tech gigantic network resources, you know "AI"... how to conveniently DDOS alternatives...)
- github.com: zero ipv6 last time I did check. This is microsoft, do not expect anything good, actually expect the worst, for instance they broke recently noscript/basic (x)html for the issues. Can we still create an account with a noscript/basic (x)html browser and self-hosted emails with IP(v6) literals (mailbox@[ipv6:...])?
- steam? games? Did not check lately. I think many CDNs/game servers or good chunks of them are still IPv4 only.
- many email servers: additionally, many block self-hosted email servers (often due to the usage of clumsy and inappropriate block lists from spamhaus, a shady company from Switzerland and Andorra), with a DNS (SPF) or ip literals (even if it is much stronger than SPF).
- A lot of network applications do not leverage the power of IPv6: for instance for the client-server applications (web for instance), a client-server session should be using a randomly generated IPv6 address, if the ISP provides a not too big prefix. Mobile internet IPv6 ISPs seem to provide random IPv6/128 addresses (in their prefixes), but should provide a stable prefix (probably 96 bits) in order to let the terminal applications choose "fixed" ipv6 addresses for direct audio/video calls (no central and online name resolution required). A new user-level OS service is required for user application IPv6 address coordination (beware of brain damaged complexity which some vendors and developers will force upon users and app devs for lock-in).
jcgl · 1h ago
Everything was going just fine with v6-only in my mini homelab...until I needed GitHub for something or other. And thus I set up NAT64+NAT64. It felt like a real shame to have to do that just for GitHub. I would've needed to eventually for my mail server anyway, but this was a super lame reason to need NAT64 sooner rather than later.
This is one of the (imo several) downsides of people using GitHub as a software distribution mechanism.
miyuru · 2h ago
> I think many CDNs/game servers or good chunks of them are still IPv4 only.
I have created a DNS proxy for this problem, it will add the correct AAAA records on such domains.
It mostly matches domains of CDNs at the DNS level.
It should be really called a DNS proxy.
jeroenhd · 55m ago
I don't think moving off IPv4 is on anyone's radar yet, unless you're buying VPS services that often come with a discount when you run on IPv6 only. In practice, you'll probably always have IPv4 connectivity of some sort, even though it's probably going to become more and more likely that that connectivity is attained through CGNAT.
Github is especially infuriating. For a few weeks, they ran a test, everything seemed to work great, and then they reverted to IPv4-only again.
Email servers live a decade or two in the past anyway. Disabling SSL 3.0 or TLS 1.0 support on email servers is still something you can't do without risking email deliverability problems. Microsoft Outlook's support and spam filters don't even seem to be aware of IPv6 capable mail servers (despite their headers showing they've been using IPv6 internally for ages).
I do wish IPv6 would be leveraged more, but the fear that maybe things work slightly less well for a minority of customers seems to be freezing every attempt at actually making use of the tech.
The reason you may be seeing weird IP behaviour from mobile carriers probably has to do with the way IP on mobile networks works, though. If you're on a call driving down a highway or sitting in a high-speed train, your phone will be doing handovers over and over again, and your IP address needs some form of stability. You may even cross a border and switch to a foreign network and the entire stack is supposed to maintain a seamless connection. There are special routing systems set up within cellular networks (some of which make excellent use of IPv6 features) that will make it very difficult to provide "normal" static GUAs to cell phones. Things are made as normal as possible, but it's not as easy to accomplish that kind of stability as you would with a fixed-line home internet connection.
encom · 2h ago
> spamhaus
Oh boy Spamhaus. I had to deal with them a few months back. For some reason, my VPS had ended up with its IPv6 addr. on the Spamhaus block list. I have no idea how it happened, the machine runs nothing with the capability to send email, and as far as I know, Digital Ocean even blocks SMTP, so it would be literally impossible for this machine to send any email. Spamhaus was not at all helpful in getting this resolved (and neither was DO for that matter).
sylware · 2h ago
Spamhaus is a shady company from Switzerland and Andorra, VERY SHADY (I suspect blackmail).
Digital Ocean? I had to block all of Digital Ocean because scanners and script kiddies from there were zillions to scan/attack my email server.
hashworks · 3h ago
I can confirm that Steam requires IPv4. Also some games that require authentication to play do too.
sylware · 2h ago
I think microsoft(github.com)/steam are the main dominant corpos dragging the world backward, well from an IPv6 point of view. I thought steam now had IPv6 addresses.
Don't forget IPv4 is favoring hardcore centralized online services.
allyourdatas · 1h ago
Why would I ever need IPv6 at home or in my office? Explain to me logically why I need it in my house or in my office?
I do not care about using up the last internet address because that is akin to the 'think of the children' crap used to justify things on an emotional level in order to manipulate people.
There's no way I'll exhaust the private address spaces and I do not see NAT as a negative.
I do not want my fridge or toaster on the internet. I do not want my phone always on the internet. Nor do I carry a smart phone or use WiFi as everything in my house is hard-wired.
So it seems like all I would ever need is a 4-to-6 gateway solution of some sort. Devices in my house or office will not ever really need IPv6 or a 'dual-stack' and all that extra complexity is a waste of time... what problem is it supposed to be solving exactly?
* https://tunnelbroker.net
* https://ipv6.he.net
There are scripts available to bring up a tun device on your system (or router) and route traffic over it:
* https://fedoraproject.org/wiki/IPv6_tunnel_via_Hurricane_Ele...
* https://brandonrozek.com/blog/obtaining-ipv6-address-hurrica...
* https://wiki.dd-wrt.com/wiki/index.php/IPv6_setup_Hurricane_...
* https://forum.mikrotik.com/t/auto-update-script-for-hurrican...
* https://docs.rockylinux.org/guides/network/hurricane_electri...
$ curl --resolve github.com:443:[2a01:4f8:c2c:123f:64:5:141a:9cd7] https://github.com/
<loads github>
This simple solution versus the article reminds me of McIlroy and Knuth: https://news.ycombinator.com/item?id=35915169
[1] https://github.com/orgs/community/discussions/10539
https://gitlab.com/miyurusankalpa/IPv6-dns-server