Project HE-1A: Hurricane Electric Tunnel on AWS (10 pts.)

What You Need

Purpose

Hurricane Electric tunnels are often the best way to get IPv6 for professional use, since most ISPs don't yet offer native IPv6. They offer low latency and high bandwidth, and they are reliable and free.

Adjusting AWS Security Groups

Note: If you are using an Amazon Web Services (AWS) machine, you will see a private address starting with 10. You can still connect, but you need to find your public address and allow pings through the firewall, as explained below.

In a Web browser, go to http://aws.amazon.com/

On the upper right, click My Account/Console, as shown below:

Log in if you are prompted to.

In the next page, click EC2.

In the next page, on the left side, click Instances, as shown below:

In the "My Instances" page, in the top pane, click the box to select your Ubuntu instance, as shown below:

In the lower pane, note the Security Group (mine was quick-start-1).

Adjusting the Firewall Rules

In the left pane, click "Security Groups".

In the top pane, click the check box next to the relevant Security Group. In the lower pane, click the Inbound tab.

Click the "Create a new rule" drop-down list box and select "All ICMP", as shown below:

Click the "Add Rule" button.

Click the "Apply Rule Changes" button.

Getting an Elastic IP

On the left side, click "Elastic IPs".

Click the "Allocate New Address" button.

In the next box, click the "Yes, Allocate" button.

In the next screen, click the "Associate Address" button.

In the "Associate Address" box, select your Ubuntu instance. Click the "Yes, Associate" button.

The IP address appears, associated with your Ubuntu machine, as shown below:

On your own computer, ping your elastic IP. You should see replies, as shown below:

Registering for a HE Tunnel

In a Web browser, go to

http://tunnelbroker.net/

On the left side, click Register. Fill in the form, get your email, and log in.

Once you are logged in, you will see a page like the image below:

On the left side, click "Account Info" and change the password to something you won't forget.

Creating a Tunnel

On the left side of the Tunnelbroker page, click "Create Regular Tunnel".

Enter your server's IP address into the "IPv4 Endpoint (Your side)" field and press Enter.

Below your IP address, in red letters, the name of the Hurricane Electric location closest to your server appears.

My server is apparently near Los Angeles, as shown below:

Scroll down to the bottom of the page. The recommended Hurricane Electric location should already be pre-selected. Click the "Create Tunnel" button.

Your tunnel information appears, as shown below:

You need all these numbers to configure your server. Here's a brief explanation of the most important items:

Configuring the Tunnel on Your Server

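Unfortunately, the configuration commands Hurricane Electric provides won't work on an Amazon Web Services machine because of the limitations of Amazon's networking: the server's own interface has only a private address, so the tunnel must use that private address as its local endpoint.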

I am following the process explained here.

Finding the Local IP Address

The first script required finds the local private dynamic IP address Amazon assigns the server.

On your server, execute this command:

sudo nano /usr/local/bin/checkipeth0

Paste the commands below into the nano window:

#!/usr/bin/perl
# Print the IPv4 address currently assigned to eth0, without the /prefix length.
$check=`ip addr show dev eth0|grep "inet "|awk '{print \$2}'|awk -F/ '{print \$1}'`;
print $check;

Press Ctrl+X, Y, Enter to save the file.

On your server, execute these commands:

sudo chmod +x /usr/local/bin/checkipeth0

/usr/local/bin/checkipeth0

You should see your local IP address, as shown below:

Creating the Tunnel Interface

This code creates a virtual tunnel interface every time your server starts up.

On your server, execute this command:

sudo nano /etc/network/interfaces

Move the cursor to the bottom of the file and paste in the code below, replacing the $CLIENT_IPV6 and $SERVER_IPV4 placeholders with the actual values for your Hurricane Electric tunnel (omitting the /64 from the $CLIENT_IPV6):

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
  address $CLIENT_IPV6
  netmask 64
  endpoint $SERVER_IPV4
  local `/usr/local/bin/checkipeth0`
  up ip -6 route add default dev he-ipv6
  down ip -6 route del default dev he-ipv6

Press Ctrl+X, Y, Enter to save the file.

On your server, execute these commands:

sudo ifup he-ipv6

ifconfig he-ipv6

ping6 -c 4 google.com

You should see a public IPv6 address on your interface, and replies to the pings, as shown below:

Troubleshooting

If you do something wrong, and make a non-functional he-ipv6 interface, you need to delete it before you can try again. Otherwise you will see this error:

add tunnel sit0 failed: No buffer space available

If that happens, delete the old interface with this command:

sudo ip tun del he-ipv6

Assigning a Static IPv6 Address to eth0

When you configured your Hurricane Electric tunnel setup, you were given a "Routed /64". When I did it, I got 2001:470:1f05:80b::/64.

Remove the "/64" from the end, and append a 1 to get the first routed address:

2001:470:1f05:80b::1

To configure that address, on your server, execute this command:

sudo nano /etc/network/interfaces

Find the "auto eth0" section, and add these lines to it, using your own routed address, not mine:

iface eth0 inet6 static
  address 2001:470:1f05:80b::1
  netmask 64

Your file should look like the image below:

Press Ctrl+X, Y, Enter to save the file.

To make the change take effect, on your server, execute these commands:

sudo /etc/init.d/networking restart

ifconfig eth0

You should see your IPv6 address on the interface, as shown below:

Keeping the Tunnel Up

Your tunnel will close if there isn't any traffic, so these "keepalive" pings are needed. This cron job will send three pings through the tunnel every two minutes.

On your server, execute this command:

sudo nano /etc/cron.d/he-ipv6

Enter this line, replacing the $SERVER_IPV6 placeholder with the correct Server IPv6 from your Hurricane Electric tunnel configuration (without the "/64"):

*/2 * * * *    nobody  ping6 -c 3 -n -q $SERVER_IPV6 > /dev/null

Press Ctrl+X, Y, Enter to save the file.
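
The three fragments above (the he-ipv6 stanza, the eth0 static address and the cron line) can be generated and sanity-checked before anything is pasted, which avoids the leftover "/64" or placeholder that produces a broken he-ipv6 interface. This is an added example, not part of the original project; the function names are hypothetical and the addresses in the final call are constructed documentation values.

```shell
#!/bin/sh
# Added example (not from the original page); the sample values are constructed.
# Drop a trailing prefix length: 2001:db8:a::2/64 -> 2001:db8:a::2
strip_len() { printf '%s\n' "${1%/*}"; }

# True for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# Loose IPv6 check: hex digits and colons only; rejects $PLACEHOLDER or /64.
is_ipv6() {
  case $1 in ''|*[!0-9A-Fa-f:]*) return 1 ;; *:*:*) return 0 ;; esac
  return 1
}

# First address of the routed /64: 2001:db8:b::/64 -> 2001:db8:b::1
first_routed() {
  net=$(strip_len "$1")
  case $net in *::) printf '%s1\n' "$net" ;; *) return 1 ;; esac
}

# Usage: render CLIENT_IPV6 SERVER_IPV4 SERVER_IPV6 ROUTED_64
render() {
  client=$(strip_len "$1"); server6=$(strip_len "$3")
  is_ipv6 "$client" && is_ipv4 "$2" && is_ipv6 "$server6" &&
    routed=$(first_routed "$4") || { echo "bad tunnel value" >&2; return 1; }
  cat <<EOF
# --- append to /etc/network/interfaces ---
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
  address $client
  netmask 64
  endpoint $2
  local \`/usr/local/bin/checkipeth0\`
  up ip -6 route add default dev he-ipv6
  down ip -6 route del default dev he-ipv6
# --- add under the "auto eth0" section ---
iface eth0 inet6 static
  address $routed
  netmask 64
# --- /etc/cron.d/he-ipv6 ---
*/2 * * * *    nobody  ping6 -c 3 -n -q $server6 > /dev/null
EOF
}

render 2001:db8:a::2/64 192.0.2.1 2001:db8:a::1/64 2001:db8:b::/64
```

The values can be passed exactly as the tunnel page shows them, with or without the "/64".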

Testing your Tunnel with tcpdump

On your server, execute this command:

sudo tcpdump -vv -i he-ipv6 ip6

This listens for IPv6 traffic on your he-ipv6 interface.

Now wait two minutes. You should see three "echo request" packets and three "echo reply" packets, as shown below:
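
The same check can be made on saved tcpdump text instead of by eye. This is an added example, not part of the original project: the function names are hypothetical, the sample capture is constructed with documentation addresses, and it assumes tcpdump prints each packet on one line containing "ICMP6, echo request" or "ICMP6, echo reply" and a "seq N" field.

```shell
#!/bin/sh
# Added example (not from the original page): summarize the keepalive pings
# in text output from `tcpdump -vv -i he-ipv6 ip6`.

# Reads tcpdump text on stdin, prints "<requests> <replies> <unanswered>".
# A request is answered when a later reply carries the same seq number.
echo_summary() {
  awk '
    /ICMP6, echo request/ { req++
      if (match($0, /seq [0-9]+/)) pend[substr($0, RSTART, RLENGTH)] = 1 }
    /ICMP6, echo reply/ { rep++
      if (match($0, /seq [0-9]+/)) delete pend[substr($0, RSTART, RLENGTH)] }
    END { n = 0; for (k in pend) n++; printf "%d %d %d\n", req, rep, n }'
}

# Succeeds when stdin shows at least one full keepalive cycle (3 requests)
# and every request got its reply.
tunnel_ok() {
  set -- $(echo_summary)
  [ "$1" -ge 3 ] && [ "$1" -eq "$2" ] && [ "$3" -eq 0 ]
}

# Constructed sample capture (documentation addresses, not real output).
SAMPLE='12:02:01.101 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::2 > 2001:db8:a::1: [icmp6 sum ok] ICMP6, echo request, seq 1
12:02:01.119 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::1 > 2001:db8:a::2: [icmp6 sum ok] ICMP6, echo reply, seq 1
12:02:02.102 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::2 > 2001:db8:a::1: [icmp6 sum ok] ICMP6, echo request, seq 2
12:02:02.120 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::1 > 2001:db8:a::2: [icmp6 sum ok] ICMP6, echo reply, seq 2
12:02:03.103 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::2 > 2001:db8:a::1: [icmp6 sum ok] ICMP6, echo request, seq 3
12:02:03.121 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:a::1 > 2001:db8:a::2: [icmp6 sum ok] ICMP6, echo reply, seq 3'

printf '%s\n' "$SAMPLE" | echo_summary
```

Requests with no matching replies mean the pings are leaving the server but nothing is coming back through the tunnel.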

Saving the Screen Image

Make sure you see three "echo request" packets and three "echo reply" packets, as shown in the image above on this page.

Save a screen image with the filename Proj HE-1A from Your Name.

Turning in Your Project

Email the image(s) to cnit.60@gmail.com with a Subject line of Proj HE-1A from Your Name.

Sources

http://blog.iphoting.com/blog/2012/06/02/ipv6-on-amazon-aws-ec2

http://askubuntu.com/questions/109709/hurricane-ipv6-buffer-space-error

http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x811.html


Last modified 1 pm 10-14-2012