Hosting An IPv6 Reachable Server At Home – The Summary

Over the past years but particularly in recent months I had quite a number of posts on many different aspects of using IPv6, beginning from IPv6 use at home on the PC to using IPv6 on a server at home. With things now neatly in place on both clients and server it’s time for an overview and summary.

The Basics

Back in 2009 (!) I put together a crash course on IPv6 in 4 parts. Have a look here, here, here and here if you need an overview.

Putting Theory Into Practice

In 2009 I was certain that theory would be put into practice pretty soon. I was a bit too optimistic, though: it took until the second part of 2015 before my mobile network operator offered IPv6 and until December 2015 before I also had IPv6 on my DSL line at home. Yes, I was working on IPv6-related things in the meantime, but from an end user point of view it took 5 years to get there.

Be Aware Of IPv6 Leakage

There is one very important thing to be aware of right from the start: once a network is IPv6 enabled, you run the risk of data leakage when using a VPN tunnel. If the VPN tunnel only supports IPv4, and that’s probably 99.9% of VPN tunnels used today, and the DNS server on the other end of the tunnel returns both IPv4 and IPv6 addresses, your applications will bypass the tunnel for all IPv6 destinations. There are several fixes for this issue on the client and also on the server side, and you can find the details in a 3-part mini-series on the topic here, here and here.

Using IPv6 on the Client Side

On the PC and mobile phone, use of IPv6 is pretty simple. All major operating systems support IPv6 today, and if they detect that IPv6 is available in a network they will use the protocol without any manual configuration. In many cases, however, fixed line and mobile network operators are still cautious and don’t activate IPv6 by default. In that case, IPv6 support has to be activated in the Access Point Name (APN) settings of the smartphone. On the fixed line side, IPv6 support has to be activated in the home gateway (DSL, cable router, etc.).

An IPv6 Server at Home

Things get a bit trickier when it comes to making a server in your home network reachable from the Internet via IPv6. Unlike IPv4, IPv6 requires no Network Address Translation (NAT), so in theory a machine is directly reachable from the Internet. In practice, some routers block incoming connection requests from the Internet to global IPv6 addresses in the local network by default for security reasons. It is thus necessary to configure the router to allow incoming connection requests to the server's static IPv6 interface identifier, which is derived from the MAC address of its network interface.

DNS Rebinding Attack Protection

In addition, some routers protect against DNS rebinding attacks by not returning local IP addresses in DNS responses. As a consequence, a server in the local network with a public IPv6 address cannot be reached by its domain name from inside the local network. This can be fixed by declaring an exception in the DNS rebinding protection feature of the DSL/cable router.

Static vs. Dynamic IPv6 Prefixes and Privacy Extensions

In practice, some network operators assign a static IPv6 prefix to a customer line. This is not ideal for privacy but helps a lot from a server configuration point of view, as the DNS entry can be static and does not have to be dynamically updated. If the IPv6 prefix is dynamic, i.e. it changes after rebooting the router, a dynamic DNS provider has to be found that offers 1-minute Time To Live (TTL) intervals not only for IPv4 but also for IPv6. In addition, the dynamic DNS provider has to offer an API to change not only the IPv4 address but also the IPv6 address on the fly. It turns out that not many support both features and it took me some time to find a solution.

Once a suitable dynamic DNS provider is found, one needs a way to detect that the prefix has changed, and a DNS update has to be triggered from the server. In my case this was somewhat more complicated because I had the IPv6 privacy feature turned on that regularly assigns new IPv6 interface identifiers. This can of course be turned off, but since in my case the IPv6 prefix changes as well once a day, I adapted an IPv6 dynamic DNS update script I found on the web to find the static interface identifier and disregard all ephemeral identifiers in the Ethernet interface IPv6 address list.
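
One way to implement the selection described above, as an added example (it is not the script the author adapted). It assumes Linux `ip -6 addr show` output and a MAC-derived (modified EUI-64) interface identifier; the function names, sample output, MAC address and IPv6 addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (2001:db8::/32 is the
# documentation prefix). It holds a privacy address, the stable address, and a
# stable address left over from the previous day's prefix.
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5600:9d3e:11a2:aa01:beef/64 scope global temporary dynamic
       valid_lft 7100sec preferred_lft 3500sec
    inet6 2001:db8:1234:5600:21e:c9ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 7100sec preferred_lft 3500sec
    inet6 2001:db8:aaaa:1100:21e:c9ff:fe12:3456/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 3000sec preferred_lft 0sec
    inet6 fe80::21e:c9ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""
SAMPLE_MAC = "00:1e:c9:12:34:56"  # constructed MAC address

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def stable_global_address(ip_output, mac):
    """Return the usable global address whose low 64 bits are MAC-derived."""
    wanted = eui64_interface_id(mac)
    for m in re.finditer(r"inet6 ([0-9a-f:]+)/\d+ scope global([^\n]*)", ip_output):
        flags = m.group(2).split()
        if "temporary" in flags or "deprecated" in flags:
            continue  # privacy address, or address from an expired prefix
        addr = ipaddress.IPv6Address(m.group(1))
        if int(addr) & 0xFFFFFFFFFFFFFFFF == wanted:
            return addr
    return None

def dns_update_target(ip_output, mac, published_aaaa):
    """Return the address to publish, or None if the AAAA record is current."""
    current = stable_global_address(ip_output, mac)
    if current is None or current == ipaddress.IPv6Address(published_aaaa):
        return None
    return str(current)

if __name__ == "__main__":
    print(dns_update_target(SAMPLE_IP_OUTPUT, SAMPLE_MAC, "2001:db8:aaaa:1100:21e:c9ff:fe12:3456"))
```

Skipping `deprecated` entries matters after a prefix change, because the address from the old prefix can stay on the interface until its lifetime runs out.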

There we go, these are all the steps required for hosting a server at home and making it accessible via IPv6. Not quite as straightforward as I hoped but not impossible to put into place, either.