2011-03-27: Tunneling IPv6 over IPv4 using SixXS on Win7 x64

Posted at 2011-03-27 21:26:05 by SHD
Note: SixXS shut down on 2017-06-06. This blog post is left for archival purposes.

It's been a long time coming, and now the IPv4 address pool has been exhausted. Still it doesn't seem like world is scrambling to switch over to IPv6 (it doesn't even seem like they're preparing for it, even though they ought to be ready). My provider hasn't even given any information about their plans for implementing IPv6. This makes it difficult to see if my own network or any of the stuff I make will handle IPv6. Fortunately, there are services that allow you to experiment with IPv6 by tunneling it through IPv4. SixXS is one such service, but setting up a tunnels, especially on Windows 7 (64 bit) is a bit more involved than you might think from the documentation or the 10 step guide and there's a few things that are unclear or downright missing. Here's my step-by-step walkthrough.

Network
AMS IX @ EU Networks photograph © 2008 by mattdork

Step 1: Create an account

To get started, you first need to create an account. As an end user, you're not likely to have a NIC handle, so you have to go through the signup process to get an -SIXXS handle. Be sure to give a valid reason for signing up. Mine was similar to the first paragraph of this blog post. After a few moments, you should get an e-mail to verify your e-mail address. After you have verified, it may take a few hours or even a few days while an actual person reviews your application. For me, it took about 7 hours. This is not something you will be able to do when you have half an hour of spare time.

Step 2: Request a tunnel

After your account has been approved and you have received your handle, you will need to request a tunnel. There are three kinds of tunnels. Since you are more than likely behind a NAT-ing router if you have broadband at home, there's only really one protocol that you can use: AYIYA (which is a weird kind of palindromic acronym for "anything in anything"), so request one of these. You'll need to ping a few of the selected PoPs and select the one that gives you the best performance. If they perform equally well, just select the one that is glosest to you geographically. Like the request for the handle, it will take a while for the request to be approved. In my case, this was about 10 hours. After it is done, though, all that remains is setting up your own system.

Step 3: Installing the tunnel drivers

The tunnels provided by SixXS require a Tap32 driver, which they have for download, but this will not work properly on 64-bit Windows, as it requires signed drivers. So this is where things start to get ugly. Note that this isn't the kind of stuff you'd have to deal with when working with IPv6 natively, only when using the SixXS tunnels.

Instead of the regular Tap32 drivers, you will need to download OpenVPN (at the moment, the latest stable version is 2.1.4, the Windows installer for which is available from the OpenVPN Community Project downloads page. When installing, you can (and probably should) deselect all options except the "TAP Virtual Ethernet Adapter".

Step 4: Setting up the tunnel through the command line tool

SixXS provide an automated tool, AICCU, to set up the tunnel. Unfortunately, the GUI version of this does not work on Windows 7, even though it doesn't throw an error message or give any kind of feedback. The console version of it however, will work just fine, so put this in a place where you can easily access it. Create a text file called "aiccu.conf" (make sure it doesn't become aiccu.conf.txt because of Windows' habit of hiding the file extension). The minimal contents should consist of four lines, with the login details provided in the e-mails you've received from SixXS, in the following formatusername *****-SIXXS
password ********
tunnel_id T*****
automatic true

Then copy this file into the C:\WINDOWS directory. You will probably get a Windows UAC prompt to confirm that you really want to copy the file into the Windows directory. It's a dirty job, but someone's gotta do it. Once this is done, you can enable the tunnel by running the console executable from the command line, followed by the parameter "start" so the command becomes something like aiccu-2008-03-15-windows-console start

When you start this, there will be a few lines of information and possibly a warning about being unable to access a certain registry key, which may be safely ignored.

Step 5: Testing the tunnel

By now, the actual tunnel should be up and running. To test it, a quick first check would be to ping the IPv6 version of the Google homepage, by IP address. From the command prompt, type ping -6 2a00:1450:8001::68 (yes, IPv6 addresses look even uglier than IPv4 ones). If all goes well, you should get a ping response from Google. Next is to see whether there's an appropriate IPv6 DNS lookup working. So let's try it without the IPv6 address, just the hostname: ping -6 ipv6.google.com Everything working? Great, that's fine. We're almost done.

Step 6: Enabling DNS lookup through Teredo tunnels

You might think you're done now, and if you believe the official documentation, it would appear that you are. Unfortunately, however, you will notice that in your web browser, you can open http://[2a00:1450:8001::68] (the square brackets denote that it is an IPv6 address) and get the Google homepage, but going through the friendlier name of http://ipv6.google.com/ won't work. Apparently, although the command line tools have no problem doing their DNS lookup through the tunnel, other programs will fail. This is apparently because Windows refuses to do IPv6 DNS lookups over interface that only have link-local addresses or Teredo addresses (Teredo tunneling is the name of the technology used for providing IPv6 through IPv4).

There are two ways about this. Note: you only need to do one or the other, not both, though that won't hurt. One is to add a dummy IPv6 address to the interface. By using a technique called 6to4 that maps IPv4 addresses to IPv6 ones, you can convert a LAN IPv4 address into a full IPv6 address. As long as it's a LAN address, it's not really all that important what the address is, just as long as it's assigned to the interface. The most commonly used one is 2002:81a8:0102::, which corresponds to the IPv4 address 192.168.1.2 (in hexadecimal: 81.A8.01.02). You can add this address to the interface using the GUI or you can do it using the command line. The command for this would be something like netsh int ipv6 add address "Local Area Connection" 2002:81a8:0102:: which needs to be done from a command prompt with administrator privileges.

Another way is to change the way Windows does DNS lookups by altering a registry setting. If you choose this way, open the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters and create a new DWORD value called AddrConfigControl and leave it at the default value of 0. You can also simply download my premade registry file for convenience.

When you've done this, your browser should accept the common forms of URLs and use IPv6 in preference to IPv4 when available. Go to http://ipv6.google.com/ or the SixXS homepage and there should be a notice there that you're using IPv6.

All done

You may want to set up a shortcut to start the tunnel, possibly even put it in the Windows startup folder so it gets started along with Windows. I haven't done this myself, as I'm using it primarily for testing and hope my provider will be rolling out native IPv6 sooner rather than later. When that happens I won't have a need for the tunnel any longer. Don't feel bad for SixXS, as this is actually their stated goal. In the meantime it allows me to make sure the stuff I've built can be made to work with IPv6. I suggest you do the same. Although IPv6 is still not rolled out to end users in any significant degree, this will change in the near future... it has to, whether the ISPs like it or not.

Comments

No comments, yet...

Post a comment

Note: HTML is not permitted, URLs will be linked automatically. Spam comments will result in a permanent ban.
Type these 4 symbols into the edit field