#1 2018-02-28 10:02:15

egeus
Member
Registered: 2016-04-26
Posts: 6

[Solved] Accessing a server with an IPv6-only address from an IPv4 network

Hello everybody!
For educational purposes I have a server at home, where different software is hosted for my students (nextcloud, mediawiki, different blogs). It is a proxmox host with different Arch instances. My ISP is giving me an (almost) static IPv6 /64 net only. I have no public IPv4 address - I had to share it with thousands of other people. So every virtual machine has a static IPv6 address and an AAAA record on the domain, and everything is working fine unless you are in a network which does not support IPv6 - and that is exactly my problem.

Users in IPv4-only networks can't reach the services. Many telephone providers (or sub-providers, or sub-sub...-providers) don't support IPv6 on UMTS or HSDPA connections in Germany. I had to find a solution for a problem which would not exist if those providers had read the IPv6 specifications a single time since 1998...

One solution is to use one of those portmapper services. But in that case I only get a single port, so I had to go to https://domain.tld:12345 - which doesn't seem professional, and no user could remember different ports for different services (and the user has to find out if he is in an IPv4-only network). Not nice!

I thought I could rent a small virtual server with a static IPv4 address, add an A record to every domain pointing to that virtual IPv4 server, and install something like Apache to "catch" from which domain the call is coming and use

ProxyPass "/" "https://IPv6-Adress of the home server"
ProxyPassReverse "/" "https://IPv6-Adress of the home server"

But this gives me a loooot of problems: The connection between client and IPv4 server should be secured. On every single IPv6 host a certificate for HTTPS (Letsencrypt) is installed. I had to copy those certificates to the IPv4 server every time they are newly generated. Furthermore the connection between IPv4 server and IPv6 server should be secured too - but the certificate is not valid for an IP address.

Does anybody have a better idea to solve my problem? Are my thoughts going the right way (or is it the best way)?
If you have read to this sentence - THANK YOU!

Greetings,
Chris

Last edited by egeus (2018-03-26 15:01:05)

#2 2018-02-28 15:27:26

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

My first suggestion would be to run Squid on your rented VM and reverse proxy in IPv6 mode back to your server.
Or Pound


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

#3 2018-02-28 15:39:11

progandy
Member
Registered: 2012-05-17
Posts: 5,184

You can probably also try snip or sniproxy. That way you don't have to put SSL keys on your v4/v6 bridge.
https://tnc16.geant.org/getfile/2674
https://github.com/jornane/node-snip
https://github.com/dlundquist/sniproxy

Edit: With more work you can maybe even translate all incoming IPv4 addresses to a specific IPv6 address in a custom /96 subnet, so that your servers still get unique IPs for all clients. (I'm not completely sure, maybe you'd need kernel support to specify a source address when connecting?)
https://idea.popcount.org/2014-04-03-bi … e-connect/
https://blog.apnic.net/2016/09/14/binding-ipv6-subnet/

Last edited by progandy (2018-02-28 16:14:08)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#4 2018-03-26 14:20:01

egeus
Member
Registered: 2016-04-26
Posts: 6

Hello and thank you two for your nice solutions. The nice thing about a proxy like squid or pound is that it is really simple to configure - but the problem is that I have to put the SSL keys on that machine too. I decided to use SNI proxy, which does not need the SSL key:
You can install it from the AUR. The next step is to edit the config file in /etc/sniproxy.conf:

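# run as this unprivileged user
user nobody
pidfile /run/sniproxy/sniproxy.pid

error_log {
    filename /tmp/sniproxy_error.log
    priority notice
}

# look up backend names, trying AAAA records first so the proxy connects over IPv6
resolver {
    nameserver 9.9.9.9
    mode ipv6_first
}

# accept TLS on all IPv4 addresses and route on the SNI name; no key or certificate is needed here
listen 0.0.0.0:443 {
    proto tls
    access_log {
        filename /tmp/sniproxy_access.log
        priority debug
    }
}

# pattern, then backend; "*" means connect to the name the client asked for
table {
    mydomain.tld *:443
}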

You can set up a table for different domains, using some wildcards and so on, and then just start/enable sniproxy via systemctl.
Furthermore you need to set up the A record pointing to your IPv4 machine with SNI Proxy on it and an AAAA record pointing to your IPv6-only machine. It is working really well in my tests.

Thank you for this awesome solution!

The next problem is that tools like fail2ban always see the IP of my proxy VM, which will get banned... Your last solution (that binding IPv6 stuff) looks to be a nice add-on, but I am not sure how it works.

Last edited by egeus (2018-03-26 15:01:59)

#5 2018-03-26 14:56:56

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Good for you. I'm not sure how to use an ipv6 subnet either.

I think you have to patch sniproxy as well, somewhere in the "initiate_server_connect" function I guess. That IP_TRANSPARENT section seems to be similar to what we want, but I'm not sure how the kernel does the address translation here. Maybe you don't need to patch, and setting the transparent option and an ip6tables SNPT/DNPT from ::ffff:0:0/96 (rfc5156) to your subnet might work? I can't help you further, I have no experience with IPv6 NAT.
https://github.com/dlundquist/sniproxy/ … ion.c#L608

Last edited by progandy (2018-03-26 15:04:14)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#6 2018-03-26 14:59:55

egeus
Member
Registered: 2016-04-26
Posts: 6

Thank you! I have no NAT-IPv6 experience either. But now I will mark this thread as solved, because the goal (accessing IPv6 from v4 network) is done! Thank you for your help.

#7 2018-03-26 15:06:13

progandy
Member
Registered: 2012-05-17
Posts: 5,184

iptables seems to be able to do prefix translation with SNPT and DNPT, maybe that will help.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
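
The address arithmetic behind the /96 idea raised in this thread, as an added example that is not part of any post: each IPv4 client maps to one IPv6 address, and a log consumer such as a ban tool can map it back to the real client. The prefix `2001:db8:64::/96`, the log lines and the function names are constructed; the proxy-side source binding or prefix translation the posters were unsure about is not shown.

```python
import ipaddress
import re
from collections import Counter

# Constructed /96 from the documentation range; a real setup would carve it
# out of the /64 routed to the home network.
PREFIX = ipaddress.ip_network("2001:db8:64::/96")

def embed(v4: str) -> str:
    """Place the 32-bit IPv4 client address in the low 32 bits of PREFIX."""
    low = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(PREFIX.network_address) | low))

def client_key(addr: str) -> str:
    """Map an address seen by the backend back to the real client."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in PREFIX:
        return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
    return str(ip)                       # native IPv6 client, keep as is

# Constructed backend access-log lines (common log format).
SAMPLE_LOG = [
    '2001:db8:64::c633:6417 - - [26/Mar/2018:14:20:01 +0200] "POST /login HTTP/1.1" 401 512',
    '2001:db8:64::c633:6417 - - [26/Mar/2018:14:20:03 +0200] "POST /login HTTP/1.1" 401 512',
    '2001:db8:64::cb00:7109 - - [26/Mar/2018:14:20:04 +0200] "GET / HTTP/1.1" 200 2048',
    '2001:db8:1::5 - - [26/Mar/2018:14:20:05 +0200] "POST /login HTTP/1.1" 401 512',
]

def offenders(lines, threshold):
    """Count HTTP 401 responses per real client; return those >= threshold."""
    hits = Counter()
    for line in lines:
        m = re.match(r'(\S+) .*" (\d{3}) ', line)
        if m and m.group(2) == "401":
            hits[client_key(m.group(1))] += 1
    return {c: n for c, n in hits.items() if n >= threshold}
```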

#8 2018-05-30 10:54:49

egeus
Member
Registered: 2016-04-26
Posts: 6

Just want to inform you about the current status: The server has been running in production now for two months without any problems. Furthermore you can use some wildcard stuff so that you don't have to set up every subdomain.
