
TunnelBroker.ch | Free (BGP) IPv4 and IPv6 Tunnels and IPv6 Prefixes | Securebit AG

securebit Member, Provider

Dear LowEndTalk Users

Tunnelbroker.ch is a free tunnel broker service, which allows you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6-enabled host or router to one of our IPv6 routers.

We provide free IPv6 Tunnels and Prefixes with RPKI (ROA):

IPv6 Prefix (from /48 to /44) ($0.00/mo) - Details

• /44 to /48 IPv6 Prefixes
• Assigned to your ORG Object
• Authorization for your Maintainer Object
• RPKI Support
• RIPE Sub-Allocation
• Set own Geolocation
• Sub-Allocation from 2a0e:b107::/32

Tunnels (SIT or GRE) ($0.00/mo) - Details

• IPv4 BGP Session (optional)
• IPv6 BGP Session
• Automatic Prefix Filtering
• SIT (for IPv6) and GRE (DualStack)
• /64 Allocation for every Tunnel
• Locations: Zurich, Dusseldorf, London and Sandefjord

Securebit AG provides virtual servers, Colocation, Internet Resources (ASN, IPv4, IPv6) and other Solutions in data centers in Europe (Zurich, Frankfurt, Dusseldorf and London).

Our services are based on latest HPE and DELL servers, offering outstanding performance and reliability. We also operate our own fully redundant network across multiple data centers.

Securebit AG was founded in 2018 and has more than 14 years of experience in the field of networks, virtualization and internet services.

Find out more about Securebit AG and our offers:

Thanked by 3truweb abysscong Bertie

Securebit AG is an ISP in Switzerland providing VPS and Colocation with Internet Exchange connection to 4IXP, SBIX, DE-CIX, etc. (www.securebit.ch). We also provide a free Tunnelbroker.ch Service with BGP Dual Stack.


Comments

  • psb777 Member

    I've been using it for months. It's worth mentioning that it works with Cloudflare, unlike Hurricane Electric, which blocks CF on free tunnels. It is great but sadly only has servers in western Europe.

  • jam Member

    502 Bad Gateway

    Ruby, JS Programmer and Linux user

  • rm_ Member

    @securebit website not working:

  • Ganonk Member

    502 bad gateway

    If you can handle it, carry on; if you can't, just go have a coffee

  • securebit Member, Provider

    Thanks for the Information and sorry for that.
    We will check and solve this. Website is working now.

  • davi Member

    Anyone knows using this service or any other free service I can get ipv4 connectivity on ipv6 only VPS

  • yoursunny

    For residential usage, is there a benefit of using this over Hurricane Electric tunnels?

  • psb777 Member

    @yoursunny said:
    For residential usage, is there a benefit of using this over Hurricane Electric tunnels?

    As I said, it works with Cloudflare. So you can host IPv4-accessible websites from a NAT'd network.

  • psb777 Member

    @davi said:
    Anyone knows using this service or any other free service I can get ipv4 connectivity on ipv6 only VPS

    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    Thanked by 1davi
  • rm_ Member

    psb777 said: from a NAT'd network.

    On SIT tunnels you can't, as they only reliably traverse NAT if it's a NAT that you control and can set up a "DMZ" rule on, or (a slim chance) if you are the only user of such tunnel across your entire ISP, and they don't load balance across multiple NAT gateways, and their gateway replies to ping.

    Thanked by 1farsighter
  • klikli Member

    psb777 said: It's worth mentioning that it works with Cloudflare, unlike Hurricane Electric, which blocks CF on free tunnels

    Does HE actively block CloudFlare? I have one of their regular SIT tunnels and CF works flawlessly.

  • psb777 Member

    @rm_ said:

    psb777 said: from a NAT'd network.

    On SIT tunnels you can't, as they only reliably traverse NAT if it's a NAT that you control and can set up a "DMZ" rule on, or (a slim chance) if you are the only user of such tunnel across your entire ISP, and they don't load balance across multiple NAT gateways, and their gateway replies to ping.

    It's true that some ISPs perform NAT to multiple public addresses, and those do not respond to ping. But luckily it works on my ISP, although of course I have to send keep alive packets to keep the stateful firewall happy.

  • psb777 Member

    @klikli said:

    psb777 said: It's worth mentioning that it works with Cloudflare, unlike Hurricane Electric, which blocks CF on free tunnels

    Does HE actively block CloudFlare? I have one of their regular SIT tunnels and CF works flawlessly.

    You can access Cloudflare sites via SIT tunnels, but I (and others) found it impossible to host a Cloudflare-proxied site inside the tunnel.

  • klikli Member

    Ah I see. Yes I agree it's an issue.

  • davi Member

    @psb777 said:

    @davi said:
    Anyone knows using this service or any other free service I can get ipv4 connectivity on ipv6 only VPS

    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    Thanks, this worked for me.

  • vncoupon Member without signature

    You must login with your username and password to access this page.

    What does that mean?

  • securebit Member, Provider

    You have to create an account to access the page.

    Thanked by 1vncoupon

  • yoursunny

    @psb777 said:

    @yoursunny said:
    For residential usage, is there a benefit of using this over Hurricane Electric tunnels?

    As I said, it works with Cloudflare. So you can host IPv4-accessible websites from a NAT'd network.

    Hosting website is not relevant to residential usage.

  • psb777 Member

    @yoursunny said:

    @psb777 said:

    @yoursunny said:
    For residential usage, is there a benefit of using this over Hurricane Electric tunnels?

    As I said, it works with Cloudflare. So you can host IPv4-accessible websites from a NAT'd network.

    Hosting website is not relevant to residential usage.

    Why not? It pertains to the freedom to "publish" contents from your home network. While it might not be very useful, given that LET is a web hosting forum, but it at least keeps your options open, rather than actively blocking the CF network as HE does.

    Thanked by 2rm_ yoursunny
  • Ganonk Member

    what a GCP is allowed tunnel from this?

  • securebit Member, Provider

    @Ganonk said:
    what a GCP is allowed tunnel from this?

    Can you formulate your question more clearly?

  • Ganonk Member

    @securebit said:

    Can you formulate your question more clearly?

    are you on port 41 like as he.net ?

  • securebit Member, Provider

    If you use IPv6 only tunnel, we use SIT Protocol (proto 41) same as HE.
    If you enable IPv4 we configure GRE Protocol (proto 47).

  • abysscong Member, Provider

    Awesome project!

  • securebit Member, Provider

    Thank you, nice to hear :smile:

  • salakis Member

    Too bad that your prefixes are banned on Netflix, else it would have been perfect. Thanks for the great service nevertheless!

  • securebit Member, Provider

    do you know why they are banned? Any Error Message or so?
    Maybe we can find a solution for this :wink:

  • vserversite Member, Provider

    @securebit said:
    do you know why they are banned? Any Error Message or so?
    Maybe we can find a solution for this :wink:

    Normal, the most tunnelbroker are blocked :D

  • securebit Member, Provider

    When they block our Tunnelbroker IPv6 Space, you can try the following:
    get your own ASN and IPv4/IPv6 Space

    Then you can use your own resources also via our tunnelbroker service or with a VPS :smiley:

    Thanked by 1Ganonk

  • Great project!

    @securebit Do you offer an API to update the endpoint IP for tunnels? This would help with DSL connections with dynamic IPs.

  • securebit Member, Provider

    Yes we provide an "API" to update your ip, when you created your tunnel you can switch to the advanced tab and see the username, password and url for updating your endpoint.

    Same way as DynDNS Provider Update the IPv4 Address.

    Thanked by 1brueggus

  • kasperd Member

    @psb777 said:
    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    I am the author of https://nat64.net/ and I also have a service for the other direction http://v4-frontend.netiter.com/

    The v4-frontend website is a bit outdated, but I do keep the service alive and use it for my personal website and email. I should note that the v4-frontend is not as scalable as the NAT64 service. If you have lots of traffic, the v4-frontend isn't for you and you should look into a content distribution network instead such as Cloudflare, Fastly, or Akamai.

    The v4-frontend service only works with TCP based services and only those which send a hostname. It works with:

    • HTTP as long as the client includes a host header (which has been standard for about 20 years)
    • SSL/TLS as long as the client sends an SNI field
    • SMTP (but no encryption as I haven't found a single SMTP client with SNI support)
    • SSH if you are willing to apply a small patch to the client.

    If you know other protocols which could work I'll happily add support for them. The requirements for a protocol to be supported are:

    • It runs over TCP
    • The client sends the hostname over the TCP connection before the server has sent any payload
    • That hostname is contained within the first 1KB of data sent by the client.

    In principle authoritative DNS could be proxied as well, but a DNS proxy according to the same principles as the rest of this v4-frontend service is very complicated. It would be much simpler to just configure a dual-stack DNS slave using standard software such as BIND 9. But that wouldn't work as a zero-registration service. I am not sure if there even is a demand for authoritative DNS on the frontend.

    Thanked by 2brueggus klikli
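
The hostname-based dispatch described in the post above, sketched as an added example (not kasperd's code and not part of the original thread): it pulls the hostname out of at most the first 1 KB a client sends, from an HTTP Host header or a TLS ClientHello SNI extension. The function names, the constructed ClientHello builder and `example.net` are assumptions made for illustration.

```python
MAX_PEEK = 1024  # the post's limit: hostname within the first 1KB from the client


class _Reader:
    """Bounds-checked cursor; raises ValueError when the peeked data runs out."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, n):  # length-prefixed field whose length takes n bytes
        return self.take(self.uint(n))


def _tls_sni(data):
    r = _Reader(data)
    try:
        if r.uint(1) != 0x16:          # TLS record type: handshake
            return None
        r.take(4)                      # record version + record length
        if r.uint(1) != 0x01:          # handshake type: ClientHello
            return None
        r.take(3 + 2 + 32)             # handshake length, client version, random
        r.vec(1), r.vec(2), r.vec(1)   # session id, cipher suites, compression
        r.uint(2)                      # extensions length (may exceed the peek)
        while True:                    # ends by return or by running out of data
            ext_type, body = r.uint(2), r.vec(2)
            if ext_type == 0:          # server_name extension
                names = _Reader(body)
                names.uint(2)          # server_name_list length
                if names.uint(1) != 0:  # name type 0 = host_name
                    return None
                return names.vec(2).decode("ascii").lower()
    except ValueError:                 # truncated or non-ASCII: no usable hostname
        return None


def _http_host(data):
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if not host.startswith("["):        # keep [IPv6] literals whole
                host = host.split(":", 1)[0]    # drop an optional :port
            return host or None
    return None


def extract_hostname(first_bytes):
    """Hostname a front end could dispatch on, or None if the client sent none."""
    data = first_bytes[:MAX_PEEK]
    return _tls_sni(data) if data[:1] == b"\x16" else _http_host(data)


def sample_client_hello(hostname, pad=0, sni_first=True):
    """Constructed, minimal ClientHello with SNI and a padding extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni = b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") \
        + len(entry).to_bytes(2, "big") + entry
    padding = b"\x00\x15" + pad.to_bytes(2, "big") + bytes(pad)
    exts = sni + padding if sni_first else padding + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(exts).to_bytes(2, "big") + exts)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hello).to_bytes(2, "big") + hello


if __name__ == "__main__":
    print(extract_hostname(b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"))
    print(extract_hostname(sample_client_hello("example.net", pad=2000)))
```

A ClientHello larger than 1 KB still resolves as long as the SNI extension itself falls inside the peeked bytes; when a large extension pushes it past that limit, the function returns None, which is the third requirement in the list above.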
  • kasperd Member

    I like the initiative with free tunnels and might give them a try myself. And the BGP part also sounds very interesting. That's something I might soon find useful.

    @securebit said:

    Tunnels (SIT or GRE) ($0.00/mo) - Details

    It sounds like you are not offering any tunnels over UDP based protocols. That unfortunately means that many NAT users won't be able to use those tunnels. There used to be two providers of free IPv6 tunnels over UDP based protocols, but they have both shut down.

    That means at the moment there are users who only have the option of paying for a tunnel through one of the providers who offer IPv6 over a UDP based tunnel.

  • dfroe Member, Provider
    edited April 3

    @kasperd:
    I'd guess most ISPs either provide a public IPv4 address or (hopefully) IPv6. So you can build a tunnel on L4 (e.g. GRE) over IPv4 or IPv6. If your ISP only gives you IPv4 CGNAT and no IPv6 at all, that would be poor.

    Then your best choice might be a VPS with routed IPs or BGP so you can build your own UDP encapsulated tunnel; though like most things in life this doesn't come for free.

    If you don't want to build it on your own, some folks might offer tunnels based on L2TP for instance which is probably one of the simplest and most common UDP tunneling protocols.

    IT Service David Froehlich | Individual network and hosting solutions | AS39083 | RIPE LIR services (IPv4, IPv6, ASN)

  • kasperd Member

    @dfroe said:
    @kasperd:
    I'd guess most ISPs either provide a public IPv4 address or (hopefully) IPv6.

    Unfortunately that's not the case. There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Then your best choice might be a VPS with routed IPs or BGP so you can build your own UDP encapsulated tunnel; though like most things in life this doesn't come for free.

    If you don't want to build it on your own, some folks might offer tunnels based on L2TP for instance which is probably one of the simplest and most common UDP tunneling protocols.

    I don't mind paying a reasonable price for such a product. But I'd also like to know something I can recommend to those who don't want to pay.

    L2TP surely can work through a NAT. It's something I have been using myself. But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established. That's something I'd surely be able to do better if I were to implement my own.

    I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

  • dfroe Member, Provider

    kasperd said: There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Oh, sad to hear that. And I assume they have a monopoly and there is no alternative "proper" ISP to choose from.

    kasperd said: But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established.

    That's probably how it works with most tunneling protocols. At least unless you are having some kind of cryptographic authentication header included in every packet, you do not want to accept packets from another UDP port, especially when CGNAT'ed.

    I think StrongSwan IPSec implementation allows changing IPs on the fly during an established IKE. Which is okay when your packets are encrypted and especially signed in ESP so you can be sure a packet is matching your existing SA if SPI matches and the signature can be validated.

    I used this some time back and it worked pretty well. Of course you have the overhead of IPSec and a more complex protocol stack. But it can give you some advantages.

    kasperd said: I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Well, nearly all providers should be able to assign something like /56 or /48 (as recommended) without any fear of running out of IPv6 space. And some actually do if you ask them kindly. ;)

    kasperd said: Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

    If you want to "think bigger", you can of course get some IPv6 space like a /48 from a LIR of your choice, request an ASN, grab two BGP-capable VPS and start playing - if you know what you're doing of course. :)

    You will be able to learn a lot about routing and how "the internet" works but it will cost you a few bucks a year.

  • kasperd Member

    @dfroe said:

    kasperd said: There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Oh, sad to hear that. And I assume they have a monopoly and there is no alternative "proper" ISP to choose from.

    One particular ISP which fits that description has a monopoly on fiber in some areas. There are competitors with native IPv6 if you go with ADSL or cellular connectivity instead.

    kasperd said: But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established.

    That's probably how it works with most tunneling protocols. At least unless you are having some kind of cryptographic authentication header included in every packet, you do not want to accept packets from another UDP port, especially when CGNAT'ed.

    The necessary level of protection is open for debate. But there's no doubt you are going to need some amount of protection. Accepting packets from the wrong UDP port isn't a huge deal because all that could be abused for is IP spoofing, which the higher layers have to protect against anyway. It's more important that you don't start sending traffic to the wrong UDP port. And if you have sufficient authentication to protect against that kind of hijacking you may as well use it to protect against spoofing too.

    If you want to take it even further you can go full VPN. But an advantage of sticking with just cookies is that for the cookies themselves neither side needs to know what cryptographic algorithms the other side uses.

    I think StrongSwan IPSec implementation allows changing IPs on the fly during an established IKE. Which is okay when your packets are encrypted and especially signed in ESP so you can be sure a packet is matching your existing SA if SPI matches and the signature can be validated.

    I used this some time back and it worked pretty well. Of course you have the overhead of IPSec and a more complex protocol stack. But it can give you some advantages.

    It's been a couple of years since I last worked with IPSec. I do remember that not running over UDP was causing problems. I also do remember that there is a specification for IPSec over UDP with provisions for NAT. I don't know how widely used that is.

    kasperd said: I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Well, nearly all providers should be able to assign something like /56 or /48 (as recommended) without any fear of running out of IPv6 space. And some actually do if you ask them kindly. ;)

    At Hetzner you can get a cheap VPS with a routed /64, and you can get a second routed /64 if you pay extra.

    At Mythic Beasts which aren't quite as cheap I initially got just a link /64 and no routed prefix. I asked for a routed /96 and got a routed /48.

    kasperd said: Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

    If you want to "think bigger", you can of course get some IPv6 space like a /48 from a LIR of your choice, request an ASN, grab two BGP-capable VPS and start playing - if you know what you're doing of course. :)

    You will be able to learn a lot about routing and how "the internet" works but it will cost you a few bucks a year.

    I'd say I know a lot already. But my hands-on experience with BGP is limited.

    If my NAT64 service grows big it's possible I might at some point need to use a BGP feed to dynamically generate DNS64 configuration files.

  • psb777 Member

    @kasperd said:

    @psb777 said:
    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    I am the author of https://nat64.net/ and I also have a service for the other direction http://v4-frontend.netiter.com/

    Thank you for providing the services for free. Although I don't use either of those myself, it did help some of my acquaintances in case of need.

    I don't know any other protocols that are in demand for v4-to-v6 translation. But speaking of SSH, I don't think patching the client to send SNI-esque would be a popular choice. I implemented a SOCKS proxy server, in part to ease access of v6 services from v4 networks. Users can use the SSH -o ProxyCommand='nc -x ... option to connect via SOCKS proxy, and I can take advantage of the performance of haproxy and its flexibility to police the connections.

  • kasperd Member

    @psb777 said:
    I don't know any other protocols that are in demand for v4-to-v6 translation. But speaking of SSH, I don't think patching the client to send SNI-esque would be a popular choice.

    I know my patch is never going to make it into the official OpenSSH release. But since I was able to make SSH work with no modifications to the frontend I decided to write the patch anyway.

    The SSH protocol has a message type which will be ignored by the receiver, so all I did on the client was to insert such an ignored message between the SSH banner and the first SSH message. The content of that ignored message contains a byte sequence which to the frontend looks like an HTTP Host header.

    I also wrote an external tool which you can call through ProxyCommand instead of patching the client. It works on a similar principle but because it isn't part of the client there are some more limitations to what it can inject into the byte stream without causing integrity checks to fail. For that reason the external tool actually has to open two separate TCP connections to port 22 in order to establish one SSH connection.

  • volkank Member

    no ticket support no email support.

    can't see other provider's assignment in prefix list, even if I have IRR records. so it is filtered

  • volkank Member
    edited April 8

    just an update: you need to enable keepalive packets (without keepalive timeout) unlike he.net otherwise it did not work. and my prefix is accepted now, probably filters updated.

    thanks for the service.

  • securebit Member, Provider

    @volkank said:
    no ticket support no email support.

    we only respond on emails.
    But please understand that customers who pay for their services have priority.

  • securebit Member, Provider

    @volkank said:
    and my prefix is accepted now, probably filters updated.

    we update our filters daily at 23:00, if you create a tunnel it can take max. 24 hours to get visible/exported.

  • volkank Member

    do you plan to add MTU setting?

  • imfan Member

    Have been using SB's services (TB and v6 prefix) for several months, nice management panel and fast auto process!

  • securebit Member, Provider
    edited April 9

    Thank you :smile:
    Nice to hear.

    @volkank said:
    do you plan to add MTU setting?

    Currently not planned.

  • volkank Member

    Please add mtu setting. I want to increase mtu to 1472-byte

  • securebit Member, Provider

    @volkank said:
    Please add mtu setting. I want to increase mtu to 1472-byte

    Currently not planned to add this feature.

  • duckeeyuck

    Just a question, I'm retarded:
    Could I get a 48 and assign a 112 to a vps or something? I'd figure this out but I'm wondering.

  • securebit Member, Provider

    @duckeeyuck said:
    Just a question, I'm retarded:
    Could I get a 48 and assign a 112 to a vps or something? I'd figure this out but I'm wondering.

    you can, but we and other isps may filter prefixes from /49 to /128.
    But you can use a /44 Prefix and then you can announce a /48 per site:
    https://www.securebit.ch/internet/resources
