TunnelBroker.ch | Free (BGP) IPv4 and IPv6 Tunnels and IPv6 Prefixes | Securebit AG - Page 2
Comments

  • securebit Member, Host Rep

    Yes, we provide an "API" to update your IP. When you created your tunnel, you can switch to the advanced tab and see the username, password and URL for updating your endpoint.

    Same way as DynDNS providers update the IPv4 address.

    Thanked by 1brueggus
  • @psb777 said:
    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    I am the author of https://nat64.net/ and I also have a service for the other direction http://v4-frontend.netiter.com/

    The v4-frontend website is a bit outdated, but I do keep the service alive and use it for my personal website and email. I should note that the v4-frontend is not as scalable as the NAT64 service. If you have lots of traffic, the v4-frontend isn't for you and you should look into a content distribution network instead such as Cloudflare, Fastly, or Akamai.

    The v4-frontend service only works with TCP based services and only those which send a hostname. It works with:

    • HTTP as long as the client includes a host header (which has been standard for about 20 years)
    • SSL/TLS as long as the client sends an SNI field
    • SMTP (but no encryption as I haven't found a single SMTP client with SNI support)
    • SSH if you are willing to apply a small patch to the client.

    If you know other protocols which could work I'll happily add support for them. The requirements for a protocol to be supported are:

    • It runs over TCP
    • The client sends the hostname over the TCP connection before the server has sent any payload
    • That hostname is contained within the first 1KB of data sent by the client.

    In principle authoritative DNS could be proxied as well, but a DNS proxy according to the same principles as the rest of this v4-frontend service is very complicated. It would be much simpler to just configure a dual-stack DNS slave using standard software such as BIND 9. But that wouldn't work as a zero-registration service. I am not sure if there even is a demand for authoritative DNS on the frontend.

    Thanked by 2brueggus klikli
  • I like the initiative with free tunnels and might give them a try myself. And the BGP part also sounds very interesting. That's something I might soon find useful.

    @securebit said:

    Tunnels (SIT or GRE) $0.00/mo) - Details

    It sounds like you are not offering any tunnels over UDP based protocols. That unfortunately means that many NAT users won't be able to use those tunnels. There used to be two providers of free IPv6 tunnels over UDP based protocols, but they have both shut down.

    That means at the moment there are users who only have the option of paying for a tunnel through one of the providers who offer IPv6 over a UDP based tunnel.

  • dfroe Member, Host Rep
    edited April 2020

    @kasperd:
    I'd guess most ISPs either provide a public IPv4 address or (hopefully) IPv6. So you can build a tunnel on L4 (e.g. GRE) over IPv4 or IPv6. If your ISP only gives you IPv4 CGNAT and no IPv6 at all, that would be poor.

    Then your best choice might be a VPS with routed IPs or BGP so you can build your own UDP encapsulated tunnel; though like most things in life this doesn't come for free.

    If you don't want to build it on your own, some folks might offer tunnels based on L2TP for instance which is probably one of the simplest and most common UDP tunneling protocols.

  • @dfroe said:
    @kasperd:
    I'd guess most ISPs either provide a public IPv4 address or (hopefully) IPv6.

    Unfortunately that's not the case. There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Then your best choice might be a VPS with routed IPs or BGP so you can build your own UDP encapsulated tunnel; though like most things in life this doesn't come for free.

    If you don't want to build it on your own, some folks might offer tunnels based on L2TP for instance which is probably one of the simplest and most common UDP tunneling protocols.

    I don't mind paying a reasonable price for such a product. But I'd also like to know something I can recommend to those who don't want to pay.

    L2TP surely can work through a NAT. It's something I have been using myself. But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established. That's something I'd surely be able to do better if I were to implement my own.

    I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

  • dfroe Member, Host Rep

    kasperd said: There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Oh, sad to hear that. And I assume they have a monopoly and there is no alternative "proper" ISP to choose from.

    kasperd said: But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established.

    That's probably how it works with most tunneling protocols. At least unless you are having some kind of cryptographic authentication header included in every packet, you do not want to accept packets from another UDP port, especially when CGNAT'ed.

    I think StrongSwan IPSec implementation allows changing IPs on the fly during an established IKE. Which is okay when your packets are encrypted and especially signed in ESP so you can be sure a packet is matching your existing SA if SPI matches and the signature can be validated.

    I used this some time back and it worked pretty well. Of course you have the overhead of IPSec and a more complex protocol stack. But it can give you some advantages.

    kasperd said: I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Well, nearly all providers should be able to assign something like /56 or /48 (as recommended) without any fear of running out of IPv6 space. And some actually do if you ask them kindly. ;)

    kasperd said: Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

    If you want to "think bigger", you can of course get some IPv6 space like a /48 from a LIR of your choice, request an ASN, grab two BGP-capable VPS and start playing - if you know what you're doing of course. :)

    You will be able to learn a lot about routing and how "the internet" works but it will cost you a few bucks a year.

  • @dfroe said:

    kasperd said: There are ISPs who only provide CGN and no IPv6 - they call that configuration future-proof.

    Oh, sad to hear that. And I assume they have a monopoly and there is no alternative "proper" ISP to choose from.

    One particular ISP which fits that description has a monopoly on fiber in some areas. There are competitors with native IPv6 if you go with ADSL or cellular connectivity instead.

    kasperd said: But if the NAT ever changes the mapping the L2TP connection will time out and have to be re-established.

    That's probably how it works with most tunneling protocols. At least unless you are having some kind of cryptographic authentication header included in every packet, you do not want to accept packets from another UDP port, especially when CGNAT'ed.

    The necessary level of protection is open for debate. But there's no doubt you are going to need some amount of protection. Accepting packets from the wrong UDP port isn't a huge deal because all that could be abused for is IP spoofing, which the higher layers have to protect against anyway. It's more important that you don't start sending traffic to the wrong UDP port. And if you have sufficient authentication to protect against that kind of hijacking you may as well use it to protect against spoofing too.

    If you want to take it even further you can go full VPN. But an advantage of sticking with just cookies is that for the cookies themselves neither side needs to know what cryptographic algorithms the other side uses.

    I think StrongSwan IPSec implementation allows changing IPs on the fly during an established IKE. Which is okay when your packets are encrypted and especially signed in ESP so you can be sure a packet is matching your existing SA if SPI matches and the signature can be validated.

    I used this some time back and it worked pretty well. Of course you have the overhead of IPSec and a more complex protocol stack. But it can give you some advantages.

    It's been a couple of years since I last worked with IPSec. I do remember that not running over UDP was causing problems. I also do remember that there is a specification for IPSec over UDP with provisions for NAT. I don't know how widely used that is.

    kasperd said: I know where to find a cheap VPS with a routed /64 but if I want a shorter routed prefix, that limits the available options.

    Well, nearly all providers should be able to assign something like /56 or /48 (as recommended) without any fear of running out of IPv6 space. And some actually do if you ask them kindly. ;)

    At Hetzner you can get a cheap VPS with a routed /64, and you can get a second routed /64 if you pay extra.

    At Mythic Beasts, which aren't quite as cheap, I initially got just a link /64 and no routed prefix. I asked for a routed /96 and got a routed /48.

    kasperd said: Redundant tunnels with BGP is something I do consider. That's why I might be interested in the BGP tunnels.

    If you want to "think bigger", you can of course get some IPv6 space like a /48 from a LIR of your choice, request an ASN, grab two BGP-capable VPS and start playing - if you know what you're doing of course. :)

    You will be able to learn a lot about routing and how "the internet" works but it will cost you a few bucks a year.

    I'd say I know a lot already. But my hands-on experience with BGP is limited.

    If my NAT64 service grows big it's possible I might at some point need to use a BGP feed to dynamically generate DNS64 configuration files.
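
Added example (not part of the thread, and not code from any tunnel provider mentioned in it): a sketch of the endpoint-roaming rule discussed in the two posts above, where the server follows a client to a new UDP source only when the datagram carries the session cookie. The 8-byte cookie prefix, the class and the sample addresses are assumptions made for illustration.

```python
import hmac
import secrets

COOKIE_LEN = 8

class TunnelSession:
    """Server-side state for one UDP-encapsulated tunnel (hypothetical framing)."""

    def __init__(self, endpoint):
        self.cookie = secrets.token_bytes(COOKIE_LEN)  # given to the client at setup
        self.endpoint = endpoint     # (ip, port) that return traffic is sent to
        self.delivered = []          # inner packets passed up the stack

    def receive(self, src, datagram):
        cookie, inner = datagram[:COOKIE_LEN], datagram[COOKIE_LEN:]
        # Constant-time compare; the cookie is opaque bytes, so neither side
        # needs to know how the other generated it.
        if not hmac.compare_digest(cookie, self.cookie):
            return "dropped"         # no cookie: not delivered, endpoint untouched
        moved = src != self.endpoint
        self.endpoint = src          # NAT rebinding: follow the authenticated sender
        self.delivered.append(inner)
        return "roamed" if moved else "ok"

def demo():
    """Constructed sequence: normal packet, off-path spoof, NAT mapping change."""
    s = TunnelSession(("198.51.100.7", 40001))
    good = s.cookie + b"inner-ipv6-packet"
    results = [
        s.receive(("198.51.100.7", 40001), good),
        s.receive(("203.0.113.9", 5555), bytes(COOKIE_LEN) + b"spoofed"),
        s.receive(("198.51.100.7", 40877), good),
    ]
    return results, s.endpoint, len(s.delivered)

if __name__ == "__main__":
    print(demo())
```

A fixed cookie only keeps off-path senders from redirecting the tunnel; anyone who can observe the traffic can copy it, which is the gap that per-packet authentication such as ESP closes.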

  • @kasperd said:

    @psb777 said:
    If you want to access (make outbound connections to) IPv4, you can try NAT64, such as https://nat64.net/

    If you want to have the ports on your VPS accessible from IPv4 network, I don't know any free services for that.

    I am the author of https://nat64.net/ and I also have a service for the other direction http://v4-frontend.netiter.com/

    Thank you for providing the services for free. Although I don't use either of those myself, it did help some of my acquaintances in case of need.

    I don't know any other protocols that are in demand for v4-to-v6 translation. But speaking of SSH, I don't think patching the client to send SNI-esque would be a popular choice. I implemented a SOCKS proxy server, in part to ease access of v6 services from v4 networks. Users can use the SSH -o ProxyCommand='nc -x ...' option to connect via SOCKS proxy, and I can take advantage of the performance of haproxy and its flexibility to police the connections.

  • @psb777 said:
    I don't know any other protocols that are in demand for v4-to-v6 translation. But speaking of SSH, I don't think patching the client to send SNI-esque would be a popular choice.

    I know my patch is never going to make it into the official OpenSSH release. But since I was able to make SSH work with no modifications to the frontend I decided to write the patch anyway.

    The SSH protocol has a message type which will be ignored by the receiver, so all I did on the client was to insert such an ignored message between the SSH banner and the first SSH message. The content of that ignored message contains a byte sequence which to the frontend looks like an HTTP Host header.

    I also wrote an external tool which you can call through ProxyCommand instead of patching the client. It works on a similar principle but because it isn't part of the client there are some more limitations to what it can inject into the byte stream without causing integrity checks to fail. For that reason the external tool actually has to open two separate TCP connections to port 22 in order to establish one SSH connection.
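
Added example (not part of the thread and not kasperd's patch): a sketch of the mechanism described above, framing an SSH_MSG_IGNORE packet (RFC 4253) whose data contains a Host-header look-alike and placing it between the banner and the first real message. The exact bytes inside the ignored message, the banner string and the stand-in KEXINIT are assumptions.

```python
import os
import re
import struct

SSH_MSG_IGNORE = 2    # RFC 4253 section 11.2: the receiver must ignore it
SSH_MSG_KEXINIT = 20
HOST_RE = re.compile(rb"\r\nHost:[ \t]*([A-Za-z0-9.-]+)\r\n", re.I)

def ssh_packet(payload, block=8):
    """Frame a payload as an unencrypted binary packet (RFC 4253 section 6)."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:                       # at least four bytes of padding
        pad += block
    return struct.pack("!IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

def ignore_with_hint(hostname):
    """SSH_MSG_IGNORE whose data string holds a Host-header look-alike (assumed layout)."""
    hint = b"\r\nHost: " + hostname.encode("ascii") + b"\r\n"
    return ssh_packet(struct.pack("!BI", SSH_MSG_IGNORE, len(hint)) + hint)

def client_stream(hostname):
    """Banner, injected ignore message, then a stand-in KEXINIT (constructed)."""
    banner = b"SSH-2.0-Example_1.0\r\n"
    kexinit = ssh_packet(bytes([SSH_MSG_KEXINIT]) + bytes(16))
    return banner + ignore_with_hint(hostname) + kexinit

def frontend_view(stream):
    """The hostname a Host-header scanner finds in the first 1KB."""
    m = HOST_RE.search(stream[:1024])
    return m.group(1).decode("ascii") if m else None

def server_view(stream):
    """Message types an SSH server parses after the banner."""
    buf = stream[stream.index(b"\r\n") + 2:]
    types = []
    while buf:
        length, pad = struct.unpack_from("!IB", buf)
        types.append(buf[5])          # first payload byte is the message type
        buf = buf[4 + length:]
    return types

if __name__ == "__main__":
    stream = client_stream("ssh.example.net")
    print(frontend_view(stream), server_view(stream))
```

The same byte stream yields a hostname to the frontend and a well-formed packet sequence to the server, which discards message type 2 and carries on with key exchange.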

  • no ticket support no email support.

    can't see other provider's assignment in prefix list, even if I have IRR records. so it is filtered

  • volkank Member
    edited April 2020

    just an update: you need to enable keepalive packets (without keepalive timeout) unlike he.net otherwise it did not work. and my prefix is accepted now, probably filters updated.

    thanks for the service.

  • securebit Member, Host Rep

    @volkank said:
    no ticket support no email support.

    we only respond to emails.
    But please understand that customers who pay for their services have priority

  • securebit Member, Host Rep

    @volkank said:
    and my prefix is accepted now, probably filters updated.

    we update our filters daily at 23:00, if you create a tunnel it can take max. 24 hours to get visible/exported.

  • do you plan to add MTU setting?

  • imfan Member

    Have been using SB's services (TB and v6 prefix) for several months, nice management panel and fast auto process!

  • securebit Member, Host Rep
    edited April 2020

    Thank you :smile:
    Nice to hear.

    @volkank said:
    do you plan to add MTU setting?

    Currently not planned.

  • Please add mtu setting. I want to increase mtu to 1472-byte

  • securebit Member, Host Rep

    @volkank said:
    Please add mtu setting. I want to increase mtu to 1472-byte

    Currently not planned to add this feature.

  • Just a question, I'm retarded:
    Could I get a 48 and assign a 112 to a vps or something? I'd figure this out but I'm wondering.

  • securebit Member, Host Rep

    @duckeeyuck said:
    Just a question, I'm retarded:
    Could I get a 48 and assign a 112 to a vps or something? I'd figure this out but I'm wondering.

    you can, but we and other ISPs may filter prefixes from /49 to /128.
    But you can use a /44 Prefix and then you can announce a /48 per site:
    https://www.securebit.ch/internet/resources

  • Tripleflix Member
    edited May 2020

    My consumer ISP does not give me IPv6 so I'm currently using HE to get a tunnel and IPv6 block.

    I successfully created a tunnel but am unable to create a prefix because I am not an organization..

    nvm, I missed the /64 that can be used

    Tunnel doesn't seem to work though.. :(

  • add_iT Member

    @securebit

    I created some tunnels but it seems they did not work on my side. I have tried to ping any IPv6 point but the result is packet loss

    PING google.com(lax31s01-in-x0e.1e100.net) 56 data bytes

    --- google.com ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms

  • securebit Member, Host Rep

    @add_iT said:

    I created some tunnels but it seems they did not work on my side. I have tried to ping any IPv6 point but the result is packet loss

    please contact us via email, and we can have a look. Normally it works fine.

  • Nyr Community Contributor, Veteran

    Excellent initiative, thank you!

  • xkey Member

    First, big thanks to SecureBit for their offering, filling a gap left by HE.net, when it comes to free BGP peering. They did respond to my initial questions quickly. Understood the priority is paying customers, can't complain. But would like to get some community support here.

    Did anyone get ROA added to the free prefix? The website shows it as self-service once BGP announces the prefix, but w/o ROA added, can't even announce those prefixes. Or is this only available to paid customers?

    Did anyone get BGP tunneling working? or is this for paid customers only?

  • berkay Member

    @xkey said:
    Did anyone get BGP tunneling working? or is this for paid customers only?

    BGP tunneling works if you have the proper inet(6)num and route(6) objects. They do create filters automatically from those objects so it might take some time for them to accept your announcements.

  • xkey Member

    @berkay said:

    BGP tunneling works if you have the proper inet(6)num and route(6) objects. They do create filters automatically from those objects so it might take some time for them to accept your announcements.

    How did you create the BGP tunnel with securebit? request by email or they are just through the same tunnel created? I don't see any instructions on their website, hence asking. I do have my own ASN, and wanted to announce both my route and those allocated from securebit

    Thanked by 1udonworld
  • berkay Member

    @xkey said:

    @berkay said:

    BGP tunneling works if you have the proper inet(6)num and route(6) objects. They do create filters automatically from those objects so it might take some time for them to accept your announcements.

    How did you create the BGP tunnel with securebit? request by email or they are just through the same tunnel created? I don't see any instructions on their website, hence asking. I do have my own ASN, and wanted to announce both my route and those allocated from securebit

    I just registered through tunnelbroker.ch and created a tunnel at the control panel.

  • xkey Member

    @berkay said:

    I just registered through tunnelbroker.ch and created a tunnel at the control panel.

    I went back, there are indeed instructions on their website. Didn't pay attention to the radio button to select BGP tunnel instead of regular sit tunnel. User error. Thanks!

    Again, great IPv6/BGP offering from securebit, highly recommended

  • securebit Member, Host Rep

    Thank you, nice to hear.

    If you want to support us, please check out our other offers.

    Virtual Server with IP-Transit and Internet Exchange Point VLANs:
    https://www.securebit.ch/server/internet_exchange

    Internet Resources like ASNs, IPv4 and IPv6 Prefixes:
    https://www.securebit.ch/internet/resources

    We also offer paid tunnels with different protocols (EoIP, GRE, SIT and VxLAN):
    https://www.securebit.ch/internet/tunnel

    Securebit Customers also have full access to our knowledge base:
    https://www.securebit.ch/support/kb

    If you have any questions feel free to contact our support team:
    https://www.securebit.ch/about/contact
