Setting up a he.net IPv6 Tunnel

A customer reached out to us asking how to set up a he.net IPv6 tunnel on their Ethernet Servers VPS running Debian 12.

After some discussion, the customer was able to get this working as intended, and offered up a bash script in the hope that it helps others!

It's important to note that:

- The VPS in question does not require IPv6 connectivity.
- TUN/TAP and PPP must be enabled within our VPS control panel.
- The script was tested on Debian 12. Support on other Linux distributions is unknown.
- The script assumes you are using SSH port 22.

Please ensure that you take the time to adjust the settings accordingly.
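Pre-flight checks for the prerequisites and settings listed above, as an added example that is not part of the customer's script: it rejects unedited placeholders, an address pasted with its /64 suffix, an out-of-range SSH port and a missing TUN device. The function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the customer's script. Function names are hypothetical.

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Loose IPv6 syntax check: hex digits and colons only, at most one "::".
# A pasted "/64" suffix is rejected because the prefix goes in IPV6_NETMASK.
is_ipv6() {
    case $1 in
        *[!0-9A-Fa-f:]*|*:::*|*::*::*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if $1 is a decimal integer between $2 and $3 inclusive.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage: preflight IPV6_ADDRESS IPV4_REMOTE IPV4_LOCAL IPV6_GATEWAY IPV6_NETMASK SSH_PORT [TUN_DEVICE]
# Prints one line per problem to stderr and returns the number of problems.
preflight() {
    _problems=0
    _tun=${7:-/dev/net/tun}
    _fail() { echo "preflight: $*" >&2; _problems=$((_problems + 1)); }
    is_ipv6 "$1" || _fail "IPV6_ADDRESS is not a bare IPv6 address: $1"
    is_ipv4 "$2" || _fail "IPV4_REMOTE is not an IPv4 address: $2"
    is_ipv4 "$3" || _fail "IPV4_LOCAL is not an IPv4 address: $3"
    is_ipv6 "$4" || _fail "IPV6_GATEWAY is not a bare IPv6 address: $4"
    in_range "$5" 1 128 || _fail "IPV6_NETMASK is not a prefix length in 1-128: $5"
    in_range "$6" 1 65535 || _fail "SSH_PORT is not a port in 1-65535: $6"
    [ -c "$_tun" ] || _fail "$_tun is missing: enable TUN/TAP in the VPS control panel"
    return "$_problems"
}

# Constructed sample values (documentation address ranges), not a real tunnel.
preflight "2001:db8:1::2" "192.0.2.1" "198.51.100.7" "2001:db8:1::1" "64" "22" \
    || echo "Fix the problems listed above before running the setup script."
```
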

Without further ado, below is the script, again, kindly offered up to us by a valued customer:

#!/bin/bash

# CREDITS:
# Stefan Meinecke (https://github.com/smeinecke/ustun) - UStun w/ updates
# Radoslaw Ejsmont (https://github.com/rejsmont/UStun) - original UStun project

# !!! PREREQUISITES: Enable Settings > TUN/TAP & PPP !!!!!!!!!!!!!!!!

# !!! CHANGE THESE TO YOUR HE.NET SETTINGS !!!!!!!!!!!!!!!!!!!!!!!!!!

IPV6_ADDRESS="HE.net-CLIENT-IPv6-ADDRESS"
IPV4_REMOTE="HE.net-SERVER-IPv4-ADDRESS"
IPV4_LOCAL="HE.net-CLIENT-IPv4-ADDRESS"
IPV6_GATEWAY="HE.net-SERVER-IPv6-ADDRESS"
IPV6_NETMASK="64"

SSH_PORT="22"

# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

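# Several steps below write to /sbin and /etc without sudo, so the script must run as root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

# Install required packages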
sudo apt update
sudo apt upgrade -y
sudo apt install -y ufw build-essential git

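# Clone the repository (unpinned: this builds whatever is on the default branch,
# and the resulting binaries replace ip6tables and run as root, so review the source first)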
git clone https://github.com/smeinecke/ustun.git
cd ustun || exit

# Compile the project
make

# Copy binaries to /usr/local/sbin
sudo cp ustun usctrl us6tables /usr/local/sbin

# Copy ufw helper scripts to /usr/local/sbin
sudo cp ufw/us6tables-restore /usr/local/sbin

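# Back up the current ip6tables commands (skipped on a re-run, so the backups
# are not overwritten with the us6tables links created below)
for bin in ip6tables ip6tables-restore; do
    if [ ! -e "/sbin/$bin.bak" ] && [ ! -L "/sbin/$bin.bak" ]; then
        sudo mv "/sbin/$bin" "/sbin/$bin.bak"
    fi
done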

# Relink ip6tables commands
sudo ln -sf /usr/local/sbin/us6tables /sbin/ip6tables
sudo ln -sf /usr/local/sbin/us6tables-restore /sbin/ip6tables-restore
sudo ln -sf /usr/local/sbin/us6tables /usr/sbin/us6tables
sudo ln -sf /usr/local/sbin/us6tables-restore /usr/sbin/us6tables-restore

# Disable ip6tables-save by linking to /bin/true
sudo ln -sf /bin/true /sbin/ip6tables-save

# Backup and copy ufw rules
sudo cp /etc/ufw/after6.rules /etc/ufw/after6.rules.bak
sudo cp /etc/ufw/before6.rules /etc/ufw/before6.rules.bak
sudo cp /etc/ufw/ufw.conf /etc/ufw/ufw.conf.bak
sudo cp ufw/after6.rules ufw/before6.rules ufw/ufw.conf /etc/ufw

# Set UFW default incoming policy to deny
sudo ufw default deny incoming

# Set UFW default outgoing policy to allow
sudo ufw default allow outgoing

# Allow EthernetServers default SSH port
sudo ufw allow "$SSH_PORT"/tcp

# Disable ufw logging (ip6tables -m limit is not supported)
sudo ufw logging off

# Generate IPv6 network interface configuration
# (the backticks are escaped so that cat runs at post-down time, not while this file is being written)
echo "
iface he-ipv6 inet6 static
address $IPV6_ADDRESS
netmask $IPV6_NETMASK
endpoint $IPV4_REMOTE
local $IPV4_LOCAL
ttl 255
gateway $IPV6_GATEWAY
pre-up /usr/local/sbin/ustun -n he-ipv6 -r $IPV4_REMOTE -l $IPV4_LOCAL -m tunnelbroker -p /run/ustun-he-ipv6.pid
post-up /sbin/ip -6 route add ::/0 dev he-ipv6
post-down /bin/kill \`cat /run/ustun-he-ipv6.pid\` > /dev/null 2>&1 || /bin/true
mtu 1480
" > /etc/network/interfaces.ipv6

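# Back up /etc/rc.local before modifications, or create it with a shebang
# if it does not exist yet (a stock Debian 12 install may not have one)
if [ -f /etc/rc.local ]; then
    cp /etc/rc.local /etc/rc.local.bak
else
    printf '#!/bin/sh\n' > /etc/rc.local
fi

# Ensure /etc/rc.local ends with 'exit 0'
if ! tail -n1 /etc/rc.local | grep -q "exit 0"; then
    echo -e "\nexit 0" >> /etc/rc.local
fi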

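# Insert the network interface setup before 'exit 0' if it's not already there.
# The inserted line only appends when the he-ipv6 stanza is missing, so the
# stanza is not duplicated on every boot if /etc/network/interfaces persists.
if ! grep -q "cat /etc/network/interfaces.ipv6 >> /etc/network/interfaces" /etc/rc.local; then
    sed -i "/^exit 0/i grep -q 'iface he-ipv6' /etc/network/interfaces || cat /etc/network/interfaces.ipv6 >> /etc/network/interfaces" /etc/rc.local
fi

# Make rc.local executable
chmod +x /etc/rc.local

# Set up /etc/network/interfaces to work immediately (skipped if the stanza is already present)
grep -q 'iface he-ipv6' /etc/network/interfaces || cat /etc/network/interfaces.ipv6 >> /etc/network/interfaces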

# Set up a service to bring up the tunnel interface after network is ready:
echo "[Unit]
Description=HE IPv6 Tunnel
After=network.target multi-user.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c '/usr/sbin/ifup he-ipv6 || true'
RemainAfterExit=true

[Install]
WantedBy=multi-user.target" > /etc/systemd/system/he-ipv6-tunnel.service

# Reload the systemd daemon to pick up the new service
sudo systemctl daemon-reload

# Enable and start the HE IPv6 Service
sudo systemctl enable he-ipv6-tunnel.service
sudo systemctl start he-ipv6-tunnel.service

# Enable UFW
sudo ufw enable

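# Ping ethernetservers.com to confirm IPv6 connectivity, and only report success if it answers
if ping6 -c 1 ethernetservers.com; then
    echo "HE.net IPv6 tunnel setup completed!"
else
    echo "HE.net IPv6 tunnel was configured, but the IPv6 ping test failed." >&2
fi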

Copyright © 2014 - 2024 - Ethernet Servers Ltd - All Rights Reserved.
