How to Tunnel IPv6 Traffic over SSH IPv4 Connection: A Practical Guide



When working with IPv6 networks behind IPv4-only infrastructure, SSH tunneling becomes a valuable tool for network engineers. The fundamental requirement is establishing a reliable IPv6-over-IPv4 tunnel where native IPv6 connectivity isn't available.

First, ensure both endpoints have an SSH server running and proper authentication configured. The basic IPv4 tunnel command looks like:

ssh -N -L 8080:[IPv6-enabled-host]:80 user@ssh-gateway

But this only handles single-port forwarding. For full IPv6 tunneling, we need more advanced techniques.

The most effective method uses tun devices and SSH's built-in tunneling capabilities:

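# On the client side (as root). -w 0:1 requests tun0 locally and tun1 on the server.
# Point-to-point mode creates the tun devices used below; ethernet mode would create tap devices instead.
ssh -o Tunnel=point-to-point -w 0:1 user@remote-server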

# After connection established:
ip link set tun0 up
ip -6 addr add 2001:db8::1/64 dev tun0

On the server side:

ip link set tun1 up
ip -6 addr add 2001:db8::2/64 dev tun1

For proper IPv6 routing through the tunnel:

# Client routing:
ip -6 route add default via 2001:db8::2 dev tun0

# Server routing (if acting as gateway):
ip -6 route add 2001:db8::1/128 dev tun1
sysctl -w net.ipv6.conf.all.forwarding=1

For production environments, consider these enhancements:

# SSH config file entry (~/.ssh/config):
Host ipv6-tunnel
    HostName remote-server.example.com
    User tunneluser
    PermitLocalCommand yes
    LocalCommand ip link set tun0 up && ip -6 addr add 2001:db8::1/64 dev tun0
    RemoteCommand ip link set tun1 up && ip -6 addr add 2001:db8::2/64 dev tun1
    Tunnel point-to-point
    TunnelDevice 0:1
    RequestTTY no

Remember to:

  • Use SSH key authentication only
  • Restrict SSH access to specific IPs
  • Monitor tunnel bandwidth usage
  • Consider adding firewall rules for the tun interface

If connectivity fails:

# Check interface status:
ip -6 addr show dev tun0

# Test basic connectivity:
ping6 2001:db8::2

# Verify routing:
ip -6 route show

# Check SSH tunnel:
ss -tulnp | grep ssh

For cases where tun devices aren't available:

# Using socat for port forwarding:
ssh user@gateway -L 8080:[internal-ipv6-host]:80

# Then on localhost:
socat TCP6-LISTEN:80,fork TCP4:localhost:8080

When working with IPv6 networks behind IPv4-only SSH tunnels, we face a fundamental protocol mismatch: the SSH connection runs over IPv4, while modern applications increasingly require IPv6 connectivity. The solution is to create a virtual network interface that carries IPv6 packets inside the SSH tunnel.

Before implementation, ensure your systems have:
- OpenSSH 7.0+ (supports tun device creation)
- Root/admin privileges
- TUN/TAP kernel module loaded
- IPv6 enabled on both endpoints

First establish the SSH connection with tunnel capabilities:

ssh -NTCf -w 0:1 user@remote_host -i /path/to/private_key

This creates a point-to-point tunnel using tun devices (0 on local, 1 on remote). The -w flag enables tunnel device forwarding.

On the local machine:

sudo ip link set tun0 up
sudo ip -6 addr add 2001:db8::1/64 dev tun0

On the remote machine:

sudo ip link set tun1 up
sudo ip -6 addr add 2001:db8::2/64 dev tun1

Configure routing tables to direct IPv6 traffic through the tunnel:

sudo ip -6 route add 2001:db8::/64 dev tun0
sudo ip -6 route add default via 2001:db8::2

Verify IPv6 connectivity through the tunnel:

ping6 2001:db8::2
traceroute6 ipv6.google.com

For persistent configurations, create a script with all commands and set it to run on boot. Example systemd service unit:

[Unit]
Description=IPv6 over SSH Tunnel
After=network.target

[Service]
ExecStart=/usr/local/bin/setup_ipv6_tunnel.sh
Restart=always

[Install]
WantedBy=multi-user.target

If connectivity fails:
1. Check SSH server configuration for PermitTunnel
2. Verify kernel supports tun devices (modprobe tun)
3. Ensure proper IPv6 forwarding is enabled (sysctl net.ipv6.conf.all.forwarding=1)
4. Examine firewall rules on both ends
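
The server-side settings this guide relies on (PermitTunnel for the tun device, key-only authentication) can be checked against the effective configuration that `sshd -T` prints. The script below is an added example, not part of the original guide; the function name `audit_sshd_tunnel` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for the tun-based tunnel.
# Input format is that of `sshd -T`: one lowercase "key value" pair per line.

audit_sshd_tunnel() {
    # Prints one finding per line; returns 1 if any FAIL was found, else 0.
    awk '
        { conf[$1] = $2 }
        END {
            fail = 0
            t = conf["permittunnel"]
            if (t == "point-to-point") {
                print "OK   permittunnel point-to-point"
            } else if (t == "yes") {
                print "WARN permittunnel yes also allows layer-2 (tap) tunnels"
            } else {
                print "FAIL permittunnel " (t == "" ? "unset" : t) " does not allow point-to-point (tun) forwarding"
                fail = 1
            }
            if (conf["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; fail = 1
            }
            if (conf["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; fail = 1
            }
            # Older OpenSSH reports this setting as challengeresponseauthentication.
            k = conf["challengeresponseauthentication"]
            if ("kbdinteractiveauthentication" in conf) k = conf["kbdinteractiveauthentication"]
            if (k != "no") {
                print "FAIL keyboard-interactive authentication is not no"; fail = 1
            }
            exit fail
        }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_WEAK='permittunnel yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_HARDENED='permittunnel point-to-point
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_tunnel || echo "weak sample: fix FAIL items first"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_tunnel && echo "hardened sample: ok"
```

On a real server, run `sshd -T | audit_sshd_tunnel` as root; settings placed inside Match blocks are only reflected when connection parameters are supplied with `sshd -T -C`.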