VPS as VPN to get Dual Stack at Home ? (CGNAT / IPv4 only)

[Survivor7171]

So I had Dual Stack before but moved into a new flat and now I'm behind CGNAT with IPv4 only.

I would like to continue hosting some websites from home and therefore get Dual Stack again.


My plan is to buy a VPS from a Cloud Provider and install OPNsense on it.

Then create a Wireguard site-to-site between my home and the VPS to route IPv4/IPv6.


IPv4 only would be easy to do just setup NAT and be done but I have no clue about how to get IPv6 working.


My thoughts about this are

Option1 buy additional /60 network and use that at home and route it via Wireguard, no idea how to set this up, how to get SLAAC/RA working ?!

Option2 use ULA's and NPTv6, basically doing NAT with IPv6, bad practice


I just can't find much about it using google.

Has anyone pointers for me to get this solved ? Any tutorials etc. ?

 

[kpfleming]

A simpler solution would be to use a free tunnel from the Hurricane Electric TunnelBroker server, terminated on the router in your flat.

 

[heromode]

I know nothing about hosting or SLAAC/RA etc, but you might want to check out the TrailOfBits algo project, to run a wg gateway on a standard VPS, which supports road warrior mode. Don't know if it fits your situation, but i've been using algo for years and consider it excellent.

 

[rtech]

You could also contact ISP and tell them you want to setup camera system and monitor it from internet.

 

[Survivor7171]

Hurricane Electric TunnelBroker actually seems like the best option, but I'm not really a fan of it, I would prefer to do the routing/setup myself and kinda own it instead of using a free service.

I'm already having a hard time finding a cheap VPS that has /60 or /56 ipv6 which is really annoying since ipv6 is basically free for them.

Asking the ISP is not an option, I already did that and they don't even offer a business contract.

 

[Survivor7171]

So I went ahead and ordered a VPS at Vultr with 2x IPv4/32 & IPv6/64 to play around with.

I got Wireguard fully setup and now have a ipv4/32 and ipv6/64 public IP on the Wireguard interface at home which works.

I can ping them from another external VPS server and see the ping as well as reply on my home router via packet capture.



I asked Vultr Support whether they offer /60 or /56 IPv6 so I can subdivide the IPv6 network but sadly they don't

So now I'm stranded looking for a VPS provider that offers a bigger IPv6 subnet for the time being.


Linode seems to offer it via support but is rather expensive.

Hetzner only via dedicated root server.


And overall everything else I find is rather expensive, I would prefer to stay below 10$/month

 

[kpfleming]

At the risk of repeating myself... this is exactly what TunnelBroker is for. You get a routed /48, delegated reverse DNS, and it's free.

 

[rtech]

Google blocks HE tunnels....this might rattle your calculations.

Google Blocking Hurricane Electric Tunneled IPv6 /64s | Hacker News

news.ycombinator.com

Google blocking when using HE.net ipv6 tunnel

Discussion about Google blocking when using HE.net ipv6 tunnel

www.geekzone.co.nz

 

[kpfleming]

They have never blocked mine, I've had it for over 13 years. Your mileage/kilometerage may vary, of course.

 

[Survivor7171]

Lo and behold I'm looking to get into BGP peering now, since Vultr BGP is free and a /48 IPv6 prefix is like 20$/year

Just need to find a LIR and figure this all out


@kpfleming I totally get you and I might come back to it, but for now I want to learn along the journey and see if I can set this up myself.

 

[Survivor7171]

Little update on this, I found a LIR and now got a /44 prefix announced via Vultr

I ended up with 1.25$/month for the /44 Prefix + 3.50$/month for VPS.