IPv6 — LowEndSpirit

Clearance - 10% OFF - Ryzen 9 KVM - Unmetered Bandwidth - UK & DE - Comment VM ID for 2x NVMe

Hostaris — Wed, 05 Apr 2023 16:43:40 +0000

Hello LES,

For a limited time only, we are offering 10% off on every plan currently available!

Ryzen 9 5900X / Ryzen 9 5950X

DE Looking glass: https://lg.de-1-fra.sys.hostaris.com
DE test IP: 45.158.9.1
UK Looking glass: https://lg.uk-1-ke.sys.hostaris.com
UK test IP: 185.179.216.1

DE includes a /64 IPv6

ASN: AS199765 (https://bgp.tools/as/199765)

Order: https://deploy.hostaris.com?les

As stated in the title: Send the ID of your VPS for double NVMe SSD storage!

Need a custom plan? Simply contact us through live chat and we can assist you

first time attempt ipv6 from router to pfsense

xyphos10 — Fri, 24 Mar 2023 00:16:49 +0000

Hello everyone,

Just wanted to get some input with my attempt and configuring native ISP ipv6 on my network. So for an overview of how things are setup, my ISP gives me a Cable Modem which has a static ipv4 and /64 ipv6 which feeds a pfsense and from there everything else. They do not allow me to put the modem in bridged mode.

lets use fd00:0824:2273:a::/64 as stand in for the public ipv6.

If I assign fd00:0824:2273:a::1 to the modem and fd00:0824:2273:a::2 to pfsense on WAN side. How can I go about make all clients on pfsense LAN side have an ipv6.

I have attempted using ULA on LAN side and then using NPt but it does not work. As soon as traffic gets to pfsense it stop. (Yes I have all appropriate pfsense rules and have verified in the logs that it is not simply being blocked)

I have attempted breaking down the /64 into 2 /65 and use 1 for wan and 1 for lan but no luck.

Is there a simpler way of doing this that I am just overlooking? I appreciate any help.

EasyVM - News & Specials | Dallas, NYC, Tampa, Las Vegas, Singapore

aqua — Tue, 21 Mar 2023 20:26:06 +0000

Hello Everyone,

We recently upgraded our space in Las Vegas, opened doors for Singapore, deployed newer and faster nodes in NYC, and upgraded our network capacity in Dallas. We are working hard to replenish all the out-of-stock locations and will inquire with updates throughout this thread.

These specials are while supplies last (probably won't restock some items for a bit), or until April 7th.

Global E5 SSD VPS

SAVE 40% OFF using coupon code "BVYI7TQS66"

https://easyvm.net/vps

Bronze
1 Core
2GB RAM
30GB SSD
2TB Bandwidth
$5/mo $3/mo

Silver
2 Cores
4GB RAM
50GB SSD
4TB Bandwidth
$9/mo $5.4/mo

Higher Plans are available with this discount -- https://easyvm.net/vps

Provisioning Time:

Dallas, TX (Instant)
Las Vegas, NV (1-2 Weeks -- awaiting IP announcement),
Tampa, FL (1 week -- awaiting IP announcement),
NYC, NY (1-2 weeks -- Awaiting drives for new servers).

If space frees up, we will instantly provision those pending from oldest to newest.

Dallas Ryzen NVMe VPS

SAVE 60% OFF using coupon code "D0DQJ1MR28"

https://easyvm.net/ryzen-vps

Bronze
1 Core (Fair Share)
2GB RAM
50GB NVMe SSD
2TB @ 1 Gbit/s
$8/mo $3.2/mo

Silver
1 Core (Dedicated)
4GB RAM
100GB NVMe SSD
4TB Bandwidth
$15/mo $6/mo

Higher Plans are available with this discount -- https://easyvm.net/ryzen-vps

Provisioning Time: Instant

Singapore Ryzen NVMe VPS -- NEW!

SAVE 40% OFF using coupon code "BVYI7TQS66"

https://portal.easyvm.net/store/sg-ryzen (will get it pushed to main site in a bit)

Bronze
1 Core (Fair Share)
2GB RAM
25GB NVMe SSD
1TB Bandwidth
$8/mo $4.8/mo

Higher Plans are available with this discount -- https://portal.easyvm.net/store/sg-ryzen

Provisioning Time: Instant

Dallas Dedicated Servers

SAVE 20% OFF using coupon code "CEH6YQJ907"

https://easyvm.net/dedicated

2x E5-2670
128GB RAM
2x 1TB SSD
10TB @ 1 Gbit/s
/31 IPv4 + /64 IPv6 (/29 IPv4 is also available for free)
$68/mo

There is one more that doesn't fit in the price range in stock, it is still valid with this coupon. Please check https://easyvm.net/dedicated

Provisioning Time: 1-3 Days

Comment your invoice number and we'll top up your account with $5 of balance

The sorry state of IPv6 reverse DNS

cmeerw — Fri, 03 Mar 2023 17:47:14 +0000

Just noticed that reverse DNS for IPv6 addresses doesn't work over IPv6-only for any of my VPSes.

For alphaVPS and KTS24 the DNS servers responsible for the reverse zone don't have any IPv6 address and for InceptionHosting the DNS server do have IPv6 addresses, but are not reachable via IPv6.

Are others any better?

EasyVM - Ryzen 3900x Pre-Order! Deal Megathread! Refugee Progam! New Locations!

aqua — Sun, 12 Feb 2023 21:35:56 +0000

Howdy Friends,

Now we know Valentines Day is around the corner, and what is the best gift you can give to your S/O? An EasyVM server!

The transfer to the new name has been successful, and we're ready to take on the load from the recent disasters that have struck the LowEnd community.

With the recent questionable existences and drama around 2 major providers (that also had very popular Ryzen VPS Plans), we are offering a refugee discount.

Standard (E5 Based Hosting): First month free, then locked rate + 10% off (if lower) from previous provider.

Ryzen: 50% off the first month, then a locked rate + 10% off (if lower) from the previous provider.

To claim, please open a ticket. You will need to provide invoice/client panel proof of your service.

We can do any sort of custom plans desired and still honor the Refugee Program to those who are in need! Only limitation is bandwidth (can be done for small amounts), but no unmetered bandwidth

GET 25% FOR LIFE WITH CODE LET25OFF FOR ANY BILLING PERIOD -- COUPON CODES ARE PRE-APPLIED TO ALL LINKS

AND

GET 50% FOR LIFE WITH CODE LE50OFF YEARLY BILLING

Standard KVM VPS Offers:

· Xeon E5 Based Servers
· DDR4 ECC Memory
· RAID-10 SATA SSD Storage
· Tons of readily available space
· Instant Deployment
· Available in Dallas, TX, New York City, NY, Tampa, FL (New Location), and Las Vegas, NV (New Location)

Bronze
1 Core
1GB RAM
25GB SSD Storage
1TB @ 1 Gbit/s
1 IP + /64 IPv6
DDOS Protected
Price: $2.99/mo $2.24/mo
Dallas - New York City - Las Vegas - Tampa

Silver
2 Cores
2GB RAM
40GB SSD Storage
2TB @ 1 Gbit/s
1 IP + /64 IPv6
DDOS Protected
Price: $4.99/mo $3.74/mo
Dallas - New York City - Las Vegas - Tampa

Gold
2 Cores
4GB RAM
80GB SSD Storage
4TB @ 1 Gbit/s
1 IP + /64 IPv6
DDOS Protected
Price: $8.99/mo $6.74/mo
Dallas - New York City - Las Vegas - Tampa

Ryzen VPS Offers (PRE-ORDER):

· Ryzen 9 3900x Based Servers
· DDR4 Memory
· RAID-1 NVMe SSD
· Path.net DDOS Protection
· Available in Dallas, TX

RYZ-1GB
1 Core (Fair Share)
1GB RAM
30GB NVMe Storage
1TB @ 1 Gbit/s
1 IP + /64 IPv6
Included Path.net DDOS Protection
Price: $4.00/mo $3/mo
Dallas Pre-Order

RYZ-2GB
1 Core (Fair Share)
2GB RAM
40GB NVMe Storage
2TB @ 1 Gbit/s
1 IP + /64 IPv6
Included Path.net DDOS Protection
Price: $8.00/mo $6/mo
Dallas Pre-Order

Higher Plans are available: https://easyvm.net/ryzen-vps

Locations (Has LG & Test IP on there): https://easyvm.net/locations
Discord: https://easyvm.net/discord
Twitter: https://twitter.com/EasyVMnet
Email: support@easyvm.net

Payment Methods: PayPal, Credit Card, and Cryptocurrencies

There is fraud protection active, disable any VPN while ordering.

Note to China & others who cannot access Recaptcha, turn on VPN while logging in/creating an account, and then turn it off while paying.

Comment your invoice # and I'll double your bandwidth! (If I don't respond for a while it's because Brian has killed me for doing this).

I'll also be giving out $10 Account credit daily til Feb 18th. There is no entry limit, just leave a comment and you'll be entered. Keep it to an extent that mods do not get mad for spam.

★SICloud★Happy New Year★TYO/LAX★VDS/VPS/Anti-DDos/Private Cloud

SiliCloud — Mon, 09 Jan 2023 04:06:41 +0000

VPS / VDS / AnyCast-Anti-DDoS / Managed OpenStack Private Cloud

Los Ángeles & Tokyo OpenStack Cloud Server

DDos-Protect Powered by AS3223

Tokyo Special Offers：

Standard Global: (Limit 60 qty)
1 vCPU EPYC 7571 1GiB DDR4 20GiB vSSD (CEPH 3 replicas)
Global Traffic 500G@500Mbps throttled@1Mbps
1 Years 29.18 USD (Recurring)

[Order]

Standard Global+CN2+9299: (Limit 60 qty)
1 vCPU Intel 8259CL 1GiB DDR4 20GiB vSSD (CEPH 3 replicas)
Global Traffic 500G@500Mbps throttled@1Mbps
1 Years 45.31 USD (Recurring)

[Order]

Los Angeles Special Offers：

Standard Global: (Limit 100 qty)
1 vCPU EPYC 7571 1GiB DDR4 20GiB vSSD (CEPH 3 replicas)
Global Traffic 500G@500Mbps throttled@1Mbps
1 Years 20.22 USD (Recurring)

[Order]

Standard Global+CN2: (Limit 100 qty)
1 vCPU EPYC 7571 1GiB DDR4 20GiB vSSD (CEPH 3 replicas)
Global Traffic 500G@300Mbps throttled@1Mbps
1 Years 25.22 USD (Recurring)

[Order]

VDS Global: (Limit 100 qty)
1 dedicated vCPU EPYC 7571 4GiB DDR4 10+30 GiB vSSD (CEPH 3 replicas)
Global Traffic 1000G@1Gbps throttled@5Mbps
3 Monthes 13.57 USD (Recurring)

[Order]

AnyCast DDoS mitigate : (LES SP OFFER)
Clean Bandwitdh 50Mbps
AnyCast Filter Power 1Tbps
BGP over GRE
Setup Fee 50 USD
MRC 50 USD (Renew 100 USD)
Location LAX/Tokyo

[Open Ticket]

More Options Listed Here :
https://www.silicloud.com/activity/vps

Looking Glass(Los Ángeles, United State):
* IPv4 (GIA Blended) - https://lg-cn2gia-west01-us.silicloud.com/
* IPv6 (GIA Blended) - https://lg-cn2gia-west01-us-v6.silicloud.com/
* IPv4 (Global) - https://lg-global-west01-us.silicloud.com/
* IPv6 (Global) - https://lg-global-west01-us-v6.silicloud.com/

Looking Glass(Tokyo, Japan):
* IPv4 (GIA Blended) - https://lg-global-tyo01-jp-cn2.silicloud.com/
* IPv6 (GIA Blended) - https://lg-global-tyo01-jp-cn2-v6.silicloud.com/
* IPv4 (Global) - https://lg-global-tyo01-jp.silicloud.com/
* IPv6 (Global) - https://lg-global-tyo01-jp-v6.silicloud.com/

GeekBench 5:

Route48.org :: IPv6 BGP Enabled Tunnelbroker Service

Cloudie — Sat, 16 Apr 2022 05:47:07 +0000

Did you always want to have IPv6 at home, but your ISP doesn't realise it's 2022 and refused to deploy it?
Have you ever thought how cool it would be to have your own personal IPv6 block with your own whois information on it?
Just imagine... how awesome it would be able to do real-world BGP and control your own IPv6 space?
Imagine, no more! We want to formally introduce Route48.org! Your new free TunnelBroker, IPv6 network allocator, and BGP session / IPv6 transit provider! Yes Free, instant, and automatic!

What is Route48, and why should we care?

The idea behind this project is to enable a regular user to learn, use and play with IPv6, BGP, and networking in a safe, free and automated manner. As an LIR it is our responsibility to promote and endorse the use of IPv6 to our end clients and serve them with the opportunity to learn and use IP resources (in this case IPv6 resources)
We take pride in knowing that we are actively supporting the adoption of IPv6 for users that would otherwise find it too difficult. But now, without further ado lets go over the features of this new platform:

IPv6 Tunnel Broker

Route48's tunnel broker functionality enables any user to create what is called a 6in4 tunnel. This gives you the ability to create a simple, VPN-like, tunnel where you get allocated a full /48 IPv6 block and you can route all your IPv6 traffic through one of our nodes. 6in4 tunnel enables any user to bring IPv6 into their home network or to a server that is IPv4 only. From over 13 geographical locations (and growing) you're able to choose the location that is closest to you or your server.

Automated IPv6 prefix Allocation

Everyone wants to have their IP space and be able to manage the space themselves. Well, now you can, and you can do this for free. In Route48 we can assign and allocate multiple IPv6 prefixes, this means you can control the name, and country and even add your RIPE maintainer to the assigned IPv6 network. You can even take the newly assigned IPv6 space to your hosting providers and ask them to announce the prefix on their network and route the IPv6 space to your existing server(s). We provide LOAs, and each allocation is automatically signed with an RPKI ROA and IRR object. Let's also keep in mind how much of a perfect excuse this would be to learn how to manage IP resources on the RIPE database, securely and safely using your RIPE account.

Automated BGP Sessions

Now we all know that once you have your IP address, the next step is to get them announced and routed on the internet. While you can use the allocated address space with whatever upstream you wish, Route48 offers automatic BGP sessions over your IPv6 tunnels. This means you can start exporting and announcing your newly allocated IPv6 networks using your BGP sessions and route them to where you wish! (Free and automated IPv6 transit for your newly allocated IPv6 space)

Route48 Global Network & Sponsors

Route48 is proud to be able to offer so many different node locations for 6in4 tunnels and for transit, as of right now we have nodes in 13 different locations around the world (and a few more in the works)
Yes, all of this is free! But how? Well, we are lucky enough to have a few hosting providers who were willing to sponsor IP space and servers for this project, this is the reason we can offer such a diverse number of locations with such flexible and automated features.

Further Disclosure...

This project is a joint partnership between Cloudie Networks & Zappie Host. Administration of all nodes in use provided by our sponsors and directly, are done so by only Cloudie Networks, & Zappie Host.

In short, this platform can empower end-users to do more with IPv6 and be less locked into what your hosting provider or ISP provides you. Let's be honest, who doesn't want an IPv6 address that has the words b00b in it :P

P.S. we love feedback, criticism, and suggestions. If you have an idea or even a question about this project, we would love to hear it!

Dynamic IP vs Static IP rates

AndrewL64 — Mon, 05 Dec 2022 19:52:55 +0000

Why/How are dynamic IPs cheaper than static IPs?

Tried googling about this but all I got are definitions of what dynamic/static IPs are but economically, why though?

For residential connections, wouldn't it be cheaper to just allocate an address and be done with (until the user cancels their subscription or something) rather than dealing with the whole IP pools & recycling addresses shenanigans?

VPS IPv6 /64 for SLAAC at home via wireguard?

topogio — Sat, 06 Mar 2021 05:49:18 +0000

I'm looking to hand out public IPv6 addresses from my VPS /64 to my clients at home via SLAAC if possible. I have so far been able to get a single IPv6 public address to work via ndp_proxy (instructions here) BUT I have been unsuccessful at allowing multiple IPv6 thru the wireguard tunnel to become available to clients.

Here is a dirty diagram of how things would look like:

VPS
2602:fed2:8888:106:: /64 assigned
eth0 = 2602:fed2:8888:106::1
wg0 = 2602:fed2:8888:106:100::1
-- wg tunnel --
Home client
wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home - receiving traffic from multiple hosts)
eth0 = 192.168.1.100

-- client 1 fowards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.

VPS provider won't give more IPv6 space than /64 unfortunately - I haven't tried asking for a /128 for a ptp thats routed to it - I was reading that may work but dont know.

I did try /etc/ndppd.conf with this config but did not see any requests comming from wg0 instance:

proxy eth0 {
  autowire yes
  rule 2602:fed2:8888:106::/64 {
      iface wghub
  }
}

Anyone with experience that could comment?

Request for CAPTCHA Verification in Upcoming Flash Sales

bliss — Wed, 23 Nov 2022 17:13:45 +0000

The Black Friday will come in less than 48 hours.
Suffering from high inflation, tempting offers of this year may be scarce.

So I request CAPTCHA be deployed when ordering, otherwise I'm sure scalpers' automatic scripts will win in terms of speed.

Feel free to "at" spokespersons of your interesting providers. Thank you.

Ipv6 / Ipv4 & Dual Stacking

hostarts — Mon, 31 Jan 2022 14:04:04 +0000

Hello

In the future as web hosts, are we supposed to have & provide VMs or servers with Dual Stack ? Or the plan is to actually dump IPV4 which is currently still impossible due to multiple reasons.

How to use Cloudns as Secondary DNS provider [ Plesk Tested ]

hostarts — Thu, 27 Jan 2022 18:02:40 +0000

Hello,

I would like to share our experience regarding Secondary DNS for Plesk server. For the moment It has been pretty straight forward to setup Slave nameservers for Plesk.

The issue is, the solution becomes totally unreliable once you have 2 master servers or more. It looks like Plesk themselves couldn't figure out issues related to rndc-keys etc for our case. We have been getting random disconnections etc...

Additionally it requires the maintenance of the nameservers slave and having them on different locations or datacenters

We found solutions such as gDNS from Admin Ahead but it looks too complicated and not that different from the Plesk Slave servers.

We want to share our solution for the community especially the ones using Plesk, we are also planning to test the solution on different Hosting panels such as cPanel.

You can go ahead and create an account at https://www.cloudns.net/

Once done, you will need to put edit a default provided PHP script that you can find on their Github Page.

Due to the multiple changes between the old script and the new one we have provided some additional information to the ClouDNS team who corrected some elements on their previous one.

You can read the article they have put together for Plesk servers. https://www.cloudns.net/wiki/article/250

We will try to do the same for cPanel very soon and update this thread.

through this you can enjoy IPV4 & IPV6 Anycast Secondary DNS and protect your Master server

Regarding the Cronjob to setup we made it run once per minute in our case due to multiple DNS zone changes and new clients. Especially that Plesk is kind of slow when it comes to SSL

We would love to hear your feedback

IPv6-to-IPv4 Translation Providers or Other Methods

lindy54 — Sat, 02 Oct 2021 19:24:13 +0000

Basically I couldn't use the Cloudflare method which is for a NAT VPS which has dedicated IPv6 only. Is there any other providers/solutions for this?

IPv6 Neighbor Discovery Responder for KVM VPS

yoursunny — Wed, 21 Apr 2021 04:38:33 +0000

This article is originally published on yoursunny.com blog https://yoursunny.com/t/2021/ndpresponder/

I Want IPv6 for Docker

I'm playing with Docker these days, and I want IPv6 in my Docker containers.
The best guide for enabling IPv6 in Docker is how to enable IPv6 for Docker containers on Ubuntu 18.04.
The first method in that article assigns private IPv6 addresses to containers, and uses IPv6 NAT similar to how Docker handles IPv4 NAT.
I quickly got it working, but I noticed an undesirable behavior: Network Address Translation (NAT) changes the source port number of outgoing UDP datagrams, even if there's a port forwarding rule for inbound traffic; consequently, a UDP flow with the same source and destination ports is being recognized as two separate flows.

$ docker exec nfd nfdc face show 262
    faceid=262
    remote=udp6://[2001:db8:f440:2:eb26:f0a9:4dc3:1]:6363
     local=udp6://[fd00:2001:db8:4d55:0:242:ac11:4]:6363
congestion={base-marking-interval=100ms default-threshold=65536B}
       mtu=1337
  counters={in={25i 4603d 2n 1179907B} out={11921i 14d 0n 1506905B}}
     flags={non-local permanent point-to-point congestion-marking}
$ docker exec nfd nfdc face show 270
    faceid=270
    remote=udp6://[2001:db8:f440:2:eb26:f0a9:4dc3:1]:1024
     local=udp6://[fd00:2001:db8:4d55:0:242:ac11:4]:6363
   expires=0s
congestion={base-marking-interval=100ms default-threshold=65536B}
       mtu=1337
  counters={in={11880i 0d 0n 1498032B} out={0i 4594d 0n 1175786B}}
     flags={non-local on-demand point-to-point congestion-marking}

The second method in that article allows every container to have a public IPv6 address.
It avoids NAT and the problems that come with it, but requires the host to have a routed IPv6 subnet.
However, routed IPv6 is hard to come by on KVM servers, because virtualization platform such as Virtualizor does not support routed IPv6 subnets, but can only provide on-link IPv6.

On-Link IPv6 vs Routed IPv6

So what's the difference between on-link IPv6 and routed IPv6, anyway?
It differs in how the router at the previous hop is configured to reach a destination IP address.

Let me explain in IPv4 terms first:

|--------| 192.0.2.1/24       |--------| 198.51.100.1/24    |-----------|
| router |--------------------| server |--------------------| container |
|--------|       192.0.2.2/24 |--------|    198.51.100.2/24 |-----------|
            (192.0.2.16-23/24)    |
                                  | 192.0.2.17/28           |-----------|
                                  \-------------------------| container |
                                              192.0.2.18/28 |-----------|

The server has on-link IP address 192.0.2.2.
- The router knows this IP address is on-link because it is in the 192.0.2.0/24 subnet that is configured on the router interface.
- To deliver a packet to 192.0.2.2, the router sends an ARP query of 192.0.2.2 to learn the server's MAC address, which should be responded by the server.
The server has routed IP subnet 198.51.100.0/24.
- The router must be configured to know: 198.51.100.0/24 is reachable via 192.0.2.2.
- To deliver a packet to 198.51.100.2, the router first queries its routing table and finds the above entry, then sends an ARP query to learn the MAC address of 192.0.2.2 which should be responded by the server, and finally delivers the packet to the learned MAC address.
The main difference is what IP address is enclosed in the ARP query:
- If the destination IP address is an on-link IP address, the ARP query contains the destination IP address itself.
- If the destination IP address is in a routed subnet, the ARP query contains the nexthop IP address, as determined by the routing table.
If I want to assign an on-link IPv4 address (e.g. 192.0.2.18/28) to a container, the server should be made to answer ARP queries for that IP address so that the router would deliver packets to the server, and then forwards these packets to the container.
- This technique is called ARP proxy, in which the server responds to ARP queries on behalf of the container.

The situation is a bit more complex in IPv6 because each network interface can have multiple IPv6 addresses, but the same concept applies.
Instead of Address Resolution Protocol (ARP), IPv6 uses Neighbor Discovery Protocol that is part of ICMPv6.
A few terminology differs:

IPv4	IPv6
ARP	Neighbor Discovery Protocol (NDP)
ARP query	ICMPv6 Neighbor Solicitation
ARP reply	ICMPv6 Neighbor Advertisement
ARP proxy	NDP proxy

If I want to assign an on-link IPv6 address to a container, the server should respond to neighbor solicitations for that IP address, so that the router would deliver packets to the server.
After that, the server's Linux kernel could route the packet to the container's bridge, as if the destination IPv6 address was in a routed subnet.

NDP Proxy Daemon to the Rescue, I Hope?

ndppd, or NDP Proxy Daemon, is a program that listens for neighbor solicitations on a network interface and responds with neighbor advertisements.
It is often recommended for dealing with the scenario when the server has only on-link IPv6 but we need a routed IPv6 subnet.

I installed ndppd on one of my servers, and it worked as expected with this configuration:

proxy uplink {
  rule 2001:db8:fbc0:2:646f:636b:6572::/112 {
    auto
  }
}

I can start up a Docker container with a public IPv6 address.
It can reach the IPv6 Internet, and can be ping-ed from outside.

$ docker network create --ipv6 --subnet=172.26.0.0/16
  --subnet=2001:db8:fbc0:2:646f:636b:6572::/112 ipv6exposed
118c3a9e00595262e41b8cb839a55d1bc7bc54979a1ff76b5993273d82eea1f4

$ docker run -it --rm --network ipv6exposed
  --ip6 2001:db8:fbc0:2:646f:636b:6572:d002 alpine

# wget -q -O- https://www.cloudflare.com/cdn-cgi/trace | grep ip
ip=2001:db8:fbc0:2:646f:636b:6572:d002

However, when I repeated the same setup on another KVM server, things didn't go well: the container cannot reach the IPv6 Internet at all.

$ docker run -it --rm --network ipv6exposed
  --ip6 2001:db8:f440:2:646f:636b:6572:d003 alpine

/ # ping -c 4 ipv6.google.com
PING ipv6.google.com (2607:f8b0:400a:809::200e): 56 data bytes

--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

What's Wrong with ndppd?

Why ndppd works on the first server, but does not work on the second server?
What's the difference?
We need to go deeper, so I turned to tcpdump.

On the first server, I see:

$ sudo tcpdump -pi uplink icmp6
19:13:17.958191 IP6 2001:db8:fbc0::1 > ff02::1:ff72:d002:
    ICMP6, neighbor solicitation, who has 2001:db8:fbc0:2:646f:636b:6572:d002, length 32
19:13:17.958472 IP6 2001:db8:fbc0:2::2 > 2001:db8:fbc0::1:
    ICMP6, neighbor advertisement, tgt is 2001:db8:fbc0:2:646f:636b:6572:d002, length 32

The neighbor solicitation from the router comes from a global IPv6 address.
The server responds with a neighbor advertisement from its global IPv6 address.
Note that this address differs from the container's address.
IPv6 works in the container.

On the second server, I see:

$ sudo tcpdump -pi uplink icmp6
00:07:53.617438 IP6 fe80::669d:99ff:feb1:55b8 > ff02::1:ff72:d003:
    ICMP6, neighbor solicitation, who has 2001:db8:f440:2:646f:636b:6572:d003, length 32
00:07:53.617714 IP6 fe80::216:3eff:fedd:7c83 > fe80::669d:99ff:feb1:55b8:
    ICMP6, neighbor advertisement, tgt is 2001:db8:f440:2:646f:636b:6572:d003, length 32

The neighbor solicitation from the router comes from a link-local IPv6 address.
The server responds with a neighbor advertisement from its link-local IPv6 address.
IPv6 does not work in the container.

Since IPv6 has been working on the second server for IPv6 addresses assigned to the server itself, I added a new IPv6 address and captured its NDP exchange:

$ sudo tcpdump -pi uplink icmp6
00:29:39.378544 IP6 fe80::669d:99ff:feb1:55b8 > ff02::1:ff00:a006:
    ICMP6, neighbor solicitation, who has 2001:db8:f440:2::a006, length 32
00:29:39.378581 IP6 2001:db8:f440:2::a006 > fe80::669d:99ff:feb1:55b8:
    ICMP6, neighbor advertisement, tgt is 2001:db8:f440:2::a006, length 32

The neighbor solicitation from the router comes from a link-local IPv6 address, same as above.
The server responds with a neighbor advertisement from the target global IPv6 address.
IPv6 works on the server from this address.

In IPv6, each network interface can have multiple IPv6 addresses.
When the Linux kernel responds to a neighbor solicitation in which the target address is assigned to the same network interface, it uses that particular address as the source address.
On the other hand, ndppd transmits neighbor advertisements via a PF_INET6 socket and does not specify the source address.
In this case, some complicated rules for default address selection come into play.

One of these rules is preferring a source address that has the same scope as the destination address (i.e. the router).
On my first server, the router uses a global address, and the server selects a global address as the source address on its neighbor advertisement.
On my second server, the router uses a link-local address, and the server selects a link-local address, too.

In an unfiltered network, the router wouldn't care where the neighbor advertisements come from.
However, when it comes to a KVM server on Virtualizor, the hypervisor would treat such packets as attempted IP spoofing attacks, and drop them via ebtables rules.
Consequently, the neighbor advertisement never reaches the router, and the router has no way to know how to reach the container's IPv6 address.

ndpresponder: NDP Responder for KVM VPS

I tried a few tricks such as deprecating the link-local address, but none of them worked.
Thus, I made my own NDP responder that sends neighbor advertisements from the target address.

ndpresponder is a Go program using the GoPacket library.

The program opens an AF_PACKET socket, with a BPF filter for ICMPv6 neighbor solicitation messages.
When a neighbor solicitation arrives, it checks the target address against a user-supplied IP range.
If the target address is in the range used for Docker containers, the program constructs an ICMPv6 neighbor advertisement messages and transmits it through the same AF_PACKET socket.

A major difference from ndppd is that, the source IPv6 address on a neighbor advertisement message is always set to the same value as the target address of the neighbor solicitation, so that the message wouldn't be dropped by the hypervisor.
This is made possible because I'm sending the message via an AF_PACKET socket, instead of the AF_INET6 socket used by ndppd.

ndpresponder operates similarly as ndppd in "static" mode.
It does not forward neighbor advertisements to the destination subnet like ndppd does in its "auto" mode, but this feature isn't important on a KVM server.

If ndppd doesn't seem to work on your KVM VPS, give ndpresponder a try!
Head to my GitHub repository for installation and usage instructions:
https://github.com/yoursunny/ndpresponder

NL or UK | NVMe SSD | KVM | 50GB | 6TB | DDOS Protection | Free Direct Admin | €35 / year

InceptionHosting — Thu, 27 May 2021 08:24:40 +0000

A little offer for the long weekend (in the UK anyway)

2 CPU Core (Equal Share)
2 GB Ram
50 GB Pure NVMe SSD Disk space
6 TB Bandwidth
1 x IPv4 address (Automated PTR/rDNS records)
1 x /64 IPv6 (Automated PTR/rDNS records)
DDOS Protection included
Free Direct Admin by request

€35.00 /year - no promo code needed just select annual payment.
This offer is recurring.

NL: Order link: https://clients.inceptionhosting.com/cart.php?a=add&pid=215
UK Order link: https://clients.inceptionhosting.com/cart.php?a=add&pid=185

A few extra bits:

In the UK/London there is a mix of E-2276G and E3-1270v5/6 CPU's allocation is random.
In the Netherlands/Amsterdam there is a mix of E-2276G and E-2278G CPU's allocation is random.
Netherlands/Amsterdam ports can burst up to 10gbit.
If you want to switch locations after purchase that is fine we will do that for you once at no extra cost.

Network ping/mtr/trace tests: https://as62240.net/tools
Network speed tests: https://as62240.net/speedtest

This offer is intended to end on June 2nd but may go on a bit longer than that depending on interest.

Orders from Brazil and China are not currently being accepted.
Orders placed while on a VPN or proxy will be automatically rejected.

If you want any sort of custom deal, it is a good time to ask.

Cheers,

Ant.

Spearware Networks "has" IPv6 now!

SWN_Michael — Sun, 13 Jun 2021 00:11:40 +0000

So... I've flipped the switch for IPv6 (months late I know) but it's here! If you're a current customer, submit a ticket and I'll assign your /64. If you're new, just order and it'll be automatically assigned.

Caveats:

IPv6 is currently provided only via Cogent. This means that if you're trying to access either Google or someone single homed on Hurricane Electric, you will need to do it via IPv4. I'm working on figuring out a cost effective solution to resolve this issue and hope to have it fixed soon.
IPv6 connectivity is not perfect (see the first bullet), however if you're having an issue, submit a ticket, and I'll see what can be done.

drServer.net ||| cPanel Web Hosting, Free DNS, Email, VPS and Dedicated! Basket of deals!

Radi — Wed, 19 May 2021 11:44:28 +0000

Hello friends,

We are back with our offer table with current stock.

Starting with the shared hosting, I’d like to talk about the…
…main features each account comes with:
Quick Technical Support - You won’t be waiting for hours to receive a reply to a single question.
30 Day Money Back Guarantee - Don’t like it? Get your money back for your first order.
HIGH Clock CPU
ECC Registered RAM
Enterprise Sandisk OPTIMUS MAX SAS SSD Hard Drives - Delivering ultrafast I/O to get your applications loading with extreme speed
Hardware RAID-10 with BBU - For guaranteed data safety in case of disk failure
cPanel Control Panel - The most widely known control panel on the market
Web Server with HHVM support - Guaranteed to work faster than the usual LAMP stack
MariaDB (MySQL) - Faster than ordinary MySQL and compatible with it
Multiple PHP Versions - Not every app is updated to run on newest and greatest, so you get ability to choose.
JetBackup - Backup your website to a remote location free of charge.
Softaculous Auto Installer - You can install your favourite scripts
MailChannels Email Relay - Prevent your emails from landing into SPAM
FREE cPanel Migration - On Request
and much much more, which we will leave for you to discover.

Without further delay, straight to the offer:

Promo-1
Disk Space: 5 GB
Disk Type: Enterprise SAS SSD
RAID: Hardware RAID 10 with BBU
Backup: Automated incremental
Network Bandwidth: 1 TB
Bandwidth Type: Premium Multihomed
Network Pipe: 1 Gbps
Email Accounts: Unlimited
Email relay limit: 300 / hr
FTP Accounts: Unlimited
MySQL Databases: Unlimited
NodeJS Support: Yes
Python Support: Yes
Ruby Support: Yes
Proxy: Nginx
HHVM Support: Yes
PHP Version: All major selectable
Analytics: Yes
Free enterprise SSL: No
Free domain name / domain transfer: No
Panel Type: cPanel
Auto Installer: Softaculous
Mail Relay: MailChannels
DC Location: Dallas - TX - USA
Price: 2.00$/month
Price(Yearly): 20.00$/year
Order link: https://portal.drserver.net/?cmd=cart&action=add&id=146

Extra Deal: Try the plan for just $1 dollar for the first month with code "DDAAE2WYO6W0M" (code is only valid on monthly billing cycle).

Promo-10G
Disk Space: 10 GB
Disk Type: Enterprise SAS SSD
RAID: Hardware RAID 10 with BBU
Backup: Automated incremental
Network Bandwidth: 1 TB
Bandwidth Type: Premium Multihomed
Network Pipe: 1 Gbps
Email Accounts: Unlimited
Email relay limit: 300 / hr
FTP Accounts: Unlimited
MySQL Databases: Unlimited
NodeJS Support: Yes
Python Support: Yes
Ruby Support: Yes
Proxy: Nginx
HHVM Support: Yes
PHP Version: All major selectable
Analytics: Yes
Free enterprise SSL: No
Free domain name / domain transfer: No
Panel Type: cPanel
Auto Installer: Softaculous
Mail Relay: MailChannels
DC Location: Dallas - TX - USA
Price: 3.00$/month
Price(Yearly): 30.00$/year
Promocode to get this pricing: KIK8ZIUTKWGEP-WEBPROMO10G
Order link: https://portal.drserver.net/?cmd=cart&action=add&id=146

Extra Deal: Try the plan for just $1 dollar for the first month with code "ACQ7HDDGFAM2U" (code is only valid on monthly billing cycle).

We also offer a Zimbra-based email service
which comes with the features listed.
Zimbra Collaboration Suite
Nice Webmail Client
The option to use a desktop app
Free DNS hosting available for easy setup.
MailChannels relay, to ensure deliverability of your emails
POP/SMTP/IMAP. to make your email accessible by your favourite mail client
Host as much domains as needed
Multiple accounts
White-labelled WebMail

Moving on to the offer.

Zimbra 10 Pack
10 Email Accounts
10 GB Storage
Unlimited Domains
MailChannels Relay
Online Webmail
Zimbra Desktop
Price: $5.00/month or $50/year
Promocode for yearly payment: Z9WFY2GL3ZN-ZIMBRAYEARLY

Order Link: https://drserver.net/mail.php?pk_campaign=LES

Extra Deal: Try the above mail hosting plan for just $1 dollar for the first month with code "JQJGQHFVFB2NMDCT" (code is only valid on monthly billing cycle).

Moving on to our VPS servers…

VPS Features:
All VPS offers are powered by Virtualizor control panel.
All servers come with 1 IPv4 unlesss otherwise stated.
Custom ISO are possible for VPS only a quick ticket.
Free DNS hosting available with all VPS.
Free 1x manual snapshot available with all VPS.
IPv6 right now is available in Dallas.
IPv4 rDNS is only available for Dallas.
The VPS in this offer are not managed, however we can provide you with application support and install the applications, you require for FREE.
All VPS are hosted on powerful E5 nodes with minimum of 128 GB RAM and SSDs in RAID-10.

and now the offers…

KVM-XS
2 CPU Cores
2048 MB RAM
45 GB SSD Disk
2048 GB Bandwidth
1 IPv4
/64 IPv6
KVM
Linux/Windows
Free DNS Hosting included
Free 1 manual snapshot included
Location: Dallas
Price: $5/mo or $50/year
Promocode(Monthly): 8RKY9I70ED1JI-VPS2GB-M
Promocode(Yearly): KVMXS-YEARLY
Order link: https://portal.drserver.net/?cmd=cart&action=add&id=148

KVM-S
4 CPU Cores
4096 MB RAM
90 GB SSD Disk
4096 GB Bandwidth
1 IPv4
/64 IPv6
KVM
Linux/Windows
Free DNS Hosting included
Free 1 manual snapshot included
Location: Dallas
Price: $7/mo or $70/year
Promocode(Monthly): LET-It-GO
Promocode(Yearly): KVMS-YEARLY
Order link: https://drserver.net/vps.php?pk_campaign=LES

DNS Hosting is also available as a standalone service as well.

DNS Hosting Features
Powered by PowerDNS and HostBill
Ability to create multiple types of DNS records
Easy and centralized management
DNSSEC
and more...

and now the offer:

DNS-1
DNS Hosting for 1 zone
PowerDNS
Dallas Location of Nameservers
White-Label NS Domain
Price: $0/month
Link: https://portal.drserver.net/?cmd=cart&action=add&id=155

Special Offer: Completely free forever for 1 zone. Use it to test it - we can offer a potential discount for people who help us iron out any issues with the system. We would love to get some feedback on it.

If you wish to get more zones, we offer them as premium plan.

DNS-5
DNS Hosting for 5 zones
PowerDNS
Dallas Location of Nameservers
White-Label NS Domain
Price: $1/month
Link: https://portal.drserver.net/?cmd=cart&action=add&id=154

More options for DNS hosting are available here: https://portal.drserver.net/?/cart/dns/ .

Last, but not by importance: THE DEDICATED SERVERS.

Dedicated Servers Features
All offers come with 1 IPv4 unless otherwise stated.
rDNS is available.
Free DNS Hosting for 10 zones available with every server.
Custom ISO are possible through a quick ticket. We can load any OS you need. This does not apply to NO-IPMI servers.
Bandwidth is upgrade-able to 1 Gbps for free(on non-Atom servers only). Ticket us for more details.
We are an unmanaged provider, but we will do our best to assist with the configuration of your applications and getting your servers up and running.
We can offer you CUSTOM-BUILT dedicated servers. Please open a ticket to discuss your requirements.

Intel® Atom™ C2750 (8-Core, 2.4GHz)
RAM: 8 GB DDR3
Disk: 1 x 500 GB SATA
Bandwidth: 100 Mbps
1 IPv4
NO-IPMI, you are limited to the OS, which are available on order form
Location: Dallas
Price: $12/mo OR $120/year
Promocode(Monthly): YBDX4U70Q
Promocode(Yearly): 6IER7WVC-NOIPMI
Order link: https://drserver.net/dedicated.php?pk_campaign=LES

Intel® Atom™ C2750 (4-Core, 2.4GHz)
RAM: 8 GB DDR3
Disk: 1 x 200 GB SSD
Bandwidth: 100 Mbps
1 IPv4
Location: Dallas
Price: $13/mo OR $130/year
Promocode(Monthly): YBDX4U70Q
Promocode(Yearly): 1VIVHOVA8VS3-DELLIPMI
Order link: https://drserver.net/dedicated.php?pk_campaign=LES

Intel® Xeon® E-2134 (4-Core, 8-Thread, 3.5GHz)
RAM: 16 GB DDR4
Disk: 1 x 480 GB SSD
Bandwidth: 100 Mbps or 1 Gbps(30 TB)/via ticket
1 IPv4
Location: Dallas
Price: $56/mo OR $560/year
Promocode(Monthly): YBDX4U70Q
Promocode(Yearly): 4UHYIKNFTAIG-ESERIES
Order link: https://drserver.net/dedicated.php?pk_campaign=LES

Intel® Xeon® E-2136 (6-Core, 12-Thread, 3.3GHz)
RAM: 16 GB DDR4
Disk: 1 x 480 GB SSD
Bandwidth: 100 Mbps or 1 Gbps(30 TB)/via ticket
1 IPv4
Location: Dallas
Price: $66/mo OR $660/year
Promocode(Monthly): YBDX4U70Q
Promocode(Yearly): 4UHYIKNFTAIG-ESERIES
Order link: https://drserver.net/dedicated.php?pk_campaign=LES

About us:
drServer started offering service around November of 2013, so we’re close to 7 years old now. We are a family-owned hosting company, ARIN Member and a RIPE LIR. We own all our hardware. The doctor is still here and still stronger than ever and can satisfy all your hosting needs.

Useful Links Section:
Terms of Service: https://drserver.net/termsofservice.php?pk_campaign=LES
AUP: https://drserver.net/aup.php?pk_campaign=LES
Ticket us: https://portal.drserver.net/?/tickets/new/
Discord: http://discord.gg/3H5RfvY
Facebook: https://www.facebook.com/drserver.net/
Twiter: https://twitter.com/drservervps

FAQ:
Q: Do you allow gameservers?
Because most gameservers generally attract (D)DoS attacks, we currently do not allow them on our network.
This also applies to voiceservers such as Teamspeak and Mumble.
Q: Can I run a VPN?
Private VPN servers are perfectly fine with us. Public ones, however, are not.
Q: What’s your refund policy?
We do have a 30-day refund policy for your first service with us.
Q: What payment methods are accepted?
We accept payments via PayPal.
Q: Do you have a test IP/file?
Yes.
Q: Do you offer instant setup?
Servers on this offer are instantly provisioned, subject to stock availability.
Q: Why my order was marked as fraud?
The usual reason for an order, being marked as fraud is if you place it from a VPN/Server IP. We do not allow such kind of orders, so if you intend to order with a VPN, it will be marked as fraud. If you are on vacation/holiday and live in a different country, please contact us prior to ordering.

Network Info:
Dallas, USA
Test IPv4: 192.138.210.63
Test IPv6: 2604:0880:0052:0000:0000:0000:01e5:657b
Test file(IPv4): http://lg-dal.ipv4.drserver.net/100MB.test
Looking glass(IPv4): http://lg-dal.ipv4.drserver.net/
Test file(IPv6): http://lg-dal.ipv6.drserver.net/100MB.test
Looking glass(IPv6): http://lg-dal.ipv6.drserver.net/

All network ports have DDoS protection. Our bandwidth mix includes: Level 3, Cogent, Hurricane Electric, GTT, Telia, Equinix Peering, DECIX Peering, Private Peering.

Thanks for reading the thread! Please let us know if you have any questions!

Have a good day!

Install Ubuntu from ISO on IPv6-only KVM Server in SolusIO

yoursunny — Wed, 28 Apr 2021 04:56:30 +0000

This article is originally published on yoursunny.com blog https://yoursunny.com/t/2021/SolusIO-IPv6-ISO/

I recently obtained a KVM virtual server on SolusIO platform, and I want to install Ubuntu 20.04 Server from the official ISO image.
This is not as easy as I hoped, but I figured it out.

Note: if you are in a hurry, skip the "Background" and start from "Part 1" section.

Background: SolusIO cannot Mount ISO Image

SolusIO is a virtual infrastructure management solution published by Plesk International Gmbh, the same company behind the popular SolusVM software.
They describe SolusIO to be the successor of SolusVM, with more focus on the self-service approach for end users.

SolusIO inherits the same clean user interface from SolusVM, and is easy to use.
However, as a power user, I notice several features are missing in SolusIO.
One of these features is the ability to install the operating system from an ISO image.

Presently, SolusIO only supports installing operating systems from the provided templates.
While a template installation is convenient, I prefer to install from official ISO images so that I can have better control over what goes into my system, and avoid vulnerabilities such as the debianuser backdoor.

An easy way to load a ISO installer is through netboot.xyz, a hosted service that can boot a server over the Internet and download the installer of many Linux and BSD distributions.
Even if the VPS hosting platform does not support mounting ISO images, it is possible to install iPXE bootloader per Tip: Install OS via netboot.xyz without ISO support, and then start netboot.xyz from there.

However, this method did not work for me.
The iPXE package, as distributed in most operating systems, only supports IPv4.
To make it work on my IPv6-only server, I would have to recompile iPXE with IPv6 enabled, which could be a complicated task.
I need another way.

Part 1: Boot from ISO on Hard Disk

I thought: can I download the ISO image and load it from hard disk, and start the installer, just like netboot.xyz does, but without going through the network?
I searched for "how to boot ISO from hard disk", and found a helpful guide from Ubuntu documentation site: Grub2/ISOBoot.
Piecing together the information, I found the exact steps to start the Ubuntu installer.

Install Debian 10 from SolusIO template.

As much as I love Ubuntu, it does not work for some reason.

SSH into the server as root, and download official Ubuntu ISO image.

wget https://releases.ubuntu.com/focal/ubuntu-20.04.2-live-server-amd64.iso

Modify /etc/grub.d/40_custom file, and append the following text:

menuentry "Ubuntu 20.04 ISO" {
 set isofile="/root/ubuntu-20.04.2-live-server-amd64.iso"
 rmmod tpm
 loopback loop (hd0,1)$isofile
 linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile noprompt noeject toram
 initrd (loop)/casper/initrd
}

In this snippet:

The path after isofile= is where we downloaded the ISO image.
(hd0,1) is /dev/sda1 written in a syntax recognized by the GRUB bootloader.
If the ISO image file is on a different disk partition, you may need different numbers.
Search for "drive number" on Grub2/ISOBoot page for more information.
The toram option copies the ISO image from the hard drive to the memory, which is necessary because the installer needs to reformat and overwrite the hard drive.
This implies that this method would only work on a machine with large enough memory to fit the entire ISO image, and would not work on 1GB or smaller systems.

Run update-grub.

This command generates /boot/grub/grub.cfg that is directly used by the GRUB bootloader.
It would include the menuentry entered in the last step.
Open VNC window in SolusIO.
Type reboot in SSH session.
A blue screen titled "GNU GRUB" should appear in VNC, but only for 3 seconds.
Quickly press the ⬇️ key, select "Ubuntu 20.04 ISO" menu, and press ENTER.
You might see a message:

error: no such module.

Press any key to continue..._

This is harmless, and you can press ENTER to bypass it.
A minute later, the Ubuntu installer should start, and display the "Please choose you preferred language" screen.

Part 2: Install Ubuntu from In-Memory ISO

Now that we have the installer started, but we need to take care of one more detail before proceeding.

On the very first "Please choose you preferred language" screen, press F2 key, which opens a shell.
Type the following commands:
```
losetup -d /dev/loop0
umount /isodevice
```
These commands umount the ISO image, so that the same hard drive can be used as an installation target.
Type exit to return to the installer.
The installer would attempt to detect the network, and it will probably fail because the KVM server is IPv6-only and the network does not support IPv6 autoconfiguration.

Here I select "Continue without network", because the downloaded ISO image contains all the essential packages.
The rest of installation process is same as any other Ubuntu Server installation.
The installed system will be without network configuration.
It's necessary to login via VNC, add IP address and routes with ip addr add and ip route add commands, before I can SSH into the server and upload my expertly written Netplan configuration.

Common Errors

Temporary failure in name resolution

When I'm downloading the official Ubuntu ISO image, I encountered this error:

# wget https://releases.ubuntu.com/focal/ubuntu-20.04.2-live-server-amd64.iso
--2021-04-28 01:48:26--  https://releases.ubuntu.com/focal/ubuntu-20.04.2-live-server-amd64.iso
Resolving releases.ubuntu.com (releases.ubuntu.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘releases.ubuntu.com’

It turns out that the Debian 10 template from SolusIO has configured an IPv4 address as the DNS server, which does not work in an IPv6-only network:

# cat /etc/resolv.conf
nameserver 10.0.2.3

To resolve the error, configure an IPv6 DNS server such as Cloudflare DNS, before downloading the ISO image:

echo 'nameserver 2606:4700:4700::1111' >/etc/resolv.conf

/etc/grub.d/40_custom: menuentry: not found

When I run update-grub command, I encountered this error:

# update-grub
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.19.0-16-amd64
Found initrd image: /boot/initrd.img-4.19.0-16-amd64
/etc/grub.d/40_custom: 2: /etc/grub.d/40_custom: menuentry: not found
done

This is because I mistakenly deleted the original content of /etc/grub.d/40_custom file, which starts with:

#!/bin/sh
exec tail -n +3 $0

The update-grub command expects every file in /etc/grub.d directory to be a bash script.
What the exec tail line does is that, it prints the content of this file starting from the third line, which happens to be our menuentry.
If this line is deleted, bash would interpret menuentry as a command name, which does not exist, thus causing the error.

To resolve the error, put these two lines back to the top of /etc/grub.d/40_custom.

Block probing did not discover any disks

The Ubuntu installer fails with this message:

Guided storage configuration

Block probing did not discover any disks. Unfortunately this means that
installation will not be possible.

This is because I did not run the commands to umount the ISO, so that the installer is unable to write to the hard drive that contains the ISO image.
Apparently this is a decade old bug.

To resolve the error, restart the server, enter the installer again, and remember to run the umount commands in a shell on the first screen.

Final Words

This article describes how to install Ubuntu 20.04 Server from the official ISO image on an IPv6-only KVM server managed by SolusIO platform.
The steps are verified on Hosterlabs IPv6 only servers - IPv6 Plus plan.

Using part of the IPv6 /64 block to provide public ips to wireguard clients

jnraptor — Tue, 29 Sep 2020 22:33:34 +0000

Thanks to @MaxKVM for providing an awesome hosting service. I have a ticket with them that they and their upstream provider have not been able to resolve, and I would like to get a second opinion here.

I get a /64 block of IPv6 address of which 1 is allocated to the eth0 interface on my VPS. I then allocate a /112 block to Wireguard outside of the eth0 address, and statically assign IPv6 address from this block to wireguard clients.

MaxKVM does not do routed IPv6, but uses on-link IPv6, so I have to enable proxy_ndp on my VPS so that the eth0 interface would respond to neighbor solication (NS) messages with a neighbor advertisement (NA) for addresses in the /112 block.

sudo sysctl -w net.ipv6.conf.all.proxy_ndp = 1
sudo ip -6 neigh add proxy 2402:xxxx:xxxx:xxxx::200:4 dev eth0

When I try to ping an external IPv6 address on my wireguard client, the upstream router of the VPS would then ask who has the 2402:xxxx:xxxx:xxxx::200:4 address so that it knows where to route the response to. The issue though is that the upstream router is sending NS messages with a fe80::xxxx:xxxx:xxxx:fdc0 (IPv6 EUI-64 address) and expecting a reply back to that fe80 address. See tcpdump output below.

jon@max1 /etc: sudo tcpdump -i eth0 -v 'icmp6[icmp6type]=icmp6-neighborsolicit or icmp6[icmp6type]=icmp6-neighboradvert'
04:32:07.414482 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::xxxx:xxxx:xxxx:fdc0 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:32:07.482930 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51
04:32:07.550926 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::xxxx:xxx:xxxx:fdc0
      source link-address option (1), length 8 (1): xx:xx:xx:xx:2d:51

Since I enabled ndp proxying, my VPS tries to respond back to the router's fe80 address with a NA, but determines that it cannot, and sends a NS asking for how to route to that address. As a result, my wireguard client gets a host unreachable error because it gets no response.

However, if I ping the global IPv6 address that is the IPv6 gateway (which is also the router) from the wireguard client, I will see a NS coming from that global IPv6 address. And because it is the gateway, my VPS has no problems with responding with a NA and IPv6 starts working on my wireguard client.

04:39:34.124527 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2402:zzzz:zzzz::1 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:39:34.718943 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32)  > 2402:zzzz:zzzz::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51

Is it normal to block ICMPv6 access to the fe80 address of the upstream router?

For now though, I have switch to NATed IPv6 for my wireguard clients, but what a waste of the /64 block though.

Thanks
Jonathan

IPv6 for lazy dummies

flips — Wed, 17 Mar 2021 10:29:35 +0000

I just realized it's been too long since I read about and learned IPv6 (and so much stuff has also changed since back then).

Got a new VPS, and correct config is something like:

IP/subnet: 2b01:dead:beef:42::2/64
Gateway: 2b01:dead:beef::1

And this works fine. To me this looks like the gateway is on a different subnet (/48) than the interface.
Anyone wants to shed any light on this?

Enable IPv4 Access in EUserv IPv6-only VS2-free

yoursunny — Sun, 20 Dec 2020 17:20:37 +0000

This post is originally published on yoursunny.com blog https://yoursunny.com/t/2020/EUserv-IPv4/

EUserv is a virtual private server (VPS) provider in Germany.
Notably, they offer a container-based Linux server, VS2-free, free of charge.
VS2-free comes with one 1GHz CPU core, 1GB memory, and 10GB storage.
Although I already have more than enough servers to play with, who doesn't like some more computing resources for free?

There's one catch: the VS2-free is IPv6-only.
It neither has a public IPv4 address, nor offers NAT-based IPv4 access.
All you can have is a single /128 IPv6 address.

$ ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
546: eth0@if547:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b2:77:4b:c0:eb:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 2001:db8:6:1::6dae/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5ed4:d66f:bd01:6936/64 scope link
       valid_lft forever preferred_lft forever

If I attempt to access an IPv4-only destination, a "Network is unreachable" error appears:

$ host lgger.nexusbytes.com
lgger.nexusbytes.com has address 46.4.199.225
$ ping -n -c 4 lgger.nexusbytes.com
connect: Network is unreachable

Not having IPv4 access severely restricts the usefulness of the VS2-free, because I would be unable to access many external resources that are not yet IPv6-enabled.
Is there a way to get some IPv4 access in the IPv6-only VS2-free vServer?

NAT64

Stateful NAT64 translation is a network protocol that allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP.
It relies on a dual-stack server, known as a NAT64 translator, to proxy packets between IPv6 and IPv4 networks.

There are a number of public NAT64 services in Europe that would enable IPv4 access from my server.
To use NAT64, all I need to do is changing the DNS settings in my server:

$ sudoedit /etc/resolvconf/resolv.conf.d/base
    nameserver 2a01:4f9:c010:3f02::1
    nameserver 2a00:1098:2c::1
    nameserver 2a00:1098:2b::1

$ sudo resolvconf -u

Note that on a Debian 10 system with resolveconf package, the proper way to change DNS servers is editing /etc/resolvconf/resolv.conf.d/base and then executing resolvconf -u to regenerate /etc/resolv.conf.
If you modify /etc/resolv.conf directly, the changes will be overwritten during the next reboot.

After making the changing, DNS responses for IPv4-only destinations would contain additional IPv6 addresses that belong to the NAT64 translator, which would facilitate the connection:

$ host lgger.nexusbytes.com
lgger.nexusbytes.com has address 46.4.199.225
lgger.nexusbytes.com has IPv6 address 2a00:1098:2c::1:2e04:c7e1
lgger.nexusbytes.com has IPv6 address 2a01:4f9:c010:3f02:64:0:2e04:c7e1
lgger.nexusbytes.com has IPv6 address 2a00:1098:2b::2e04:c7e1

$ ping -n -c 4 lgger.nexusbytes.com
PING lgger.nexusbytes.com(2a00:1098:2c::1:2e04:c7e1) 56 data bytes
64 bytes from 2a00:1098:2c::1:2e04:c7e1: icmp_seq=1 ttl=41 time=39.9 ms
64 bytes from 2a00:1098:2c::1:2e04:c7e1: icmp_seq=2 ttl=41 time=39.7 ms
64 bytes from 2a00:1098:2c::1:2e04:c7e1: icmp_seq=3 ttl=41 time=39.6 ms
64 bytes from 2a00:1098:2c::1:2e04:c7e1: icmp_seq=4 ttl=41 time=39.8 ms

It is easy to gain IPv4 access on the EUserv VS2-free container by using a public NAT64 service, but there are several drawbacks:

The IPv4 addresses of public NAT64 services are shared by many users.
If any other user misbehaves, the shared IPv4 address of the NAT64 translator could be blocklisted by the destination IPv4 service.
The NAT64 translator could apply rate limits if it gets busy.
While we can contact an IPv4-only destination by its hostname, it is still not possible to contact an IPv4 address:
```
$ ping 8.8.8.8
connect: Network is unreachable
```

IPv4 NAT over VXLAN

To get true IPv4 access on an IPv6-only server, we need to create a tunnel between the IPv6-only server and a dual-stack server, and then configure Network Address Translation (NAT) on the dual stack server.
Many people would think about using a VPN software, such as OpenVPN or WireGuard.
However, VPN is overkill, because there is a lighter weight solution: VXLAN.

VXLAN, or Virtual eXtensible Local Area Network, is a framework for overlaying virtualized layer 2 networks over layer 3 networks.
In our case, I can create a virtualized Ethernet (layer 2) network over an IPv6 (layer 3) network.
Then, I can assign IPv4 addresses to the virtual Ethernet adapters, in order to give IPv4 access to the previously IPv6-only VS2-free vServer.

I have a small dual-stack server in Germany, offered by Gullo's Hosting.
It is an OpenVZ 7 container.
It runs Debian 10, the same operating system as my VS2-free.
I will be using this server to share IPv4 to the VS2-free.

In the examples below:

2001:db8:473a:723d:276e::2 is the public IPv6 address of the dual-stack server.
2001:db8:6:1::6dae is the public IPv6 address of the IPv6-only server.
192.0.2.1 is the public IPv4 address of the dual-stack server.

After reverting the DNS changes from the previous section, I execute the following commands on the EUserv vServer to setup a VXLAN tunnel:

sudo ip link add vx84 type vxlan id 0 remote 2001:db8:473a:723d:276e::2 local 2001:db8:6:1::6dae dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 192.168.84.2/24 dev vx84
sudo ip route add 0.0.0.0/0 via 192.168.84.1

Note that I reduced the MTU of the VXLAN tunnel interface to 1420 from the default 1500.
This is necessary to accommodate the overhead of VXLAN headers, so that the encapsulated IPv6 packets can fit into the normal MTU.

On the dual-stack server, I execute these commands to setup its end of the tunnel and enable NAT:

sudo ip link add vx84 type vxlan id 0 remote 2001:db8:6:1::6dae local 2001:db8:473a:723d:276e::2 dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 192.168.84.1/24 dev vx84
sudo iptables-legacy -t nat -A POSTROUTING -s 192.168.84.0/24 ! -d 192.168.84.0/24 -j SNAT --to 192.0.2.1

It's worth noting that the command for enabling NAT is iptables-legacy instead of iptables.
Apparently, there are two variants of iptables that access different kernel APIs.
Although both commands would succeed, only iptables-legacy is effective in an OpenVZ 7 container.
This had me scratching my head for a while.

After these setup, I'm able to access IPv4 from the IPv6-only server:

$ traceroute -n -q1 lgger.nexusbytes.com
traceroute to lgger.nexusbytes.com (46.4.199.225), 30 hops max, 60 byte packets
 1  192.168.84.1  23.566 ms
 2  *
 3  213.239.229.89  34.058 ms
 4  213.239.229.130  23.615 ms
 5  94.130.138.54  24.077 ms
 6  46.4.199.225  23.955 ms

In Wireshark, these packets would look like this:

Frame 5: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits)
Linux cooked capture v1
Internet Protocol Version 6, Src: 2001:db8:6:1::6dae, Dst: 2001:db8:473a:723d:276e::2
User Datagram Protocol, Src Port: 53037, Dst Port: 4789
Virtual eXtensible Local Area Network
Ethernet II, Src: b6:ab:7c:af:51:d1 (b6:ab:7c:af:51:d1), Dst: be:ce:c9:cf:a7:f3 (be:ce:c9:cf:a7:f3)
Internet Protocol Version 4, Src: 192.168.84.2, Dst: 46.4.199.225
User Datagram Protocol, Src Port: 50047, Dst Port: 33439
Data (32 bytes)

Make Them Persistent

Effect of ip commands will be lost after a reboot.
Normally the VXLAN tunnel should be written into the ifupdown configuration file, but as I discovered earlier, OpenVZ 7 would revert any modifications to the /etc/network/interfaces file.
Thus, I have to apply these changes dynamically using a systemd service.

The systemd service unit for the IPv6-only server is:

[Unit]
Description=VXLAN tunnel to vps9
After=network-online.target
Wants=network-online.target

[Service]
ExecStartPre=ip link add vx84 type vxlan id 0 remote 2001:db8:473a:723d:276e::2 local 2001:db8:6:1::6dae dstport 4789
ExecStartPre=ip link set vx84 mtu 1420
ExecStartPre=ip link set vx84 up
ExecStartPre=ip addr add 192.168.84.2/24 dev vx84
ExecStartPre=ip route add 0.0.0.0/0 via 192.168.84.1
ExecStart=true
RemainAfterExit=yes
ExecStopPost=ip link del vx84

[Install]
WantedBy=multi-user.target

The systemd service unit for the dual-stack server is:

[Unit]
Description=VXLAN tunnel to vps2
After=network-online.target
Wants=network-online.target

[Service]
ExecStartPre=ip link add vx84 type vxlan id 0 remote 2001:db8:6:1::6dae local 2001:db8:473a:723d:276e::2 dstport 4789
ExecStartPre=ip link set vx84 mtu 1420
ExecStartPre=ip link set vx84 up
ExecStartPre=ip addr add 192.168.84.1/24 dev vx84
ExecStartPre=iptables-legacy -t nat -A POSTROUTING -s 192.168.84.0/24 ! -d 192.168.84.0/24 -j SNAT --to 192.0.2.1
ExecStart=true
RemainAfterExit=yes
ExecStopPost=iptables-legacy -t nat -D POSTROUTING -s 192.168.84.0/24 ! -d 192.168.84.0/24 -j SNAT --to 192.0.2.1
ExecStopPost=ip link del vx84

[Install]
WantedBy=multi-user.target

On both servers, this service unit file should be uploaded to /etc/systemd/system/vx84.service.
Then, I can enable the service unit with these commands:

sudo systemctl daemon-reload
sudo systemctl enable vx84

They will take effect after a reboot:

$ ip addr show vx84
4: vx84:  mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether f2:4c:5d:6c:4b:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.84.2/24 scope global vx84
       valid_lft forever preferred_lft forever
    inet6 fe80::f04c:5dff:fe6c:4b25/64 scope link
       valid_lft forever preferred_lft forever

$ ping -c 4 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=28.9 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=28.7 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=28.9 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=57 time=28.10 ms

Conclusion

This article describes two methods of gaining IPv4 access on an IPv6-only server such as the EUserv VS2-free.

Use a public NAT64 translator.
Establish a VXLAN tunnel to a dual-stack server, and then configure IPv4 addresses and NAT on the virtual Ethernet interfaces.

To workaround OpenVZ 7 limitation of not being able to modify /etc/network/interfaces, we use a systemd service unit to dynamically establish and teardown the VXLAN tunnel and related configuration.

How to Select Default IPv6 Source Address for Outbound Traffic in OpenVZ 7

yoursunny — Sun, 13 Dec 2020 23:45:31 +0000

This post is originally published on yoursunny.com blog https://yoursunny.com/t/2020/preferred-lft-vz7/

I bought a few Virtual Private Servers (VPS) on Black Friday, and have been busy setting them up.
Nowadays, most VPS comes with an IPv6 subnet that contains millions of possible addresses.
Initially, only one IPv6 address is assigned to the server, but the user can assign additional addresses as desired.
Given that I plan to run multiple services within a server, I added a few more IPv6 addresses so that each service can have a unique IPv6 address.

One of my servers is using OpenVZ 7 virtualization technology, in which I installed Debian 10 operating system.
Commonly, OpenVZ 7 uses virtual network device (venet) that does not have a MAC address.
venet devices are not fully IPv6 compliant, but still works if you statically assign IPv6 addresses.
Moreover, every IP address used in a container must be configured from the host node, because venet would drop ip-packets from the container with a source address, and in the container with the destination address, which is not corresponding to an ip-address of the container.
Therefore, I must use the VPS control panel, in this case SolusVM, to assign IPv6 addresses to my server:

In the Add IP section, the IPv6 subnet prefix 2001:db8:f1c1:8454:0964: is already shown.
Notice that I am putting a colon (:) in front of the suffix beef, so that they concatenate to the full address 2001:db8:f1c1:8454:0964::beef.
Forgetting this colon would cause "Invalid Entry" error.

After making this change in the SolusVM control panel, the /etc/network/interface file on my server is updated automatically:

# This configuration file is auto-generated.
# WARNING: Do not edit this file, otherwise your changes will be lost.
# Please edit template /etc/network/interfaces.template instead.
auto lo
iface lo inet loopback
# Auto generated venet0 interfaces
auto venet0
iface venet0 inet static
        address 127.0.0.1
        netmask 255.255.255.255
        broadcast 0.0.0.0
        up route add default dev venet0
iface venet0 inet6 static
        address ::2
        netmask 128
        up ip -6 r a default dev venet0
        up ip addr add 2001:db8:f1c1:8454:0964::2/80 dev venet0
        up ip addr add 2001:db8:f1c1:8454:0964::beef/80 dev venet0
auto venet0:0
iface venet0:0 inet static
        address 10.10.23.159
        netmask 255.255.255.255

I'm also seeing two IPv6 addresses:

$ ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0:  mtu 1500 qdisc noqueue state UNKNOWN group default
    link/void
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet 192.0.2.30/32 brd 192.0.2.30 scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:f1c1:8454:0964::beef/80 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:f1c1:8454:0964::2/80 scope global
       valid_lft forever preferred_lft forever
    inet6 ::2/128 scope global
       valid_lft forever preferred_lft forever

I intend to host my secret beef recipes on its unique IPv6 address 2001:db8:f1c1:8454:0964::beef, and use the other address 2001:db8:f1c1:8454:0964::2 for outbound traffic such as pings and traceroutes.
However, I noticed that the wrong address is being selected for outgoing packets:

$ ping 2001:db8:9f16:8fc7::9

$ sudo tcpdump -n icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:25:18.264905 IP6 2001:db8:f1c1:8454:0964::beef > 2001:db8:9f16:8fc7::9: ICMP6, echo request, seq 1, length 64
10:25:18.265014 IP6 2001:db8:9f16:8fc7::9 > 2001:db8:f1c1:8454:0964::beef: ICMP6, echo reply, seq 1, length 64
10:25:19.264939 IP6 2001:db8:f1c1:8454:0964::beef > 2001:db8:9f16:8fc7::9: ICMP6, echo request, seq 2, length 64
10:25:19.265013 IP6 2001:db8:9f16:8fc7::9 > 2001:db8:f1c1:8454:0964::beef: ICMP6, echo reply, seq 2, length 64

I started searching for a solution, and learned that:

Default Address Selection for Internet Protocol version 6 (IPv6) is a very complicated topic.
An application can explicitly specify a source address.
For example, I can invoke ping -I 2001:db8:f1c1:8454:0964::2 2001:db8:9f16:8fc7::9 to use the desired source address.
Each local IPv6 address can be either "preferred" or "deprecated".
If the application does not specify a source address, the system would prefer to use a "preferred" address instead of a "deprecated" address.

As shown in the ip addr output above, currently both addresses are "preferred" on my server.
This means, both addresses are equally possible of being used as the default source address.
If I can make 2001:db8:f1c1:8454:0964::2 "preferred" and all other addresses "deprecated", I would achieve my goal of making 2001:db8:f1c1:8454:0964::2 the default source address for outbound traffic.

How can I set an IPv6 address as "deprecated"?
After some digging, I found that it is controlled by the preferred_lft (preferred lifetime) attribute.
This attribute indicates the remaining time an IP address is to remain "preferred".
Unless it is set to "forever", preferred_lft counts down every second, and the IP address becomes "deprecated" when it reaches zero.
If the IP address was added with preferred_lft set to zero, it would be "deprecated" since the beginning.

The command to change preferred_lft of an existing IPv6 address is:

sudo ip addr change 2001:db8:f1c1:8454:0964::beef/80 dev venet0 preferred_lft 0

This change takes effect immediately, and outgoing packets start using 2001:db8:f1c1:8454:0964::2 as source address, as I wanted.
However, after a reboot, both IPv6 addresses would become "preferred" again.

As we have seen, the /etc/network/interfaces file is adding IPv6 addresses in a post-up command that runs after ifupdown package brings the interface up.
Can we change this command and set preferred_lft to zero?

So I modified the /etc/network/interfaces file, changing that line to:

up ip addr add 2001:db8:f1c1:8454:0964::beef/80 dev venet0 preferred_lft 0

However, modifying /etc/network/interfaces in an OpenVZ 7 container would not work.
Although I can see the modification right away, after a reboot, the file is automatically restored to the default state, reverting any changes.

After poking around for a while, I figured out the solution: create a systemd service to change the preferred_lft attribute.
The following commands will do the magic:

sudo apt install -y jq
sudo mkdir -p /usr/local/bin

sudo tee /usr/local/bin/network-preferredlft.sh > /dev/null <<'EOT'
#!/bin/bash
set -e
set -o pipefail

ip -j addr show dev $IFACE \
  | jq -r '
    .[] | select(.addr_info) | .addr_info[] |
    select(.family=="inet6" and .scope=="global") |
    select(.local | (endswith(":1") or endswith(":2")) | not) |
    "ip addr change "+.local+"/"+(.prefixlen|tostring)+" dev "+env.IFACE+" preferred_lft 0"' \
  | sh
EOT

sudo chmod +x /usr/local/bin/network-preferredlft.sh

sudo tee /etc/systemd/system/network-preferredlft.service > /dev/null <<'EOT'
[Unit]
Description=Change preferred_lft
Documentation=https://yoursunny.com/t/2020/preferred-lft-vz7/
After=network-online.target
Wants=network-online.target

[Service]
Environment="IFACE=venet0"
Type=oneshot
ExecStart=/usr/local/bin/network-preferredlft.sh

[Install]
WantedBy=multi-user.target
EOT

sudo systemctl daemon-reload
sudo systemctl enable network-preferredlft

The script /usr/local/bin/network-preferredlft.sh retrieves a list of IP addresses assigned to the network interface specified by the environment variable $IFACE.
For each global-scope IPv6 address that does not end with :1 or :2, the preferred_lft attribute is changed to zero.

After executing the above command and rebooting, I can see that the IPv6 address 2001:db8:f1c1:8454:0964::beef is correctly marked as "deprecated" and no longer selected as the default source address.
Now I can securely host my secret beef recipes on 2001:db8:f1c1:8454:0964::beef without worrying about others discovering this "deprecated" IPv6 address through my outbound network traffic.

$ ip addr show dev venet0
2: venet0:  mtu 1500 qdisc noqueue state UNKNOWN group default
    link/void
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet 192.0.2.30/32 brd 192.0.2.30 scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:f1c1:8454:0964::beef/80 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8:f1c1:8454:0964::2/80 scope global
       valid_lft forever preferred_lft forever
    inet6 ::2/128 scope global
       valid_lft forever preferred_lft forever

$ ping 2001:db8:9f16:8fc7::9

$ sudo tcpdump -n icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:40.185496 IP6 2001:db8:f1c1:8454:0964::2 > 2001:db8:9f16:8fc7::9: ICMP6, echo request, seq 1, length 64
11:03:40.185598 IP6 2001:db8:9f16:8fc7::9 > 2001:db8:f1c1:8454:0964::2: ICMP6, echo reply, seq 1, length 64
11:03:41.187229 IP6 2001:db8:f1c1:8454:0964::2 > 2001:db8:9f16:8fc7::9: ICMP6, echo request, seq 2, length 64
11:03:41.187273 IP6 2001:db8:9f16:8fc7::9 > 2001:db8:f1c1:8454:0964::2: ICMP6, echo reply, seq 2, length 64

This article explained how to change default IPv6 source address selection by marking an IPv6 address "deprecated" via a systemd service that invokes ip addr command after ifupdown brings up the network interface.
The described technique works in OpenVZ 7 and Debian 10, and has been tested in a VPS provided by Gullo's Hosting.
If you are using KVM and Ubuntu 20.04, check out How to Select Default IPv6 Source Address for Outbound Traffic with Netplan.

How to Select Default IPv6 Source Address for Outbound Traffic with Netplan

yoursunny — Mon, 07 Dec 2020 02:20:03 +0000

This post is originally published on yoursunny.com blog https://yoursunny.com/t/2020/preferred-lft-netplan/

One of my servers is using KVM virtualization technology, in which I installed Ubuntu 20.04 operating system manually from an ISO image.
Unlike a template-based installation, an ISO-installed Ubuntu 20.04 system manages its networks using Netplan, a backend-agnostic network configuration utility that generates network configuration from YAML files.
Most VPS control panels, including SolusVM and Virtualizer, are unable to generate the YAML files needed by Netplan.
IPv4 works out of box via DHCP, but IPv6 has to be configured manually.
To assign two IPv6 addresses to my server, I need to write the following in /etc/netplan/01-netcfg.yaml:

network:
  version: 2
  ethernets:
    ens3:
      dhcp4: true
      addresses:
        - 2001:db8:30fa:5877::1/64
        - 2001:db8:30fa:5877::beef/64
      routes:
        - to: ::/0
          via: 2001:db8:30fa::1
          on-link: true
      nameservers:
        addresses:
        - 2001:4860:4860::8888
        - 2606:4700:4700::1111

I intend to host my secret beef recipes on its unique IPv6 address 2001:db8:30fa:5877::beef, and use the other address 2001:db8:30fa:5877::1 for outbound traffic such as pings and traceroutes.
However, I noticed that the wrong address is being selected for outgoing packets:

$ ping 2001:db8:57eb:8479::2

$ sudo tcpdump -n icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:44:48.704099 IP6 2001:db8:30fa:5877::beef > 2001:db8:57eb:8479::2: ICMP6, echo request, seq 1, length 64
00:44:48.704188 IP6 2001:db8:57eb:8479::2 > 2001:db8:30fa:5877::beef: ICMP6, echo reply, seq 1, length 64
00:44:49.704011 IP6 2001:db8:30fa:5877::beef > 2001:db8:57eb:8479::2: ICMP6, echo request, seq 2, length 64
00:44:49.704099 IP6 2001:db8:57eb:8479::2 > 2001:db8:30fa:5877::beef: ICMP6, echo reply, seq 2, length 64

I started searching for a solution, and learned that:

Default Address Selection for Internet Protocol version 6 (IPv6) is a very complicated topic.
An application can explicitly specify a source address.
For example, I can invoke ping -I 2001:db8:30fa:5877::1 2001:db8:57eb:8479::2 to use the desired source address.
Each local IPv6 address can be either "preferred" or "deprecated".
If the application does not specify a source address, the system would prefer to use a "preferred" address instead of a "deprecated" address.

Currently, both addresses are "preferred" on my server:

$ ip addr show dev ens3
2: ens3:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 92:b6:ab:eb:04:00 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.30/24 brd 192.0.2.255 scope global dynamic ens3
       valid_lft 21599977sec preferred_lft 21599977sec
    inet6 2001:db8:30fa:5877::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:30fa:5877::beef/64 scope global
       valid_lft forever preferred_lft forever

This means, both addresses are equally possible of being used as the default source address.
If I can make 2001:db8:30fa:5877::1 "preferred" and all other addresses "deprecated", I would achieve my goal of making 2001:db8:30fa:5877::1 the default source address for outbound traffic.

Netplan gained support for preferred_lft setting very recently since version 0.100-0ubuntu4.
The syntax to specify preferred_lft of an IPv6 address is:

addresses:
  - 2001:db8:30fa:5877::1/64
  - 2001:db8:30fa:5877::beef/64:
      lifetime: 0

Notice that there is a colon (:) after the IPv6 address 2001:db8:30fa:5877::beef/64, because it is syntactically a map key instead of a string value.
The equivalent structure in JSON looks like:

{
  "addresses": [
    "2001:db8:30fa:5877::1/64",
    {
      "2001:db8:30fa:5877::beef/64": {
        "lifetime": 0
      }
    }
  ]
}

After applying this change, the IPv6 address 2001:db8:30fa:5877::beef is correctly marked as "deprecated" and no longer selected as the default source address.
Now I can securely host my secret beef recipes on 2001:db8:30fa:5877::beef without worrying about others discovering this "deprecated" IPv6 address through my outbound network traffic.

$ sudo netplan apply

$ ip addr show dev ens3
2: ens3:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 92:b6:ab:eb:04:00 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.30/24 brd 192.0.2.255 scope global dynamic ens3
       valid_lft 21598263sec preferred_lft 21598263sec
    inet6 2001:db8:30fa:5877::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:30fa:5877::beef/64 scope global deprecated
       valid_lft forever preferred_lft 0sec

$ ping 2001:db8:57eb:8479::2

$ sudo tcpdump -n icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:44:48.704099 IP6 2001:db8:30fa:5877::1 > 2001:db8:57eb:8479::2: ICMP6, echo request, seq 1, length 64
00:44:48.704188 IP6 2001:db8:57eb:8479::2 > 2001:db8:30fa:5877::1: ICMP6, echo reply, seq 1, length 64
00:44:49.704011 IP6 2001:db8:30fa:5877::1 > 2001:db8:57eb:8479::2: ICMP6, echo request, seq 2, length 64
00:44:49.704099 IP6 2001:db8:57eb:8479::2 > 2001:db8:30fa:5877::1: ICMP6, echo reply, seq 2, length 64

This article explained how to change default IPv6 source address selection by marking an IPv6 address "deprecated" via Netplan.
The described technique works in KVM and Ubuntu 20.04, and has been tested in a VPS provided by Spartan Host.
If you are using a OpenVZ 7 container, check out How to Select Default IPv6 Source Address for Outbound Traffic in OpenVZ 7.

THE AIO IP Related Thread. (IPv4 + IPv6 + ASN) (Only Providers and LIRs are allowed to post offers)

SGraf — Thu, 12 Nov 2020 12:44:08 +0000

Hi everyone!

By now there are a few Providers and LIRs that rent out & sell resources.
All future IP/ASN related commercial requests or questions are to be posted in this thread.

Only members with Provider or LIR tags are allowed to post offers in this thread.
Requests can be placed by anyone.

Good Luck

HE Tunnel Broker and OpenVZ Container with inception hosting

bolto90 — Thu, 16 Jul 2020 21:16:54 +0000

when i try to bring up the ipv6 tunnel interface I get the following error message has anyone else tried this.

add tunnel "sit0" failed: No such device

Cloudflare IPv4 to IPv6 not working?

bunsenb — Thu, 18 Jun 2020 03:42:48 +0000

Hi all, I just got a new NAT VPS and tried to set it up with Cloudflare and I am unable to access the nginx page that I have configured through Cloudflare (proxied) on my home (IPv4) or LTE (IPv4/IPv6) connection. Everything works fine if I turn off the Cloudflare proxy feature accessing the domain from my LTE connection. This worked with no issues when I was running mikho's NAT VPS a year or two but Cloudflare has changed their UI since then for DNS.

Is there something obvious I'm overlooking? The AAAA record is configured fine, it's just the IPv4->IPv6 proxy on their end that isn't working correctly.

Did you pick up a Mouse Storage box from Servarica ?

Rahul — Tue, 03 Dec 2019 14:22:13 +0000

if so, how are they now ? since the bench marking mania may have ended.

Btw the specs were

1 CPU cores shared
1GB RAM
500gb disk
100mbps with 2TB limit
/64 IPv6 included
12$/year
Montreal, Canada ( Not OVH)