Getting Started on a RHEL box

What is this page about?

I've just got my first tunnel going. Although all the information necessary to do this is available in the FAQ, it can be difficult to wade through all that knowledge when you don't really understand enough of the technology and terminology to make sense of it.

There will undoubtedly be errors and omissions in this page - it is the results of my experiments. I hope it is useful.

I have a static IPv4 address, so I've based the page on that. I might change it as I learn more about non-static tunnels.

Why have you picked such a crusty old pair of distros?

I standardised on RHEL-derived operating systems many years ago. I have a mixture of RHEL3, 4, and 5 boxes on my network. One day, I'll get round to updating them - but I've been saying that for years.

My main workstation is based on RHEL4, and my main server on RHEL3. These are the boxes I have used so far. I'll add anything relevant to RHEL5 (and 6) if it differs, and if I get round to it. I am very lazy, so don't hold your breath.

Getting a tunnel - sign-up

Signing up is simple. Just fill out the form at the Signup Page. There's nothing complicated there. I'll assume you get accepted (they accepted me, they must be accommodating!)

Getting a tunnel - requesting a tunnel

If you've just signed up successfully, you can request a tunnel from the menu at the top-left of most pages. This will cost you 10 ISK (and a further 5 if accepted). That's most of your initial allowance, so go carefully from here on in. It's very frustrating to run out of credit, and means you can't put full URLs into pages like this (the request links become disabled once your credit is too low).

Starting your tunnel

Firstly, get yourself a copy of aiccu. I used the Fedora 12 Source RPM, but that's because I was using a Fedora laptop as I started. You can also get aiccu from EPEL - that should build happily on either EL4 or EL3 (the Fedora version does), but I haven't actually tested that myself.

The aiccu configuration is in /etc/aiccu.conf. You need to put your username and password (which were emailed to you when your account was accepted) in there.

I set up my tunnel ID (which was emailed when my tunnel was granted). That's not important for a single tunnel, but it can't hurt. I also set the "verbose" flag to "true" (which helps during debug) and "behindnat" to "true".

Now comes the important bit - this took me a while to find. At the bottom of the file is a parameter "local_ipv4_override". Set this to the internal IP address of the machine that will be running the tunnel connection - so, in my case, this is "local_ipv4_override 10.0.0.3". Without this setting, any proto-41 packets that make it through your router will fail to get to your computer.

That should allow you to start your tunnel - simply use

aiccu start

If you've turned on verbose output in the config file, you'll see quite a bit of info, and you should be able to ping the other end of the tunnel (or anywhere else - try, for example, "ping6 ipv6.google.com").

Happy so far? You've just set up your tunnel. Well done. Have a swift half. But don't celebrate too heartily yet - you're not finished.

Getting your tunnel to start automagically

First, stop your tunnel (with "aiccu stop"). Try pinging a few things to satisfy yourself that is has actually gone down.

Now restart the tunnel with the initscript - type

service aiccu start

Your tunnel should now be back up, and your ping6 commands work again. Try it out.

If that works, you'll usually want to start the tunnel on boot. I start mine in runlevels 3, 4, and 5. you can do this with the simple command

chkconfig --level 345 aiccu on

If you want to pick different runlevels - change the command accordingly.

Keeping the tunnel up

OK, we're almost there. You now have a working tunnel, and can ping to your heart's content. You can visit IPv6-enabled websites and see all that glorious IPv6 goodness. But if you ignore your tunnel, it will die.

There are a couple of things going on here, and I don't pretend to understand all of it. But the fix is dead simple - just send some traffic through the tunnel on a regular basis. The simplest traffic you can send is a ping6, and you've got a cron daemon to do things on a regular basis - put the two together, and you've got a tunnel keep-alive.

I made a cron entry at /etc/cron.d/sixxs_tunnel, and it is simply this :-

0-59/20 * * * * root ping6 -c 1 ipv6.google.com > /dev/null

This sends a single ping to Google (who can afford the traffic) every 20 minutes, and throws the result away. This works for me - you might like to tune it a bit to suit. Or not.

Now watch your results

By this stage, you either have a working, resilient tunnel, or you hate me with a passion. Either way, you've finished.

Now, you need to keep an eye on your tunnel. SixXs will ping you twice an hour for about 3 minutes, and log the results. If your tunnel fails, you will be penalised by loss of credit. That means you can't do other stuff. Credit takes a long time to build up, so attend to any problems quickly.