Six into 4 won't go#

Wed, 02 Dec 2020 21:45:00 +0000

Advent of Blog, day 2: publishing IPv6 services to the IPv4 net

One of the nice things about IPv6 is that with a reasonably competent ISP (I would recommend Andrews & Arnold who have so far proven to be far more than just reasonably competent) for your home internet you can have squillions of internet addresses and run public services from any box in your home network. Servers under desks, or VMs or laptops or Raspberry Pis or ... - unlike the bad old days of IPv4 you don't have to decide on one single machine to forward port 443 to and have everything running on nginx "virtual hosts" on that one box.

As long as you're accessing them from the IPv6 internet, anyway. If you're stuck with legacy internet (in my case, my mobile provider, and when in some post-covid world they finally let me back into the office, $WORK's wifi) this doesn't help and you have to go back to forwarding ports. Here's a reasonably hassle-free way to do it though: sniproxy.

[SNI Proxy] proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

How we do it:

• pick one machine to be the proxy. Add a port forward in the router so that $YOUREXTERNALIPV4ADDRESS:443 is forwarded to $THISMACHINE:8443 (that 8443 could be anything really)

• set up DNS for each of your services such that they have an AAAA record with their actual global IPv6 address, and an A record of $YOUREXTERNALIPV4ADDRESS

• configure sniproxy something like this (in configuration.nix or some other file it imports):

  networking.firewall.allowedTCPPorts = [ 8443 ];
  services.sniproxy = {
    enable = true;
    config = ''
        resolver {
            nameserver 192.168.8.1      
            mode ipv6_only
        }
        listener 0.0.0.0:8443 {
            protocol tls
            reuseport yes
            table rewrites
        }
        table rewrites {
            ^(.*.telent.net)$ *:443
        }
    ''; 
  };
}

What this says is: "listen on ipv4 port 8443, when you get a request for a hostname ending in `telent.net`, forward to the same hostname, port 443, but resolved using IPv6".

Job's a good'un and that wraps it up for today. If I don't think of a better idea in the next 23 hours, tomorrow's topic has no Nix in it at all and is all about MQTT-controlled Wifi Christmas lights.