Sometimes we want to test software or do remote monitoring and testing that you may not want to pay a premium to do, or maybe you just want to do it as a hobby. In this post I will share some tips on where to find dirt-cheap providers of virtual servers (VPS).
I strongly advise against placing any production or critical workflows on any of these; use for testing or fun.
I wanted to document my Microsoft Azure saga in getting a public IPv6 address to work in a virtual machine without a load balancer in front of it. My needs were pretty simple and straightforward I wanted a virtual server that had a static IPv4 and IPv6 public addresses so that I can monitor my home network and other websites.
You would think this would be pretty easy, a few clicks and done? That wasn’t my experience on Azure and setting this up isn’t easy nor straightforward. Below is how to get it done, if this helps you – you can buy me a coffee or beer.
Posted in Blog, Cloud, Linux, Technology, Troubleshooting, Virtualization
Tagged azure, cloud, dual stack, ipv6, networking, virtual server, virtualization, vm, vmnet
If you’re looking to create a bootable USB drive to install multiple operating systems or other images you should take a look into Ventoy.
Ventoy is an open source tool that allows you to format the USB disk and drop any .iso image into the USB drive – magically making any .iso be bootable without having to reformat the USB disk multiple times when you want to image different things.
An aggregate quicklist of commands for use in IPv6 on Windows 10. This is nowhere near exhaustive nor is it intended to be authoritative at all; just a collection of commands I want to save for quick reference.
# Find out the INTERFACE-ID or "ZONE ID" to send outgoing packets thru
netsh interface ipv6 show interface
ping fe80::2080:218b:b6e7:8f35%4 (sends out ping via ID 4)
This post is intended to be a quick note to self on linux IPv6 commands, for quick reference when needed.
# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e
ip -6 route
route -A inet6 (apt-get install net-tools) # equivalent to netstat -rn -A inet6
netstat -A inet6 -rn
ip -6 route show table 51820
ip -6 neigh
ip -6 neigh show proxy
# DHCPv6 release / renew
dhclient -6 -r ens18
dhclient -6 ens18
# Flush IPv6 neighbors cache
ip -family inet6 neigh flush any
# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e
# Request a router advertisement (apt-get install -y ndisc6)
# Perform a Neighbor Solicitation (arp IPv4 equivalent) (apt-get install -y ndisc6)
ndisc6 2001:db8::42 eth0
# ping multicast address to have all link-local hosts to respond.
Good articles about IPv6:
Bonus section ‘ufw’ firewall
Check status of firewall and enable or disable.
# ufw status
# ufw enable
# ufw disable
View firewall rules and number to delete a specific rule.
# ufw status verbose
# ufw status numbered
Delete a firewall rule (from number of last cmd)
# ufw delete 12
Rules needed to allow IPv6 routing via wireguard to endpoint (no iptables forwarding would be needed on IPv6 as the other peer carries the public IP – they also should implement a firewall before using the below command!)
# ufw route allow in on eth0 out on wghub to 2602:xxx:730b:xxx:cafe::12
IPv4 firewall and routing rule to open Plex Media Server port 32400 and internal IPv4 space of wireguard peer.
# ufw allow in on eth0 out on wghub to 10.100.100.11 port 32400
# ufw route allow in on eth0 out on wghub to 10.100.100.11 port 32400
Add rule and get logs for matches of that rule:
# ufw allow log proto any from any to 192.168.1.x
# tail -f /var/log/ufw.log
Extra bonus iptables NAT forwarding
On VPS (public endpoint) forward IPv4 traffic on tcp/32400 to wireguard peer. (recall IPv6 doesn’t need a rule)
# iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 32400 -j DNAT –to 10.100.100.11:32400
Test your port forwards
For IPv6 I use:
A quick note / command snippet for filtering ICMPv6 packets when troubleshooting IPv6 autoconfiguration.
# tcpdump -i eth0 -v '(icmp6 && ip6 == 134) or (icmp6 && ip6 == 133) or (icmp6 && ip6 == 135) or (icmp6 && ip6 == 136)'
The most common ICMPv6 types are:
- unreachable: 1
- too-big: 2
- time-exceeded: 3
- echo-request: 128
- echo-reply: 129
- router-solicitation: 133
- router-advertisement: 134
- neighbor-solicitation: 135
- neighbor-advertisement: 136
Legacy IPv4 network space is exhausted, and new internet service providers like T-mobile 5G home internet run an IPv6 only network.
Sometimes you can’t use the IPv6 addresses due to your ISP not being mature enough to provide IPv6 prefix delegation in combination with the lack of advanced features on the T-mobile 5G home router like ‘bridge mode’ you may be stuck with a double NAT situation.
In 2021, I would say that implementing IPv6 on your network is almost mandatory. Major service providers like Netflix, Google, Cloudflare and others operate dual-stack networks.
I’ll admit that my home network running OPNsense firewall has had IPv6 disabled to avoid complexities since only 30% of the internet uses IPv6 today. However, I decided that its time to try to fix this since I wanted all my devices on my network to be able to pass IPv6 readiness tests like http://ipv6-test.com and http://test-ipv6.com.
Internet Service Provider (ISP) addresses
Router: Nokia 5G Fastmile (T-mobile home internet)
Provides all direct-connected devices with a NAT IPv4 addresses in the range of 192.168.12.0/24.
IPv6 addresses are from the public unicast T-mobile segment assigned to your router, however T-mobile IPv6 network does heavy inbound packet filtering. You won’t be able to ping or access your public unicast IPv6 addresses from anywhere (sucks right?)
To configure a dual-stack local area network in OPNSENSE, assume you have a ‘fresh install’ which already has IPv6 enabled on the system.
- Configure your WAN interface to obtain DHCPv6 addresses.
- Configure your LAN interface to Static IPv6
- assign static IPv6 of fdde:5453:540e:ff12::1
- Configure your LAN DHCPv6 service to this range
- range start: fdde:5453:540e:ff12::2
- range end: fdde:5453:540e:ff12:ffff:ffff:ffff:ffff
- Configure Firewall > NAT > Outbound
- set to ‘hybrid’
- Add manual rule
- interface WAN
- Version IPv6
- protocol any
- source LAN
- destination any
- translation target WAN address
- Configure Services > Router Advertisement LAN
- From ‘disabled’ to ‘Assisted’
- Save all settings and ensure all services are restarted.
Your clients on LAN should now get a local IPv6 address from DHCPv6, the outbound NAT rule should allow you to pass the IPv6 tests and communicate with IPv6 internet hosts via the single IPv6 WAN address that the T-mobile home router gives out.
I’m hoping that T-mobile becomes a more mature ISP in the future, while speeds are great there are several shortcomings to relying on 5G Home internet service for home use. These problems don’t exist in Comcast and AT&T Fiber:
– IPv6 Prefix Delegation (PD) so you can subnet all your networks.
– Packet filtering that you can’t disable or manage yourself. On AT&T fiber and comcast you can host your own remotely accessible VPN server. Not on T-mobile so beware if that’s your use case.
The following command will allow host 192.168.1.10 to have write access and mount this volume remotely, all while identifying changes as ‘root’ – this is helpful for a container data store when you have docker running on a VM in proxmox but want to piggyback from the resilient ZFS storage in proxmox.
zfs set sharenfs="[email protected]" gdata/containers
I’m experimenting with TunSafe which is a fork of wireguard that includes traffic obfuscation built-in. Traffic obfuscation is useful to hide VPN traffic from ISP’s network throttling which is done when network packet inspection identifies a tunnel protocol.
You will need a privileged container in proxmox.
Add this to container configuration file
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
Without this setting on the configuration file of the container tunsafe will not start. Error similar to:
~# systemctl status tunsafe.service
● tunsafe.service - TunSafe service
Loaded: loaded (/etc/systemd/system/tunsafe.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2021-01-24 19:22:59 UTC; 26s ago
Process: 6949 ExecStart=/opt/tunsafe/tunsafe start -d /opt/tunsafe/TunSafe.conf (code=exited, status=1/FAILURE)
Main PID: 6949 (code=exited, status=1/FAILURE)
Jan 24 19:22:59 tunsafe-gw systemd: Starting TunSafe service...
Jan 24 19:22:59 tunsafe-gw tunsafe: Loading file: /opt/tunsafe/TunSafe.conf
Jan 24 19:22:59 tunsafe-gw tunsafe: Started TCP listening socket on port 443
Jan 24 19:22:59 tunsafe-gw tunsafe: Error opening tun device
Jan 24 19:22:59 tunsafe-gw systemd: tunsafe.service: Main process exited, code=exited, status=1/FAILURE
Jan 24 19:22:59 tunsafe-gw systemd: tunsafe.service: Failed with result 'exit-code'.
Jan 24 19:22:59 tunsafe-gw systemd: Failed to start TunSafe service.
You can speed up resilvering times on ZFS (on linux) by temporarily changing the following settings:
echo 0 > /sys/module/zfs/parameters/zfs_resilver_delay
echo 512 > /sys/module/zfs/parameters/zfs_top_maxinflight
echo 5000 > /sys/module/zfs/parameters/zfs_resilver_min_time_ms
To reset back to defaults, do:
echo 2 > /sys/module/zfs/parameters/zfs_resilver_delay
echo 32 > /sys/module/zfs/parameters/zfs_top_maxinflight
echo 3000 > /sys/module/zfs/parameters/zfs_resilver_min_time_ms
A reboot of the system should also reset these defaults.