It's been a battle, but I've got a successful tunnel, persistent thru reboots, on eBox (1.3.15, but version should not matter).
My tunnel is a tunnelbroker.net /64 (I have 2x /48's, 2x /64's, but let's keep this simple!). All IP info, of course, is obscured, and should be replaced by your own. Also, $LAN will be used to denote internal iface, $WAN to denote external. This is not complete, by any means. Please, feel free to add / argue / contradict where appropriate, or just 'cause ya' don't like me!!
My tunnel info:
Global Tunnel ID: 12345
Local Tunnel ID: 123
Tunnel Endpoints
Server IPv4 address: 123.456.789.2
Server IPv6 address: 2001:456:abc0:123::1/64
Client IPv4 address: 98.76.54.32
Client IPv6 address: 2001:456:abc0:123::2/64
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /64: 2001:456:abc1:123::/64
And, here's their example config, for linux-route2:
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 123.456.789.2 local 98.76.54.32 ttl 255
ip link set he-ipv6 up
ip addr add 2001:456:abc0:123::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
Here's what I did, that worx (please note old and new. Old way was flaky, as the firewall default DROP policy loads AFTER Network loads, and only permits NEW connections of allowed sort. Thus, the tunnel being already connected, it is blocked, it seems, much of the time):
OLD WAY: sudo vim /etc/ebox/hooks/network.postsetconf
NEW WAY: sudo vim /etc/ebox/hooks/firewall.postsetconf
In that file, I've entered
#!/bin/sh
###When I get it all figured out, the following commented lines will automatically update my tunnel endpoint address, when it changes:
#https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IPV4ADDR&pass=$MD5PASS&user_id=$USERID&tunnel_id=$GTUNID
#$IPV4ADDR = The new IPv4 Endpoint (AUTO to use the requesting client's IP address)
#$MD5PASS = The MD5 Hash of your password
#$USERID = The UserID from the main page of the tunnelbroker (not your username)
#$GTUNID = The Global Tunnel ID from the tunnel_details page
ip tunnel add he-ipv6 mode sit remote 123.456.789.2 local 98.76.54.32 ttl 255
ip link set he-ipv6 up
ip addr add 2001:456:abc0:123::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -6 addr add 2001:456:abc1:123::1/64 dev $LAN
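# Append the resolver only once; this hook runs on every firewall save
grep -q "^nameserver 2001:470:20::2" /etc/resolv.conf || echo "nameserver 2001:470:20::2" >> /etc/resolv.conf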
exit 0
Save and exit that file, then:
sudo chmod +x /etc/ebox/hooks/firewall.postsetconf
At this point, the next time you make any changes to your network settings, and save them, your tunnel will be created, and every time thereafter.
We're not quite done, tho. The default firewall settings will not permit tunnelbroker.net to ping our $WAN ip, to verify its validity, nor will it permit any traffic from the $WAN, over the tunnel. I'm not sure quite what the correct way to define Protocol 41 for the firewall is, so I've simply created rules from "External to eBox" permitting all ICMP from the IP on the IP-Update page (click your "Client IPv4 address: 98.76.54.32"), and ALL traffic from the Server Endpoint IP (Probably NOT the safest thing to do!!).
Voilà! Next reboot (sorry for the profane language), or next edit/save of network settings, and your tunnel should be golden! Now, for setting up the network behind it... To begin with, here:
sudo vim /etc/sysctl.conf
Locate the line that reads
#net.ipv6.ip_forward=1
, and UN-comment it (remove the #).
On server, as well, install radvd
sudo aptitude install radvd
Then,
sudo vim /etc/radvd.conf
and paste this in:
interface lan
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:456:abc1:123::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
Now, eBox will provide IPv6 addresses, to the internal network, hopefully even the VPN clients...
Hope this might help someone out!! Happy Hackin'!!
edit: code-snippets don't respect formatting flags... removed.
edit2: Added edit to sysctl.conf, to permit forwarding
edit3: Added radvd.conf, for those who might need it.
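An added example, not part of the original post: instead of allowing ALL traffic from the Server Endpoint IP, the sketch below prints a rule that admits only IP protocol 41 (6in4) from that address, plus ip6tables FORWARD rules so the LAN hosts that receive routable addresses from radvd are not reachable by unsolicited inbound traffic once forwarding is enabled. The function name, the interface names eth0/eth1 and the use of the built-in INPUT/FORWARD chains are assumptions; eBox's own chain layout is not modelled.

```shell
#!/bin/sh
# Added example (not from the original post). Prints firewall rules for a
# 6in4 tunnel; review the output, then pipe it to sh as root.
# Assumption: rules go on the built-in INPUT/FORWARD chains; eBox's own
# chain layout is not modelled here.

he_tunnel_rules() {
    server_v4=$1   # tunnel server IPv4 endpoint
    tun_if=$2      # tunnel interface (he-ipv6 in the post)
    lan_if=$3      # internal interface ($LAN in the post)
    wan_if=$4      # external interface ($WAN in the post)

    # Accept only digits and dots / interface-name characters so the
    # generated lines are safe to hand to a shell.
    case $server_v4 in
        ''|*[!0-9.]*) echo "bad server address: $server_v4" >&2; return 1 ;;
    esac
    for ifname in "$tun_if" "$lan_if" "$wan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done

    # Line 1: only protocol 41 from the tunnel server reaches the box.
    # Lines 2-4: LAN hosts may open IPv6 connections through the tunnel,
    # replies are allowed back, everything else forwarded is dropped.
    cat <<EOF
iptables -I INPUT -i $wan_if -p 41 -s $server_v4 -j ACCEPT
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $lan_if -o $tun_if -j ACCEPT
EOF
}

# Constructed sample values (192.0.2.1 is a documentation address).
he_tunnel_rules 192.0.2.1 he-ipv6 eth1 eth0
```

The ip6tables INPUT chain is deliberately left alone here, since radvd and neighbor discovery on the LAN depend on ICMPv6 reaching the router.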