Overview
It is 2023 and yet some major Internet services still have no presence in IPv6. Given that the majority of FABRIC sites are reachable only via an IPv6 management address, the question arises of how to communicate with those major services from those sites.
FABRIC Bastion hosts address the problem of experimenters SSH-ing into their VMs from either IPv4 or IPv6 networks. But what if you need to install software in your VM that is available only from an IPv4 site, and your VM has an IPv6 management address? Notably, GitHub is one of those major sites that has no IPv6 presence, so how does one install software from GitHub?
Multiple answers exist:
- Nat64 servers: uses external servers that translate traffic between IPv4 and IPv6 networks with the help of a special DNS setup.
- SSH proxying: SSH software installed on end-user hosts and on FABRIC resources is enough to make this work.
From here on we assume that you already know how to log in to your VM via a bastion host.
Reaching IPv4 resources via Nat64
By far the easiest, although not always the most performant, way to do this is to update the DNS configuration in your VM to use Nat64. There is a small number of publicly available servers that bridge the IPv4-IPv6 divide using a protocol called Nat64. Because the bandwidth through them can be limited, you may notice that some downloads are slower than expected. Using these servers requires modifying the name resolution configuration in each VM. The following simple script does this by deleting the existing nameserver entries from /etc/resolv.conf and adding three of these servers in their place:
sudo sed -i '/nameserver/d' /etc/resolv.conf
sudo sh -c 'echo nameserver 2a00:1098:2c::1 >> /etc/resolv.conf'
sudo sh -c 'echo nameserver 2a01:4f8:c2c:123f::1 >> /etc/resolv.conf'
sudo sh -c 'echo nameserver 2a00:1098:2b::1 >> /etc/resolv.conf'
You can also use this Jupyter Notebook to achieve this result.
SSH Proxying
In this scenario a user has a laptop, there is a FABRIC bastion host, bastion, and a remote sliver VM that needs access to GitHub, which we will call vm. We will show how to set up an SSH proxy so you can reach IPv4 resources via cURL, git and docker tools.
Using cURL with SSH proxy
1. Start a proxy on the laptop:
laptop$ ssh -N -D localhost:5678 localhost
2. Start the reverse tunnel from vm:
laptop$ ssh -J bastion-1.fabric-testbed.net -R localhost:4567:localhost:5678 <vm IPv6 address>
3. Verify the proxy is listening:
vm$ netstat -ntl | grep 4567
tcp 0 0 127.0.0.1:4567 0.0.0.0:* LISTEN
tcp6 0 0 ::1:4567
4. Use cURL with the socks5h proxy type (to ensure DNS resolution is done proxy-side). Note that using -x instead of the --proxy option seems to work more reliably:
vm$ curl -x socks5h://localhost:4567 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
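Step 3 shows the forwarded port bound to 127.0.0.1 and ::1 only; a listener on 0.0.0.0 or :: would make the laptop-side proxy reachable by other hosts that can reach the VM. The following is an added example, not part of the original page, that classifies the binding from `netstat -ntl` or `ss -ntl` output; the function name `proxy_listener_scope` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify how the forwarded
# proxy port is bound on the VM. Reads `netstat -ntl` or `ss -ntl` output
# on stdin and prints one of: loopback-only | exposed | absent

proxy_listener_scope() {
    awk -v port="$1" '
        !/LISTEN/ { next }                  # skip headers and other states
        {
            addr = $4                       # local address in both tools
            at = match(addr, /:[0-9]+$/)    # last colon splits host:port
            if (at == 0) next
            host = substr(addr, 1, at - 1)
            if (substr(addr, at + 1) != port) next
            found = 1
            gsub(/^\[|\]$/, "", host)       # ss prints IPv6 as [::1]
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END {
            if (!found)       print "absent"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample inputs (hypothetical listener tables).
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:4567 0.0.0.0:* LISTEN
tcp6 0 0 ::1:4567 :::* LISTEN'

SAMPLE_EXPOSED='tcp 0 0 0.0.0.0:4567 0.0.0.0:* LISTEN
tcp6 0 0 :::4567 :::* LISTEN
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN'

printf '%s\n' "$SAMPLE_LOOPBACK" | proxy_listener_scope 4567
printf '%s\n' "$SAMPLE_EXPOSED"  | proxy_listener_scope 4567
```

On the VM, pipe the live table into it: `netstat -ntl | proxy_listener_scope 4567`.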
Using GitHub via SSH proxy
Verify steps 1-4 above work. To enable git to use the proxy:
vm$ git config --global http.proxy 'socks5h://localhost:4567'
Now you can clone from GitHub:
vm$ git clone https://github.com/fabric-testbed/InformationModel.git
Using Docker Hub via proxy
Verify steps 1-4 above work. For Docker Hub, edit ~/.docker/config.json:
{
  "proxies":
  {
    "default":
    {
      "httpProxy": "socks5h://127.0.0.1:4567",
      "httpsProxy": "socks5h://127.0.0.1:4567",
      "noProxy": ""
    }
  }
}
Thanks for the reply. However, if I am not wrong, there is no need to employ this configuration since August, as it already works transparently. Or do I need to do this?
Thanks.