2

I want to access my home network on the go, but it can only be reached via IPv6 from outside. The network(s) I want to reach it from usually only have IPv4. (How) Can I access the whole home network with a server in between?

Let's assume the following:

Network A (Home):

  • Internal IP range: 192.168.0.0/24 (I'd like to keep IPv4 internally for now)
  • Machine A: aaaa:bbbb:cccc:dddd (IPv6 reachable from outside)
  • Machine A (internal): 192.168.0.1

Network B (Remote):

  • Internal IP range: 192.168.178.0/24
  • Machine B (internal): 192.168.178.2
  • Public IP: 1.2.3.4 (router)

Server:

  • IPv4: 2.3.4.5
  • IPv6: bbbb:cccc:dddd:eeee

Now I want to access 192.168.0.3 (network A) from 192.168.178.2 (network B). Can this be accomplished using OpenVPN / (SSH) tunnels / iptables / routing? If so: How?

Sorry, usually I have a half-working approach or at least an idea how to solve my problems, but I've been thinking about this all day and there's only chaos left in my head; so I better start from scratch. (Of course my idea is that the Server connects the IPv6 network A with the IPv4 network B. But how?)

Bonus points if all traffic between network A & the server, and the server & network B (read: the internet) is encrypted.

1 Answer

2

You don't mention which operating systems you are using, so I can only give you generic advice:

You'll have to set up two tunnels:

  • An IPv4-over-IPv6 tunnel between machine A and the server
  • An IPv4-over-IPv4 tunnel between machine B and the server

On the home network you'll have to route traffic for 192.168.178.0/24 to machine A. If machine A is the default gateway then this will already be the case. Otherwise you'll have to add a static route on the default gateway to send that traffic to machine A. On machine A you'll have to configure a static route for 192.168.178.0/24 towards the IPv4-over-IPv6 tunnel to the server.

On the remote network you'll have to route traffic for 192.168.0.0/24 to machine B. If machine B is the default gateway then this will already be the case. Otherwise you'll have to add a static route on the default gateway to send that traffic to machine B. On machine B you'll have to configure a static route for 192.168.0.0/24 towards the IPv4-over-IPv4 tunnel to the server.

The server will need two static routes:

  • 192.168.0.0/24 towards the IPv4-over-IPv6 tunnel to machine A
  • 192.168.178.0/24 towards the IPv4-over-IPv4 tunnel to machine B

Now machines on the home network will send their packets for 192.168.178.0/24 to the default gateway. If this is not machine A then the default gateway will forward them to machine A. Machine A will forward them over the IPv4-over-IPv6 tunnel to the server. The server will forward them over the IPv4-over-IPv4 tunnel to machine B, who will forward the packets to the remote network.

Now machines on the remote network will send their packets for 192.168.0.0/24 to the default gateway. If this is not machine B then the default gateway will forward them to machine B. Machine B will forward them over the IPv4-over-IPv4 tunnel to the server. The server will forward them over the IPv4-over-IPv6 tunnel to machine A, who will forward the packets to the home network.

I explicitly wrote down each hop of the path in both directions. Communication will only work if every step described above works.

You can use many protocols and applications for setting up the tunnels. Plain IPvX-in-IPvY tunnels are the easiest, but provide no encryption. The same goes for GRE tunnels. OpenVPN is a bit more difficult to set up but does provide encryption. Take a look at the Linux IPv6 How-To and the Tunnel section of the Linux Advanced Routing How-To to see how to set up tunnels.

2
  • Thanks! All machines are Linux boxes. Assuming the Server and Machine A are running OpenVPN servers (Server to Mobile: 10.0.0.1, Machine A to Server: 10.10.0.1), I would add 192.168.178.0/24 via 10.0.0.1 and 192.168.0.0/24 via 10.10.0.1 on the Server, 192.168.178.0/24 via 10.10.0.1 on Machine A, 192.168.0.0/24 via 10.0.0.1 on Mobile (plus routes on the gateways)? Can or should the tunnel IPs be in the same Subnet? The route on the gateway in network B would be optional, if not all of network B needed to reach network A? Huge thanks, I'll try to set this up ASAP.
    – NoMad
    Commented Dec 23, 2013 at 10:04
  • Tunnels are separate interfaces so they need their own subnet. If not every device on network B needs to access network A you could put a static route towards machine B on each device that does need it. Having a static route on the gateway is much, much easier though. Commented Dec 23, 2013 at 13:11
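
The hop-by-hop path the answer walks through can be checked before touching any real routing table. The following is an added example, not part of the original answer: it models the three routing tables the answer lists and traces a packet in both directions, then shows what happens when the server's route back to network B is missing. The node names are labels for this model only, machine A and machine B are assumed to be the gateways of their LANs, and default routes are not modelled.

```python
import ipaddress

HOME = "192.168.0.0/24"      # network A, from the question
REMOTE = "192.168.178.0/24"  # network B, from the question

# Routing tables as the answer describes them. Each prefix maps to "local"
# (directly attached LAN) or to the tunnel peer that is the next hop.
ROUTES = {
    "machine_a": {HOME: "local", REMOTE: "server"},   # via IPv4-over-IPv6 tunnel
    "server": {HOME: "machine_a", REMOTE: "machine_b"},
    "machine_b": {REMOTE: "local", HOME: "server"},   # via IPv4-over-IPv4 tunnel
}

def next_hop(table, dst):
    """Longest-prefix match; returns None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return table[str(best)]

def trace(routes, start, dst, max_hops=8):
    """Follow dst hop by hop from `start`; returns (path, outcome)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(routes.get(node, {}), dst)
        if hop is None:
            return path, "no route on " + node
        if hop == "local":
            return path, "delivered"
        path.append(hop)
        node = hop
    return path, "loop"

def check_both_ways(routes, home_host="192.168.0.3", remote_host="192.168.178.2"):
    """Request from network B to the home host, then the reply back."""
    return (trace(routes, "machine_b", home_host),
            trace(routes, "machine_a", remote_host))

if __name__ == "__main__":
    # Second table: the server lacks its route towards network B, so the
    # request arrives at the home network but the reply is dropped.
    broken = {**ROUTES, "server": {HOME: "machine_a"}}
    for table in (ROUTES, broken):
        for path, outcome in check_both_ways(table):
            print(" -> ".join(path), ":", outcome)
```

A one-way failure like the second case looks like a dead tunnel from the client side, which is why both directions are traced.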
