Online.net IPv6 Setup (with reverses!)

Let’s skip the lengthy introduction and get right into it: in this article, I’ll cover how to set up IPv6 connectivity to your online.net dedi, and how to set up reverse DNS records. If you want reverse DNS records (which you want if you’re hosting email), you’ll need to be running your own authoritative DNS server, which I won’t be covering here. As far as I know, there’s no way to get a PTR record for your address without running your own server.

Online.net console

  1. Log in to your online.net console, and head over to Server > Network configuration.
  2. Order your IPv6 block. In a while, you’ll get a /48. Took about half an hour for me. When it’s ready, it’ll appear in the list with Done appearing in the Delegation Status column.
  3. Click the gear beside your delegation > Edit nameserver delegation. You will have to specify two nameservers. If you only have a single authoritative server, you can use a backup server service, like the one provided on afraid.org.
  4. Once finished, click the gear beside your /48 delegation again > Create subnet. This will create a /56, which you’ll assign to your server. Pick one you like. You can create as many subnets as you have servers.
  5. Note the address and DUID of your /56. That’s all we need from the console.

Your server

On your server, we’ll set up dhclient and configure your interfaces.

  1. Edit /etc/network/interfaces. Append the following:
    iface eth0 inet6 static
    #this enables ipv6 on eth0, and sets a static address
    address 2001:bbbb:cccc:100::1
    #replace the above with your /56 delegation, but make sure
    #it ends with ::1 (or whatever other number you want)
    netmask 56
    #specifies the netmask
    accept_ra 1
    #accepts router advertisements, you need this
    pre-up /sbin/dhclient -1 -v -pf /run/dhclient6.eth0.pid -lf /var/lib/dhcp/dhclient6.eth0.leases -cf /etc/dhcp/dhclient6.conf -6 -P eth0
    #this will feed /etc/dhcp/dhclient6.conf (which we still have yet
    #to create) to dhclient when the interfaces are being loaded
  2. Create /etc/dhcp/dhclient6.conf, containing:
    interface "eth0" {
    send dhcp6.client-id 00:03:00:01:7a:c6:00:11:22:33;
    #replace the above line with the DUID for your /56
    #don't forget the semicolon!
    request;
    }
  3. Reboot, or systemctl restart networking.

Reverse DNS

Very similar to how IPv4 PTR records work.

  1. Create a zone file for your /48. The zone file name will be the first three quartets, reversed, each hex character separated by periods, followed by ip6.arpa. So for me, if I was assigned 2001:bbbb:cccc::, I’d go with c.c.c.c.b.b.b.b.1.0.0.2.ip6.arpa.
  2. Create the zone file as usual, with an IN PTR record for your server’s address (the one that ends with ::1). This tool makes life easy for reversing the entire address.
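As an added example (not part of the original post), here is the reverse-name computation above done in Python for the post’s 2001:bbbb:cccc::/48 and the server address 2001:bbbb:cccc:100::1; the hostname mail.example.net is an assumption. It also refuses to emit a PTR line for an address that is not actually inside the delegated prefix, which is the usual cause of a reverse record that silently never resolves.

```python
import ipaddress


def _nibbles(addr):
    """All 32 hex digits of an IPv6 address, no colons."""
    return ipaddress.IPv6Address(str(addr)).exploded.replace(":", "")


def reverse_zone(prefix):
    """ip6.arpa zone name for a delegated prefix such as '2001:bbbb:cccc::/48'."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a nibble boundary for a plain ip6.arpa zone")
    keep = net.prefixlen // 4  # 12 nibbles for a /48, 14 for a /56
    return ".".join(reversed(_nibbles(net.network_address)[:keep])) + ".ip6.arpa"


def ptr_owner(address, prefix):
    """Owner name of the PTR record, relative to the zone for `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside the delegated {prefix}")
    keep = net.prefixlen // 4
    relative = ".".join(reversed(_nibbles(addr)[keep:]))
    # Cross-check against the stdlib's full reverse name before trusting it.
    if f"{relative}.{reverse_zone(prefix)}" != addr.reverse_pointer:
        raise RuntimeError("reverse name does not match ipaddress.reverse_pointer")
    return relative


def ptr_record(address, prefix, hostname):
    """Zone-file line to paste into the ip6.arpa zone (hostname made absolute)."""
    return f"{ptr_owner(address, prefix)} IN PTR {hostname.rstrip('.')}."


if __name__ == "__main__":
    zone = "2001:bbbb:cccc::/48"  # delegation from the post
    print(reverse_zone(zone))
    # mail.example.net is an assumed hostname, not from the post
    print(ptr_record("2001:bbbb:cccc:100::1", zone, "mail.example.net"))
```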

That’s it! Remember to set up ip6tables or whatever firewall you prefer. Happy IPv6-ing!

Self-host Everything

I firmly believe that “cloud services” will be the downfall of the internet: instead of a free and open network, where anyone can provide services, we’re moving towards a few monolithic networks providing “free” services (in exchange for selling your data to advertisers, and showing you advertisements) and stomping out all smaller competition, Walmart-style.


There are several issues with depending on cloud service providers:

You are at the mercy of the service provider. What would happen if, say, Facebook chose to shut down services in your country tomorrow? How many people would you lose touch with? How many photos and messages would you lose forever? Better yet, how fucked would you be if Gmail disappeared?

Your data is most likely being vacuumed up by various nation-state attackers. As the Snowden slides revealed, virtually all major cloud service providers are providing your personal data directly to the NSA — however, it would be foolish to assume that only the NSA has your data. Because these cloud service providers are international, your data is most likely also provided to intelligence agencies in virtually all developed countries, from China to Russia to Israel. Why? Because these providers “must follow the law”, and operating in many countries means following the law in many countries.

Cloud services are a tempting target for attackers. Imagine if you could… oh I dunno, find nude pictures of many celebrities in a single datastore. If you had the skills, wouldn’t that be a juicy target? That being said, cloud services are usually fairly secure, but slip-ups still happen.

All “free” cloud services sell your data to advertising firms. There’s probably some sweatshop worker reading your emails right now to figure out whether to sell you male enhancement pills or sunglasses. I hope you’re not surprised, as you agreed to it in the EULA you accepted — how else did you think these services would get paid for? Interestingly, Google is most likely the least evil of the providers in this regard, because they do their own advertising. So at least your data stays with one company.

I bet you have a solution, LG. 

Of course. The answer is to self-host everything.

Running your own services lets you keep control of your data, and offers enhanced privacy and security. While running services requires a certain amount of technical competence, it’s far more straightforward (and cheaper) than many people assume. Find yourself a nice VPS host (DigitalOcean and Linode are good) or a host for dedicated servers (I’ve had good experiences with Online.net, Hetzner, and OVH), find some tutorials, pay a few bucks per month, build services, break services, fix services. Find a few technically-able friends to give you a hand, or a few privacy-aware friends to split the cost with. Some examples:

  • Email: Postfix and Dovecot, optionally Roundcube (webmail)
  • Chat: Prosody (XMPP)
  • Files: OwnCloud
  • Documentation: Mediawiki
  • Blog: WordPress
  • Search Engines: Searx
  • More: https://github.com/Kickball/awesome-selfhosted/blob/master/README.md


Won’t this be horrendously expensive?
For a few users, you can run all of the above on a $5/month DigitalOcean VPS.

Won’t things break?
Absolutely. But learning how to fix things when they break is what makes you a good sysadmin. Backup often, backup well.

Won’t it be inconvenient?
Absolutely. But that’s the whole appeal of cloud service providers: convenience, in exchange for your personal data. At some point, you’ll realize it’s just not worth it.

Will I be secure against hackers/nation-state attackers?
Kinda. You’ll be safe from certain types of attacks: the NSA storing and analyzing every email you send via Gmail, for instance. If you’re specifically targeted, no, you’ll get #rekt anyway via the attacker compromising/compelling your hosting provider, putting malware on your home computer, or beating you with a wrench until you give up your encryption keys. But self-hosting keeps your data out of the massive, easy-to-access pools of personal data on cloud services — it makes it more difficult for attackers to get at your data, and making attackers’ jobs more difficult is something we should all strive to do.

Humor me: try it out today. Get a domain name, fire up a $5 VPS on DigitalOcean, find an initial server setup guide and a securing-your-server guide, then follow the ISPmail tutorial and set up email services (DigitalOcean and Linode have excellent knowledge bases of tutorials: see 1 and 2). Test it out, find features you want, find tutorials to implement them. Do something dumb, break something, then figure out how to fix it. Find some friends, work together, and free yourself of the cloud service botnet.


Poettering vs Linux

Before the event, before He Who Shall Not Be Named, the Linux community lived in unruly harmony with the other Unices. And while SysV was the de facto standard, everyone who had two brain cells immediately swapped that shit out for something more daemontools-like. And the SysAdmins would play, play because they worried not; for their supervisor programs were doing their handiwork and the systems ran smoothly. Truly, the land was happy, far and wide.

Then the Dark One appeared, and first claimed, “I will take the Blight of Jobs, known as mDNS, and make it run on Linux.” And he cast a great pox upon the community, but most did not notice, because most of us weren’t gay cocksuckers. And this irked him, so he cast another blight, “I will fix your audio.” And using the pox, he built upon it and filled many a distribution with his sludge. And the users did gnash their teeth for a few years as the pox-sludge was incomplete and annoying. And before the users could turn on him, he snuck out like a thief in the night, claiming that it was not his handiwork.

Now the dark one was really pissed, for the pox-sludge did not do its purpose. So he found employ in that vile place, the House of Red Fedoras, a place filled with gnomes that only cared for bilking money from unsuspecting business people. And he did come upon a plan, so devious in nature and grand in scope, that the gnomes of Red Fedoras did endorse it, seeing that it would lead to many lucrative and unnecessary service contracts. And he brought forth his third and final curse, systemd, which was meant to “replace icky SysV” but in reality, it was forged from a shard of the Dark One’s corrupt soul, and its code would bind all others in darkness as they succumbed to its temptations. And one after another, projects agreed to bend their knee before it, and darkness descended upon the land.
