A Step by Step Guide on How to Set Up Teredo Tunneling…

What is Teredo? A Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 (enabled by default in the latter two, though not enabled for “general application use” by default), and we can expect it to be used to get to IPv6-only content, since tunnel brokers may, from the outside, seem like more work to set up. And indeed, with the release of an IPv6-capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here’s the step by step guide on how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you with an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment by sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again.
  • Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
  • If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”
  • The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
  • A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

  • IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Arakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
  • Thus, we need to hoodwink Vista. If the criterion is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working.  Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 - added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 - replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
  • Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
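
The address rule from the Vista and Windows 7 steps above, as an added Python example (not part of the original post): it derives the 6to4 prefix for an IPv4 address and models the page's statement that names resolve to IPv6 only once the host has an address that is neither link-local nor Teredo. The function names and the sample Teredo address are constructed, and ignoring the loopback address is an assumption.

```python
import ipaddress

def to_6to4_prefix(ipv4):
    """Map an IPv4 address to its 6to4 prefix, 2002:<32 bits of IPv4>::/48."""
    v4 = ipaddress.IPv4Address(ipv4)           # raises ValueError on bad input
    value = (0x2002 << 112) | (int(v4) << 80)  # 16-bit 2002, then the IPv4 bits
    return ipaddress.IPv6Network((value, 48))

def classify(addr):
    """Label one address with the category the DNS rule cares about."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %4
    if ip.version == 4:
        return "ipv4"
    if ip.is_loopback:
        return "loopback"      # assumption: ::1 does not count either way
    if ip.is_link_local:
        return "link-local"    # fe80::/10
    if ip.teredo is not None:
        return "teredo"        # 2001::/32
    if ip.sixtofour is not None:
        return "6to4"          # 2002::/16
    return "other-ipv6"

def resolves_ipv6_names(addresses):
    """Model of the rule as this page states it, not Windows' own code:
    IPv6 name resolution needs an address beyond link-local and Teredo."""
    kinds = {classify(a) for a in addresses}
    return bool(kinds & {"6to4", "other-ipv6"})

# Constructed host: IPv4, the link-local address shown above, a Teredo address.
BEFORE = ["192.168.1.2", "fe80::214:85ff:fe2f:8f06%4",
          "2001:0:4137:9e76:2c6b:1a2f:3f57:fefd"]
# Same host after adding the static 6to4 address from the steps above.
AFTER = BEFORE + [str(to_6to4_prefix("192.168.1.2").network_address)]

if __name__ == "__main__":
    print(to_6to4_prefix("192.168.1.2"))
    print("before:", resolves_ipv6_names(BEFORE))
    print("after: ", resolves_ipv6_names(AFTER))
```
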

In my testing, Win7 would deactivate the default ipv6 route when there was no ipv6 traffic. Thanks to Sam Karim, I can present a fix for this issue: Configure Teredo to be “Default Qualified” so it will not enter into “Dormant” state.

On Windows 7 Business and better:

  • Run “gpedit.msc” from the Start Menu by typing it into the search bar or “Run” bar.
  • Navigate to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies
  • Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc.
  • The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

On Windows 7 Home Premium and Starter editions, you will need to manually create a registry key.

  • Open regedit from the Start Menu by typing it into the search bar or “Run” bar
  • Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  • Right-click the “Windows” Key and choose New -> Key, create a “TCPIP” Key (observe case)
  • Right-click the “TCPIP” Key and choose New -> Key, create a “v6Transition” Key (observe case)
  • Right-click the “v6Transition” Key and choose New -> String Value, create an entry called “Teredo_DefaultQualified” with a value of “Enabled” (observe case, note the underscore)

Old workaround for reference until I have fully tested the above new-and-improved methods:

Create a text file, name it “fix-ipv6.cmd” (make sure you can see file extensions!) and paste these lines into it:

  1. REM Because Win7 gets rid of ipv6 routes
    netsh interface ipv6 delete route ::/0 interface=14
    netsh interface ipv6 add route ::/0 interface=14
    REM Optionally, run a continuous ping here instead of through a task
    REM ping -t ipv6.google.com
  2. Change the ID of the interface in this text file to the ID of the Teredo interface on your system
  3. Create a task to run a continuous ping. Optionally, just un-comment the ping command in the file you just created.
    Control Panel | System and Security | Schedule tasks
    Create task (on the right)
    General pane: Give it a name, “Run whether user is logged on or not”, “Configure for: Windows 7”
    Triggers: “New”, “At Startup”, hit “OK”
    Actions: “New”, “Start a program”, enter “ping” into “Program/script” and “ipv6.google.com -t” into “Add arguments (optional)”
    Conditions: Uncheck “Start the task only if the computer is on AC power”
    Settings: Check “Run task as soon as possible after a scheduled start is missed”, “If the task fails, restart every” and uncheck “Stop the task if it runs longer than”
  4. After reboot, you’ll need to right-click your “fix-ipv6” and “Run as administrator”

In my testing, this workaround kept the ::/0 route active. You can check using “route print -6” – you want to see the ::/0 route in both active and persistent routes. When it is inactive, it shows up only in persistent.

If this all sounds like more trouble than it’s worth, then using a tunnel broker may be the ticket for you.

Google and v6

You can add a Google-v6-savvy DNS server, such as HE’s 2001:470:20::2, to your LAN or WiFi connection, and this will give you both ipv4 and ipv6 addresses for Google. However, as Windows will always prefer ipv4 if all you have is Teredo, ipv6 won’t be used in that case.

Troubleshooting

  • Test ipv6 DNS lookup from command line. Note the ping fails to resolve the name, but nslookup can resolve it. This means our DNS server has the entry, but we haven’t configured Win7 yet to use v6 addresses.
    >ping ipv6.google.com
    Ping request could not find host ipv6.google.com. Please check the name and try again.
    >nslookup ipv6.google.com
    Non-authoritative answer:
    Name:    ipv6.l.google.com
    Addresses:  2001:4860:b009::93
    2001:4860:b009::63
    2001:4860:b009::67
    2001:4860:b009::69
    2001:4860:b009::68
    2001:4860:b009::6a
    Aliases:  ipv6.google.com
  • Check that the ::/0 route has been added correctly. Open netsh, navigate to interface ipv6, and enter show route. This is what you want to see:
    netsh interface ipv6>show route
    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    -------  --------  ---  ------------------------  ---  ------------------------
    No       Manual    256  ::/0                       14  Local Area Connection* 9
  • On my system, after changing the IPv6 address of the LAN interface, that route goes into “limbo”. Meaning show route does not show it, but route print does. In that case, you can delete and re-create it, again from netsh’s interface ipv6 context:
    delete route ::/0 "Local Area Connection* 9"
    add route ::/0 "Local Area Connection* 9"
  • show teredo is useful to see whether Teredo connectivity is there. You want to see your state as “qualified”
    netsh interface ipv6>show teredo
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : symmetric (port)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           :  —
    External NAT Mapping    : —
  • In order for DNS to resolve IPv6 addresses, the LAN/WiFi interface must have a 6to4 address without a default route, Teredo must be working, and a default route through Teredo must be configured. Miss one of those three, and you won’t be able to resolve ipv6 DNS.
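
The two checks from this list that are visible in netsh output (Teredo state and the ::/0 route), as an added Python example that is not part of the original post. The passing sample is the output shown above with the rule lines omitted; the failing sample is constructed from the error text quoted on this page, and the function names are hypothetical.

```python
import re

# Output copied from the Troubleshooting list above (dash rules omitted).
TEREDO_OK = """\
Teredo Parameters
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
State                   : qualified
NAT                     : symmetric (port)
"""
ROUTES_OK = """\
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
No       Manual    256  ::/0                       14  Local Area Connection* 9
"""
# Constructed failure case, using an error message quoted on this page.
TEREDO_BAD = """\
Type                    : client
State                   : offline
Error                   : client is in a managed network
"""

# Publish, Type, Met, Prefix, Idx, interface name; the header row has a
# non-numeric "Met" column and therefore never matches.
ROUTE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

def parse_teredo(text):
    """Return the 'Key : value' lines of 'show teredo' as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def parse_routes(text):
    """Return (prefix, interface index) for each data row of 'show route'."""
    rows = (ROUTE_ROW.match(line) for line in text.splitlines())
    return [(m.group(4), int(m.group(5))) for m in rows if m]

def diagnose(teredo_text, route_text, teredo_idx):
    """List what is still missing; an empty list means both checks pass."""
    problems = []
    fields = parse_teredo(teredo_text)
    state = fields.get("State", "unknown")
    if state != "qualified":
        reason = fields.get("Error", "no error line reported")
        problems.append(f"Teredo state is {state}: {reason}")
    if ("::/0", teredo_idx) not in parse_routes(route_text):
        problems.append(f"no ::/0 route on interface {teredo_idx}")
    return problems
```

Feed it the text captured from “netsh interface ipv6 show teredo” and “netsh interface ipv6 show route”, plus the Teredo interface ID from “route print”.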
7 comments
  1. Francesco Pretto said:

    Interesting enough, even having a “VirtualBox Host-Only Ethernet Adapter” will mark the teredo tunnel “offline” with reason “client is in a managed network”. In two computers of mine, uninstalling Virtualbox fixed the problem, and reinstalling it re-triggered it.

  2. Francesco Pretto said:

    Another tip to overcome the limitation with dns resolution that is forced to ipv4 only address if there are no ipv6 unique local addresses or the only ipv6 addresses are teredo ones is to add the key AddrConfigControl = 0 (DWORD) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters .

    Great article, thanks.

    • Esmaeil said:

      Hi Francesco.. Thanks for reading this article… Great comments and tips…

  3. I’m seeking to get a competent author, lengthy time in this area. Excellent post!

    • Esmaeil said:

      My pleasure… Thanks for the compliment… What do you need an author for?

  4. Luke_M said:

    Hi,

    This is very interesting stuff you’ve written here. A couple of quick questions:

    By utilizing these suggestions in implementing teredo, would it be possible for XP sp3 to be just as safe on the internet as an updated Linux distro?

    Next, is there a book I could get that would thoroughly explain all the techy stuff you mentioned in this post…a book directed to total newbs in this area? I am not familiar at all with any networking type stuff; I don’t even know what ipv4 or ipv6 is, and I’ve never set up my own hard firewall…just have always used the router the isp provided. After a few hdd failures…most because of malware picked up somewhere, I’ve decided I need to really dig into network security and learn all I can. I’ve learned that prevention is a much better gameplan than trying to fix the problems once they’ve happened.

    Any help would be greatly appreciated!

    • Esmaeil said:

      Hi Luke… Thanks for the comment and reading my article:
      -For the first question, I’d have to say NO… Microsoft does not recommend using Windows XP anymore (any SP) because it is simply not safe any more against new types of attacks… You should go for at least Windows 7 if you want to be safe… By the way, teredo tunneling is a tunneling technique used specifically in some networking scenarios to connect two hosts and cannot be used to connect you to the internet.

      -For the second question, I am so happy to hear that from you… There are not many people like you who prefer to learn more about information security… In order for it to be more interesting and not boring or difficult, I’d suggest you learn first about network and then about security. For this purpose you can start with the Network+ course from CompTIA company and then go ahead with Microsoft MCSE (Microsoft Systems Solutions Expert) study packs which will teach you so many things you will need to know… I think if you go to a bookshop and have a look at the pack, you will be able to pick the right one which you need… I’d suggest you go for all of them if you are an IT person…

      If you want something to teach you quick tips, this is really good: http://books.google.com.my/books/about/Network_Security_Illustrated.html?id=3HPXuoDALakC&redir_esc=y

      or maybe the Security+ book will also suit you but you should know that it is a tough book for beginners.

      I hope it could help.

      Thanks,
      Esmaeil
