Sharing an IPv6 tunnel from a Windows machine

I've had an IPv6 tunnel from Hurricane Electric for nearly a year now, but through that time it has only ever been to one machine. Today I decided to try to allow every other machine on my network to have global IPv6 connectivity too, and was quite surprised at how little information there was out there when using a Windows box as the tunnel end-point. Not surprising really, but I decided to press on, as that is the only machine I have on 24/7. I've written this guide in the hope that it helps someone else.

Firstly, you'll need a tunnel from a tunnel broker. I used Hurricane Electric, but there are others out there. Once you have the tunnel you will need to tell the broker your IPv4 endpoint (this is the public IP address of the computer that will be routing the IPv6, as given by your ISP), and make it pingable.

Once you have done that, you will have the following data available to you. In this example I have simplified the numbers a little. You should change them to what you are actually given while setting it up:

Server IPv4 Address:

Server IPv6 Address: 2001:db8:abc1:def::1/64

Client IPv4 Address:

Client IPv6 Address: 2001:db8:abc1:def::2/64

Routed /64: 2001:db8:abc2:def::/64

You are given more, but this all we need for now. Note that the Client IPv4 address is the address given by your ISP, and not necessarily the IPv4 address of your tunnel end. In my case, as I'm behind NAT on a private network, the tunnel actually ends at

Firstly, if you have not already done so, you will need to enable IPv6 on all machines. Linux should be enabled by default. Newer versions of Windows are also enabled by default, but if it is not, the command "ipv6 install" or "netsh interface ipv6 install" should do it.

Now to set up the tunnel. In my example, I was using Windows Server 2003, but this should work for any version of Windows with netsh installed (XP SP2+)

Open a command prompt and type the following commands:

c:\> netsh

netsh> interface ipv6

netsh interface ipv6>

This will put us into the IPv6 context of netsh and will save a lot of typing.

Next, we need to make the tunnel. I am using the example address from above; you should replace them with your own. Also note that I use the LAN IPv4 address for my end point. This is needed for the tunnel to work, but the broker doesn't need to know this.

netsh interface ipv6> add v6v4tunnel IP6Tunnel

netsh interface ipv6> add addr IP6Tunnel 2001:db8:abc1:def::2

That's the tunnel set up. Don't bother testing it yet though, as we don't have a gateway set up. We also need to set up forwarding (allowing interfaces to forward traffic not meant for them) and advertising (telling other hosts where the router is). You will also need the name of your LAN interface. To find this out, either type "show interface", or open your network connections window. In my case it is "Local Area Connection". In this article, I have specified interfaces by name, but using "show interface" will also give you the ID of the interface (in my case, "Local Area Connection" is 5 and "IP6Tunnel" is 7) which can be substituted to save typing.

netsh interface ipv6> set interface IP6Tunnel forwarding=enabled

netsh interface ipv6> set interface "Local Area Connection" forwarding=enabled advertise=enabled

Now we need to add some routes, and tell Windows to broadcast these out to other machines on the network. We will set up three routes: one is your routed /64, and we will say that anything there is on the local connection; The next is the tunnel itself, and the final one is the default gateway. We will also broadcast all of these to the rest of the network.

netsh interface ipv6> add addr 2001:db8:abc2:def::1 "Local Area Connection"

netsh interface ipv6> add route 2001:db8:abc2:def::/64 "Local Area Connection" publish=yes

netsh interface ipv6> add route ::/0 "IP6Tunnel" 2001:db8:abc1:def::1 publish=yes

And that should be it. Any IPv6 enabled machine on your LAN should now get a global IPv6 address and route. Note that I have not covered DNS. In my case this wasn't an issue as my DNS server could already handle AAAA records, but yours may not.

Written by dezza on 2010-05-12 13:47:29.

Reply 1

Please note that when using the addr line is server 2008r2 you need this syntax for it to be accepted:: netsh interface ipv6> add address "Local Area Connection" 2001:db8:abc2:def::1

Posted by med3912 on 2011-06-20 06:56:47.

Add Comment

Only Registered users can add comments. If you would like to register, please do so by clicking the register link to the left.