A server application for automating IPv6 tunnel (SIT/GRE) creation and management.
- Automated IPv6 prefix management and delegation
- SIT and GRE tunnel creation and management
- Automatic /64 prefix allocation from /44 pools
- Client configuration generation with proper IPv6 formatting
- RESTful API with authentication
- Automatic ULA address generation for tunnel endpoints
- Support for dual prefix delegation (primary and secondary)
- User-based tunnel management with limits
- Systemd service integration with installation scripts
- Advanced security features (since v0.0.6):
  - Traffic rate limiting (50 Mbps for both upload and download)
  - Email port blocking (SMTP, POP3, IMAP)
  - DDoS protection with rate limiting
  - SYN flood protection
  - ICMPv6 flood protection
  - Automatic security rules application for new tunnels
  - Fragment packet protection
  - Port scanning protection
  - New connection rate limiting

- Go 1.23 or newer
- PostgreSQL (Supabase)
- Linux with sit and gre modules
- Root privileges for tunnel management
- Traffic Control (tc) for bandwidth management
- iptables for security rules

- Clone the repository:
  ```bash
  git clone https://github.com/kofany/tunnelbroker.git
  cd tunnelbroker
  ```
- Copy and customize configuration files:
  ```bash
  cp .env.example .env
  cp cmd/config/config.example.yaml cmd/config/config.yaml
  ```
- Edit configuration files:
  - .env - set database credentials
  - cmd/config/config.yaml - configure IPv6 prefixes, server address and API key
- Run the installation script:
  ```bash
  sudo ./scripts/systemd/install.sh
  ```

- Clone the repository:
  ```bash
  git clone https://github.com/kofany/tunnelbroker.git
  cd tunnelbroker
  ```
- Copy and customize configuration files:
  ```bash
  cp .env.example .env
  cp cmd/config/config.example.yaml cmd/config/config.yaml
  ```
- Edit configuration files:
  - .env - set database credentials
  - cmd/config/config.yaml - configure IPv6 prefixes, server address and API key
- Install dependencies:
  ```bash
  go mod download
  ```
- Build and install the service:
  ```bash
  go build -o /usr/local/bin/tunnelbroker cmd/tunnelbroker/main.go
  cp /etc/systemd/system/tunnelbroker.service /etc/systemd/system/
  systemctl daemon-reload
  systemctl enable tunnelbroker
  systemctl start tunnelbroker
  ```

To remove the service and all its components:
```bash
sudo ./scripts/systemd/uninstall.sh
```

- Upload and download limited to 50 Mbps per tunnel
- Implemented using tc HTB qdisc
- Separate ingress and egress traffic shaping
- SYN flood protection (1 packet/second limit)
- ICMPv6 flood protection (1 packet/second limit)
- General DDoS protection (10000 packets/second limit)
- New connection rate limiting (50 connections/second)
- Blocked email ports:
- SMTP: 25, 465, 587, 2525
- POP3: 110, 995
- IMAP: 143, 993
- Fragment packet blocking
- TCP flag manipulation protection
- Port scanning protection
- Automatic security rules application for new tunnels
The server listens on port 8080 by default. Configuration is stored in /etc/tunnelbroker/.
The server listens on 127.0.0.1:8080 by default. All endpoints require the X-API-Key header.
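
An added example (not the project's own code) of the checks a handler for POST /api/v1/tunnels could run before acting on a request: a constant-time comparison of the X-API-Key value and strict validation of the body fields. The names TunnelRequest, KeyOK and Validate, the reading of "hex4" as four lowercase hex digits, and the public-unicast policy for client_ipv4 are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/netip"
	"regexp"
)

// TunnelRequest mirrors the POST /api/v1/tunnels body from the README.
type TunnelRequest struct {
	Type       string `json:"type"`
	UserID     string `json:"user_id"`
	ClientIPv4 string `json:"client_ipv4"`
}

var hex4 = regexp.MustCompile(`^[0-9a-f]{4}$`) // assumption: "hex4" = four lowercase hex digits

// KeyOK compares the X-API-Key value in constant time; an empty configured key never matches.
func KeyOK(got, want string) bool {
	return want != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// Validate rejects input that must not reach tunnel setup, which runs as root.
func (r TunnelRequest) Validate() error {
	if r.Type != "sit" && r.Type != "gre" {
		return errors.New("type must be sit or gre")
	}
	if !hex4.MatchString(r.UserID) {
		return errors.New("user_id must be four hex digits")
	}
	ip, err := netip.ParseAddr(r.ClientIPv4) // strict: no CIDR suffix, port or trailing text
	if err != nil || !ip.Is4() {
		return errors.New("client_ipv4 must be a dotted-quad IPv4 address")
	}
	// Assumed policy: the remote tunnel endpoint must be a public unicast address.
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsMulticast() || ip.IsLinkLocalUnicast() {
		return errors.New("client_ipv4 must be a public unicast address")
	}
	return nil
}

func main() {
	for _, r := range []TunnelRequest{ // constructed sample bodies
		{"sit", "a1b2", "203.0.113.7"}, {"gre", "a1b2", "10.0.0.5"}, {"sit", "a1b2", "203.0.113.7/32"},
	} {
		fmt.Printf("%+v -> %v\n", r, r.Validate())
	}
}
```
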
- Create a tunnel:
  ```
  POST /api/v1/tunnels
  {
    "type": "sit|gre",
    "user_id": "hex4",
    "client_ipv4": "x.x.x.x"
  }
  ```
- Update client IP:
  ```
  PATCH /api/v1/tunnels/{tunnel_id}/ip
  {
    "client_ipv4": "x.x.x.x"
  }
  ```
- Delete tunnel:
  ```
  DELETE /api/v1/tunnels/{tunnel_id}
  ```
- List tunnels:
  ```
  GET /api/v1/tunnels?user_id={user_id}
  ```
- Get tunnel details:
  ```
  GET /api/v1/tunnels/{tunnel_id}
  ```

Version: v0.0.6
- Added automatic security rules application for new tunnels
- Added traffic rate limiting (50 Mbps up/down)
- Added DDoS protection
- Added email port blocking
- Added fragment packet protection
- Added port scanning protection
- Added connection rate limiting
- All messages translated to English
- Proper IPv6 address formatting
- Full API implementation
- Database integration with Supabase
- Automatic tunnel configuration generation
- Support for both SIT and GRE tunnels
MIT