The following uses Debian as the example; on other systems, adjust for your own networking tools and service manager.
In HE Tunnel Details you will see four key fields:
- Server IPv4 Address: the IPv4 of the HE tunnel server (HE side)
- Client IPv4 Address: the public IPv4 this machine presents to the outside (the egress IP, i.e. the public address shown as the EIP)
- Server IPv6 Address: the HE-side IPv6 (usually ends in ::1)
- Client IPv6 Address: your-side IPv6 (usually ends in ::2)
On a Huawei Cloud lightweight instance there is one more address you must be clear about:
- Private IPv4 (VPC IP): the IPv4 actually configured on your instance's NIC (usually the one starting with 172)
Naming used throughout this tutorial:
SERVER_IPV4 = Server IPv4 Address (HE-side IPv4)
CLIENT_IPV4 = Client IPv4 Address (your public egress IPv4)
SERVER_IPV6 = Server IPv6 Address (HE-side IPv6, usually ::1)
CLIENT_IPV6 = Client IPv6 Address (your-side IPv6, usually ::2)
LOCAL_IPV4 = private IPv4 (VPC IP) (the real address on the local NIC, used for ip tunnel ... local)
Requesting an HE tunnel
There are plenty of guides for this online, so it is not covered here. Just make sure that once the tunnel has been created you can open the Tunnel Details page and see the parameters listed above.
1. Prepare the parameters in the HE console
Go to HE Tunnel Broker → Tunnel Details and record:
Server IPv4 Address → SERVER_IPV4
Client IPv4 Address (public egress IPv4) → CLIENT_IPV4
Server IPv6 Address → SERVER_IPV6
Client IPv6 Address → CLIENT_IPV6
Routed /64 → ROUTED /64 (optional; for additional IPv6 addresses on the host or in containers)
2. Confirm the local private IPv4
On Debian run:
ip -4 addr show scope global
You can also see the NIC IP in the instance details of the Huawei Cloud console. Note this VPC private IPv4; it is LOCAL_IPV4.
3. Create and bring up the HE 6in4 (sit) tunnel
First remove any old tunnel:
ip tunnel del he-ipv6 2>/dev/null || true
Create the tunnel, replacing the angle-bracket placeholders with your own values:
ip tunnel add he-ipv6 mode sit \
remote <SERVER_IPV4> \
local <LOCAL_IPV4> \
ttl 255
Bring the interface up:
ip link set he-ipv6 up
Add the IPv6 address to the tunnel interface:
ip -6 addr add <CLIENT_IPV6>/64 dev he-ipv6
Add the IPv6 default route:
ip -6 route replace ::/0 dev he-ipv6
4. Verify that the tunnel is in place
Show the tunnel interface's IPv6 address:
ip -6 addr show dev he-ipv6
Show the IPv6 routes:
ip -6 route
Test reachability of the HE side:
ping6 -c 3 <SERVER_IPV6>
5. Which IPv6 to use when reaching this host from outside
This tutorial consistently uses CLIENT_IPV6 as the IPv6 for reaching this host from outside, i.e. the address HE assigned to you, usually ending in ::2.
Examples:
SSH
ssh -6 root@[<CLIENT_IPV6>]
HTTPS
https://[<CLIENT_IPV6>]/
6. An nftables firewall that applies only to IPv6
Because IPv6 arriving over the HE tunnel usually bypasses the cloud security group, it is recommended to manage IPv6 inbound filtering on the host itself with nftables.
Save as /etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table ip6 filter6 {
    chain input {
        type filter hook input priority 0;
        policy drop;
        iif "lo" accept
        ct state established,related accept
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-neighbor-solicit,
            nd-neighbor-advert,
            packet-too-big,
            time-exceeded,
            destination-unreachable
        } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
        ip6 nexthdr icmpv6 drop
        tcp dport { 22, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
Apply it and enable it at boot:
nft -f /etc/nftables.conf
nft list ruleset
systemctl enable --now nftables
7. Add the HE tunnel automatically at boot
7.1 Config file /etc/he-ipv6.conf
SERVER_IPV4="填_HE_Server_IPv4"
LOCAL_IPV4="填_你服务器网卡上的私有IPv4(VPC IP)"
CLIENT_IPV6="填_HE_Client_IPv6(通常::2)"
SERVER_IPV6="填_HE_Server_IPv6(通常::1)"
Field descriptions:
SERVER_IPV4: HE's Server IPv4 Address
LOCAL_IPV4: the real private IPv4 (VPC IP) on the local NIC
CLIENT_IPV6: HE's Client IPv6 Address (usually ::2)
SERVER_IPV6: HE's Server IPv6 Address (usually ::1)
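A preflight check for the values in /etc/he-ipv6.conf, added here as example code that is not part of the original tutorial or of he-ipv6.sh; it reads the same KEY="value" format the script sources and checks that LOCAL_IPV4 is a private (VPC) address and that the two IPv6 endpoints share one /64. The sample file content and its documentation-range addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of /etc/he-ipv6.conf using documentation addresses (not a real tunnel).
SAMPLE_CONF = """
# HE 6in4 tunnel parameters
SERVER_IPV4="203.0.113.10"
LOCAL_IPV4="172.16.0.5"
CLIENT_IPV6="2001:db8:1f0a:1234::2"
SERVER_IPV6="2001:db8:1f0a:1234::1"
"""

REQUIRED = ("SERVER_IPV4", "LOCAL_IPV4", "CLIENT_IPV6", "SERVER_IPV6")
LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)="?([^"#\s]*)"?\s*$')


def parse_conf(text):
    """Read KEY="value" lines the way he-ipv6.sh sources them; blanks and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_conf(conf):
    """Return a list of problems; an empty list means the values fit the HE tunnel model."""
    problems = [f"missing {k}" for k in REQUIRED if not conf.get(k)]
    if problems:
        return problems
    try:
        server4 = ipaddress.IPv4Address(conf["SERVER_IPV4"])
        local4 = ipaddress.IPv4Address(conf["LOCAL_IPV4"])
        client6 = ipaddress.IPv6Address(conf["CLIENT_IPV6"])
        server6 = ipaddress.IPv6Address(conf["SERVER_IPV6"])
    except ValueError as exc:
        return [f"unparsable address: {exc}"]
    # 'ip tunnel ... local' needs the VPC address that is really on the NIC;
    # the public EIP is not configured on the interface, so a public LOCAL_IPV4 is a mistake.
    if not local4.is_private:
        problems.append("LOCAL_IPV4 is not a private (VPC) address")
    if server4 == local4:
        problems.append("SERVER_IPV4 equals LOCAL_IPV4")
    # HE places both tunnel endpoints (::1 server, ::2 client) in one /64.
    if client6 not in ipaddress.IPv6Network(f"{server6}/64", strict=False):
        problems.append("CLIENT_IPV6 and SERVER_IPV6 are not in the same /64")
    elif client6 == server6:
        problems.append("CLIENT_IPV6 equals SERVER_IPV6")
    return problems
```

Run it against the real file with `check_conf(parse_conf(open("/etc/he-ipv6.conf").read()))` before enabling the systemd unit.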
7.2 Script /usr/local/sbin/he-ipv6.sh
#!/usr/bin/env bash
set -euo pipefail

CONF="/etc/he-ipv6.conf"
[ -r "$CONF" ] || { echo "Missing $CONF"; exit 1; }
source "$CONF"

TUN="he-ipv6"

# Abort if a required variable from the config file is unset or empty.
require() {
    local v="$1"
    [ -n "${!v:-}" ] || { echo "Missing $v in $CONF"; exit 1; }
}
require SERVER_IPV4
require LOCAL_IPV4
require CLIENT_IPV6
require SERVER_IPV6

start() {
    # Tear down any leftover tunnel first so the script is idempotent.
    ip -6 route del ::/0 dev "$TUN" 2>/dev/null || true
    ip -6 addr flush dev "$TUN" 2>/dev/null || true
    ip link del "$TUN" 2>/dev/null || true
    # 6in4: remote is HE's server IPv4, local is the VPC address on the NIC (not the EIP).
    ip tunnel add "$TUN" mode sit remote "$SERVER_IPV4" local "$LOCAL_IPV4" ttl 255
    ip link set "$TUN" up
    ip -6 addr add "${CLIENT_IPV6}/64" dev "$TUN"
    ip -6 route replace ::/0 dev "$TUN"
    # Best-effort reachability probe of the HE side; a failure does not abort startup.
    ping6 -c 1 -W 2 "$SERVER_IPV6" >/dev/null 2>&1 || true
}

stop() {
    ip -6 route del ::/0 dev "$TUN" 2>/dev/null || true
    ip -6 addr flush dev "$TUN" 2>/dev/null || true
    ip link del "$TUN" 2>/dev/null || true
}

case "${1:-}" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
    *) echo "Usage: $0 {start|stop|restart}"; exit 2 ;;
esac
Make it executable:
chmod +x /usr/local/sbin/he-ipv6.sh
7.3 systemd unit /etc/systemd/system/he-ipv6.service
[Unit]
Description=Hurricane Electric IPv6 (6in4) tunnel
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/he-ipv6.sh start
ExecStop=/usr/local/sbin/he-ipv6.sh stop
[Install]
WantedBy=multi-user.target
Enable and start it:
systemctl daemon-reload
systemctl enable --now he-ipv6.service
systemctl status he-ipv6.service --no-pager
8. Final verification
Check in the following order:
ip -6 addr show dev he-ipv6
ip -6 route
ping6 -c 3 "$(grep '^SERVER_IPV6=' /etc/he-ipv6.conf | cut -d'"' -f2)"
ssh -6 root@[<CLIENT_IPV6>]