@CHTJonas
Last active April 26, 2022 00:49
Tunnelbroker config for UniFi Security Gateway
{
  "interfaces": {
    "tunnel": {
      "tun0": {
        "address": [
          "YOUR-ALLOCATED-IPV6-PREFIX-FROM-TUNNELBROKER"
        ],
        "description": "Tunnelbroker IPv6 Tunnel",
        "encapsulation": "sit",
        "firewall": {
          "in": {
            "ipv6-name": "WANv6_IN"
          },
          "local": {
            "ipv6-name": "WANv6_LOCAL"
          },
          "out": {
            "ipv6-name": "WANv6_OUT"
          }
        },
        "local-ip": "YOUR-ROUTER-PUBLIC-IPV4-ADDRESS",
        "multicast": "disable",
        "remote-ip": "YOUR-TUNNELBROKER-REMOTE-IPV4-ADDRESS",
        "ttl": "255"
      }
    }
  },
  "protocols": {
    "static": {
      "interface-route6": {
        "::/0": {
          "next-hop-interface": {
            "tun0": "''"
          }
        }
      }
    }
  }
}

UniFi Tunnelbroker Configuration

This GitHub Gist details the manual configuration needed on a UniFi controller to enable IPv6 tunneling with Hurricane Electric's Tunnelbroker service.

Setup

This is what works for me personally. Stuff you'll need to do to adapt this to your ends:

  • Replace "local-ip" with your USG's public IPv4 address.
  • Replace "remote-ip" with the address of your Tunnelbroker tunnel server.
  • Replace "address" with the IPv6 address that you are allocated.

Installation

Follow these instructions and drop your config.gateway.json file in the correct location, e.g. /usr/lib/unifi/data/sites/$NAME/.

CHTJonas (author) commented Apr 1, 2021

> how exactly do you now use a tunnel with a USG if you have a dynamic ipv4 address?

It's a bit tricky. I had to update the config manually whenever my IPv4 address changed which was thankfully not that often. I imagine it would be possible to automate this (maybe a crontab running on the controller that does sed -i on the JSON file and then hits up the API URLs to force AP reprovisions?) but it would be a massive hack.

You also need to make sure the IP address is updated at the Tunnelbroker side which is easy enough to do using curl in a crontab.
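
An added example (not part of the gist or the author's comment): a Python check to run on config.gateway.json before provisioning. It flags unreplaced placeholders, an RFC 1918 local-ip and a tunnel with no IPv6 ruleset bound, and it rewrites local-ip by parsing the JSON rather than editing it with sed. The function names, the sample addresses (documentation ranges) and the rule that all three firewall hooks must be bound are assumptions of this example.

```python
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the gist's shape; addresses are documentation-range
# values and local-ip is deliberately left as the unreplaced placeholder.
SAMPLE = {"interfaces": {"tunnel": {"tun0": {
    "address": ["2001:db8:1f0a::2/64"],
    "firewall": {"in": {"ipv6-name": "WANv6_IN"},
                 "local": {"ipv6-name": "WANv6_LOCAL"},
                 "out": {"ipv6-name": "WANv6_OUT"}},
    "local-ip": "YOUR-ROUTER-PUBLIC-IPV4-ADDRESS",
    "remote-ip": "198.51.100.1"}}}}


def lint_tunnels(config):
    """Return a list of problems in interfaces.tunnel of a parsed config."""
    problems = []
    for name, tun in config.get("interfaces", {}).get("tunnel", {}).items():
        for key in ("local-ip", "remote-ip"):
            try:
                ip = ipaddress.IPv4Address(tun.get(key, ""))
                if key == "local-ip" and any(ip in net for net in RFC1918):
                    problems.append(f"{name}: local-ip is RFC 1918, not public")
            except ValueError:  # placeholder text or malformed address
                problems.append(f"{name}: {key} is not an IPv4 address")
        for addr in tun.get("address", []):
            try:
                ipaddress.IPv6Interface(addr)
            except ValueError:
                problems.append(f"{name}: address {addr!r} is not IPv6")
        for hook in ("in", "local", "out"):  # the three hooks the gist binds
            if not tun.get("firewall", {}).get(hook, {}).get("ipv6-name"):
                problems.append(f"{name}: no ipv6-name ruleset on '{hook}'")
    return problems


def set_local_ip(config, new_ip, tunnel="tun0"):
    """Return a copy with the tunnel's local-ip replaced; ValueError if invalid."""
    updated = json.loads(json.dumps(config))  # deep copy, input untouched
    updated["interfaces"]["tunnel"][tunnel]["local-ip"] = new_ip
    problems = lint_tunnels(updated)
    if problems:
        raise ValueError("; ".join(problems))
    return updated
```

Load the real file with `json.load`, pass the result to `lint_tunnels`, and only write the output of `set_local_ip` back (to a temporary file, then rename) when it returns without raising.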
