Sign up for an account at tunnelbroker
Once signed up - choose Create Regular Tunnel
Enter the IPv4 address of the external interface of your firewall. Note: this address must be able to receive and respond to ping from arc.he.net. If the site can't ping your firewall, the page will show you the IP address you need to allow ping from.
I had to open the firewall for incoming ping from he.net:
iptables -A INPUT -p icmp -s 22.214.171.124 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
If your OUTPUT policy is not ACCEPT and doesn't already allow ping, you may have to add a matching rule there too so the replies can leave.
You will need to forward IP protocol 41 (IPv6 encapsulated in IPv4, which the tunnel uses) to your inside box (my desktop is on the internal 192.168.1 network):
iptables -t nat -A PREROUTING -i eth0 -p 41 -j DNAT --to 192.168.1.x
iptables -t filter -A FORWARD -i eth0 -p 41 -d 192.168.1.x -j ACCEPT
Head to pugio.net - there is a shell script to enable the interface and a launchctl plist to enable it at launch.
Test with ping6 - for example:
chris$ ping6 pugio.net
PING6(56=40+8+8 bytes) 2001:xxxxxxxxxxxx --> 2002:4540:22b0::1
16 bytes from 2002:4540:22b0::1, icmp_seq=0 hlim=56 time=231.701 ms
16 bytes from 2002:4540:22b0::1, icmp_seq=1 hlim=56 time=209.833 ms
^C
--- pugio.net ping6 statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/std-dev = 209.833/220.767/231.701/10.934 ms
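An added check, not part of the original post: the protocol 41 DNAT and FORWARD rules above match any IPv4 source rather than only the tunnel server, and this script reads iptables-save output and flags rules like that. The two sample rule sets, the internal address 192.168.1.10 and the tunnel server address 192.0.2.1 are constructed placeholders.

```sh
#!/bin/sh
# Added example: flag protocol-41 (6in4) ACCEPT/DNAT rules that match any source.
# Reads iptables-save format on stdin and prints one line per finding.
audit_proto41() {
    awk '
    $1 != "-A" { next }                 # skip table, chain and COMMIT lines
    {
        proto = ""; src = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
            if ($i == "-j" || $i == "--jump")     target = $(i + 1)
            if ($i == "-s" || $i == "--source") {
                # a negated source ("! -s x") still matches almost any sender
                src = ($(i - 1) == "!") ? "" : $(i + 1)
            }
        }
        # iptables-save may print protocol 41 by its /etc/protocols name, ipv6
        if (proto != "41" && proto != "ipv6") next
        if (target != "ACCEPT" && target != "DNAT") next
        if (src == "" || src == "0/0" || src == "0.0.0.0/0")
            print "UNRESTRICTED " $2 ": " $0
    }'
}

# Constructed sample: the rules from this post as iptables-save would list them.
sample_weak() {
cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p ipv6 -j DNAT --to-destination 192.168.1.10
COMMIT
*filter
-A FORWARD -d 192.168.1.10/32 -i eth0 -p ipv6 -j ACCEPT
COMMIT
EOF
}
# Constructed sample: same rules, limited to the tunnel server (placeholder IP).
sample_hardened() {
cat <<'EOF'
*nat
-A PREROUTING -s 192.0.2.1/32 -i eth0 -p ipv6 -j DNAT --to-destination 192.168.1.10
COMMIT
*filter
-A FORWARD -s 192.0.2.1/32 -d 192.168.1.10/32 -i eth0 -p ipv6 -j ACCEPT
COMMIT
EOF
}
echo "rules as posted:";   sample_weak | audit_proto41
echo "source-restricted:"; sample_hardened | audit_proto41
```

On a live firewall, pipe the real rule set through the same function as root: `iptables-save | audit_proto41`.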