IPv6 and Internet Connection Sharing on Windows

I moved house and applied for installation of a cable modem network recently. For the network topology needed at home, I chose to use Internet Connection Sharing (ICS) on Windows XP. When using the default settings of ICS, the DHCP server and DNS cache server are enabled. The default IP setting of ICS server is and the DHCP range is within and

Install IPv6 support and 6to4 relay

For IPv6 support in Windows XP (above SP2), we can install the driver with

C:\>ipv6 install


There are modules for IPv6 tunneling such as Teredo, 6to4 and ISATAP. If there is native IPv6 support, the modules are disabled by default. If there is no native IPv6 but the PC has a public IPv4 address, the 6to4 tunnel will be enabled by default.

On my Windows XP ICS server, the Teredo tunnel is disabled and the 6to4 tunnel is enabled, but the default 6to4 relay routing function is broken. I can obtain its v6 address as gateway but it failed to transfer the request. According to my test, the ONLY ONE workable 6to4 relay is ipv6-lab-gw.cisco.com. We can use

C:\>netsh interface ipv6 6to4 set relay ipv6-lab-gw.cisco.com enable

to enable a new relay for the 6to4 tunnel.

Make the Teredo tunnel work with ICS

To enable the Teredo service, use the netsh command:

C:\>netsh interface ipv6 set teredo client

There will be an IPv6 address prefixed by 2001: and a gateway :: shown with the ipconfig command. The tragedy is, with ICS enabled, Teredo will be in the position of a host-specific relay and cannot obtain an IPv6 address. I have no idea if this scenario is caused by module conflicts or by pre-defined policy rules in Windows. The way to make Teredo work is to disable the 6to4 relay with

C:\>netsh interface ipv6 6to4 set state disabled

An IP address is obtained a short time after this command.


Although without 6to4 tunneling there is no IPv6 address provided to ICS members by the ICS DHCP server, the network is more stable. By the way, the Facebook App malfunctioned in the environment with ICS plus the broken 6to4 tunnel.

On the other hand, if you want to make ISATAP work, try these commands:

C:\>netsh interface ipv6 isatap set router isatap.sjtu.edu.cn
C:\>netsh interface ipv6 isatap set state enabled

where the tunnel router is provided by Shanghai Jiao Tong University (上海交通大学).

Enjoy it. 🙂
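The three tunnel mechanisms named in this post each leave a recognisable pattern in the IPv6 address the host ends up with. The following is an added example, not part of the original post, that tells from an address (as shown by ipconfig) which mechanism produced it and which IPv4 address it embeds; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# ISATAP interface identifiers are 0000:5efe:<IPv4> or 0200:5efe:<IPv4>.
_ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def classify_tunnel(addr):
    """Return the tunnel mechanism behind an IPv6 address and its embedded IPv4."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a Windows zone index (%5)
    if ip.sixtofour is not None:                    # 2002::/16, public IPv4 in bits 16..47
        return {"mechanism": "6to4", "ipv4": str(ip.sixtofour)}
    if ip.teredo is not None:                       # 2001:0000::/32
        server, client = ip.teredo                  # client = de-obfuscated NAT-mapped IPv4
        return {"mechanism": "teredo", "server": str(server), "ipv4": str(client)}
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF              # low 64 bits: interface identifier
    if iid >> 32 in _ISATAP_MARKERS:
        return {"mechanism": "isatap",
                "ipv4": str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))}
    return {"mechanism": "native-or-other"}


def inventory(addresses):
    """Group the embedded IPv4 addresses by tunnel mechanism."""
    found = defaultdict(list)
    for addr in addresses:
        info = classify_tunnel(addr)
        found[info["mechanism"]].append(info.get("ipv4"))
    return dict(found)


# Constructed sample addresses (documentation ranges, plus the RFC 4380 Teredo example).
SAMPLE = [
    "2002:c000:201::c000:201",                # 6to4 for 192.0.2.1
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo
    "fe80::5efe:c0a8:a%5",                    # ISATAP link-local for 192.168.0.10
    "2001:db8::1",                            # not a tunnel address
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, "->", classify_tunnel(a))
```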

Script to check tunnel status periodically on Windows

This post is delayed for more than 10 months because I forgot about it. Sorry about that.

To improve the availability of the reverse tunnel, we check its status periodically via Scheduled Tasks. For that, we need to write a batch script and add it to Windows.

First, the script I wrote:


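@ECHO OFF
REM Tunnel endpoint and the Windows service that runs the tunnel
SET _SERVER={Server ip}
SET _PORT={Server port}
SET _SERVICE={Your service name installed in Windows}

:TUNNEL_CHECK
REM Count netstat lines that mention the endpoint; FIND "1" leaves ERRORLEVEL 0 on a match
start /MIN /B netstat.exe -nav -p TCP | FIND /C "%_SERVER%:%_PORT%" | FIND "1" > nul 2>&1
IF NOT ERRORLEVEL 1 GOTO END

REM No match: restart the tunnel service (/WAIT so the stop finishes before the start)
start /MIN /B /WAIT net stop %_SERVICE%
start /MIN /B net start %_SERVICE%

:END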

Actually, I’m a newbie at batch scripting in Windows and the script may be ugly. The script first defines some variables we will use later: the destination server’s IP and port, and the service name we installed in Windows.

The main function is TUNNEL_CHECK. We start a command without creating a new window (/B) and minimized (/MIN). For netstat.exe, we list all active connections numerically (-an) and filter for TCP only (-p TCP). Then FIND counts the lines (/C) that match our server string. We restart the service if an error occurs. Otherwise, the program exits.
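The check described above treats the tunnel as up when the count of lines containing server:port has a "1" in it, so a connection in TIME_WAIT or a longer port that starts with the same digits passes, while two live sessions fail. The following added example (not the author's script; written in Python so the logic can be run against sample text, with constructed netstat rows and 203.0.113.10:22 standing in for the server) compares that logic with a stricter test on the foreign address and state columns.

```python
def parse_netstat(output):
    """Yield (local, foreign, state) for each TCP row of netstat -an -p TCP output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP":
            yield fields[1], fields[2], fields[3].upper()


def tunnel_is_up(output, server, port):
    """Strict check: foreign address equals server:port and the state is ESTABLISHED."""
    target = f"{server}:{port}"
    return any(foreign == target and state == "ESTABLISHED"
               for _local, foreign, state in parse_netstat(output))


def naive_check(output, server, port):
    """The batch logic: count lines containing server:port, then look for '1' in the count."""
    needle = f"{server}:{port}"
    count = sum(1 for line in output.splitlines() if needle in line)
    return "1" in str(count)


# Constructed sample rows in the column layout of netstat -an -p TCP.
SAMPLES = {
    "time_wait_only": "  TCP    192.168.0.2:1045    203.0.113.10:22      TIME_WAIT\n",
    "other_port":     "  TCP    192.168.0.2:1050    203.0.113.10:2222    ESTABLISHED\n",
    "two_sessions":   "  TCP    192.168.0.2:1045    203.0.113.10:22      ESTABLISHED\n"
                      "  TCP    192.168.0.2:1046    203.0.113.10:22      ESTABLISHED\n",
}


def compare(server="203.0.113.10", port=22):
    """Return {sample name: (naive result, strict result)} for every sample."""
    return {name: (naive_check(text, server, port), tunnel_is_up(text, server, port))
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:15} naive={naive!s:5} strict={strict}")
```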

Second, we add this script to Windows. Open the configuration window via: Start > All Programs > Accessories > System Tools > Scheduled Tasks. Then create a new task with the script. I’ll list the settings I used when editing the task.

In the Schedule tab of the task, we need two schedules. One is Run at system startup and the other runs periodically: in my settings, the script is a Repeat task for every 1 hour and its duration is 23 hours. The task itself is Scheduled as Daily from 12:00 AM every 1 Day.

Generally speaking, this script will run at system start-up, and every hour of every day. To avoid any problem, I unchecked all boxes in the Settings tab. Another note is to set up the task to run as a valid user. This step makes it run at system start-up successfully. If the user is password-protected, we also need to set the password.

That’s all the details of my checking script. Enjoy it. 🙂

How to Make a Custom Service on Windows

The next step is to make a custom start-up service for Windows. That is, if we reboot it remotely, the connection will also be established automatically.

First, for a startup service, the reference page is: Set up an SSH tunnel as a Windows service using putty (plink).

1. Download the kit and install it.

2. Use the command to insert a new service with srvany:

cmd > instsrv {service name} {location of srvany program}

3. Install the service’s details into the registry. Copy the following entries to a .reg file, modify the corresponding commands, and then double-click it to install. Note: the backslash (‘\’) must be written twice to escape it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters]
"Application"="{location of plink}\\plink.exe"
"AppDirectory"="{location of directory of plink}"
"AppParameters"="{ssh arguments}"

4. After installing it, you can use this command for testing.

cmd > net [start/stop] {service name}

5. When starting up the service, check on the server side with netstat.

Second, for the case where plink cannot find the host SSH key, the reference is here: Add host keys for putty (plink) for the system user.

By default the connection is established by the owner. But a service is run by the system account, which cannot retrieve the host key we presently use. To overcome this problem, the steps are:

1. Connect to the server by hand to get the host key on the local PC (as a double check).

2. Open regedit and find out the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.

3. Export these entries from menu and modify the exported file’s entry header to:


4. Save and install it by double click. Then check the service for correctness.

By now, the auto-login SSH tunnel service on Windows is constructed. The next step is to check its connection and keep it alive.

SSH Tunnel and Auto-login with Plink and Puttygen

The first part of finishing my own Remote Desktop environment is to establish a reverse tunnel connection and, by the way, to use auto-login without a plain-text password shown on the command line.

First, to establish an SSH tunnel, the command and corresponding arguments are:

plink -ssh -2 -R {dest pc ip}:{dest pc port}:{local pc ip}:{local pc port} -l {username} -i {ppk file} {remote pc tunnel ip}

This command indicates that we construct a Reverse tunnel (-R) with version 2 of the SSH protocol (-2). It binds a tunnel between the two specified ip:port pairs. And we use the auto-login method with the key-pair file (-i), which was generated by PuTTYgen.

The references for common SSH usage and the specific server settings are at Reverse Tunneling. The GatewayPorts and ClientAliveInterval settings are the more important ones. The details will be shown in later articles.

Second, for the automatic login strategy, the hint is to use PuTTYgen, which is provided by the same vendor as PuTTY. The reference is Use PuTTYgen to generate a private/public key pair. The brief steps are:

1. Open PuttyGen, and generate your own DSA or RSA key-pair.

2. You can enter a passphrase to protect the saved private key file.

3. Copy the text in the public key section and paste it into your server, the ~/.ssh/authorized_keys file (one key per line).

4. Use plink/putty to check the auto-login function.

Now the reverse tunnel connection is established. The next step is to make it a start-up service.

Remote desktop behind NAT on Windows

My network access in the rental housing is behind NAT. All the IPs we have are private (192.168.x.x). Although we can use SSH to build a tunnel (even a reverse tunnel) to bind the port for remote access and ignore the effects of NAT, there are many issues that need to be solved.

The whole view of my chosen configuration is:

HOME (192.168.x.x) <- NAT <-> NETWORK <-> DEST_TUNNELED (LINUX)

Here I list the problems I encountered. The solutions may be written up as separate topics and linked externally.

First, Remote Desktop (RDP) in Windows XP SP3 (it seems since SP2) does not support loopback (127.0.x.x) connections. The reason may be to prevent a user from connecting from the same PC locally. In this situation, the connection will be disconnected and the only way to recover is a forced reboot.

But we still need the loopback function. Because if we use an SSH tunnel for connections, the binding port is localhost ( in local. But the default policy of Windows is to deny this kind of connection.

So I turned to UltraVNC, a well-known remote control application on Windows. Another reason for choosing VNC is that almost 90% of my work (and home) PC environments are Linux-based. Apart from VNC and RDP, I don’t want to install other clients that are not provided by the distribution.

P.S. Although UltraVNC provides some plug-ins such as NAT-to-NAT, single-click and so on, they are not feasible for my environment. One reason is that my destination computers are all Linux (and the Windows PCs are still behind another firewall too). So the solutions based on listen mode and the NAT-to-NAT plug-in were all rejected by me.

Second, to simplify the software installation in Windows, the SSH application I used is plink. Plink is a command-line interface to PuTTY’s back-end, where PuTTY is another well-known SSH client on Windows. Because it can be used from the command line, it is the best choice to run as a Windows service for system start-up and auto-connection.

The main reasons I chose plink for the connection are: 1) it is small but compact; 2) it is installation-free (green); and 3) it is well-known and still maintained.

Details of SSH Tunnel and Auto-login with Plink and Puttygen.

Third, to insert a new service into Windows, I use the Windows Resource Kit, which is provided by Microsoft. Because it is produced by the same vendor, its compatibility and stability may be the highest, I think.

Details of How to Make a Custom Service for Windows.

Fourth, to check periodically that the connection is established, I wrote a simple batch script. The script checks for the connection from the local side and restarts the tunnel service when it is disconnected. With the Windows scheduler, it runs periodically.

Details of Script to check tunnel status periodically on Windows.

Fifth, to maintain the connection, we change the server settings for SSH. The parameter makes the server ask the client whether it is still alive. This prevents the connection from being dropped by the network devices between the two ends.

Details of how to avoid SSH connection closed. (TBD)

Finally, my own remote desktop environment was built successfully, and it works fine. Although uploading from my home is still slow, I can control its status remotely.