ipv6 at home, part 2.5: Google, DHCPv6, speed tests, troubleshooting, various

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. I also got stuck for a very long time on trying to use Windows as a router for an ipv6 subnet on that setup, and ultimately failed to make that work.

Part 2.5 is going to be an in-between – a collection of ipv6-related tidbits that will, hopefully, be useful, but have no particular cohesion.

Google services on ipv6

Back in January, Google announced that they had moved a number of their services to be multi-homed. To avoid causing issues for people with Vista that didn’t have functioning ipv6 connectivity, this is an opt-in service. That is achieved by using a DNS server that peers with Google for ipv6 addresses.

Unless you work for an ISP, you are not going to peer your own servers with Google. However, several tunnel brokers, including Hurricane Electric and sixxs, offer DNS servers that can serve up Google ipv6 addresses.

Here’s an example nslookup:

> www.google.com
Server:  UnKnown
Address:  2001:470:20::2

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  2001:4860:b002::68
Aliases:  www.google.com

As you can see, both A (ipv4) and AAAA (ipv6) records are being returned. In order for Vista to use the ipv6 address, you need to use the ipv6 address of the DNS server. If you query DNS over ipv4 and get both A and AAAA records, Vista will prefer an ipv4 address.

You can test which address is going to be used by running “ping http://www.google.com”, which will show the numerical address that the OS is trying to reach.


If you are using a software tunnel such as AYIYA over aiccu, then you can set the DNS server to be used manually, through the Control Panel. If you are using an ipv6-capable router or firewall, however, you can send out that information over DHCPv6.

Cisco has a clear and concise paper on DHCPv6. From an implementation standpoint, it is very simple: Decide whether DHCPv6 is only going to serve DNS addresses, or whether it is going to handle all ipv6 address assignment, too. Then set flags for your RA (Router Advertisement) Configuration: “O” (“Other Parameters”) if RA handles addresses and DHCPv6 handles DNS, or “M” (“Managed”) if DHCPv6 handles addresses and DNS.

An RFC draft dated July 2005 suggests to expand RA to be able to hand out DNS server addresses without the need for DHCPv6. That draft has not yet been adopted, and I have yet to see an implementation in a major vendor’s routing OS.

[Update 2008-08-02] Jeremy points out that the above statement about implementation being “very simple” is rather brash. He’s correct, and explains the differences between Windows and Linux/Unix in this regard in his company blog. With lots of references to “dueling RFCs”, fun. For a broader view of ipv6 and its real-world applications, and a much more in-depth view than “okay how do I get this to work at home anyhow”, definitely do follow his blog.

Speed Test

If you’d like to compare your ipv6 speed to your ipv4 speed, you can do so through an ipv6 speed test offered by the University of Maine. The test can actually run in both ipv6 and ipv4, which makes it useful for comparison.

ftp.isc.org is reachable through ipv6 as well – if you can find a suitably large file there, it could serve as a measure of download speed over ipv6.


This may have to be a “paragraph-in-perpetual-progress”. A few of the tools I found useful are:

Wireshark, in case you need to see what is happening to your ipv6 packets – are they leaving on the interface you think they should be leaving on, do you see return packets?

netsh is full of useful commands in its “interface ipv6” context, among them:

show route – does that just, shows you the ipv6 routing table

show siteprefixes – you’ll get a list of all the ipv6 prefixes (networks) configured on your machine

show prefixpolicies – you’ll see a list of which prefixes are preferred in which order. This is explained in more detail at ipv6 Day. Note that my own attempts to “fiddle with” prefix policy left me in a state where Vista would not function for ipv6 traffic at all.

reset – resets all ipv6 settings to default. Really useful if you’ve done a little too much fiddling. Needs a reboot.

show addresses – will show you the ipv6 addresses and their lifetime

show interfaces – configured interfaces and their up/down state

ipconfig /release6 and ipconfig /renew6 can be used to release/renew RA or DHCPv6 addresses

Turning off unused tunnel interfaces

Windows comes with built-in Teredo, ISATAP and 6-to-4 tunnel interfaces. These can become a distraction when configuring an alternative way to access ipv6, such as through your router or a third-party tunnel application.

Courtesy of ipv6 Day comes a description of registry settings to turn these off. There are a lot of possible combinations, including some that will turn off ipv6 entirely, which can come in handy in corporate environments.

The TL;DR for turning off all Windows built-in tunnels is:

  • In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\
  • Create a DWORD called DisabledComponents
  • Set it to “1”
  • Reboot

ipv4 exhaustion counters

Hurricane Electric, my preferred tunnel broker, offers a number of widgets and applications to keep track of ipv4 address space exhaustion. That includes Vista / Win 7 gadgets, Google Desktop and iGoogle gadgets, iPhone/iPod touch apps, and a web widget.

The “days remaining” are to be taken with a grain of salt. 676 days to complete ipv4 exhaustion! (As of August 2nd 2009) Actually, what is likely to happen is that we’ll see ipv4 space become more and more expensive, to the point where it is no longer economically feasible to own large portions of it just for access purposes – we’ll see hosting companies running it for decades, and your typical office running on v6 with a way to reach v4 over a tunnel. The reverse of today’s situation – eventually.

ipv6 certification

[Update 2009-08-06 – More detail on DNS requirements for this cert program]

Hurricane Electric also offers a fun ipv6 certification. What’s interesting about it is that it’s almost completely results-based. The first few levels (“Newbie” and so on) are just a questionnaire, but to reach the coveted “Sage” level, it’ll be doing real tasks, such as sending/receiving SMTP email over ipv6.

Achieving this entirely from home has one more than one challenge – you need a DNS server that will let you set AAAA records, will act as delegation for ipv6 PTR records, has its own AAAA entry and will respond to ipv6 queries, and you will need ipv6 glue for your DNS server at the TLD. There are a number of free ones available. These will let you set AAAA records, and usually also function for RDNS delegation. None of them are reachable over ipv6. A combination of afraid.org, v6ns.org and a BIND server on your machine will get you all the way to “Guru”, but you won’t get “Sage” that way, as you’ll be missing the TLD glue.

The certification tests use the same domain you start out with throughout, or a subdomain thereof. If you want “smooth sailing”, choose a domain you own on a registrar that supports ipv6 glue.

It’s a worthwhile exercise in that you’ll find that ipv6 connectivity itself is really not the issue – finding real-world applications that support ipv6 is the larger challenge. You’ll also learn more about ipv6 DNS than you truly ever wanted to know.

ipv6 address space – think about registering yours

If you are involved in a corporate networking group, you may want to think about how you are going to handle ipv6 space. Traditionally, you get your address assignments from your ISP. This creates an amount of pain when moving ISPs. In ipv4, that’s public-facing addresses, while the internal network can stay untouched. In ipv6, everything uses public addresses – no more NAT (pending discussion, there are address translation efforts underway for ipv4/ipv6 translation – which doesn’t change the situation w/ regards to your ipv6 space). That means an ISP move could potentially require you to renumber everything, down to the last printer and desktop.

You can plan for this, by avoiding static assignments wherever possible, and always thinking about “how would I switch this to an entirely different subnet if I had to?” every step of the way.

Or, if you qualify, you can get a direct assignment of ipv6 space from ARIN. This used to be trivially easy as an “early adopter”, but that policy has been discontinued. Now, you need to be either a) eligible for direct ipv4 assignment (that’s getting tougher and tougher by the month) or b) already have a direct ipv4 assignment, and show that you use it efficiently.

It’ll be interesting to see how this policy evolves as ipv4 space becomes ever scarcer – will ARIN just stop assigning v6 space directly to end users, or will we see policies that are not tied to v4 eligibility?

[Edit 2009-08-02]

As Jeremy points out in a comment, ULA space (Unique Local Address as per RFC4193) is a the solution to receiving address space from your ISP, but wanting to avoid the pain of needing to re-do addressing of your entire network when moving ISPs. As long as the devices you give these addresses to do not need connectivity to the Internet, that is: As per the RFC, “They [the ULA addresses] are not expected to be routable on the global Internet”. In practice, that translates into a requirement to filter out ULA space at the BGP border router. SixXs has a page to register ULAs. As they point out, while there is no requirement to register ULAs, collisions (which are not very likely but can happen) can be dealt with by registering ULAs anyway.


ipv6 at home, Part 2: Tunnel brokers, Windows “AYIYA” tunnel

Has it been 2 months? High time to get on with the planned ipv6 series, then. If you are entirely new to ipv6, it may pay to read part 1: overview.

In this installation, I will cover the use of the SixXS tunnel broker to create an ipv6-over-ipv4 tunnel from your Windows PC, on XP or Vista. This may sound like so much gobble-de-gook – some background is in order. Feel free to skip down to the nuts-and-bolts section if tunneling is an “old hat” to you.

To recap, there are three major ways that a Windows PC will gain access to the ipv6 Internet: Teredo, which is covered in part 1 – bordering-on-easy to set up on Vista, but the most inefficient way  to gain access, and limited in its usefulness under XP.  Tunnel brokers, which I will cover in this part and parts 3/4. And native ipv6 access provided by your ISP, which I’d love to cover, but will need help doing so as none of the ISPs in my area offer it.

Tunnel Types

The “tunnel” that is being brokered here is ipv6 traffic encapsulated in ipv4. A machine on your network acts as your local tunnel endpoint, and your tunnel broker has a device “out there” that acts as the other end. You only have direct ipv4 connectivity. Your tunnel broker is connected both to ipv4 and ipv6. When a machine on your network desires to reach an ipv6 address, it will send the packet to your local tunnel endpoint. That machine wraps the ipv6 packet in an ipv4 header, and sends it over your ipv4 connection to the tunnel broker’s endpoint. There, the ipv6 packet is removed from its wrapper, and sent on its way to the ipv6 destination. Return traffic flows similarly, with the tunnel broker wrapping, and your machine unwrapping.

While this sounds relatively straightforward, the details of how this “wrapping” and “unwrapping” work (encapsulation and decapsulation for those who want to sound technical about it) impose certain restrictions on how you can deploy this in your own network.  Consequently, there are a number of tunnel brokers available, but only a few of these offer tunnels that will work behind “NAT”, a.ka. what your home router does to your traffic before it hits your ISP’s network.

The three major ways of configuring ipv6-over-ipv4 tunnels, then, are:

  • Static 6-to-4 tunnels, using IP protocol  41. These are well suited to being deployed on an ipv6-capable router. Which most folk do not have at home. I will cover this setup in part 4, using a Juniper SSG-5 firewall as an example endpoint.
  • AICCU/AYIYA tunnels, which are offered by SixXS. These can traverse NAT, and I will cover them in this article. They use PC client software. They’ll run on pretty much any OS out there – I will cover Windows only in this post.
  • Hexago TSP tunnels, which can also traverse NAT. I intend to cover this in part 3, and see how it stacks up against SixXS. These also use PC client software.

Configuring an AYIYA tunnel

Let’s get into the “nuts-and-bolts” of setting up a SixXS tunnel, then. SixXS offers POPs (Points of Presence) all over the globe, and just recently added free 10GBit connectivity. This bodes well for good speed when using the service.  They offer three types of tunnels: AICCU/AYIYA (Anything-in-Anything), which traverses NAT and which I will cover here; AICCU/Heartbeat, which is meant for use without NAT, but with a dynamic IP; and a “plain” static 6-to-4 tunnel, which is meant for static IPs and will usually be terminated on a router, not a PC.

SixXS offer a good overview of how to get a tunnel running in their “10 Steps to ipv6” document. I’ll run through those steps with you.

But before I do, one more word about how the SixXS AYIYA tunnel works: You’ll receive a /64 tunnel subnet, for which SixXS will only route the endpoints – the PC running the AICCU utility, and the SixXS end. If you want to get any of your other machines at home onto ipv6, you’ll need to request a /48 subnet from SixXS. These actions – requesting a tunnel, requesting a subnet, changing tunnel properties – cost “ISK”, a virtual currenty SixXS uses. You gain ISK by signing up, and thereafter by having a functioning tunnel up and running.

1) Sign up with SixXS. In fact, first sign up with LinkedIn, or Xing, both “professional” social networking sites.  The reason is that the amount of SixXS “ISK” you receive upon signup with a LinkedIn or Xing profile is sufficient to request a /48 subnet right away, while without those profiles, it’ll just be enough to request a tunnel, after which you’d have to have the tunnel up and running for a week to accumulate enough ISK to request a subnet. SixXS will warn you that signup is handled by people, and it may be weeks before you get your account. In my case, I received it within a day, and was assigned 75 ISK – plenty to start experimenting.

[Update] As has been pointed out in the comments, signing up with SixXS means handing over some of your personal data, such as your name, and having that published in the whois directory. If that makes you nervous, SixXS is not for you.

2) Log in, and request a tunnel. You’ll want an AYIYA tunnel, which happens to be the default setting. Remember to specify your city and country! This will impact your speed, as SixXS will allocate you a POP (tunnel endpoint) close to you. In the next step, select a POP, and give a reason for selecting this POP as well as describe what you’ll use the tunnel for. Again, tunnel requests are processed by people – so be polite, do give a reason, and you’ll get your tunnel set up quickly. Note there will be no email notification when the tunnel is live – just check the SixXS page. SixXS will send you email notification when the tunnel request has been granted, and if you’re smarter than Yours-Truly, you’ll check the right email account.

3) Once you have your tunnel, and if you have enough ISK, and intend to get other machines in your home onto IPv6, request a subnet. This is again, assigned manually to you – in “less than a week” according to the SixXS confirmation page. Usually it takes just a few hours.

4) Set up AICCU. This gets just a tad involved at present, so I’ll abandon the numbering and step you through this.

Update 4/10/2008 – I have had big network slowdown issues after installing Tun/Tap 901 on Vista64. It’s uninstalled again, and I will update again when I know more – such as whether I can reproduce that issue, and how.

Update 7/28/2009 – Upon using OpenVPN 2.1-rc19 in Vista64, I couldn’t even ping the default gateway through aiccu any more, though this worked in XP64. Time to move on from this post. (2009-08-06: that was possibly coincidence)

Update 8/6/2009 – Some notes on behavior when a PoP goes down added.

There’re two parts to an AICCU/AYIYA tunnel: A “Tun/Tap” driver, and the “AICCU” application. Tun/Tap is part of the OpenVPN project. This could be fairly straightforward, but at current is not, due to versioning.

Tun/Tap exists in a version “801”, which has been tested on Windows 2000 and XP, but exists for Vista only in an experimental version, for XP64 in an experimental version, and for Vista64 not at all.

Tun/Tap version “901” works on Windows 2000 / XP / Vista. The version available at SixXS at present will not install on 64-bit Windows, but there is a way around that, see below.

AICCU comes in two flavors for Windows: A GUI version, which is nice and user-friendly, but which, as of this writing, does not support the “901” Tun/Tap driver. And a console version, which does support that driver version, but which is, by its nature, considerably less user-friendly. I expect this to change. The GUI AICCU is at version “2006.07.23” as of April 5th 2008, while the Console AICCU is at “2008.03.15”. At present, then, we’ll use the GUI version to create a configuration file, and use the Console version to set up the actual tunnel. Once the GUI version has been updated, this additional step of needing to use a Console application to establish the tunnel will be unnecessary.

To start, download the tap32 driver version “901”, the AICCU GUI application, and if the GUI application is still at version “2006.07.23” when you do your downloading, also the Console application. If you are running XP64 or Vista64 and the tap32 driver on the SixXS page refuses to install – which it did for me – you may will also need to download the latest build of OpenVPN 2.1.

[Update: I would generally recommend installing a current version of the TAP driver from an OpenVPN package at this point]

Install the tap32 driver, using “addtap.bat”. This failed for me on XP64 and Vista64, so I used the 2.1-rc79 2.1-rc19  install of OpenVPN instead, choosing to only install the “TAP-Win32 Virtual Ethernet Adapter”, nothing else. On Vista, you’ll get a prompt asking you whether you really mean it and you trust the driver; on XP, you won’t which you may also see in XP, depending on the OpenVPN version.

Start the GUI version of AICCU and log in. NB: If you are running Vista, you must start it as Administrator by right-clicking, “Run as Administrator”.

Choose your tunnel.

Lastly, choose Save Configuration from the menu under the SixXS logo. This will save your configuration in c:\windows\aiccu.conf (hence, the need to run as Administrator in Vista), where the Console version can find it.

Close the GUI version – you may have to right-click it in your task bar and choose “Quit”.

Now open a command line – which, in Vista, you may will also have to do as Administrator – navigate to where you downloaded the Console version of AICCU, and execute it using the “start” argument. You expect to see something along these lines:

aiccu-2008-03-15-windows-console.exe start
Succesfully retrieved tunnel information for T15039
[warning] Couldn't open registry key: SYSTEM\CurrentControlSet\Control\Class\{4D
36E972-E325-11CE-BFC1-08002BE10318}000\ComponentId (t2/2 vs 0/0 vs 1)
Renaming adapter 'Local Area Connection 2' to 'aiccu' and using it
[AYIYA-start] : Anything in Anything (draft-02)
[AYIYA-tun->tundev] : (Socket to TUN) started

Open a browser, and go to go6.net. If everything’s working, you expect to see “You are using IPv6 from” at the top of the page. NB: Firefox 2 may have issues with IPv6. Use Firefox 3 or IE instead.

[Update: go6.net can be temperamental. On a few occasions, it showed me as coming in from IPv4 although the IPv6 tunnel was fully functional. You can cross-check by going to ipv6.google.com, which is, well, Google,  on an IPv6-only address]

Note that the tunnel uses an MTU of 1280. This may cause issues with large packets, if machines in the path block IPv6 Path MTU Discovery. You can work around this issue by manually setting the MTU of the tunnel interface.

netsh interface ipv6 set interface aiccu mtu=1280

Vista-specific twist: As with Teredo, Vista refuses to resolve ipv6 addresses, because your physical interface only has a link-local address. There’s a discussion of this in part 1 – I’ll just give you the quick-and-dirty instructions here: Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use the equivalent of 2002:81a8:102:: with a netmask of 48. Do not configure a default gateway for this address.

Running the tunnel as a service

At this point, you can manually start your tunnel. To get the tunnel to come up every time Windows starts, some more work is needed: We are going to install the Console version of AICCU as a service.

Before I show you how to do that, one quick note: I am using the tap901 driver included in OpenVPN because I run XP64 and Vista64. If the steps here sound like way too much work, and you run a 32-bit version of Windows, you can just install the older tap801 driver, and use the GUI version of AICCU, which includes its own service installer. Once a newer AICCU GUI version that works with the tap901 driver becomes available, many of the steps here will become unneccessary, as well.

Download the “srvany” application. Extract its contents into a directory of your choice, c:\aiccu in my case. Copy / rename the Console version of AICCU into this same directory, as aiccu.exe. This is for simplicity’s sake, really.

Now open a command line – as Administrator if running Vista! – navigate to c:\aiccu, and run this command:

instsrv.exe aiccuService c:\aiccu\srvany.exe

Next, you’ll need to edit the registry. So open up regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiccuService, and add a key named “Parameters“, and under it, a String value called “Application“, set to “c:\aiccu\aiccu.exe start“.

It’s time to test this service. If AICCU is still running, stop it. Open up Start | Control Panel | Administrative Tools | Services, find aiccuService, and choose Action | Start. You expect the service to start without errors.

You’ll also want to verify that the service is set to “Automatic” (by default, it will be), and you may have to open its Properties, and check “Allow service to interact with desktop” on the “Log On” tab.

Navigate to go6.net once more to verify that you are indeed using ipv6. NB: It may take a minute for the system to start using IPv6 once the service has been started.

[Update] I have not had consistent results with getting a hybrid ipv4/ipv6 site such as go6.net to display my ipv6 address, even when ipv6 is working through an AYIYA tunnel. You can always test with an ipv6-only site such as ipv6.google.com.

aiccu behavior when a PoP goes down

While re-testing aiccu, the PoP my tunnel terminates on went down, and was, after a day or so, flagged “down” by SixXS. I requested a new tunnel to a different PoP, re-configured aiccu to use that tunnel, deleted the old tunnel in the SixXs web interface (which has it still “sticking around”, though) and am not having a whole lot of joy:

C:\aiccu>aiccu tunnels
T22555 2001:4978:f:3a1::2 ayiya uschi02

C:\aiccu>aiccu start
[error] Couldn’t show tunnel T15039: 500 This PoP is unfortunately currently down, see http://www.sixxs.net/pops/status/ for more information.
[error] Couldn’t retrieve first tunnel for the above reason, aborting

I’ve reached out to SixXS to see whether they can’t remove the old, down tunnel completely from my handle. This would be considered a bug in aiccu, I’d say.

[Update] This was my own fault: The new tap driver no longer requires admin rights per release notes, so I ran aiccu from an unprivileged prompt. While aiccu.conf can indeed be read, aiccu still somehow “remembered” the old tunnel. Run aiccu from an elevated cmd prompt, and the problem disappears.

IPv6 to the rest of your network

[This section is work-in-progress. The instructions in this section do not make for a functioning router setup at present]

[Update 2009-07-28: I could not get this to work. Addresses are given out, Wireshark shows traffic routing from the LAN to the aiccu interface and traffic coming back in to the aiccu interface, but not being routed back out the LAN interface. At this point, I’ll give up – if you know how to get Windows to route ipv6 traffic, clue me in, and I’ll retest]

Are we done yet? Well, if your own machine is all you’re connecting, yeah, you’re done. Otherwise, you’ll need that subnet you requested earlier, and you’ll have to set your Windows machine up to route for the rest of your network. This will be done through command line – I’ll assume you’re familiar on how to operate it, by now.

The SixXS POP will usually allocate you a /48 subnet, which is sufficient for over 65,000 physical networks. More than you’ll ever need at home, or for your fledgling business, for that matter. The easiest way to get going is to take the address you’ve been assigned, and replace the /48 with a /64, like so: “2001:4830:126a::/48” becomes “2001:4830:126a::/64”. If you want to get deeper into subnetting, you can use a handy IPv6 subnet calculator.

Start by listing your network interfaces using the command “netsh interface ipv6 show interface”

C:\>netsh interface ipv6 show interface
Querying active state…

Idx  Met   MTU    State         Name
—  —-  —–  ————  —–
7     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
6     0   1400  Disconnected  Network Connect Adapter
5     0   1500  Connected     aiccu
4     0   1500  Connected     Local Area Connection
3     1   1280  Connected     6to4 Pseudo-Interface
2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
1     0   1500  Connected     Loopback Pseudo-Interface

Of the subnet you chose above, use the “::1” address for your Ethernet or WiFi LAN connection. In this example case, the address will be  “2001:4830:126a::1”. Add this address to your LAN interface:

C:\>netsh interface ipv6 add address interface=”Local Area Connection” address=2001:4830:126a::1

Next, add your subnet to the routing table, using the interface number you got with the show interface command, and instruct Windows to publish this route in router advertisements:

C:\>netsh interface ipv6 add route 2001:4830:126a::/64 interface=4 publish=yes

In Vista, the route most likely already was added when you configured the address. In that case, modify the route to have it published, and verify:

C:\>netsh interface ipv6 set route 2001:4830:126a::/64 interface=4 publish=yes

C:\>netsh interface ipv6 show route
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
——-  ——–  —  ————————  —  ————————
Yes      Manual    256
2001:4830:126a::/64         4  Local Area Connection

Enable routing (forwarding) and router advertisements on your LAN interface:

C:\>netsh interface ipv6 set interface interface=4 forwarding=enabled advertise=enabled

Enable routing on your aiccu tunnel interface, too:

C:\>netsh interface ipv6 set interface interface=5 forwarding=enabled

And lastly, allow ICMP messages necessary for Path MTU Discovery through your Windows host firewall:

netsh firewall set icmpsetting type=11 mode=enable
netsh firewall set icmpsetting type=2 mode=enable

At this point, all other IPv6-enabled machines in your LAN network should receive addresses in your /64 subnet range, and be able to route to IPv6 addresses through the machine your AYIYA tunnel runs on.


On my Comcast connection here in Western MA, going through a NJ SixXS POP, I get about 300k/sec download from an ipv6 server, whereas my Hurricane static tunnel gives me about 700k/sec. Your mileage will vary – do some speedtests when you can.

SixXS works, and works well. I wish the OpenVPN / GUI / Console gyrations were not necessary – setup of an AYIYA tunnel on 64-bit Windows is less than straightforward. On the other hand, SixXS has POPs worldwide, is free, and offers tunnels that don’t need a hardware router – that’s worth a lot.