diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 366fab2..b99f41f 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md 
@@ -69,3 +69,55 @@ ip link add type vxlan id remote local dstpor ``` `` (**V**irtual Extensible LA**N** **ID** ) is the ID of the VLAN. This can range from 1 to 16777216 (2^24). It must be the same for both peers and must not already be used. `` is the port which is used for the VXLAN connection. It must be open on UDP. The port must be the same for both peers. Officially VXLAN has port 4789, but for historical reasons Linux uses port default 8472. If you specify a 0 as port, the default port default 8472 is used. If you don't specify a port, you get a warning. + +## IP tunnel over UDP + +Tunnels at Layer 3 (IP level) can be problematic. For example, NATs or firewalls can drop the packets. To work around this, it is possible to encapsulate the encapsulated packets again into a UDP packet. For this you can use either FOU or GUE. With FOU you have to specify the protocol to be encapsulated manually, but FOU does not need an extra header. With GUE you don't have to specify the protocol, GUE uses its own header. + +Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be transmitted per packet. A high MTU is therefore desirable. + +### Foo-over-UDP (FOU) + +Use the following command to enable FOU for a port: +``` +ip fou add port ipproto +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. Replace `` with the protocol you want to encapsulate (e.g. `gre` or `sit`). + +Add the following command to the actual tunnel command: +``` +encap fou encap-dport +``` + +For example: +``` +ip link add type gre remote local ttl 255 encap fou encap-dport +``` +Replace `` with the remote port of your peer. 
+ +If you want to stop using a port for FOU, you can use the following command: +``` +ip fou del port +``` + +If you get the following error message, you can try to load the FOU kernel module: +``` +RTNETLINK answers: No such file or directory +Error talking to the kernel +``` +``` +modprobe fou +``` + +### Generic UDP Encapsulation (GUE) + +Use the following command to enable FOU for a port: +``` +ip fou add port gue +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. + +Add the following command to the actual tunnel command: +``` +encap gue encap-dport +```
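Review bot: the lead-in under "### Generic UDP Encapsulation (GUE)" reads "Use the following command to enable FOU for a port:" but the command that follows is `ip fou add port gue`; it should say "enable GUE for a port" so readers do not confuse the two modes. Two smaller points in the same hunk: the placeholders in the commands and in the "Replace `` with ..." sentences appear as empty backticks (e.g. `ip fou add port ipproto`, `ip fou del port`), so please check that the intended placeholder names survive rendering, since the earlier VXLAN line in this file shows the same problem. And where the text says "You have to open this port on UDP in your firewall", it would help to add that the FOU/GUE receive socket decapsulates any datagram arriving on that port, so the firewall rule should be limited to the peer's address and that FOU/GUE themselves add no authentication or encryption; "Add the following command to the actual tunnel command" would also read better as "Append the following options to the actual tunnel command".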