From 4bc5e7b87d8a81493ad0cf79a1830bd21e632370 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 01:41:59 +0100 Subject: [PATCH] add docs for fou and gue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 52 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 366fab2..b99f41f 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md 
@@ -69,3 +69,55 @@ ip link add type vxlan id remote local dstpor ``` `` (**V**irtual Extensible LA**N** **ID** ) is the ID of the VLAN. This can range from 1 to 16777216 (2^24). It must be the same for both peers and must not already be used. `` is the port which is used for the VXLAN connection. It must be open on UDP. The port must be the same for both peers. Officially VXLAN has port 4789, but for historical reasons Linux uses port default 8472. If you specify a 0 as port, the default port default 8472 is used. If you don't specify a port, you get a warning. + +## IP tunnel over UDP + +Tunnels at Layer 3 (IP level) can be problematic. For example, NATs or firewalls can drop the packets. To work around this, it is possible to encapsulate the encapsulated packets again into a UDP packet. For this you can use either FOU or GUE. With FOU you have to specify the protocol to be encapsulated manually, but FOU does not need an extra header. With GUE you don't have to specify the protocol, GUE uses its own header. + +Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be transmitted per packet. A high MTU is therefore desirable. + +### Foo-over-UDP (FOU) + +Use the following command to enable FOU for a port: +``` +ip fou add port ipproto +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. Replace `` with the protocol you want to encapsulate (e.g. `gre` or `sit`). + +Add the following command to the actual tunnel command: +``` +encap fou encap-dport +``` + +For example: +``` +ip link add type gre remote local ttl 255 encap fou encap-dport +``` +Replace `` with the remote port of your peer. 
+ +If you want to stop using a port for FOU, you can use the following command: +``` +ip fou del port +``` + +If you get the following error message, you can try to load the FOU kernel module: +``` +RTNETLINK answers: No such file or directory +Error talking to the kernel +``` +``` +modprobe fou +``` + +### Generic UDP Encapsulation (GUE) + +Use the following command to enable FOU for a port: +``` +ip fou add port gue +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. + +Add the following command to the actual tunnel command: +``` +encap gue encap-dport +```
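Review bot: the GUE subsection's lead-in reads "Use the following command to enable FOU for a port:" above `ip fou add port gue`; it should say GUE, otherwise the copy-paste from the FOU section is confusing right under the GUE heading. The GUE subsection also stops after `encap gue encap-dport`, while the FOU subsection carries a complete `ip link add type gre remote local ttl 255 encap fou encap-dport` example plus the `ip fou del port` and `modprobe fou` troubleshooting notes; a matching full example and a sentence that the same `ip fou del` / `modprobe fou` steps apply to GUE (it is configured through `ip fou` as well) would keep the two sections consistent. Lastly, both subsections tell the reader to open the UDP port in the firewall; it is worth adding that the rule should be limited to the peer's address rather than opened to all sources.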