From 1f5dbc082a543cf8f77f7d869e833047c0f2f74c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 17:13:44 +0100 Subject: [PATCH 1/8] add gre / gretap docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/gre.md | 55 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 docs/tunneling/gre.md diff --git a/docs/tunneling/gre.md b/docs/tunneling/gre.md new file mode 100644 index 0000000..b38a778 --- /dev/null +++ b/docs/tunneling/gre.md 
@@ -0,0 +1,55 @@ + +# Generic Routing Encapsulation (GRE) + +*Note:* GRE tunnels are unencrypted. + +GRE tunnels on layer 3 of the ISO/OSI model. + +## Configuring with ip + +To create a tunnel, you can use the following command: +``` +ip link add type gre remote local ttl 255 +``` +Replace `` with the desired interface name, `` with the IPv4 of the peer and `` with your own IPv4. + +If you want to establish the tunnel over IPv6 instead, you can replace the `mode gre` with `mode ip6gre`. + +To delete a tunnel, you can use the following command: +``` +ip link del +``` + +To assign an IP address to the interface, you can use the following command: +``` +ip link del +``` + +To assign an IP address to the interface, you can use the following command: +``` +ip addr add dev +``` +Replace `` with your own link-local address. + +### Automatic start with ifupdown + +If you want to start the GRE tunnel automatically, you can use an ifupdown template which is placed under `/etc/network/interfaces.d`: +``` +auto +iface inet6 manual + pre-up ip link add type gre remote local ttl 255 + up ip addr add dev + post-down ip link del +``` + +The interface can then be stopped and started accordingly: +``` +ifup +``` +``` +ifdown +``` + +## GRETAP + +GRETAP tunnels operate on layer 2 of the ISO/OSI model. To use a GRETAP tunnel, you only have to change the mode: For IPv4 `gretap` and for IPv6 `ip6gretap`. From 636478377dfc2ac1cb4c3b4cd33f4cf84434f23a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 17:25:45 +0100 Subject: [PATCH 2/8] add command to start the tunnel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/gre.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/tunneling/gre.md b/docs/tunneling/gre.md index b38a778..fc0e7bc 100644 --- a/docs/tunneling/gre.md +++ b/docs/tunneling/gre.md 
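Review bot: In PATCH 1/8 (new docs/tunneling/gre.md), the paragraph "To assign an IP address to the interface, you can use the following command:" appears twice, and the first copy is followed by `ip link del` instead of `ip addr add`, so the delete command is documented twice and the first "assign" paragraph is wrong; drop the duplicated block and keep only "To delete a tunnel ... ip link del" followed by the single "To assign an IP address ... ip addr add dev" paragraph. The IPv6 sentence also tells the reader to replace `mode gre` with `mode ip6gre`, while the command above uses the `ip link add ... type gre` syntax, so it should read `type ip6gre` (`mode` belongs to the older `ip tunnel add` syntax). Minor: "GRE tunnels on layer 3 of the ISO/OSI model." is missing its verb; "GRE tunnels operate on layer 3 ..." would match the GRETAP sentence at the end of the file.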
@@ -10,6 +10,7 @@ GRE tunnels on layer 3 of the ISO/OSI model. To create a tunnel, you can use the following command: ``` ip link add type gre remote local ttl 255 +ip link set dev up ``` Replace `` with the desired interface name, `` with the IPv4 of the peer and `` with your own IPv4. From 54746d3618a5551a40e39260e209e73268b03359 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 17:31:25 +0100 Subject: [PATCH 3/8] add sit docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/index.md | 1 + docs/tunneling/{gre.md => iptunnel.md} | 14 ++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) rename docs/tunneling/{gre.md => iptunnel.md} (76%) diff --git a/docs/tunneling/index.md b/docs/tunneling/index.md index 9150e6f..2b48962 100644 --- a/docs/tunneling/index.md +++ b/docs/tunneling/index.md @@ -3,3 +3,4 @@ - [fastd](fastd) - [WireGuard](wireguard) +- [IP tunnel](iptunnel) diff --git a/docs/tunneling/gre.md b/docs/tunneling/iptunnel.md similarity index 76% rename from docs/tunneling/gre.md rename to docs/tunneling/iptunnel.md index fc0e7bc..90539c3 100644 --- a/docs/tunneling/gre.md +++ b/docs/tunneling/iptunnel.md @@ -1,11 +1,13 @@ -# Generic Routing Encapsulation (GRE) +# IP tunnel -*Note:* GRE tunnels are unencrypted. +*Note:* IP tunnels (includes GRE, GRETAP and SIT) are unencrypted. + +## Generic Routing Encapsulation (GRE) GRE tunnels on layer 3 of the ISO/OSI model. -## Configuring with ip +### Configuring with ip To create a tunnel, you can use the following command: ``` @@ -32,7 +34,7 @@ ip addr add dev ``` Replace `` with your own link-local address. -### Automatic start with ifupdown +#### Automatic start with ifupdown If you want to start the GRE tunnel automatically, you can use an ifupdown template which is placed under `/etc/network/interfaces.d`: ``` 
@@ -54,3 +56,7 @@ ifdown ## GRETAP GRETAP tunnels operate on layer 2 of the ISO/OSI model. To use a GRETAP tunnel, you only have to change the mode: For IPv4 `gretap` and for IPv6 `ip6gretap`. + +## Simple Internet Transition (SIT) + +SIT tunnels can be created in the same way as GRE tunnels. The difference is that you write `type sit` instead of `type gre`. SIT tunnels are designed to encapsulate IPv6 packets, so a SIT tunnel must be established over IPv4. From 584e6e021e3bdbb3a173734b1da92a331128d84c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 01:11:13 +0100 Subject: [PATCH 4/8] add vxlan docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 90539c3..366fab2 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md @@ -1,7 +1,7 @@ # IP tunnel -*Note:* IP tunnels (includes GRE, GRETAP and SIT) are unencrypted. +*Note:* IP tunnels (includes GRE, GRETAP, SIT and VXLAN) are unencrypted. ## Generic Routing Encapsulation (GRE) 
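Review bot: In PATCH 3/8, the new SIT section's "SIT tunnels are designed to encapsulate IPv6 packets, so a SIT tunnel must be established over IPv4" presents the IPv4 outer header as a consequence of carrying IPv6, which does not follow; state it directly: SIT is IPv6-in-IPv4 (IP protocol 41), so `remote` and `local` must be IPv4 addresses and there is no IPv6-outer variant the way `gre` has `ip6gre`. Since the section says SIT is created "in the same way as GRE tunnels", it should also say explicitly that the ip6gre remark in the GRE section does not apply here, and that `ip link set dev ... up` from the GRE section is still required.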
@@ -60,3 +60,12 @@ GRETAP tunnels operate on layer 2 of the ISO/OSI model. To use a GRETAP tunnel, ## Simple Internet Transition (SIT) SIT tunnels can be created in the same way as GRE tunnels. The difference is that you write `type sit` instead of `type gre`. SIT tunnels are designed to encapsulate IPv6 packets, so a SIT tunnel must be established over IPv4. + +## VXLAN + +For VXLAN the type is changed to `vxlan`. Furthermore there are two additional parameters: +``` +ip link add type vxlan id remote local dstport +``` +`` (**V**irtual Extensible LA**N** **ID** ) is the ID of the VLAN. This can range from 1 to 16777216 (2^24). It must be the same for both peers and must not already be used. +`` is the port which is used for the VXLAN connection. It must be open on UDP. The port must be the same for both peers. Officially VXLAN has port 4789, but for historical reasons Linux uses port default 8472. If you specify a 0 as port, the default port default 8472 is used. If you don't specify a port, you get a warning. From 4bc5e7b87d8a81493ad0cf79a1830bd21e632370 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 01:41:59 +0100 Subject: [PATCH 5/8] add docs for fou and gue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 52 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 366fab2..b99f41f 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md 
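Review bot: In PATCH 4/8 (VXLAN hunk), the id range "1 to 16777216 (2^24)" is off by one: the VNI is a 24-bit field, so the accepted values are 0 through 16777215 (2^24 distinct values, not 2^24 as the maximum); and the description "is the ID of the VLAN" together with the "**V**irtual Extensible LA**N** **ID**" expansion is misleading, because the value is the VXLAN Network Identifier (VNI), which is unrelated to any 802.1Q VLAN ID. "the default port default 8472" repeats "default". It would also help to say, as the GRETAP section does, that VXLAN is a layer-2 tunnel, and that the `ip link set ... up` step from the GRE section still applies after `ip link add type vxlan`.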
@@ -69,3 +69,55 @@ ip link add type vxlan id remote local dstpor ``` `` (**V**irtual Extensible LA**N** **ID** ) is the ID of the VLAN. This can range from 1 to 16777216 (2^24). It must be the same for both peers and must not already be used. `` is the port which is used for the VXLAN connection. It must be open on UDP. The port must be the same for both peers. Officially VXLAN has port 4789, but for historical reasons Linux uses port default 8472. If you specify a 0 as port, the default port default 8472 is used. If you don't specify a port, you get a warning. + +## IP tunnel over UDP + +Tunnels at Layer 3 (IP level) can be problematic. For example, NATs or firewalls can drop the packets. To work around this, it is possible to encapsulate the encapsulated packets again into a UDP packet. For this you can use either FOU or GUE. With FOU you have to specify the protocol to be encapsulated manually, but FOU does not need an extra header. With GUE you don't have to specify the protocol, GUE uses its own header. + +Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be transmitted per packet. A high MTU is therefore desirable. + +### Foo-over-UDP (FOU) + +Use the following command to enable FOU for a port: +``` +ip fou add port ipproto +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. Replace `` with the protocol you want to encapsulate (e.g. `gre` or `sit`). + +Add the following command to the actual tunnel command: +``` +encap fou encap-dport +``` + +For example: +``` +ip link add type gre remote local ttl 255 encap fou encap-dport +``` +Replace `` with the remote port of your peer. 
+ +If you want to stop using a port for FOU, you can use the following command: +``` +ip fou del port +``` + +If you get the following error message, you can try to load the FOU kernel module: +``` +RTNETLINK answers: No such file or directory +Error talking to the kernel +``` +``` +modprobe fou +``` + +### Generic UDP Encapsulation (GUE) + +Use the following command to enable FOU for a port: +``` +ip fou add port gue +``` +Replace `` with your local port. You have to open this port on UDP in your firewall. + +Add the following command to the actual tunnel command: +``` +encap gue encap-dport +``` From 280b1dd109d6828360cd36f66c4215794a93c926 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 01:44:09 +0100 Subject: [PATCH 6/8] move hint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index b99f41f..468a7a5 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md @@ -76,6 +76,15 @@ Tunnels at Layer 3 (IP level) can be problematic. For example, NATs or firewalls Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be transmitted per packet. A high MTU is therefore desirable. +If you get the following error message, you can try to load the FOU kernel module: +``` +RTNETLINK answers: No such file or directory +Error talking to the kernel +``` +``` +modprobe fou +``` + ### Foo-over-UDP (FOU) Use the following command to enable FOU for a port: 
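Review bot: In PATCH 5/8, the GUE subsection's lead sentence "Use the following command to enable FOU for a port:" is copied from the FOU subsection and should say GUE. In the FOU subsection, `ipproto` takes an IP protocol number (or a protocol name that the system can resolve): `gre` is protocol 47, but `sit` is a Linux interface type rather than a protocol name, and the payload of a sit tunnel is IPv6-in-IPv4, protocol 41, so giving the number (`ipproto 47` for GRE, `ipproto 41` for SIT) avoids the question of whether the name resolves. The "load the FOU kernel module" hint shows the error output and `modprobe fou` as two unconnected fences; join them with a sentence such as "then load the module with:". Finally, the FOU tunnel example is missing the `ip link set ... up` step that the GRE section added in PATCH 2/8.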
@@ -100,15 +109,6 @@ If you want to stop using a port for FOU, you can use the following command: ip fou del port ``` -If you get the following error message, you can try to load the FOU kernel module: -``` -RTNETLINK answers: No such file or directory -Error talking to the kernel -``` -``` -modprobe fou -``` - ### Generic UDP Encapsulation (GUE) Use the following command to enable FOU for a port: From 1455755292bbf20228fa5fb9ae3ca05d451aa941 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 01:57:22 +0100 Subject: [PATCH 7/8] add command to show ports used by fou MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 468a7a5..3eaee1f 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md 
@@ -74,7 +74,13 @@ ip link add type vxlan id remote local dstpor Tunnels at Layer 3 (IP level) can be problematic. For example, NATs or firewalls can drop the packets. To work around this, it is possible to encapsulate the encapsulated packets again into a UDP packet. For this you can use either FOU or GUE. With FOU you have to specify the protocol to be encapsulated manually, but FOU does not need an extra header. With GUE you don't have to specify the protocol, GUE uses its own header. -Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be transmitted per packet. A high MTU is therefore desirable. +Keep in mind that the more tunnel mechanisms are used, the more headers are generally used. This leads to a reduction in MTU. This means that less data can be +transmitted per packet. A high MTU is therefore desirable. + +The currently used ports can be displayed with the following command: +``` +ip fou show +``` If you get the following error message, you can try to load the FOU kernel module: ``` From 22b7950058078c730aa992f48d41e011b187153c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 02:32:28 +0100 Subject: [PATCH 8/8] add section how to set the port and ip addresses for fou MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 3eaee1f..ee4dc6b 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md 
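Review bot: In PATCH 7/8, the hunk rewraps the MTU paragraph so that "less data can be" and "transmitted per packet" end up on two source lines; this whitespace change is unrelated to adding `ip fou show` and should either be dropped or the paragraph kept on one line like the rest of the file. The new sentence "The currently used ports can be displayed with the following command:" would be more precise as "The ports currently registered for FOU or GUE can be displayed with:", since the section covers both.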
@@ -82,6 +82,20 @@ The currently used ports can be displayed with the following command: ip fou show ``` +If you want to stop using a port for FOU, you can use the following command: +``` +ip fou del port +``` + +If the error message `RTNETLINK answers: Invalid argument` appears when stop using a port, this may be because you have not specified exactly which port should not be longer used. If you want to not using a port anymore, you must specify the same parameters as you did when you created it: +``` +$ ip fou show +port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002 +$ ip fou del port 5001 +RTNETLINK answers: Invalid argument +$ ip fou del port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002 +``` + If you get the following error message, you can try to load the FOU kernel module: ``` RTNETLINK answers: No such file or directory @@ -110,11 +124,6 @@ ip link add type gre remote local ttl 255 encap fou ``` Replace `` with the remote port of your peer. -If you want to stop using a port for FOU, you can use the following command: -``` -ip fou del port -``` - ### Generic UDP Encapsulation (GUE) Use the following command to enable FOU for a port: @@ -127,3 +136,16 @@ Add the following command to the actual tunnel command: ``` encap gue encap-dport ``` + +### Set souce port and IP addresses manually + +To set the souce port and IP addresses of both peers, there are three additional parameters for fou and one for tunnel: +``` +ip fou add port [gue|ipproto ] peer_port local peer +``` +``` +ip link add [...] encap [...] encap-sport +``` +Here `` is the own port and `` is the port of the peer. `` is its own IP address and `` is the IP address of the peer. + +Specifying the source IP address can prevent an attacker with a wrong source IP address from sending an encapsulated tunnel packet (e. g. GRE or SIT) that has the correct source address in the UDP tunnel. However, this procedure does not protect against IP spoofing.
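Review bot: In PATCH 8/8, the new heading "Set souce port and IP addresses manually" and its first sentence both spell "souce" (source). The `ip fou del` paragraph reads awkwardly: "when stop using a port" should be "when removing a port", "should not be longer used" should be "should no longer be used", and "If you want to not using a port anymore" should be "To remove a port". The closing security paragraph contradicts itself ("can prevent an attacker with a wrong source IP address ..." followed by "does not protect against IP spoofing"); say what `local`, `peer` and `peer_port` actually do: they bind the FOU socket to one local address and one peer address and port, so UDP datagrams arriving from any other outer address or port are not handed to the tunnel, which filters stray or misdirected traffic but is not authentication, because the outer source address can be forged. The paragraph should also state that the tunnel's `encap-sport` on one side has to equal the `peer_port` configured on the other side, otherwise the bound socket silently drops the packets.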