docs/docs/tunneling/iptunnel.md

IP tunnel

Note: IP tunnels (including GRE, GRETAP, SIT and VXLAN) are unencrypted and unauthenticated. Anyone on the path between the two endpoints can read the tunnelled traffic and inject packets into it. If confidentiality or integrity matters, run the tunnel over an encrypted transport (for example WireGuard or IPsec) or restrict who can reach the tunnel endpoints with firewall rules.

Generic Routing Encapsulation (GRE)

GRE tunnels operate on layer 3 of the ISO/OSI model.

Configuring with ip

To create a tunnel, you can use the following command:

ip link add <interface> type gre remote <remote> local <local> ttl 255
ip link set dev <interface> up

Replace <interface> with the desired interface name, <remote> with the IPv4 address of the peer and <local> with your own IPv4 address.

If you want to establish the tunnel over IPv6 instead, replace type gre with type ip6gre and use IPv6 addresses for <remote> and <local>.

To delete a tunnel, you can use the following command:

ip link del <interface>

To assign an IP address to the interface, you can use the following command:

ip addr add dev <interface> <ll>

Replace <ll> with your own link-local address, including its prefix length (for example fe80::1/64 on one side and fe80::2/64 on the other). The two ends must use different addresses in the same prefix.

Automatic start with ifupdown

If you want to start the GRE tunnel automatically, you can use an ifupdown template which is placed under /etc/network/interfaces.d:

auto <interface>
iface <interface> inet6 manual
    pre-up ip link add <interface> type gre remote <remote> local <local> ttl 255
    up ip addr add dev <interface> <ll>
    post-down ip link del <interface>

The interface can then be started and stopped with:

ifup <interface>
ifdown <interface>

GRETAP

GRETAP tunnels operate on layer 2 of the ISO/OSI model and therefore show up as Ethernet-like interfaces that can, for example, be added to a bridge. To use a GRETAP tunnel, you only have to change the type: gretap for IPv4 and ip6gretap for IPv6.

Simple Internet Transition (SIT)

SIT tunnels can be created in the same way as GRE tunnels. The difference is that you write type sit instead of type gre. SIT tunnels are designed to encapsulate IPv6 packets in IPv4 (6in4), so the outer <local> and <remote> addresses of a SIT tunnel must be IPv4.
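The GRE, GRETAP and SIT sections above all use the same `ip link add ... type <type>` pattern and differ only in the type keyword and in which address family the outer addresses may have. The following script is an added example, not code from the original page: it derives the correct type keyword (gre/ip6gre, gretap/ip6gretap, sit) from the outer addresses, rejects mixed-family and IPv6-over-SIT combinations, and prints the commands so they can be reviewed before being run. The interface names, addresses and the DRYRUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: builds the ip(8) commands for a
# GRE, GRETAP or SIT tunnel, choosing the IPv4 or IPv6 variant of the type
# from the outer addresses and refusing mixed or unsupported combinations.
# The interface names, addresses and the DRYRUN switch are assumptions.

# Print 4 or 6 for an address literal, or fail on anything else.
addr_family() {
    case $1 in
        *:*) echo 6 ;;
        *.*) echo 4 ;;
        *)   echo "addr_family: '$1' is not an IP address" >&2; return 1 ;;
    esac
}

# Map a tunnel kind (gre, gretap, sit) plus the outer address family to the
# keyword ip(8) expects after "type".
tunnel_type() {
    kind=$1 laddr=$2 raddr=$3
    lf=$(addr_family "$laddr") || return 1
    rf=$(addr_family "$raddr") || return 1
    if [ "$lf" != "$rf" ]; then
        echo "tunnel_type: local and remote must be the same address family" >&2
        return 1
    fi
    case "$kind$lf" in
        gre4)    echo gre ;;
        gre6)    echo ip6gre ;;
        gretap4) echo gretap ;;
        gretap6) echo ip6gretap ;;
        sit4)    echo sit ;;
        sit6)    echo "tunnel_type: SIT carries IPv6 over IPv4; outer addresses must be IPv4" >&2; return 1 ;;
        *)       echo "tunnel_type: unknown kind '$kind'" >&2; return 1 ;;
    esac
}

# Print the commands that create, raise and address the tunnel.
# Usage: tunnel_up <kind> <iface> <local> <remote> <inner address/prefix>
tunnel_up() {
    kind=$1 iface=$2 laddr=$3 raddr=$4 inner=$5
    ttype=$(tunnel_type "$kind" "$laddr" "$raddr") || return 1
    printf 'ip link add %s type %s remote %s local %s ttl 255\n' \
        "$iface" "$ttype" "$raddr" "$laddr"
    printf 'ip link set dev %s up\n' "$iface"
    printf 'ip addr add dev %s %s\n' "$iface" "$inner"
}

# Print the command that removes the tunnel again.
tunnel_down() {
    printf 'ip link del %s\n' "$1"
}

# Pipe generated commands here: with DRYRUN=1 (the default) they are only
# shown; with DRYRUN=0 they are executed, which needs CAP_NET_ADMIN (root).
apply() {
    if [ "${DRYRUN:-1}" = 1 ]; then cat; else sh -e; fi
}

# Example call (assumed addresses): GRE over IPv4 with a link-local inner
# address, printed rather than applied.
# tunnel_up gre gre1 203.0.113.1 203.0.113.2 fe80::1/64 | apply
```

Run `tunnel_up gre gre1 203.0.113.1 203.0.113.2 fe80::1/64 | apply` to see the three commands; set `DRYRUN=0` (as root) to execute them, and `tunnel_down gre1 | apply` to remove the interface again. Replacing `gre` with `gretap` or `sit` selects the other tunnel types, and IPv6 outer addresses select the ip6gre/ip6gretap variants automatically.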

VXLAN

For VXLAN the type is changed to vxlan. Furthermore there are two additional parameters, the VNI and the UDP destination port:

ip link add <interface> type vxlan id <vni> remote <remote> local <local> dstport <dstport>

<vni> (VXLAN Network Identifier) is the ID of the virtual network. It is a 24-bit field, so it can range from 0 to 16777215 (2^24 - 1). It must be the same on both peers and must not already be in use on the host. <dstport> is the UDP port used for the VXLAN connection; it must be the same on both peers and must be allowed through any firewall on the path. Officially (IANA) VXLAN uses UDP port 4789, but for historical reasons Linux defaults to 8472. If you specify dstport 0, the Linux default 8472 is used. If you omit dstport entirely, the kernel default is also used but ip prints a warning, so state the port explicitly, especially when the peer is not Linux. Because VXLAN carries no authentication, anything that can reach the UDP port can inject Ethernet frames into the overlay; restrict the port to the peer's address with a firewall rule.
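The VNI range, the port rules and the firewall caveat above are easy to get wrong by hand. The following script is an added example, not code from the original page: it validates the VNI and port, prints the ip link command for both peers (same VNI and port, local and remote swapped) and appends firewall rules that accept VXLAN packets only from the configured peer. The interface name, VNI, addresses and the iptables/ip6tables rules are assumptions for illustration; adapt the rules to whatever firewall framework is in use.

```shell
#!/bin/sh
# Added example, not from the original page: validates VXLAN parameters,
# prints the ip(8) command for both peers and firewall rules that accept
# VXLAN packets only from the configured peer. Interface name, VNI,
# addresses and the iptables rules are assumptions for illustration.

VXLAN_IANA_PORT=4789          # IANA-assigned VXLAN UDP port
VXLAN_LINUX_DEFAULT_PORT=8472 # what Linux uses when dstport is 0 or omitted

# The VNI is a 24-bit field: valid values are 0..16777215 (2^24 - 1).
valid_vni() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 16777215 ]
}

# A usable UDP destination port: 1..65535 (0 would mean "kernel default").
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the commands one peer needs.
# Usage: vxlan_cmds <iface> <vni> <local> <remote> [dstport]
# The port defaults to the IANA value rather than Linux's 8472 so the choice
# is explicit and interoperates with non-Linux peers.
vxlan_cmds() {
    iface=$1 vni=$2 laddr=$3 raddr=$4 port=${5:-$VXLAN_IANA_PORT}
    valid_vni "$vni"   || { echo "vxlan_cmds: VNI '$vni' outside 0..16777215" >&2; return 1; }
    valid_port "$port" || { echo "vxlan_cmds: bad UDP port '$port'" >&2; return 1; }
    printf 'ip link add %s type vxlan id %s remote %s local %s dstport %s\n' \
        "$iface" "$vni" "$raddr" "$laddr" "$port"
    printf 'ip link set dev %s up\n' "$iface"
    # VXLAN has no authentication: anything that can reach the UDP port can
    # inject frames into the overlay, so accept it from the peer only.
    case $raddr in *:*) fw=ip6tables ;; *) fw=iptables ;; esac
    printf '%s -A INPUT -p udp --dport %s -s %s -j ACCEPT\n' "$fw" "$port" "$raddr"
    printf '%s -A INPUT -p udp --dport %s -j DROP\n' "$fw" "$port"
}

# Print the commands for both peers: same VNI and port, local/remote swapped.
# Usage: vxlan_pair <iface> <vni> <addr_a> <addr_b> [dstport]
vxlan_pair() {
    iface=$1 vni=$2 a=$3 b=$4 port=$5
    echo "# on $a"
    vxlan_cmds "$iface" "$vni" "$a" "$b" "$port" || return 1
    echo "# on $b"
    vxlan_cmds "$iface" "$vni" "$b" "$a" "$port"
}

# Example call (assumed addresses and VNI):
# vxlan_pair vx0 100 203.0.113.1 203.0.113.2
```

Running `vxlan_pair vx0 100 203.0.113.1 203.0.113.2` prints the commands to type on each host; the output is deliberately not executed so it can be checked first. Passing a VNI such as 16777216 or a port outside 1..65535 makes the function fail instead of emitting a command the kernel would reject or silently truncate.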