Re: [gentoo-user] PPP Tunnel using iproute2/tun interface

[Mick <michaelkintzios@gmail.com>]

[-- Attachment #1: Type: Text/Plain, Size: 3584 bytes --]

On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote:
> Hello,
> 
> In testing, I have gotten this setup to work by manually completing the
> necessary steps; however, I am now looking to have everything completed
> automatically so as to ensure my setup persists over a reboot.
> 
> Firstly, an outline of what I am doing:
> * I have a Gentoo VM running at home, functioning as my firewall/router,
> which works perfectly fine. * Said VM has established an IPSEC tunnel to a
> dedicated server using OpenSWAN. This also works perfectly fine. * A tun0
> interface is created on both devices, setting up an IPIP PPP tunnel that
> sits on top of the IPSEC tunnel. * Firewall and Routing rules are in place
> to perform policy-based routing over this tun0 interface. This again,
> works perfectly fine.
> 
> For the rest, the following configuration is worth noting:
> * The dedicated server is running CentOS 6, not that this is of necessary
> import for this configuration. * 172.18.0.1 resides on the dedicated
> server.
> * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity
> as well. * 172.18.1.0/24 is the network utilized for the tunnel, with
> 172.18.1.1 on the dedicated server, and 172.18.1.2 on the Gentoo VM.
> 
> In effect, the first thing I need to do, is automate the IPIP PPP tunnel
> setup so that the device can persist over a reboot. I can create it
> manually right now, no problem, with the following command strings: # ip
> tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1
> # ip addr add 172.18.1.2/24 dev tun0
> # ip link set tun0 mtu 1500
> # i p link set tun0 up
> 
> This all works perfectly fine, and tun0 is created after running the first
> command. Now I need this to persist a reboot. I wanted to handle this
> through OpenRC, since I can then do dependency resolution, and make sure
> the tunnel comes up only if the IPSEC tunnel is up and running. That being
> said, I added the following to /etc/conf.d/net: 

Shouldn't you create the ipip tunnel here first?

Something like:

iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255" #not sure if local is 
required, you can try with & without.


> link_tun0="ipsec0"  #Not sure this is correct, shouldn't it be an iface?

> config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255"
> dns_servers_tun0="10.0.1.2"
> routes_tun0=(
> "64.20.39.38/32 via 172.18.1.1"
> "default via 172.18.1.1 table ipsec"
> )
> mtu_tun0="1500"
> iptunnel_tun0_remote="172.18.0.1"
> iptunnel_tun0_local="10.0.0.1"
> iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local
> ${iptunnel_tun0_local} dev ${link_tun0}" rc_net_tun0_need="ipsec"
> preup() {
> # If the link does not exist, return now, it's a tunnel!
> ip link show dev ${IFACE} 2>/dev/null || return 0
> }
> 
> Now, the configuration does reflect an additional item not in my original
> setup, which links tun0 to the ipsec0 interface. I've tested with and
> without this, and it doesn't work. Attempting to bring up the interface
> using rc-service results in the following error: Cannot find device "tun0"
> * ERROR: interface tun0 does not exist
> * Ensure that you have loaded the correct kernel module for your hardware
> * ERROR: net.tun0 failed to start
> 
> I could easily script all this out, and probably call it through rc.local,
> but I'd rather be able to utilize the dependency resolution to make sure
> all the necessary components are up.
> 
> Any insights on getting it to behave?
> 
> Michael Hill

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]