[gentoo-user] PPP Tunnel using iproute2/tun interface

[gentoo-user] PPP Tunnel using iproute2/tun interface

[Michael J. Hill]

[-- Attachment #1: Type: text/plain, Size: 3093 bytes --]

Hello, 

In testing, I have gotten this setup to work by manually completing the necessary steps; however, I am now looking to have everything completed automatically so as to ensure my setup persists over a reboot. 

Firstly, an outline of what I am doing: 
* I have a Gentoo VM running at home, functioning as my firewall/router, which works perfectly fine. 
* Said VM has established an IPSEC tunnel to a dedicated server using OpenSWAN. This also works perfectly fine. 
* A tun0 interface is created on both devices, setting up an IPIP PPP tunnel that sits on top of the IPSEC tunnel. 
* Firewall and Routing rules are in place to perform policy-based routing over this tun0 interface. This again, works perfectly fine. 

For the rest, the following configuration is worth noting: 
* The dedicated server is running CentOS 6, not that this is of necessary import for this configuration. 
* 172.18.0.1 resides on the dedicated server. 
* 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity as well. 
* 172.18.1.0/24 is the network utilized for the tunnel, with 172.18.1.1 on the dedicated server, and 172.18.1.2 on the Gentoo VM. 

In effect, the first thing I need to do, is automate the IPIP PPP tunnel setup so that the device can persist over a reboot. I can create it manually right now, no problem, with the following command strings: 
# ip tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1 
# ip addr add 172.18.1.2/24 dev tun0 
# ip link set tun0 mtu 1500 
# i p link set tun0 up 

This all works perfectly fine, and tun0 is created after running the first command. Now I need this to persist a reboot. I wanted to handle this through OpenRC, since I can then do dependency resolution, and make sure the tunnel comes up only if the IPSEC tunnel is up and running. That being said, I added the following to /etc/conf.d/net: 
link_tun0="ipsec0" 
config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" 
dns_servers_tun0="10.0.1.2" 
routes_tun0=( 
"64.20.39.38/32 via 172.18.1.1" 
"default via 172.18.1.1 table ipsec" 
) 
mtu_tun0="1500" 
iptunnel_tun0_remote="172.18.0.1" 
iptunnel_tun0_local="10.0.0.1" 
iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} dev ${link_tun0}" 
rc_net_tun0_need="ipsec" 
preup() { 
# If the link does not exist, return now, it's a tunnel! 
ip link show dev ${IFACE} 2>/dev/null || return 0 
} 

Now, the configuration does reflect an additional item not in my original setup, which links tun0 to the ipsec0 interface. I've tested with and without this, and it doesn't work. Attempting to bring up the interface using rc-service results in the following error: 
Cannot find device "tun0" 
* ERROR: interface tun0 does not exist 
* Ensure that you have loaded the correct kernel module for your hardware 
* ERROR: net.tun0 failed to start 

I could easily script all this out, and probably call it through rc.local, but I'd rather be able to utilize the dependency resolution to make sure all the necessary components are up. 

Any insights on getting it to behave? 

Michael Hill 


[-- Attachment #2: Type: text/html, Size: 3505 bytes --]

Re: [gentoo-user] PPP Tunnel using iproute2/tun interface

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 3584 bytes --]

On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote:
> Hello,
> 
> In testing, I have gotten this setup to work by manually completing the
> necessary steps; however, I am now looking to have everything completed
> automatically so as to ensure my setup persists over a reboot.
> 
> Firstly, an outline of what I am doing:
> * I have a Gentoo VM running at home, functioning as my firewall/router,
> which works perfectly fine. * Said VM has established an IPSEC tunnel to a
> dedicated server using OpenSWAN. This also works perfectly fine. * A tun0
> interface is created on both devices, setting up an IPIP PPP tunnel that
> sits on top of the IPSEC tunnel. * Firewall and Routing rules are in place
> to perform policy-based routing over this tun0 interface. This again,
> works perfectly fine.
> 
> For the rest, the following configuration is worth noting:
> * The dedicated server is running CentOS 6, not that this is of necessary
> import for this configuration. * 172.18.0.1 resides on the dedicated
> server.
> * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity
> as well. * 172.18.1.0/24 is the network utilized for the tunnel, with
> 172.18.1.1 on the dedicated server, and 172.18.1.2 on the Gentoo VM.
> 
> In effect, the first thing I need to do, is automate the IPIP PPP tunnel
> setup so that the device can persist over a reboot. I can create it
> manually right now, no problem, with the following command strings: # ip
> tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1
> # ip addr add 172.18.1.2/24 dev tun0
> # ip link set tun0 mtu 1500
> # i p link set tun0 up
> 
> This all works perfectly fine, and tun0 is created after running the first
> command. Now I need this to persist a reboot. I wanted to handle this
> through OpenRC, since I can then do dependency resolution, and make sure
> the tunnel comes up only if the IPSEC tunnel is up and running. That being
> said, I added the following to /etc/conf.d/net: 

Shouldn't you create the ipip tunnel here first?

Something like:

iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255" #not sure if local is 
required, you can try with & without.


> link_tun0="ipsec0"  #Not sure this is correct, shouldn't it be an iface?

> config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255"
> dns_servers_tun0="10.0.1.2"
> routes_tun0=(
> "64.20.39.38/32 via 172.18.1.1"
> "default via 172.18.1.1 table ipsec"
> )
> mtu_tun0="1500"
> iptunnel_tun0_remote="172.18.0.1"
> iptunnel_tun0_local="10.0.0.1"
> iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local
> ${iptunnel_tun0_local} dev ${link_tun0}" rc_net_tun0_need="ipsec"
> preup() {
> # If the link does not exist, return now, it's a tunnel!
> ip link show dev ${IFACE} 2>/dev/null || return 0
> }
> 
> Now, the configuration does reflect an additional item not in my original
> setup, which links tun0 to the ipsec0 interface. I've tested with and
> without this, and it doesn't work. Attempting to bring up the interface
> using rc-service results in the following error: Cannot find device "tun0"
> * ERROR: interface tun0 does not exist
> * Ensure that you have loaded the correct kernel module for your hardware
> * ERROR: net.tun0 failed to start
> 
> I could easily script all this out, and probably call it through rc.local,
> but I'd rather be able to utilize the dependency resolution to make sure
> all the necessary components are up.
> 
> Any insights on getting it to behave?
> 
> Michael Hill

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] PPP Tunnel using iproute2/tun interface

[Michael J. Hill]

[-- Attachment #1: Type: text/plain, Size: 4667 bytes --]

From: "Mick" <michaelkintzios@gmail.com> 

To: gentoo-user@lists.gentoo.org 
Sent: Wednesday, March 21, 2012 5:37:51 AM 
Subject: Re: [gentoo-user] PPP Tunnel using iproute2/tun interface 

On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote: 
> Hello, 
> 
> In testing, I have gotten this setup to work by manually completing the 
> necessary steps; however, I am now looking to have everything completed 
> automatically so as to ensure my setup persists over a reboot. 
> 
> Firstly, an outline of what I am doing: 
> * I have a Gentoo VM running at home, functioning as my firewall/router, 
> which works perfectly fine. * Said VM has established an IPSEC tunnel to a 
> dedicated server using OpenSWAN. This also works perfectly fine. * A tun0 
> interface is created on both devices, setting up an IPIP PPP tunnel that 
> sits on top of the IPSEC tunnel. * Firewall and Routing rules are in place 
> to perform policy-based routing over this tun0 interface. This again, 
> works perfectly fine. 
> 
> For the rest, the following configuration is worth noting: 
> * The dedicated server is running CentOS 6, not that this is of necessary 
> import for this configuration. * 172.18.0.1 resides on the dedicated 
> server. 
> * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity 
> as well. * 172.18.1.0/24 is the network utilized for the tunnel, with 
> 172.18.1.1 on the dedicated server, and 172.18.1.2 on the Gentoo VM. 
> 
> In effect, the first thing I need to do, is automate the IPIP PPP tunnel 
> setup so that the device can persist over a reboot. I can create it 
> manually right now, no problem, with the following command strings: # ip 
> tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1 
> # ip addr add 172.18.1.2/24 dev tun0 
> # ip link set tun0 mtu 1500 
> # i p link set tun0 up 
> 
> This all works perfectly fine, and tun0 is created after running the first 
> command. Now I need this to persist a reboot. I wanted to handle this 
> through OpenRC, since I can then do dependency resolution, and make sure 
> the tunnel comes up only if the IPSEC tunnel is up and running. That being 
> said, I added the following to /etc/conf.d/net: 

Shouldn't you create the ipip tunnel here first? 

Something like: 

iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255" #not sure if local is 
required, you can try with & without. 


> link_tun0="ipsec0" #Not sure this is correct, shouldn't it be an iface? 

> config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" 
> dns_servers_tun0="10.0.1.2" 
> routes_tun0=( 
> "64.20.39.38/32 via 172.18.1.1" 
> "default via 172.18.1.1 table ipsec" 
> ) 
> mtu_tun0="1500" 
> iptunnel_tun0_remote="172.18.0.1" 
> iptunnel_tun0_local="10.0.0.1" 
> iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local 
> ${iptunnel_tun0_local} dev ${link_tun0}" rc_net_tun0_need="ipsec" 
> preup() { 
> # If the link does not exist, return now, it's a tunnel! 
> ip link show dev ${IFACE} 2>/dev/null || return 0 
> } 
> 
> Now, the configuration does reflect an additional item not in my original 
> setup, which links tun0 to the ipsec0 interface. I've tested with and 
> without this, and it doesn't work. Attempting to bring up the interface 
> using rc-service results in the following error: Cannot find device "tun0" 
> * ERROR: interface tun0 does not exist 
> * Ensure that you have loaded the correct kernel module for your hardware 
> * ERROR: net.tun0 failed to start 
> 
> I could easily script all this out, and probably call it through rc.local, 
> but I'd rather be able to utilize the dependency resolution to make sure 
> all the necessary components are up. 
> 
> Any insights on getting it to behave? 
> 
> Michael Hill 

-- 
Regards, 
Mick 

----- Original Message -----
Thanks for the help. It did give me some insight on where to look next, and now it works perfectly. The problem was in part the ordering I was using, and more specific, iptunnel_tun0_mode should have been iptunnel_tun0="mode xxxxxx". That would've resulted in the creation of the interface. I've included my final config for anybody else who may be interested in such a setup: 

link_tun0="ipsec0" 
iptunnel_tun0_remote="172.18.0.1" 
iptunnel_tun0_local="10.0.0.1" 
iptunnel_tun0="mode ipip remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} dev ${link_tun0}" 
mtu_tun0="1500" 
config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" 
dns_servers_tun0="10.0.1.2" 
routes_tun0="64.20.39.38/32 via 172.18.1.1 
default via 172.18.1.1 table 1 " 
rules_tun0="fwmark 1 table 1" 

rc_net_tun0_need="ipsec" 

preup() { 
ip link show dev ${IFACE} 2>/dev/null || return 0 
} 

[-- Attachment #2: Type: text/html, Size: 5503 bytes --]