What is it?

IP Tunneling is a method of connecting & routing private IP addresses over a different network.

I think it's the easiest method of connecting disconnected nodes, or for disconnecting connected nodes.

Setting up IP Tunneling requires both ends of the connection to be able to reach each other directly. In other words, if one of the systems you want to connect is behind NAT, this won't work. IP tunnels are not encrypted; they are 'plaintext' encapsulation. This really shouldn't matter for SWN, as we don't use WEP anyway. IP tunnels can be encrypted if you want; however, the encrypted variants are not standard between OSes.

As with many things related to this project, setting up IP Tunneling may create a security issue on your network. Using a firewall is a very good idea.

How does it work?

http://www.seattlewireless.net/images/uploaded/15511.1017118716.jpg

In the above picture, A, Net1, and SIN are all one router.

Setup

Most OSes support IP Tunneling; it's standardized in RFC 2003. All of this setup assumes you have a basic understanding of networking.
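
As an added illustration (not part of the original page and not any OS's tunnel code), here is a small pure-Python model of the RFC 2003 encapsulation that the gif/ipip interfaces in the sections below perform, plus the peer check that a firewall in front of a tunnel endpoint should enforce. It shows two things the text above states: the inner packet travels verbatim behind a second IPv4 header (protocol 4), and nothing in the outer header proves who sent it, so an endpoint has to restrict which source addresses it will decapsulate. The outer addresses reuse the OpenBSD example (128.9.160.197 and 128.9.160.199); the inner addresses, the ICMP-like payload and the spoofing peer 203.0.113.9 are constructed; all function names are mine.

```python
# Added example: minimal RFC 2003 IP-in-IP encapsulate/decapsulate with a peer allowlist.
# All addresses and payload bytes are constructed for the example.
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4  # protocol number of the outer header for IP-in-IP (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header, verify its checksum, return fields and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("bad total length")
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str, ttl: int = 255) -> bytes:
    """RFC 2003: copy the whole inner datagram behind an outer IPv4 header with protocol 4."""
    parse_ipv4(inner)  # refuse to wrap something that is not a valid IPv4 datagram
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner, ttl)


def decapsulate(outer: bytes, local_ip: str, allowed_peers: set) -> bytes:
    """Strip the outer header, but only for IPIP addressed to us from a configured peer.

    The peer check is the firewall-style control the page recommends: the outer
    header is unauthenticated, so without it anyone who can reach the public
    address can inject packets into the private network behind the tunnel.
    """
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IPIP (protocol %d)" % o["proto"])
    if o["dst"] != local_ip:
        raise ValueError("outer packet is not addressed to this endpoint")
    if o["src"] not in allowed_peers:
        raise PermissionError("IPIP from unexpected peer %s dropped" % o["src"])
    return o["payload"]


def demo() -> dict:
    """Wrap a constructed private-net packet the way the OpenBSD example would, then unwrap it."""
    local, peer = "128.9.160.199", "128.9.160.197"
    inner = build_ipv4("10.13.1.5", "10.0.0.199", 1, b"\x08\x00\x00\x00ping")  # constructed ICMP-like payload
    outer = encapsulate(inner, peer, local)
    unwrapped = decapsulate(outer, local, {peer})
    try:  # same inner packet, but the outer source is a constructed non-peer address
        decapsulate(encapsulate(inner, "203.0.113.9", local), local, {peer})
        spoofed_rejected = False
    except PermissionError:
        spoofed_rejected = True
    return {
        "overhead": len(outer) - len(inner),   # 20 bytes: why the tunnel MTU sits below the link MTU
        "inner_visible": inner in outer,       # plaintext: the inner packet appears verbatim on the wire
        "roundtrip_ok": unwrapped == inner,
        "spoofed_rejected": spoofed_rejected,
        "inner_src": parse_ipv4(unwrapped)["src"],
    }


if __name__ == "__main__":
    print(demo())
```

The 20-byte overhead reported by demo() is the reason the gif interfaces in the ifconfig output further down show an MTU smaller than the underlying link. The allowlist in decapsulate() is what a host firewall rule restricting protocol 4 to the configured remote endpoint achieves on a real system.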

OpenBSD

Here are the basic commands for setting up the tunnel and binding the local IPs to it. You will need to substitute the correct IPs in this example for it to work.

ifconfig gif0 giftunnel 128.9.160.197 128.9.160.199 up
ifconfig gif0 10.0.0.197 10.0.0.199 netmask 255.255.255.252 up

At this point, you should be able to ping 10.0.0.199, provided you and your link partner have both set the correct items up.

However, you may want to route other traffic over this link:

route add -net 10.13.0.0 -netmask 255.255.0.0  10.0.0.197

This will send all traffic destined for 10.13.*.* over the tunnel.

You should end up with something like this:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        physical address inet 128.9.160.197 --> 128.9.160.199 
        inet6 fe80::290:27ff:fe85:11b6%gif0 -> :: prefixlen 64 scopeid 0x15
        inet 10.0.0.197  --> 10.0.0.199  netmask 0xfffffffc 

If you need more gif interfaces than the four the GENERIC kernel provides, creating the fifth one fails:

# ifconfig gif4 create
ifconfig: SIOCGIFFLAGS: Device not configured

You need to reconfigure your kernel to add support for more tunneling interfaces:

# config -e -u -o /bsd.new /bsd
OpenBSD 2.9 (GENERIC) #653: Sat Apr 28 13:57:59 MDT 2001
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
History is empty
Enter 'help' for information
ukc> change gif
252 gif count 4 (pseudo device)
change [n] y
count [4] ? 10
252 gif changed
252 gif count 10 (pseudo device)
ukc> quit
Saving modified kernel.
#

Then, once you have booted and tested your reconfigured kernel via "boot> boot /bsd.new" from the boot loader, you can swap the two kernels, and your system should be ready to go:

# ifconfig -a | grep gif
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
gif4: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif5: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif6: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif7: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif8: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif9: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

Windows 2000 server

(Shamelessly stolen from here)

On the Windows Control Panel:

  1. Open Routing and Remote Access.
  2. In the console tree, click the server you use and select Routing Interface.
  3. Right-click Routing Interface and choose 'New IP tunnel'.
  4. In Interface name, type a name for the tunnel, and click OK.
  5. In the console tree, click IP Routing, right-click General, and then click New Interface.
  6. In Interfaces, click the IP-in-IP tunnel you just created.
  7. On the Tunnel tab, set Local address to the IP address of the router and Remote address to the IP address of the tunnel endpoint.

FreeBSD

You need to "ifconfig create" it first. Have a look at /etc/defaults/rc.conf on how to do it automatically. Hint: search for "gif_interfaces".

Then put the necessary lines into your /etc/rc.conf:

gif_interfaces="gif0"     # create gif0 at boot (examples typically for a router)
gifconfig_gif0="128.9.160.199 128.9.160.197"     # outer (routable) addresses: local remote
ifconfig_gif0="inet 10.0.0.197 10.0.0.199 netmask 255.255.255.192"  # inner (private) addresses: local remote; test me; is the syntax correct?

then reboot...

---or---

You can do it manually:

# ifconfig gif0 create
# gifconfig gif0 128.9.160.199 128.9.160.197
# ifconfig gif0 10.0.0.197 10.0.0.199 netmask 255.255.255.192

You may need to add some routes...

# route add -net 10.13.0.0 -netmask 255.255.0.0 10.0.0.197

When you are done, you should get something like this:

# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 128.9.160.199 --> 128.9.160.197
        inet6 fe80::201:2ff:fec1:c8b%gif0 prefixlen 64 scopeid 0x6
        inet 10.0.0.197 --> 10.0.0.199 netmask 0xffffffc0 

It's that easy. --EricJohanson

PS. Don't do this if you are not on the local console of the box. :)

Linux

You need to enable IP Tunneling in the kernel. Most distros have this enabled by default, but if not, you'll have to rebuild:

make menuconfig -> Networking Options -> TCP/IP networking -> IP: tunnel

When you are done, you should have a kernel module named ipip.o. (older 2.2 kernels will also have new_tunnel.o, but this was merged in 2.4)

The docs are really lacking and out of date. All of the references in the HOWTO are about 2.2. I can't seem to find a good source of info on the new 2.4 ipip.o module. I know you need to have a new version of net-tools to make it work. If you have the 'iptunnel' command, you should be ready to go.

Under 2.2, we are still debugging the process to get true encapsulated IPIP tunnels setup. If anyone would like to play with this config, let me know.

Under 2.4, the following rc script should get you going:

#!/bin/sh
# IP-in-IP tunnel rc script for Linux 2.4 (needs the ipip module and iptunnel from net-tools)

# this should be the IP address of the remote server
REMOTEIP=64.81.178.37

# this is the (routable) IP of the local server
LOCALIP=216.254.21.186

# this is the private (10 net) IP of this end of the tunnel
PRIVATELOCAL=10.13.13.13

# this is the private (10 net) IP of that end of the tunnel
PRIVATEREMOTE=10.13.13.14

# add routes to these networks (separate by spaces)
REMOTENET="$PRIVATEREMOTE/32 20.0.0.0/8 192.168.1.0/24"

# name of the tunnel device; this can be whatever
TUNDEV=gir

# STOP EDITING HERE

start()
{
        # create the ipip tunnel between the two routable addresses
        iptunnel add ${TUNDEV} mode ipip remote ${REMOTEIP} local ${LOCALIP} ttl 255
        # assign the private addresses to the tunnel interface (this also brings it up)
        ifconfig ${TUNDEV} ${PRIVATELOCAL} pointopoint ${PRIVATEREMOTE}
        # Note: check the above syntax; each linux seems to want a slightly different 'pointopoint' syntax. -EricJohanson
        # send the listed networks over the tunnel
        for net in ${REMOTENET}; do
                route add -net $net dev ${TUNDEV}
        done
}

stop()
{
        ifconfig ${TUNDEV} down
        iptunnel del ${TUNDEV}
}

case "$1" in
        start)
                start ;;
        stop)
                stop ;;
        restart)
                stop
                start ;;
        *)
                echo "Usage: $0 {start|stop|restart}"
                exit 1 ;;
esac

What's been known to work

  1. FreeBSD 4.4 stable -> OpenBSD 2.9
  2. FreeBSD 4.4 stable -> same
  3. Linux 2.4.7 -> OpenBSD 2.9
  4. Linux 2.4.17 -> OpenBSD 2.9
  5. Linux 2.4.21 -> FreeBSD 5.1
  6. Linux 2.6.8 -> FreeBSD 5.2.1

Other options

Cipe, vtun

We've got options with our IP tunnels as well: IPsec or PPTP. Good tools for Unix are FreeSWAN or PoPToP.

Comments

The tun/tap modules create the kernel devices that are used by tunneling drivers. I think VTun is the userspace software of choice for setting up the tunnels on Linux. If you would like to experiment with tunneling, please let me know. I am interested in playing with VTun and also seeing how the various OSes' tunneling software interacts (e.g. tunneling between Linux and Win2k/OpenBSD/etc).

StartideRising mentions on his infopage using the Ricochet modems for IP Tunneling purposes. Perhaps some users with otherwise unused Ricochet modems can get together or loan out their modems for some trial runs between nodes. The Ricochet modems have extended range, and the old ones do not need the Ricochet network in order to talk directly to each other.

Also, OpenVPN might be worth checking out. They do encrypted tunnelling over UDP or TCP, also with tun/tap.

IpTunnel (last edited 2008-05-15 14:12:54 by mattw)