Hello

I have a /25 addressed on a box (virtual devices on eth0) and I want to tunnel some of these addresses to my home network. One address to my gateway (a.b.c.d, external IP) and one address to my internal network (192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing. What protocol and which technique is easiest and best to use?

One more thing. I don't want to set up a bridge on eth0 at the /25-box (like the OpenVPN-howto wants me to do). The configuration on that box has to be intact if it's possible, apart from the addresses I will tunnel.

Regards
Jonathan
phonic@antisocial.nu wrote:
> Hello
> I have a /25 addressed on a box (virtual devices on eth0) and I want to tunnel some of these addresses to my home network. One address to my gateway (a.b.c.d, external IP) and one address to my internal network (192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing. What protocol and which technique is easiest and best to use?
>
> One more thing. I don't want to set up a bridge on eth0 at the /25-box (like the OpenVPN-howto wants me to do). The configuration on that box has to be intact if it's possible, apart from the addresses I will tunnel.

Have you considered trying to get SSH to tunnel things for you? I don't know if this will meet your needs or not. If not you are looking at something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or IPSec tunnel. Save for SSH, all of these options are rather involved and complex to set up.

Grant. . . .
> phonic@antisocial.nu wrote:
> [quoted original message trimmed]
>
> Have you considered trying to get SSH to tunnel things for you? I don't know if this will meet your needs or not. If not you are looking at something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or IPSec tunnel. Save for SSH, all of these options are rather involved and complex to set up.
>
> Grant. . . .

Hello

I have looked at SSH tunneling, but from what I know I think that's not the best solution for me. After some research, an IPIP or GRE tunnel seems to fit me best. But I don't find any good documentation; neither does the LARTC howto bring up my problem.

I'd figured out that I will use iptunnel or similar to set up an IPIP tunnel, like:

iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h

and the same on the other side (just switching local and remote addresses) to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at a.b.c.d (my public IP at home). But the connection between me and the remote host freezes, so I guess that's not enough. What more do I have to do?

Regards
Jonathan
> Hello
> I have looked at SSH tunneling, but from what I know I think that's not the best solution for me. After some research, an IPIP or GRE tunnel seems to fit me best. But I don't find any good documentation; neither does the LARTC howto bring up my problem.
>
> I'd figured out that I will use iptunnel or similar to set up an IPIP tunnel, like:
>
> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>
> and the same on the other side (just switching local and remote addresses) to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at a.b.c.d (my public IP at home). But the connection between me and the remote host freezes, so I guess that's not enough. What more do I have to do?

Is the "freeze" that you are talking about data through the tunnel or is it the initialization itself? If it is the former, check to make sure that your firewall is not blocking traffic that would be flowing through the tunnel. Namely, if your filter table FORWARD chain policy is set to DROP and you don't have an explicit allow for traffic flowing through the tunnel interface, you will not be able to get things to work.

I'll have to play with GRE / IPIP tunnels to see if I can offer any advice.

Grant. . . .
If I'm going over stuff covered already on this list, please let me know!! Sorry... this is my first post!!

If you've just used the iptunnel command, you'll also need to use ifconfig with the pointopoint type to set up an interface to route traffic through. The IP addresses on either end of the point-to-point interface should be the IPs you want to route traffic between once you've reached the subnets at each end of the tunnel. If you want to route more traffic across the link you use "ip route add 10.0.0.0/24 dev ipiptunnelname" or similar.

Also, you can view the traffic either encapsulated, by running tcpdump on your physical interface, or un-encapsulated by running it on your pointopoint interface.

Dan!

On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>> [Jonathan's message quoted above, trimmed]
>
> Is the "freeze" that you are talking about data through the tunnel or is it the initialization itself? If it is the former, check to make sure that your firewall is not blocking traffic that would be flowing through the tunnel. Namely, if your filter table FORWARD chain policy is set to DROP and you don't have an explicit allow for traffic flowing through the tunnel interface, you will not be able to get things to work.
>
> I'll have to play with GRE / IPIP tunnels to see if I can offer any advice.
>
> Grant. . . .
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> [Jonathan's message quoted above, trimmed]
>
> Is the "freeze" that you are talking about data through the tunnel or is it the initialization itself? If it is the former, check to make sure that your firewall is not blocking traffic that would be flowing through the tunnel. Namely, if your filter table FORWARD chain policy is set to DROP and you don't have an explicit allow for traffic flowing through the tunnel interface, you will not be able to get things to work.
>
> I'll have to play with GRE / IPIP tunnels to see if I can offer any advice.
>
> Grant. . . .

Hello

The "freezing" happens when I add an address to the tunnel interface, like 'ifconfig tunl1 add a.b.c.d'. I think my problem is here, because when I then run 'ifconfig tunl1:0' on the /25-box, 'inet addr' is set to a.b.c.d, and P-t-P is also set to 'a.b.c.d'. Should 'inet addr' maybe be set to the address I want to tunnel? On my home gateway should 'inet addr' be set to the tunneled address and P-t-P to a.b.c.d?

And I'm sure it's not firewall related because I dropped all my rules before I started to play. :-)
Hello

If I understand OpenVPN's "routed" mode correctly, I can't use the tunnel to browse the net, use irc or run an e-mail server. I set up a routed tunnel a few days ago, and all I got was a tunnel between the two computers with local addresses (10.0.0.0-style). But maybe I have it wrong?

> Hi Jonathan,
>
> I am wondering, why do you exclude OpenVPN from the list of appropriate solutions for your needs?
> As far as I know, you do not have to use it in the "bridging mode"; it can work also as normal routing via tunnels.
> Furthermore you can also use it without security.
>
> For the tunnels OpenVPN uses the tun/tap devices ....
> I think you can also use these without OpenVPN ... but here I am not sure, see man pages and google ....
>
> And this might also be a good link regarding this topic:
> http://vtun.sourceforge.net/
> They allow you to use also UDP as tunnel protocol, less overhead, and suitable for NAT traversal :O)
>
> Hopefully this helps you a little bit,
>
> Marc
>
>> -----Original Message-----
>> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of phonic@antisocial.nu
>> Sent: Wednesday, April 27, 2005 9:38 AM
>> To: Taylor, Grant
>> Cc: lartc@mailman.ds9a.nl
>> Subject: Re: [LARTC] IP Tunneling
>>
>> [earlier messages quoted above, trimmed]
Hello

Okay, I tried to set up the routing table this way:

On the test box (doesn't use the /25 yet):
'ip route add 217.211.70.0/24 dev tunl1'

On my home box:
'ip route add 192.121.234.208/28 dev tunl1'

But the connection still freezes... Maybe I misunderstood you?

> If I'm going over stuff covered already on this list, please let me know!! Sorry... this is my first post!!
>
> If you've just used the iptunnel command, you'll also need to use ifconfig with the pointopoint type to set up an interface to route traffic through. The IP addresses on either end of the point-to-point interface should be the IPs you want to route traffic between once you've reached the subnets at each end of the tunnel. If you want to route more traffic across the link you use "ip route add 10.0.0.0/24 dev ipiptunnelname" or similar.
>
> Also, you can view the traffic either encapsulated, by running tcpdump on your physical interface, or un-encapsulated by running it on your pointopoint interface.
>
> Dan!
>
> On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>> [earlier messages quoted above, trimmed]
> If I understand OpenVPN's "routed" mode correctly, I can't use the tunnel to browse the net, use irc or run an e-mail server.

You can! I don't understand what your problem is with OpenVPN, it's the easiest VPN solution I've ever seen.

> I set up a routed tunnel a few days ago, and all I got was a tunnel between the two computers with local addresses (10.0.0.0-style).

Then you need to add routing across the tunnel, just like you'd do if it was a physical interface connected with cable.

--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
Hello

Well, if I can use a routed tunnel to irc through, my problem is solved. :-) Have to read more about OpenVPN...

You say that I have to add stuff in the routing table. I tried to add the default gw for each box on its tunnel device, but the connection is still frozen... Why?

>> If I understand OpenVPN's "routed" mode correctly, I can't use the tunnel to browse the net, use irc or run an e-mail server.
>
> You can! I don't understand what your problem is with OpenVPN, it's the easiest VPN solution I've ever seen.
>
>> I set up a routed tunnel a few days ago, and all I got was a tunnel between the two computers with local addresses (10.0.0.0-style).
>
> Then you need to add routing across the tunnel, just like you'd do if it was a physical interface connected with cable.
>
> --
> damjan | дамјан
> This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
phonic@antisocial.nu wrote:
> Hello
> If I understand OpenVPN's "routed" mode correctly, I can't use the tunnel to browse the net, use irc or run an e-mail server. I set up a routed tunnel a few days ago, and all I got was a tunnel between the two computers with local addresses (10.0.0.0-style).

You should be able to route through any tunnel as your default assuming a couple of things:

1) You have a route for the tunnel traffic to reach the other tunnel endpoint.
2) You set your default route to be something on the other end of the tunnel.
3) The other end of the tunnel will allow your traffic to pass through and out to the internet. A lot of firewalls will not allow traffic out to the internet and back if it is from a subnet that is not directly attached to the system the firewall is running on. Seeing as how this is a firewall config issue it is really not that much of one unless you can't get the other end reconfigured to suit your needs.

Grant. . . .
> Well, if I can use a routed tunnel to irc through, my problem is solved. :-) Have to read more about OpenVPN...
>
> You say that I have to add stuff in the routing table. I tried to add the default gw for each box on its tunnel device, but the connection is still frozen... Why?

Well, you seem to not understand routing :). If you change the default gateway through the tunnel, then how will OpenVPN communicate with its peer???

Anyway, check the --redirect-gateway option in openvpn.

--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
> Well, you seem to not understand routing :). If you change the default gateway through the tunnel, then how will OpenVPN communicate with its peer???

This is when you set a route to the public IP of the host at the other endpoint of the tunnel via your upstream gateway. This way your router has a route to get to the endpoint of the tunnel as well as a default route via the tunnel.

Grant. . . .
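An added example, written for this edit and not posted by anyone in the thread: a small POSIX shell diagnostic for the "freeze" symptom, checking the three conditions Grant's replies point to (a route to the tunnel peer that does not itself go through the tunnel, a default route via the tunnel, and a FORWARD chain that passes tunnel traffic). It runs against constructed `ip route show` and `iptables -S FORWARD` output embedded in the script rather than a live box; the addresses (2.2.2.1 as an assumed upstream gateway, 3.3.3.3 as the peer, borrowed from the made-up addresses later in the thread), the device names and all function names are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Checks saved routing-table and
# FORWARD-chain text for the classic causes of a tunnel that "freezes":
# the encapsulated packets to the peer are themselves routed into the
# tunnel, or the firewall drops forwarded traffic on the tunnel device.

PEER=3.3.3.3     # public address of the far tunnel endpoint (constructed)
TUN=tunl1        # tunnel device name (assumed)
UPLINK=eth0      # physical uplink (assumed)

# Constructed sample: default pushed through the tunnel, but no host route
# for the peer, so the outer IPIP packets never leave eth0.
ROUTES_BROKEN='default dev tunl1 scope link
2.2.2.0/24 dev eth0 proto kernel scope link src 2.2.2.2
10.0.0.0/24 dev tunl1 scope link'

# Constructed sample: host route for the peer via the upstream gateway
# (2.2.2.1, assumed), default via the tunnel.
ROUTES_GOOD='default dev tunl1 scope link
3.3.3.3 via 2.2.2.1 dev eth0
2.2.2.0/24 dev eth0 proto kernel scope link src 2.2.2.2
10.0.0.0/24 dev tunl1 scope link'

# Constructed iptables -S FORWARD output: policy DROP, tunnel not allowed.
FWD_BROKEN='-P FORWARD DROP
-A FORWARD -i eth0 -o eth0 -j ACCEPT'

# Constructed: policy DROP, but explicit accepts for the tunnel device.
FWD_GOOD='-P FORWARD DROP
-A FORWARD -i tunl1 -j ACCEPT
-A FORWARD -o tunl1 -j ACCEPT'

# peer_route_ok ROUTES: succeeds if a host route for $PEER exists and it
# does not point into the tunnel device.
peer_route_ok() {
  printf '%s\n' "$1" | awk -v peer="$PEER" -v tun="$TUN" '
    $1 == peer || $1 == peer "/32" {
      found = 1
      for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) bad = 1
    }
    END { exit !(found && !bad) }'
}

# default_via_tunnel ROUTES: succeeds if the default route uses $TUN.
default_via_tunnel() {
  printf '%s\n' "$1" | awk -v tun="$TUN" '
    $1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) ok = 1 }
    END { exit !ok }'
}

# forward_ok RULES: succeeds if the FORWARD policy is ACCEPT or some
# ACCEPT rule names the tunnel device as in or out interface.
forward_ok() {
  printf '%s\n' "$1" | awk -v tun="$TUN" '
    $1 == "-P" && $2 == "FORWARD" && $3 == "ACCEPT" { ok = 1 }
    $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
      for (i = 3; i <= NF; i++) if (($i == "-i" || $i == "-o") && $(i+1) == tun) ok = 1
    }
    END { exit !ok }'
}

# diagnose ROUTES RULES: prints each finding; return value is the number
# of problems found (0 means the three conditions are all satisfied).
diagnose() {
  problems=0
  if ! peer_route_ok "$1"; then
    echo "no route to peer $PEER outside $TUN: add 'ip route add $PEER via <upstream gw> dev $UPLINK'"
    problems=$((problems + 1))
  fi
  if ! default_via_tunnel "$1"; then
    echo "default route does not use $TUN"
    problems=$((problems + 1))
  fi
  if ! forward_ok "$2"; then
    echo "FORWARD chain drops tunnel traffic: add 'iptables -A FORWARD -i $TUN -j ACCEPT' (and -o $TUN)"
    problems=$((problems + 1))
  fi
  return $problems
}

diagnose "$ROUTES_BROKEN" "$FWD_BROKEN" || echo "broken config: $? problem(s)"
diagnose "$ROUTES_GOOD" "$FWD_GOOD" && echo "working config: no problems"
```

On a real box the two inputs would be `ip route show` and `iptables -S FORWARD` captured before the tunnel is brought up; the point of the peer check is that the route to the tunnel endpoint must be installed through the physical uplink before the default route is moved into the tunnel, otherwise the tunnel swallows its own encapsulated packets.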
Hi

It sounds like you've got the commands correct, maybe the IPs are wrong? Is there NAT anywhere? Here's an example of how I'd configure an ipip tunnel that's NAT'ed... may help?

The network:
Router A has many-to-one NAT for the internal network on its public interface.
Router B has static NAT between 3.3.3.3 and 192.168.0.2.
The tunnel is established from A to B initially to add the NAT entry to Router A's table (although the tunnel itself is stateless).

  HostA        RouterA (NAT/PAT)                 RouterB (NAT)              HostB
[10.0.0.2]----[10.0.0.1/24 2.2.2.2]-----INET-----[3.3.3.3 192.168.0.1/24]------[192.168.0.2]

On HostA:
iptunnel add Tunnel1 mode ipip local 10.0.0.2 remote 3.3.3.3
ifconfig Tunnel1 10.0.0.2 pointopoint 192.168.0.2
ip route add 192.168.0.0/24 dev Tunnel1

On HostB:
iptunnel add Tunnel1 mode ipip local 192.168.0.2 remote 2.2.2.2
ifconfig Tunnel1 192.168.0.2 pointopoint 10.0.0.2
ip route add 10.0.0.0/24 dev Tunnel1

Here are some packet captures from each host showing the encapsulated IP packet (eth0 capture) and the un-encapsulated IP packet arriving at the tunnel interface (Tunnel1) so you can see what outgoing traffic would look like, no replies though cause I made the IPs up :-)

====================================================
HostA:
[root@testvpn-1 ~]# tcpdump -ni eth0 host 3.3.3.3
18:48:42.473976 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0 (ipip-proto-4)
18:48:43.473592 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1 (ipip-proto-4)

[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:49:21.309733 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0
18:49:22.310005 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1

====================================================
HostB:
[root@test-1 ~]# tcpdump -ni eth0 host 2.2.2.2
18:34:28.748402 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 105 (ipip-proto-4)
18:34:29.748198 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 106 (ipip-proto-4)

[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:37:33.802281 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 290
18:37:34.802086 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 291

Once through the two NAT routers each end's tunnel definitions match the packets and everything should work. ....In theory :-)

________________________________
From: phonic@antisocial.nu [mailto:phonic@antisocial.nu]
Sent: Wed 27/04/2005 12:13
To: Dan Martin
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] IP Tunneling

[Jonathan's message quoted above, trimmed]