Hello,
I hope this mailing list is still read even when around 4 years no more
messages have been exchanged.
Or has the mailing list moved to some newer place and this one is now
obsolete?
I have some questions on tunneling with Linux:
I have two servers: A and B.
Server B has multiple interface (e.g. 4 interfaces, name it wwan0,
wwan1, wwan2, wwan3) going to different networks outside the current
network.
Between server A and B there shall be one or more tunnels, so that
server A is able to select which data goes over which interface on server B.
1) I tried GRE. Configured 4 IPv4 IP adresses on server A and 4 IPv4 IP
addresses on server B.
For each pair of IP addresses I installed a GRE tunnel between A and B.
I named the tunnels conn0 to conn3:
#!/bin/bash
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
ip tunnel del conn0
ip tunnel add conn0 mode gre local 192.168.181.1 remote 192.168.181.2
dev eth0
ip addr add 10.0.0.1/30 dev conn0
ip link set conn0 up
ip tunnel del conn1
ip tunnel add conn1 mode gre local 192.168.181.3 remote 192.168.181.4
dev eth0
ip addr add 10.0.0.3/30 dev conn1
ip link set conn1 up
ip tunnel del conn2
ip tunnel add conn2 mode gre local 192.168.181.5 remote 192.168.181.6
dev eth0
ip addr add 10.0.0.5/30 dev conn2
ip link set conn2 up
ip tunnel del conn3
ip tunnel add conn3 mode gre local 192.168.181.7 remote 192.168.181.8
dev eth0
ip addr add 10.0.0.7/30 dev conn3
ip link set conn3 up
$
On server B I added forwarding rules like this (4 interfaces shown)
sudo iptables-F
sudo iptables-P INPUT ACCEPT
sudo iptables-P FORWARD ACCEPT
sudo iptables-P OUTPUT ACCEPT
sudoiptables-t nat-A POSTROUTING -o wwan0 -j MASQUERADE
sudoiptables-A FORWARD -i conn0 -o wwan0 -j ACCEPT
sudoiptables-A FORWARD -i wwan0 -o conn0 -m
state--stateESTABLISHED,RELATED-j ACCEPT
sudoiptables-t nat-A POSTROUTING -o wwan1 -j MASQUERADE
sudoiptables-A FORWARD -i conn1 -o wwan1 -j ACCEPT
sudoiptables-A FORWARD -i wwan1 -o conn1 -m
state--stateESTABLISHED,RELATED-j ACCEPT
sudoiptables-t nat-A POSTROUTING -o wwan2 -j MASQUERADE
sudoiptables-A FORWARD -i conn2 -o wwan2 -j ACCEPT
sudoiptables-A FORWARD -i wwan2 -o conn2 -m
state--stateESTABLISHED,RELATED-j ACCEPT
sudoiptables-t nat-A POSTROUTING -o wwan3 -j MASQUERADE
sudoiptables-A FORWARD -i conn3 -o wwan3 -j ACCEPT
sudoiptables-A FORWARD -i wwan3 -o conn3 -m
state--stateESTABLISHED,RELATED-j ACCEPT
Could this work? Or I am missing something?
Do I really need 4 IP addresses on server A and server B for the 4
tunnels? Or can I do it with just 1 real IPv4 address on each side?
"Inside" addresses relevant, or can i just use the same for each tunnel
(e.g. 10.0.0.1 and 10.0.0.2)
I see with wireshark that sometimes packets are not exchanged over the
right tunnel. But I have not yet analyzed what is the problem.
2) A suggestion was to use a stream id with IP-in-IP.
Can it really used for such a use case? Is the stream id used for
tunneling purposes at all? Is it supported by Linux,
to fill in one sending tunneling endpoint and using it on receiving
tunneling endpoint?
3) Assuming in next step I also need encryption on tunnels: Better to
switch over to some different approach like VPN?
Or is there some "secure GRE" or "secure IP-in-IP"? Or possible to use
stunnel, or stunnel together with GRE or IP-in-IP? Or not preferred way?
Are there other variants instead of VPN which I shall look at?
4) A question which came up was "MTU". The above tunnels eats some bytes
from MTU.
What happens if e.g. MTU gets reduced by GRE or IP-in-IP by 24 or 20 bytes
and a packet is sent which exceeds the reduced MTU.
Is it fragmented automatically? Do I need to take care that sent packets
are now really smaller than 1476 or 1480 bytes?
Is there perhaps some documentation, webpages or books which can help me
with info on such topics?
Many thanks in advance!
Best regards,
Martin