Questions on tunneling multiple connections between two servers with Linux

Linux Advanced Routing and Traffic Control


 



Hello,

I hope this mailing list is still read, even though no messages have been exchanged for around 4 years.

Or has the mailing list moved to some newer place, and is this one now obsolete?

I have some questions on tunneling with Linux:

I have two servers: A and B.

Server B has multiple interfaces (e.g. 4 interfaces, named wwan0, wwan1, wwan2, wwan3) going to different networks outside the current network.

Between server A and B there shall be one or more tunnels, so that server A is able to select which data goes over which interface on server B.

1) I tried GRE. I configured 4 IPv4 addresses on server A and 4 IPv4 addresses on server B.

For each pair of IP addresses I installed a GRE tunnel between A and B.

I named the tunnels conn0 to conn3:

#!/bin/bash
# Server A side: four point-to-point GRE tunnels, one per outer address pair.
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
# "ip tunnel del" fails when the tunnel does not exist yet; ignore that.
ip tunnel del conn0 2>/dev/null || true
ip tunnel add conn0 mode gre local 192.168.181.1 remote 192.168.181.2 dev eth0
ip addr add 10.0.0.1/30 dev conn0
ip link set conn0 up
ip tunnel del conn1 2>/dev/null || true
ip tunnel add conn1 mode gre local 192.168.181.3 remote 192.168.181.4 dev eth0
# Each tunnel needs its own /30: 10.0.0.3 still lies inside 10.0.0.0/30 together
# with 10.0.0.1, so conn1 gets the next block (10.0.0.4/30), conn2 and conn3 follow.
ip addr add 10.0.0.5/30 dev conn1
ip link set conn1 up
ip tunnel del conn2 2>/dev/null || true
ip tunnel add conn2 mode gre local 192.168.181.5 remote 192.168.181.6 dev eth0
ip addr add 10.0.0.9/30 dev conn2
ip link set conn2 up
ip tunnel del conn3 2>/dev/null || true
ip tunnel add conn3 mode gre local 192.168.181.7 remote 192.168.181.8 dev eth0
ip addr add 10.0.0.13/30 dev conn3
ip link set conn3 up

On server B I added forwarding rules like this (4 interfaces shown)

sudo iptables -F
# "-F" alone leaves the nat table untouched; without this, re-running the
# script stacks up duplicate MASQUERADE rules.
sudo iptables -t nat -F
sudo iptables -P INPUT ACCEPT
# With a FORWARD policy of ACCEPT the per-interface pairs below restrict
# nothing; DROP is what makes "connN only to wwanN" actually hold.
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
sudo iptables -A FORWARD -i conn0 -o wwan0 -j ACCEPT
sudo iptables -A FORWARD -i wwan0 -o conn0 -m state --state ESTABLISHED,RELATED -j ACCEPT

sudo iptables -t nat -A POSTROUTING -o wwan1 -j MASQUERADE
sudo iptables -A FORWARD -i conn1 -o wwan1 -j ACCEPT
sudo iptables -A FORWARD -i wwan1 -o conn1 -m state --state ESTABLISHED,RELATED -j ACCEPT

sudo iptables -t nat -A POSTROUTING -o wwan2 -j MASQUERADE
sudo iptables -A FORWARD -i conn2 -o wwan2 -j ACCEPT
sudo iptables -A FORWARD -i wwan2 -o conn2 -m state --state ESTABLISHED,RELATED -j ACCEPT

sudo iptables -t nat -A POSTROUTING -o wwan3 -j MASQUERADE
sudo iptables -A FORWARD -i conn3 -o wwan3 -j ACCEPT
sudo iptables -A FORWARD -i wwan3 -o conn3 -m state --state ESTABLISHED,RELATED -j ACCEPT



Could this work? Or am I missing something?

Do I really need 4 IP addresses on server A and server B for the 4 tunnels? Or can I do it with just 1 real IPv4 address on each side?

Are the "inside" addresses relevant, or can I just use the same ones for each tunnel (e.g. 10.0.0.1 and 10.0.0.2)?


I see with Wireshark that sometimes packets are not exchanged over the right tunnel. But I have not yet analyzed what the problem is.


2) A suggestion was to use a stream ID with IP-in-IP.

Can it really be used for such a use case? Is the stream ID used for tunneling purposes at all? Is it supported by Linux, so that it is filled in at the sending tunnel endpoint and used at the receiving tunnel endpoint?


3) Assuming that in a next step I also need encryption on the tunnels: is it better to switch over to some different approach like a VPN?

Or is there some "secure GRE" or "secure IP-in-IP"? Or is it possible to use stunnel, or stunnel together with GRE or IP-in-IP? Or is that not the preferred way?

Are there other variants instead of a VPN which I should look at?


4) A question which came up was "MTU". The above tunnels eat some bytes from the MTU.

What happens if e.g. the MTU gets reduced by GRE or IP-in-IP by 24 or 20 bytes and a packet is sent which exceeds the reduced MTU?

Is it fragmented automatically? Do I need to take care that sent packets are now really smaller than 1476 or 1480 bytes?


Is there perhaps some documentation, web pages or books which can help me with information on such topics?


Many thanks in advance!


Best regards,

Martin
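Added example (not part of Martin's post or of any reply in the archive): a script that does what the setup in question 1 attempts, with the points a practitioner would change. It answers the "4 addresses" question by giving all four tunnels the same outer local/remote pair and telling them apart with a GRE key (RFC 2890), which the Linux GRE code uses to demultiplex received packets. It gives each tunnel its own /30 (10.0.0.1/30 and 10.0.0.3/30 in the post fall into the same /30, 10.0.0.5/30 and 10.0.0.7/30 into another, which is one plausible cause of packets showing up on the wrong tunnel). On server B it adds the piece the iptables rules cannot supply: a FORWARD rule with "-i conn1 -o wwan1" only decides whether a packet that routing has already sent to wwan1 may pass; it does not steer packets arriving on conn1 to wwan1. That is done with a per-tunnel routing table selected by ingress interface ("ip rule add iif connN"), the classic LARTC policy-routing pattern. The tunnel MTU is set explicitly to 1472 (1500 minus 20 bytes outer IPv4 minus 8 bytes GRE with key; 1476 without a key, 1480 for IP-in-IP); a forwarded IPv4 packet larger than that is fragmented before encapsulation unless DF is set, in which case the sender receives an ICMP "fragmentation needed" instead. The outer addresses, the interface names eth0 and wwan0..wwan3, the key values and the table numbers are assumptions for illustration. GRE has no authentication or confidentiality, so the source filter on protocol 47 is the most the firewall can do; encryption (question 3) needs IPsec or a VPN around or instead of GRE.

```shell
#!/bin/bash
# Added example for the thread above (not the poster's script): four GRE
# tunnels between ONE outer IPv4 address on A and ONE on B, separated by a
# GRE key, with per-tunnel policy routing on B so that traffic arriving on
# connN leaves on wwanN. Interface names (eth0, wwan0..3), the outer
# addresses, key and table numbers and the 10.0.0.0/28 inner range are
# assumed placeholders.
set -eu

A_OUTER=${A_OUTER:-192.168.181.1}   # assumed outer address of server A
B_OUTER=${B_OUTER:-192.168.181.2}   # assumed outer address of server B
NTUN=4
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, 0 = execute them (root)

# Print (dry run) or execute a command.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Inner MTU of a GRE-over-IPv4 tunnel: carrier MTU minus the outer IPv4
# header (20) minus the GRE header (4, or 8 when the key field is present).
# $1 = carrier MTU, $2 = 1 if the tunnel uses a key.
gre_mtu() {
  local gre=4
  if [ "$2" = 1 ]; then gre=8; fi
  echo $(( $1 - 20 - gre ))
}

# Inner /30 for tunnel $2: A gets 10.0.0.(4i+1), B gets 10.0.0.(4i+2), so
# every tunnel owns a distinct block (10.0.0.1/30 and 10.0.0.3/30 share one).
inner_addr() {
  local base
  base=$(( 4 * $2 ))
  case $1 in
    a) printf '10.0.0.%d/30\n' $(( base + 1 )) ;;
    b) printf '10.0.0.%d/30\n' $(( base + 2 )) ;;
  esac
}

# Create conn0..conn3 on side $1 (a|b). All four share the same outer
# local/remote pair; the kernel demultiplexes received GRE by the key.
setup_tunnels() {
  local side local_ip remote_ip i mtu
  side=$1
  if [ "$side" = a ]; then local_ip=$A_OUTER; remote_ip=$B_OUTER
  else local_ip=$B_OUTER; remote_ip=$A_OUTER; fi
  mtu=$(gre_mtu 1500 1)
  run sysctl -w net.ipv4.ip_forward=1
  for i in $(seq 0 $(( NTUN - 1 ))); do
    run ip tunnel del "conn$i" 2>/dev/null || true
    run ip tunnel add "conn$i" mode gre local "$local_ip" remote "$remote_ip" \
        key $(( 100 + i )) ttl 64 dev eth0
    run ip link set "conn$i" mtu "$mtu" up      # explicit: 1472 with a key
    run ip addr add "$(inner_addr "$side" "$i")" dev "conn$i"
  done
}

# Server B only: FORWARD rules cannot pick the egress interface, the routing
# lookup does. Bind each ingress tunnel to a table whose only route is a
# default via wwanN (add "via <gw>" for interfaces that need a next hop).
# Replies come back through the main table, where each distinct /30 points
# at exactly one connN.
setup_policy_routing_b() {
  local i table
  for i in $(seq 0 $(( NTUN - 1 ))); do
    table=$(( 100 + i ))
    run ip route flush table "$table" 2>/dev/null || true
    run ip route add default dev "wwan$i" table "$table"
    run ip rule add iif "conn$i" lookup "$table" priority $(( 1000 + i ))
    # Replies arrive on wwanN while the main table's default route may point
    # at another wwan; strict reverse-path filtering would drop them, loose
    # mode (2) only requires the source to be reachable via some interface.
    run sysctl -w "net.ipv4.conf.wwan$i.rp_filter=2"
  done
}

# Server B only: default-deny forwarding, allow exactly connN <-> wwanN, and
# accept GRE (protocol 47) only from A's outer address. GRE itself carries
# no authentication, so anything beyond this filter needs IPsec or a VPN.
setup_firewall_b() {
  local i
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT ACCEPT
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -p gre -s "$A_OUTER" -j ACCEPT
  run iptables -A INPUT -p gre -j DROP
  for i in $(seq 0 $(( NTUN - 1 ))); do
    run iptables -t nat -A POSTROUTING -o "wwan$i" -j MASQUERADE
    run iptables -A FORWARD -i "conn$i" -o "wwan$i" -j ACCEPT
    run iptables -A FORWARD -i "wwan$i" -o "conn$i" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
}

# Usage: DRY_RUN=1 ./gre-multi.sh a   (on server A)   or   ... b   (on server B)
case ${1:-} in
  a) setup_tunnels a ;;
  b) setup_tunnels b; setup_policy_routing_b; setup_firewall_b ;;
esac
```

Run it with DRY_RUN=1 first on each side and read the printed commands; only then set DRY_RUN=0 as root. The same key must be configured for connN on both ends, and the two sides' inner addresses of one tunnel must lie in the same /30, which is what inner_addr guarantees.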






