Wednesday, January 18, 2012

Linux multipoint GRE tunneling

Here's another interesting, little-known feature of the Linux kernel's GRE support.



The following assumes you have working multicast routing in your intranet. The Internet would work too, but multicast support over the Internet is like IPv6: hardware and software support it, yet there are no users outside a few academic institutions.

Host A:
ip tunnel add tun0 mode gre local 172.31.0.1 remote 224.66.66.66 ttl 255
ip addr add 10.10.10.1/24 dev tun0
ip link set tun0 up

Host B:
ip tunnel add tun0 mode gre local 172.31.0.2 remote 224.66.66.66 ttl 255
ip addr add 10.10.10.2/24 dev tun0
ip link set tun0 up

Host C:
ip tunnel add tun0 mode gre local 172.31.0.3 remote 224.66.66.66 ttl 255
ip addr add 10.10.10.3/24 dev tun0
ip link set tun0 up

If you can't use multicast, you could hardcode the remote peers. The downside is that the resulting tunnel requires manual configuration.
echo 0 > /proc/sys/net/ipv4/neigh/tun0/mcast_solicit
ip neigh add 10.10.10.4 lladdr 172.31.0.4 dev tun0 nud permanent
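
One way to take the manual work out of the hardcoded-peer setup above, as an added example that is not part of the original post: a POSIX shell script that turns one shared peer table into the per-host commands shown in the post. The peer table, the function names and the use of `ip neigh replace` instead of `ip neigh add` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. PEERS is constructed sample data:
# one "<tunnel address> <underlay address>" pair per line, shared by all hosts.
PEERS='10.10.10.1 172.31.0.1
10.10.10.2 172.31.0.2
10.10.10.3 172.31.0.3
10.10.10.4 172.31.0.4'

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands for one host. $1 = that host's underlay address, $2 = device.
# The host's own line is skipped; a malformed line or argument returns status 1.
peer_commands() {
    self=$1
    dev=$2
    is_ipv4 "$self" || { echo "bad local address: $self" >&2; return 1; }
    case "$dev" in ''|.|..|*[!A-Za-z0-9_.-]*) echo "bad device: $dev" >&2; return 1 ;; esac
    echo "echo 0 > /proc/sys/net/ipv4/neigh/$dev/mcast_solicit"
    while read -r overlay underlay extra; do
        [ -n "$overlay" ] || continue
        if [ -n "$extra" ] || ! is_ipv4 "$overlay" || ! is_ipv4 "$underlay"; then
            echo "bad peer line: $overlay $underlay $extra" >&2
            return 1
        fi
        [ "$underlay" = "$self" ] && continue
        # "replace" rather than "add" so the script can be re-run safely
        echo "ip neigh replace $overlay lladdr $underlay dev $dev nud permanent"
    done <<EOF
$PEERS
EOF
}

# Dry run for Host A: prints the commands; pipe them to "sh" as root to apply.
peer_commands 172.31.0.1 tun0
```

Validating the table before anything is printed keeps a malformed line from reaching a root shell. GRE itself adds no encryption or authentication, so the permanent entries only fix where packets are sent, not who may send them.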

4 comments:

  1. Have been looking around for GVPE docs etc., came across this. Nice information.
    Am wondering, since you seem to be in the know. If I wanted to create private user network(s) over the internet, secure as reasonable, normal internet access from your default route. This would simply set up a network like 10.0.0.x so that you can see the other clients like a local network, preferably with things like multicast etc.
    Also, would such a system have to rely on the normal client-server model, or can it be done in a more distributed / failover fashion, server goes down, network carries on kinda thing?
    This would be so that each user would see other machines like a local LAN.

  2. Hi Anthony.

    I believe what you're asking for is sort of the holy grail for VPN users. Not that the requirements would be unreasonable, just that it's difficult to find one product that would fulfill them all, or even multiple products that would work well enough together to implement it. I see you already managed to find GVPE, which seems to be one of the least known open-source VPN solutions. In case you've missed it, also check out N2N (http://www.ntop.org/products/n2n/). N2N is probably the closest thing to what you want that's currently available.

    There appears to be some interest in developing a virtualized Ethernet switch with similar goals by cloud computing providers. Cloud providers would like to provide their customers the option to seamlessly connect all servers used by one customer together and also to customer premises. Using traditional IPsec L2L doesn't really work here, or at least causes a number of unnecessary hops in traffic, for example when the L2L tunnel is terminated in cloud provider DC1 but customer servers are actually provisioned from DC1, DC2 and DC3.

  3. Hey Asiantuntijakaveri,

    Thanks so much for taking the time to reply. This n2n stuff looks just the ticket, Debian packages already available, I will crack on with testing it and let you know how I get on.

    The virtual switch sounds interesting, rather like the B.A.T.M.A.N. project, but after asking in the channel it's for wireless LAN community links, but I'm sure it could be used for internet/VPN connections like this too: http://www.open-mesh.org/. There are some help requests to get it working with GVPE etc. and similar, hence why I found it.

    Many Thanks
    Anthony

  4. Do you know if it's possible to set up a Linux GRE tunnel for listening to multipoint requests? I don't know with which device you tested your GRE tunnels. But it should be interesting to know what kind of device you use on the other side. I would like to set up a server (multipoint listening) and clients that can connect to it via GRE and which is an L2 tunnel. Do you know if this is possible?
