From: "Mick" <michaelkintz...@gmail.com> 

To: gentoo-user@lists.gentoo.org 
Sent: Wednesday, March 21, 2012 5:37:51 AM 
Subject: Re: [gentoo-user] PPP Tunnel using iproute2/tun interface 

On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote: 
> Hello, 
> 
> In testing, I have gotten this setup to work by manually completing the 
> necessary steps; however, I am now looking to have everything completed 
> automatically so as to ensure my setup persists over a reboot. 
> 
> Firstly, an outline of what I am doing: 
> * I have a Gentoo VM running at home, functioning as my firewall/router, 
> which works perfectly fine. 
> * Said VM has established an IPSEC tunnel to a dedicated server using 
> OpenSWAN. This also works perfectly fine. 
> * A tun0 interface is created on both devices, setting up an IPIP PPP 
> tunnel that sits on top of the IPSEC tunnel. 
> * Firewall and Routing rules are in place to perform policy-based routing 
> over this tun0 interface. This again, works perfectly fine. 
> 
> For the rest, the following configuration is worth noting: 
> * The dedicated server is running CentOS 6, not that this is of necessary 
> import for this configuration. 
> * 172.18.0.1 resides on the dedicated server. 
> * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity 
> as well. 
> * 172.18.1.0/24 is the network utilized for the tunnel, with 172.18.1.1 on 
> the dedicated server, and 172.18.1.2 on the Gentoo VM. 
> 
> In effect, the first thing I need to do, is automate the IPIP PPP tunnel 
> setup so that the device can persist over a reboot. I can create it 
> manually right now, no problem, with the following command strings: 
> # ip tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1 
> # ip addr add 172.18.1.2/24 dev tun0 
> # ip link set tun0 mtu 1500 
> # ip link set tun0 up 
> 
> This all works perfectly fine, and tun0 is created after running the first 
> command. Now I need this to persist a reboot. I wanted to handle this 
> through OpenRC, since I can then do dependency resolution, and make sure 
> the tunnel comes up only if the IPSEC tunnel is up and running. That being 
> said, I added the following to /etc/conf.d/net: 

Shouldn't you create the ipip tunnel here first? 

Something like: 

iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255" # not sure if local is 
# required, you can try with & without. 


> link_tun0="ipsec0" #Not sure this is correct, shouldn't it be an iface? 

> config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" 
> dns_servers_tun0="10.0.1.2" 
> routes_tun0=( 
> "64.20.39.38/32 via 172.18.1.1" 
> "default via 172.18.1.1 table ipsec" 
> ) 
> mtu_tun0="1500" 
> iptunnel_tun0_remote="172.18.0.1" 
> iptunnel_tun0_local="10.0.0.1" 
> iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local 
> ${iptunnel_tun0_local} dev ${link_tun0}" 
> rc_net_tun0_need="ipsec" 
> preup() { 
> # If the link does not exist, return now, it's a tunnel! 
> ip link show dev ${IFACE} 2>/dev/null || return 0 
> } 
> 
> Now, the configuration does reflect an additional item not in my original 
> setup, which links tun0 to the ipsec0 interface. I've tested with and 
> without this, and it doesn't work. Attempting to bring up the interface 
> using rc-service results in the following error: 
> Cannot find device "tun0" 
> * ERROR: interface tun0 does not exist 
> * Ensure that you have loaded the correct kernel module for your hardware 
> * ERROR: net.tun0 failed to start 
> 
> I could easily script all this out, and probably call it through rc.local, 
> but I'd rather be able to utilize the dependency resolution to make sure 
> all the necessary components are up. 
> 
> Any insights on getting it to behave? 
> 
> Michael Hill 

-- 
Regards, 
Mick 

----- Original Message -----
Thanks for the help. It did give me some insight on where to look next, and now 
it works perfectly. The problem was in part the ordering I was using, and more 
specific, iptunnel_tun0_mode should have been iptunnel_tun0="mode xxxxxx". That 
would've resulted in the creation of the interface. I've included my final 
config for anybody else who may be interested in such a setup: 

link_tun0="ipsec0" 
iptunnel_tun0_remote="172.18.0.1" 
iptunnel_tun0_local="10.0.0.1" 
iptunnel_tun0="mode ipip remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} dev ${link_tun0}" 
mtu_tun0="1500" 
config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" 
dns_servers_tun0="10.0.1.2" 
routes_tun0="64.20.39.38/32 via 172.18.1.1 
default via 172.18.1.1 table 1 " 
rules_tun0="fwmark 1 table 1" 

rc_net_tun0_need="ipsec" 

preup() { 
ip link show dev ${IFACE} 2>/dev/null || return 0 
} 

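As an added example, not code from the thread and not Gentoo's netifrc: the manual steps Michael listed, plus the policy routing (table 1, fwmark 1) from his final /etc/conf.d/net, collected into a small POSIX shell script that can be reviewed without root. Addresses, the ttl 255 from Mick's suggestion, and the ipsec0 interface name are taken from the thread; the DRY_RUN variable, the helper names, and the refusal to start when ipsec0 is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): the ipip tunnel and policy routing
# from the thread as an idempotent script. DRY_RUN=1 prints the ip(8)
# commands instead of running them, so it can be reviewed without root.
# Values below are taken from the thread; TABLE/MARK=1 as in the final config.

TUN=${TUN:-tun0}
REMOTE=${REMOTE:-172.18.0.1}     # tunnel endpoint on the dedicated server
LOCAL=${LOCAL:-10.0.0.1}         # this VM's address
ADDR=${ADDR:-172.18.1.2/24}
GW=${GW:-172.18.1.1}
PINNED=${PINNED:-64.20.39.38/32}
TABLE=${TABLE:-1}
MARK=${MARK:-1}
IPSEC_IF=${IPSEC_IF:-ipsec0}     # KLIPS-style interface the tunnel rides on
DRY_RUN=${DRY_RUN:-0}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# An ipip tunnel has no authentication or encryption of its own; it is only
# safe because it rides inside the IPsec tunnel. Refuse to start without it.
ipsec_up() {
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    ip link show dev "$IPSEC_IF" >/dev/null 2>&1
}

tunnel_up() {
    ipsec_up || { echo "$IPSEC_IF is not up; refusing to start $TUN" >&2; return 1; }
    # Create the tunnel device only if it is missing, so re-running is safe.
    if [ "$DRY_RUN" = 1 ] || ! ip link show dev "$TUN" >/dev/null 2>&1; then
        run ip tunnel add "$TUN" mode ipip remote "$REMOTE" local "$LOCAL" ttl 255
    fi
    # "replace" rather than "add" keeps the remaining steps idempotent.
    run ip addr replace "$ADDR" dev "$TUN"
    run ip link set "$TUN" mtu 1500 up
    run ip route replace "$PINNED" via "$GW" dev "$TUN"
    run ip route replace default via "$GW" dev "$TUN" table "$TABLE"
    # Marked traffic (set by the firewall) is steered into the tunnel table.
    # ip rule has no "replace"; remove a stale copy first on real runs.
    [ "$DRY_RUN" = 1 ] || ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null
    run ip rule add fwmark "$MARK" table "$TABLE"
}

tunnel_down() {
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
    run ip tunnel del "$TUN"
}

case "${1:-}" in
    up) tunnel_up ;;
    down) tunnel_down ;;
esac
```

Run `DRY_RUN=1 sh tunnel.sh up` to see the exact command sequence before committing it to /etc/conf.d/net. One caveat worth checking on a real run: ipip adds a 20-byte outer header and the IPsec encapsulation adds more, so an inner MTU of 1500 on a 1500-byte path forces fragmentation; if large transfers stall, lower the tunnel MTU and compare with `ip link show tun0`.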