From: "Mick" <michaelkintz...@gmail.com> To: gentoo-user@lists.gentoo.org Sent: Wednesday, March 21, 2012 5:37:51 AM Subject: Re: [gentoo-user] PPP Tunnel using iproute2/tun interface
On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote: > Hello, > > In testing, I have gotten this setup to work by manually completing the > necessary steps; however, I am now looking to have everything completed > automatically so as to ensure my setup persists over a reboot. > > Firstly, an outline of what I am doing: > * I have a Gentoo VM running at home, functioning as my firewall/router, > which works perfectly fine. * Said VM has established an IPSEC tunnel to a > dedicated server using OpenSWAN. This also works perfectly fine. * A tun0 > interface is created on both devices, setting up an IPIP PPP tunnel that > sits on top of the IPSEC tunnel. * Firewall and Routing rules are in place > to perform policy-based routing over this tun0 interface. This again, > works perfectly fine. > > For the rest, the following configuration is worth noting: > * The dedicated server is running CentOS 6, not that this is of necessary > import for this configuration. * 172.18.0.1 resides on the dedicated > server. > * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity > as well. * 172.18.1.0/24 is the network utilized for the tunnel, with > 172.18.1.1 on the dedicated server, and 172.18.1.2 on the Gentoo VM. > > In effect, the first thing I need to do, is automate the IPIP PPP tunnel > setup so that the device can persist over a reboot. I can create it > manually right now, no problem, with the following command strings: # ip > tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1 > # ip addr add 172.18.1.2/24 dev tun0 > # ip link set tun0 mtu 1500 > # i p link set tun0 up > > This all works perfectly fine, and tun0 is created after running the first > command. Now I need this to persist a reboot. I wanted to handle this > through OpenRC, since I can then do dependency resolution, and make sure > the tunnel comes up only if the IPSEC tunnel is up and running. That being > said, I added the following to /etc/conf.d/net: Shouldn't you create the ipip tunnel here first? Something like: iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255" #not sure if local is required, you can try with & without. > link_tun0="ipsec0" #Not sure this is correct, shouldn't it be an iface? > config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" > dns_servers_tun0="10.0.1.2" > routes_tun0=( > "64.20.39.38/32 via 172.18.1.1" > "default via 172.18.1.1 table ipsec" > ) > mtu_tun0="1500" > iptunnel_tun0_remote="172.18.0.1" > iptunnel_tun0_local="10.0.0.1" > iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local > ${iptunnel_tun0_local} dev ${link_tun0}" rc_net_tun0_need="ipsec" > preup() { > # If the link does not exist, return now, it's a tunnel! > ip link show dev ${IFACE} 2>/dev/null || return 0 > } > > Now, the configuration does reflect an additional item not in my original > setup, which links tun0 to the ipsec0 interface. I've tested with and > without this, and it doesn't work. Attempting to bring up the interface > using rc-service results in the following error: Cannot find device "tun0" > * ERROR: interface tun0 does not exist > * Ensure that you have loaded the correct kernel module for your hardware > * ERROR: net.tun0 failed to start > > I could easily script all this out, and probably call it through rc.local, > but I'd rather be able to utilize the dependency resolution to make sure > all the necessary components are up. > > Any insights on getting it to behave? > > Michael Hill -- Regards, Mick ----- Original Message ----- Thanks for the help. It did give me some insight on where to look next, and now it works perfectly. The problem was in part the ordering I was using, and more specific, iptunnel_tun0_mode should have been iptunnel_tun0="mode xxxxxx". That would've resulted in the creation of the interface. I've included my final config for anybody else who may be interested in such a setup: link_tun0="ipsec0" iptunnel_tun0_remote="172.18.0.1" iptunnel_tun0_local="10.0.0.1" iptunnel_tun0="mode ipip remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} dev ${link_tun0}" mtu_tun0="1500" config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255" dns_servers_tun0="10.0.1.2" routes_tun0="64.20.39.38/32 via 172.18.1.1 default via 172.18.1.1 table 1 " rules_tun0="fwmark 1 table 1" rc_net_tun0_need="ipsec" preup() { ip link show dev ${IFACE} 2>/dev/null || return 0 }