
A simple Ethernet tunnel on Linux in four to six commands

Brief cheat sheet:
 HOST1: ip link add grelan type gretap local <IP1> remote <IP2>
 HOST1: ip link set grelan up
 HOST1: iptables -I INPUT -p gre -s <IP2> -j ACCEPT
 HOST2: ip link add grelan type gretap local <IP2> remote <IP1>
 HOST2: ip link set grelan up
 HOST2: iptables -I INPUT -p gre -s <IP1> -j ACCEPT


Four commands for the tunnel and two for the firewall (the firewall rules are not needed if traffic between the two servers is already allowed).
That is all you need; a longer explanation with the details follows.


When you need to join several computers into a pseudo-local network over the Internet, this is usually solved by setting up OpenVPN.
That solution works well, but it is not without drawbacks:
1. You have to install additional software and configure it, and the first time it is not that easy: you have to sit down and work through it.
2. Encryption happens in user space and adds latency. That is not always important, but it can be noticeable for IP telephony.
3. Encryption is not always necessary. In my case, for example, all connections are already secured (ssh); I just need convenient flat addressing between several computers, as if they were plugged into one LAN.

On Linux, GRE tunnels (when no encryption is needed) are obscenely simple to set up; the only requirements are Linux on both ends and a public IP on each.
Information on this topic on the Internet is somehow vanishingly scarce: mostly IP (not Ethernet) tunnels are explained, and right away together with traffic encryption (which is not always necessary). man ip is also very extensive and information on

Suppose we have two hosts:
HOST1 with external address 1.2.3.4
HOST2 with external address 2.3.4.5

I want an Ethernet network between them. On top of it you can, for example, configure the IP addresses 192.168.0.1 and 192.168.0.2, but you can just as well use IPv6 or anything else: you get an ordinary network, as if the two hosts were connected through a switch.

All commands are run as root and are lost after a reboot. To keep them, put them in startup scripts or in the network configuration files (each distribution has its own).

1. Add a virtual network card (the tunnel interface) on HOST1:
 HOST1: ip link add grelan type gretap local 1.2.3.4 remote 2.3.4.5

On HOST1 it will look like an ordinary network card: you can assign IP addresses to it, run a DHCP server on it, add it to a bridge, and so on.

2. Bring the new interface up:
 HOST1: ip link set grelan up


3. If iptables is active, allow incoming GRE traffic from the peer:
 HOST1: iptables -I INPUT -p gre -s 2.3.4.5 -j ACCEPT


4. Symmetric configuration on the second host:
 HOST2: ip link add grelan type gretap local 2.3.4.5 remote 1.2.3.4
 HOST2: ip link set grelan up
 HOST2: iptables -I INPUT -p gre -s 1.2.3.4 -j ACCEPT


At this point the Ethernet network is already working. To check it, assign private IP addresses to the tunnel interface on each side (ip addr add needs the dev argument, otherwise it refuses the command):
 HOST1: ip addr add 192.168.0.1/24 dev grelan
 HOST2: ip addr add 192.168.0.2/24 dev grelan


and ping from HOST2:
 root@ubuntu:~# ping 192.168.0.1
 PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
 64 bytes from 192.168.0.1: icmp_req=1 ttl=64 time=2.45 ms
 64 bytes from 192.168.0.1: icmp_req=2 ttl=64 time=1.19 ms
 64 bytes from 192.168.0.1: icmp_req=3 ttl=64 time=2.45 ms


For the pings you may also have to add iptables rules (or switch iptables off altogether for the duration of the experiment).
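The whole procedure for one end, as an added example script that is not part of the original post: it generates the four commands for a given local/remote pair, executes them only when DRY_RUN=0 (the default only prints them, since they need root), and checks the result by parsing the output of ip -d link show. The public addresses, the interface name grelan and the 192.168.0.0/24 inner addresses are the ones used above; the function names, the DRY_RUN switch and the sample ip -d link show output embedded for the self-check are assumptions made here, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): generate, apply and verify one
# end of a gretap tunnel. Addresses and the name "grelan" follow the post;
# function names, DRY_RUN and the sample "ip -d link" output are assumed.
set -eu

# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
# Execution needs root, and nothing here survives a reboot.
DRY_RUN=${DRY_RUN:-1}

# Print the commands for one end: local and remote public IP, interface
# name, inner address in CIDR form. The iptables rule matches GRE
# (IP protocol 47) from the peer only; it is a source-IP filter, not
# authentication, so a host that can spoof that address can still inject
# frames into the tunnel.
gretap_commands() {
    gc_local=$1
    gc_remote=$2
    gc_if=$3
    gc_inner=$4
    printf 'ip link add %s type gretap local %s remote %s\n' "$gc_if" "$gc_local" "$gc_remote"
    printf 'ip link set %s up\n' "$gc_if"
    printf 'ip addr add %s dev %s\n' "$gc_inner" "$gc_if"
    printf 'iptables -I INPUT -p gre -s %s -j ACCEPT\n' "$gc_remote"
}

# Run (or, in dry-run mode, echo with a "+ " prefix) each command in order.
gretap_apply() {
    gretap_commands "$@" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '+ %s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# From "ip -d link show <if>" output, print "<local> <remote>" taken from
# the "gretap remote ... local ..." detail line.
gretap_endpoints() {
    printf '%s\n' "$1" | awk '
        $1 == "gretap" {
            for (i = 2; i < NF; i++) {
                if ($i == "local")  l = $(i + 1)
                if ($i == "remote") r = $(i + 1)
            }
            print l, r
        }'
}

# Succeed only if the interface really points at the expected peer.
gretap_verify() {
    gv_got=$(gretap_endpoints "$1")
    [ "$gv_got" = "$2 $3" ]
}

# MTU of the interface as reported on the first line of "ip -d link show".
gretap_link_mtu() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# Largest inner MTU that fits the outer path MTU: 20 (outer IPv4) + 4 (GRE
# without key/checksum) + 14 (inner Ethernet) = 38 bytes of overhead, which
# is why a fresh gretap interface shows mtu 1462 on a 1500-byte uplink.
gretap_mtu() {
    echo $(( $1 - 38 ))
}

# Constructed sample of "ip -d link show grelan" on HOST1 (not captured from
# a real system), used by the self-check in the test harness.
SAMPLE_LINK='5: grelan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 7a:3c:2e:11:a1:90 brd ff:ff:ff:ff:ff:ff promiscuity 0
    gretap remote 2.3.4.5 local 1.2.3.4 ttl inherit addrgenmode eui64'

# Usage: sh gretap.sh <local> <remote> <ifname> <inner/cidr>
#   HOST1: DRY_RUN=0 sh gretap.sh 1.2.3.4 2.3.4.5 grelan 192.168.0.1/24
#   HOST2: DRY_RUN=0 sh gretap.sh 2.3.4.5 1.2.3.4 grelan 192.168.0.2/24
if [ "$#" -eq 4 ]; then
    gretap_apply "$@"
fi
```

After running it for real, compare `gretap_verify "$(ip -d link show grelan)" <local> <remote>` on each host; a mismatch almost always means the local/remote pair was swapped on one side, which the kernel accepts silently and which simply results in no traffic.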

The tunnel works without fuss between different Linux distributions: while writing this post, one end was on Ubuntu and the other on CentOS, and there was no difference at all in the configuration.

Once more: this tunnel provides no protection against eavesdropping on or injection of traffic. GRE carries no authentication, and the iptables rule only matches the peer's source IP, so anyone who can spoof that address can drop Ethernet frames straight into your "LAN"; if that matters, put something that authenticates (ssh, IPsec, WireGuard) on top of or underneath it.

Source: https://habr.com/ru/post/227859/
