CRXN documentation / IP tunnel

IP tunnel

Note: IP tunnels (including GRE, GRETAP, SIT and VXLAN) are unencrypted.

Generic Routing Encapsulation (GRE)

GRE tunnels operate on layer 3 of the ISO/OSI model.

Configuring with ip

To create a tunnel, you can use the following command:

ip link add <interface> type gre remote <remote> local <local> ttl 255
ip link set dev <interface> up

Replace <interface> with the desired interface name, <remote> with the IPv4 address of the peer and <local> with your own IPv4 address.

If you want to establish the tunnel over IPv6 instead, replace type gre with type ip6gre and use the IPv6 addresses of both peers for <remote> and <local>.

To delete a tunnel, you can use the following command:

ip link del <interface>

To assign an IP address to the interface, you can use the following command:

ip addr add dev <interface> <ll>/64

Replace <ll> with your own link-local address.

Automatic start with ifupdown

If you want to start the GRE tunnel automatically, you can use an ifupdown template which is placed under /etc/network/interfaces.d:

auto <interface>
iface <interface> inet6 manual
    pre-up ip link add <interface> type gre remote <remote> local <local> ttl 255
    up ip addr add dev <interface> <ll>/64
    post-down ip link del <interface>

The interface can then be started and stopped accordingly:

ifup <interface>
ifdown <interface>

GRETAP

GRETAP tunnels operate on layer 2 of the ISO/OSI model. To use a GRETAP tunnel, you only have to change the type: gretap for IPv4 and ip6gretap for IPv6.

Simple Internet Transition (SIT)

SIT tunnels are created in the same way as GRE tunnels, except that you write type sit instead of type gre. SIT is designed to encapsulate IPv6 packets in IPv4, so a SIT tunnel must be established over IPv4. SIT tunnels operate on layer 3 of the ISO/OSI model.

VXLAN

VXLAN tunnels operate on layer 2 of the ISO/OSI model.

For VXLAN the type is changed to vxlan. Furthermore there are two additional parameters:

ip link add <interface> type vxlan id <vni> remote <remote> local <local> dstport <dstport>

<vni> (Virtual Extensible LAN ID) is the ID of the virtual network (the VXLAN segment). It can range from 1 to 16777216 (2^24). It must be the same for both peers and must not already be in use. <dstport> is the UDP port used for the VXLAN connection. It must be open for UDP in your firewall and must be the same for both peers. Officially VXLAN uses port 4789, but for historical reasons Linux uses port 8472. If you specify 0 as the port, the default port 8472 is used. If you don't specify a port at all, you get a warning.

IP tunnel over UDP

Tunnels at layer 3 (the IP level) can be problematic: NATs or firewalls may drop the packets. To work around this, the encapsulated packets can be wrapped once more in a UDP packet, using either FOU or GUE. With FOU you have to specify the protocol to be encapsulated manually, but FOU needs no extra header. With GUE you don't have to specify the protocol, because GUE carries it in its own header.

Keep in mind that every additional tunnel layer adds its own headers to each packet. This reduces the MTU available to the encapsulated traffic, so less payload can be carried per packet. A high MTU on the underlying link is therefore desirable.

The currently used ports can be displayed with the following command:

ip fou show

If you want to stop using a port for FOU, you can use the following command:

ip fou del port <lport>

If the error message RTNETLINK answers: Invalid argument appears when deleting a port, this may be because you have not specified exactly which port entry should be removed. To stop using a port, you must specify the same parameters you used when you created it:

$ ip fou show
port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002
$ ip fou del port 5001
RTNETLINK answers: Invalid argument
$ ip fou del port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002

If you get the following error message, the FOU kernel module is probably not loaded:

RTNETLINK answers: No such file or directory
Error talking to the kernel

Load it with:

modprobe fou

Foo-over-UDP (FOU)

Use the following command to enable FOU for a port:

ip fou add port <lport> ipproto <proto>

Replace <lport> with your local port. You have to open this port on UDP in your firewall. Replace <proto> with the protocol you want to encapsulate (e.g. gre or sit).

Add the following parameters to the actual tunnel command:

encap fou encap-dport <rport>

For example:

ip link add <interface> type gre remote <remote> local <local> ttl 255 encap fou encap-dport <rport>

Replace <rport> with the remote port of your peer.

Generic UDP Encapsulation (GUE)

Use the following command to enable GUE for a port:

ip fou add port <lport> gue

Replace <lport> with your local port. You have to open this port on UDP in your firewall.

Add the following parameters to the actual tunnel command:

encap gue encap-dport <rport>

Set source port and IP addresses manually

To set the source port and the IP addresses of both peers, there are three additional parameters for ip fou and one for the tunnel:

ip fou add port <lport> [gue|ipproto <proto>] peer_port <rport> local <local> peer <remote>
ip link add [...] encap [...] encap-sport <lport>

Here <lport> is your own port and <rport> is the port of the peer; <local> is your own IP address and <remote> is the IP address of the peer.

Specifying the peer's IP address and port means that only UDP packets arriving from that source are accepted for the tunnel. An attacker sending from a different source IP address therefore cannot inject an encapsulated tunnel packet (e.g. GRE or SIT), even if the inner packet carries the correct addresses. However, this does not protect against IP spoofing of the outer source address.
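A small added script (not CRXN's documentation or tooling) that ties the MTU note in the "IP tunnel over UDP" section to the pinned-peer configuration of this section: it subtracts the header of every encapsulation layer to compute the MTU the tunnel interface should get, and prints the ip commands for a GRE-over-FOU tunnel with local and peer address and ports fixed. Interface name, addresses and ports are placeholders; header sizes are base sizes without optional GRE key/checksum/sequence fields.

```shell
#!/bin/sh
# Added example, not CRXN's own tooling: compute the MTU left for a stacked
# tunnel and print the ip commands for a GRE-over-FOU tunnel with both peers
# pinned. Header sizes are base sizes (GRE without key/csum/seq options).

# hdr_len <layer>: bytes added by one encapsulation layer
hdr_len() {
    case "$1" in
        ipv4)  echo 20 ;;
        ipv6)  echo 40 ;;
        udp)   echo 8 ;;
        gre)   echo 4 ;;
        gue)   echo 4 ;;   # GUE adds its own 4-byte header after UDP
        fou)   echo 0 ;;   # FOU adds nothing beyond the UDP header
        vxlan) echo 8 ;;
        eth)   echo 14 ;;  # inner Ethernet header carried by gretap/vxlan
        *) echo "unknown layer: $1" >&2; return 1 ;;
    esac
}

# tunnel_mtu <outer_mtu> <layer>...: subtract every header in the stack,
# e.g. "tunnel_mtu 1500 ipv4 gre" gives 1476 (Linux's default gre MTU)
tunnel_mtu() {
    mtu=$1; shift
    for layer in "$@"; do
        len=$(hdr_len "$layer") || return 1
        mtu=$((mtu - len))
    done
    echo "$mtu"
}

# gre_over_fou_cmds <iface> <local> <remote> <lport> <rport> <outer_mtu>
# Prints (does not run) the commands; addresses and ports are placeholders.
# The fou entry pins the peer address and port, the link pins the source port.
gre_over_fou_cmds() {
    ifc=$1; loc=$2; rem=$3; lport=$4; rport=$5
    mtu=$(tunnel_mtu "$6" ipv4 udp fou gre) || return 1
    printf 'ip fou add port %s ipproto gre local %s peer %s peer_port %s\n' \
        "$lport" "$loc" "$rem" "$rport"
    printf 'ip link add %s type gre remote %s local %s ttl 255 encap fou encap-sport %s encap-dport %s\n' \
        "$ifc" "$rem" "$loc" "$lport" "$rport"
    printf 'ip link set dev %s mtu %s up\n' "$ifc" "$mtu"
}

# Usage: gre_over_fou_cmds gre1 192.0.2.1 198.51.100.2 5001 5002 1500
```

The printed commands still need root and the fou module to apply; the computed MTU matches what the kernel assigns by default for plain gre (1476), ip6gre (1456) and vxlan (1450) over a 1500-byte link.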