Questions on tunneling multiple connections between two servers with Linux

lartc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Martin Maurer <martin.maurer@mmeacs.de>
To: lartc@vger.kernel.org
Subject: Questions on tunneling multiple connections between two servers with Linux
Date: Fri, 15 Dec 2023 13:05:34 +0100	[thread overview]
Message-ID: <e69b7721-5df2-476a-b05e-975dd5636517@mmeacs.de> (raw)

Hello,

I hope this mailing list is still read even when around 4 years no more 
messages have been exchanged.

Or has the mailing list moved to some newer place and this one is now 
obsolete?

I have some questions on tunneling with Linux:

I have two servers: A and B.

Server B has multiple interface (e.g. 4 interfaces, name it wwan0, 
wwan1, wwan2, wwan3) going to different networks outside the current 
network.

Between server A and B there shall be one or more tunnels, so that 
server A is able to select which data goes over which interface on server B.

1) I tried GRE. Configured 4 IPv4 IP adresses on server A and 4 IPv4 IP 
addresses on server B.

For each pair of IP addresses I installed a GRE tunnel between A and B.

I named the tunnels conn0 to conn3:

#!/bin/bash
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
ip tunnel del conn0
ip tunnel add conn0 mode gre local 192.168.181.1 remote 192.168.181.2 
dev eth0
ip addr add 10.0.0.1/30 dev conn0
ip link set conn0 up
ip tunnel del conn1
ip tunnel add conn1 mode gre local 192.168.181.3 remote 192.168.181.4 
dev eth0
ip addr add 10.0.0.3/30 dev conn1
ip link set conn1 up
ip tunnel del conn2
ip tunnel add conn2 mode gre local 192.168.181.5 remote 192.168.181.6 
dev eth0
ip addr add 10.0.0.5/30 dev conn2
ip link set conn2 up
ip tunnel del conn3
ip tunnel add conn3 mode gre local 192.168.181.7 remote 192.168.181.8 
dev eth0
ip addr add 10.0.0.7/30 dev conn3
ip link set conn3 up
$

On server B I added forwarding rules like this (4 interfaces shown)

sudo iptables-F
sudo iptables-P INPUT ACCEPT
sudo iptables-P FORWARD ACCEPT
sudo iptables-P OUTPUT ACCEPT

sudoiptables-t nat-A POSTROUTING -o wwan0 -j MASQUERADE

sudoiptables-A FORWARD -i conn0 -o wwan0 -j ACCEPT

sudoiptables-A FORWARD -i wwan0 -o conn0 -m 
state--stateESTABLISHED,RELATED-j ACCEPT

sudoiptables-t nat-A POSTROUTING -o wwan1 -j MASQUERADE

sudoiptables-A FORWARD -i conn1 -o wwan1 -j ACCEPT

sudoiptables-A FORWARD -i wwan1 -o conn1 -m 
state--stateESTABLISHED,RELATED-j ACCEPT

sudoiptables-t nat-A POSTROUTING -o wwan2 -j MASQUERADE

sudoiptables-A FORWARD -i conn2 -o wwan2 -j ACCEPT

sudoiptables-A FORWARD -i wwan2 -o conn2 -m 
state--stateESTABLISHED,RELATED-j ACCEPT

sudoiptables-t nat-A POSTROUTING -o wwan3 -j MASQUERADE

sudoiptables-A FORWARD -i conn3 -o wwan3 -j ACCEPT

sudoiptables-A FORWARD -i wwan3 -o conn3 -m 
state--stateESTABLISHED,RELATED-j ACCEPT

Could this work? Or I am missing something?

Do I really need 4 IP addresses on server A and server B for the 4 
tunnels? Or can I do it with just 1 real IPv4 address on each side?

"Inside" addresses relevant, or can i just use the same for each tunnel 
(e.g. 10.0.0.1 and 10.0.0.2)

I see with wireshark that sometimes packets are not exchanged over the 
right tunnel. But I have not yet analyzed what is the problem.

2) A suggestion was to use a stream id with IP-in-IP.
Can it really used for such a use case? Is the stream id used for 
tunneling purposes at all? Is it supported by Linux,

to fill in one sending tunneling endpoint and using it on receiving 
tunneling endpoint?

3) Assuming in next step I also need encryption on tunnels: Better to 
switch over to some different approach like VPN?

Or is there some "secure GRE" or "secure IP-in-IP"? Or possible to use 
stunnel, or stunnel together with GRE or IP-in-IP? Or not preferred way?

Are there other variants instead of VPN which I shall look at?

4) A question which came up was "MTU". The above tunnels eats some bytes 
from MTU.

What happens if e.g. MTU gets reduced by GRE or IP-in-IP by 24 or 20 bytes

and a packet is sent which exceeds the reduced MTU.

Is it fragmented automatically? Do I need to take care that sent packets 
are now really smaller than 1476 or 1480 bytes?

Is there perhaps some documentation, webpages or books which can help me 
with info on such topics?

Many thanks in advance!

Best regards,

Martin

next             reply	other threads:[~2023-12-15 12:16 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-15 12:05 Martin Maurer [this message]
2023-12-16 19:07 ` Questions on tunneling multiple connections between two servers with Linux Grant Taylor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e69b7721-5df2-476a-b05e-975dd5636517@mmeacs.de \
    --to=martin.maurer@mmeacs.de \
    --cc=lartc@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).