Broadband-Hamnet™ Forum :: General
Subject: Virtual Tunnels..
2014-09-29 08:05:46
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
I have a few questions regarding the use of vtund:
1) Is this article still valid for BBHN 1.1.2? http://www.broadband-hamnet.org/documentation/120-creating-a-tunnel-network.html
2) Is the 172.31.x.x network only for the vtun interface, or should that now be a 10.x.x.x network?
3) Are there plans to build a config page to allow the configuration of vtund server and clients on the backlog? If not, I was considering creating a /cgi-bin/vpn page to allow for installation and configuration of it. Is anyone interested in this?
73, K5DLQ - Darryl Houston/The Woodlands/Magnolia/Conroe TX
Darryl - K5DLQ
www.aredn.org
Subject: Re: Virtual Tunnels..
2014-09-29 08:22:49
KG6JEI (Member; Joined: 2013-12-02; Posts: 516)
I do not believe it's been updated to reflect version 1.1.x and higher, only 1.0.x. Node tunnels should not be in the 10.x.x.x range as this would conflict with everything else. Keep it in the 172.31.x.x space and we can easily know where these are at, and you will have much less chance that a future upgrade will cause you issues or that you will cause issues on other networks with conflicts.
Note: Most posts submitted from iPhone
Subject: Re: Virtual Tunnels..
2014-09-29 08:23:59
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Thx for the quick reply.
73
Subject: Re: Virtual Tunnels..
2014-09-29 08:27:30
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
As a followup, does anyone have a working/available vtund server that I can connect to for testing? Thinking of doing the client side UI first.
Subject: Re: Virtual Tunnels..
2014-09-30 09:39:45
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
anyone using vtun?
Subject: Re: Virtual Tunnels..
2014-10-01 06:00:21
AE5CA (Member; Joined: 2012-05-19; Posts: 81)
I have been working on getting a tunnel server running for months. I have a set of Linksys 1.0.1 WRT54GS boxes which work as a tunnel server/client. I have yet to get a Ubiquiti box to work. I did get close with version 1.0.1: the nodes would connect but the OLSR would not join the networks. I am trying again to get it going, this time under 3.0.0. I submitted ticket 65 to ask for some help to get the changes to get 3.0.0 to work with tunnels documented. See ubnt.hsmm-mesh.org for more info.
Clint
Subject: Re: Virtual Tunnels..
2014-10-01 07:55:47
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Thanks Clint. I read your ticket, and we in Montgomery County are in a similar situation. Would like to get some infrastructure in place via vtun until we can fly a node up to 700' on a tower. I have a WRT54GS (1.1.2) with vtun installed. Would you like to coordinate and see if we can get them working first? I also have a Ubi Bullet M2 to test with. I have not loaded 3.0.0preview on anything just yet. If you would like to try, email me at k5dlq@arrl.net; I can open a port in my firewall and configure for you to connect. I am upgrading to V3 beta (-20-v3) to test a few things now.
Darryl
Last Edited On: 2014-10-01 08:57:43 By k5dlq
|
Subject: Re: Virtual Tunnels..
2014-10-01 10:09:23
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Question regarding the instructions:
1) Are these lines needed for the forwarding rules (since they are commented in the docs):
iptables -A FORWARD -i $LAN -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $LAN -j ACCEPT
iptables -A FORWARD -i $WIFI -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $WIFI -j ACCEPT
2) If they are needed, can they be inserted into /etc/firewall.user instead of /etc/init.d/firewall?
73, K5DLQ
Last Edited On: 2014-10-01 10:10:27 By k5dlq for the Reason: fixed formatting
Subject: Re: Virtual Tunnels..
2014-10-01 12:38:01
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
BTW, on the Bullet M2, wouldn't you need a managed switch to have a "wan" side connection to the "internet" in order to properly set up vtun? By default, the RJ45 is on the LAN.
Subject: Re: Virtual Tunnels..
2014-10-01 17:22:05
AE5CA (Member; Joined: 2012-05-19; Posts: 81)
Yes, a "managed" switch is required for the UBNT devices. In reality, the switch needs to support 802.1Q.
The main node at my house is a Rocket M2. It is connected to a Netgear GS108E switch. I personally believe everyone using the UBNT gear needs a managed switch or two. In my QTH setup, I have my Rocket M2 and a NanoStation Loco M900 connected using dtd-linking. This lets me combine the 2.4 GHz mesh with my 900 MHz mesh. I wanted to get a tunnel client using Ubiquiti gear as well. That way someone connecting to me can also have the superior performance of the UBNT gear for their local mesh. It is also much easier to find a UBNT node and a switch such as the GS105E than a WRT54GS. I am using a NanoStation M5 for my client setup. This gave me the ability to not have my nodes connecting via wifi.
Clint, AE5CA
Subject: Re: Virtual Tunnels..
2014-10-01 17:50:40
AE6XE (Member; Joined: 2013-11-05; Posts: 116)
Ironically, I had set up last week a (somewhat :) ) working tunnel using openvpn between a Rocket M5 and a Bullet M2 under 3.0.0 across my home network. I could ssh across the tunnel, but still needed to debug why olsrd thought the virtual interface was down.
I'd be interested in testing out and periodically connecting the mesh here in Orange County, CA with others. I'll try to revert my Bullet to the tunnel server config from this thread this weekend or next week.
Joe AE6XE
Subject: Re: Re: Virtual Tunnels..
2014-10-02 02:09:10
SM7I (Member; Joined: 2012-04-30; Posts: 79; Location: JO65mo)
Hi,
Yes, they can be inserted into /etc/firewall.user as well.
I'm happy to announce that we, in Sweden, have done some extensive testing with a Spanish node, as can be seen in the topology by following the link, and have full connectivity not only to the BBHN/HSMM mesh network, but also to AMPRnet through the tunneling. We are also able to route AMPRnet subnets down to a single node if needed. http://44.140.236.17:8080
Please also note that the documentation is being updated with the latest information about a NAT issue that might occur in tunneling depending on the central solution. Anybody wanting the documentation addendum is free to contact me.
We are also happy to help you connect to us in Sweden if you like.
73sss SM7I
[k5dlq 2014-10-01- 10:09:23]: question regarding the instructions:
1) Are these lines needed for the forwarding rules (since they are commented in the docs):
iptables -A FORWARD -i $LAN -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $LAN -j ACCEPT
iptables -A FORWARD -i $WIFI -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $WIFI -j ACCEPT
2) if they are needed, can they be inserted into /etc/firewall.user instead of /etc/init.d/firewall?
73, K5DLQ
Last Edited On: 2014-10-02 02:13:28 By SM7I
IT infrastructure and security professional
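The four iptables lines quoted in the post above only do what is intended if they are all present and nothing else forwards between the tun+ interfaces and, say, the WAN port. The following is an added example, not code from the thread or from BBHN: it parses the FORWARD chain out of an iptables-save style dump and reports which of the four tun+ ACCEPT rules are missing and which extra ACCEPT rules involve the tunnel. The dump is constructed for the example; the thread's $LAN and $WIFI placeholders are assumed to be eth0 and wlan0, and eth1 is assumed to be the WAN interface.

```python
# Added example, not code from the thread or from BBHN: an audit of the
# FORWARD chain in an iptables-save dump for the four tun+ rules quoted
# above. The dump is constructed; the thread's $LAN/$WIFI placeholders are
# assumed here to be eth0 and wlan0, and eth1 is assumed to be the WAN port.
import re

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i wlan0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

FORWARD_RULE = re.compile(r"^-A FORWARD\s+(.*?)\s*-j\s+(\S+)\s*$")


def parse_forward_rules(dump: str) -> list:
    """Return (in_iface, out_iface, target) for every '-A FORWARD' line."""
    rules = []
    for line in dump.splitlines():
        m = FORWARD_RULE.match(line.strip())
        if not m:
            continue
        toks, target = m.group(1).split(), m.group(2)
        in_if = out_if = None
        for i, tok in enumerate(toks[:-1]):
            if tok == "-i":
                in_if = toks[i + 1]
            elif tok == "-o":
                out_if = toks[i + 1]
        rules.append((in_if, out_if, target))
    return rules


def forward_policy(dump: str) -> str:
    """Default policy of the FORWARD chain (':FORWARD DROP [..]' line)."""
    m = re.search(r"^:FORWARD\s+(\S+)", dump, re.M)
    return m.group(1) if m else "UNKNOWN"


def audit_tunnel_forwarding(dump: str, lan="eth0", wifi="wlan0", tun="tun+") -> dict:
    """Compare ACCEPT rules touching the tunnel against the expected four pairs."""
    accepts = {(i, o) for i, o, t in parse_forward_rules(dump) if t == "ACCEPT"}
    expected = {(lan, tun), (tun, lan), (wifi, tun), (tun, wifi)}
    missing = sorted(expected - accepts)
    # Any other ACCEPT pair involving the tunnel (e.g. tun+ -> WAN) lets tunnel
    # peers reach an interface the quoted rules never intended to expose.
    unexpected = sorted(p for p in accepts if tun in p and p not in expected)
    policy = forward_policy(dump)
    return {
        "policy": policy,
        "missing": missing,
        "unexpected": unexpected,
        # With a default ACCEPT policy the per-interface rules change nothing.
        "ok": not missing and not unexpected and policy != "ACCEPT",
    }


if __name__ == "__main__":
    print(audit_tunnel_forwarding(SAMPLE_DUMP))
```

On a node you would feed it the output of `iptables-save` and your real interface names. Interface names are compared literally, so a rule written as `-i tun0` rather than `-i tun+` shows up as unexpected; that is deliberate, since a per-device rule stops matching the moment a second client gets tun1.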
Subject: Re: Virtual Tunnels..
2014-10-03 07:11:59
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Joe, let me know if you want to try and connect to my server, or, vice versa.
email me at k5dlq@arrl.net
SM7I, I would like to review your docs once available. Are you using GRE or VTUN?
Subject: Re: Virtual Tunnels..
2014-10-05 04:35:38
AE6XE (Member; Joined: 2013-11-05; Posts: 116)
I was able to set up a functional VTUN tunnel across my home network between a Bullet and a Rocket. The mesh and olsr status pages show the lone device across the tunnel as if it was a DTDlink in all respects. I will need to enhance slightly for the vtun server/host node to enable multiple clients (tun*) simultaneously such that the firewall rules continue to work. I'll post these config files, hopefully later this evening.
Subject: Re: Virtual Tunnels..
2014-10-05 05:22:52
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Trying to get my client connected to a server. I'm getting a "vtund[2242]: Connection denied by...." error.
Here is a tcpdump of the conversation: (I've replaced the actual target IP with 4.5.6.7 and my actual client name with "myclientname")
Any ideas???
73, K5DLQ - Darryl
Last Edited On: 2014-10-05 05:30:51 By k5dlq
Subject: Re: Virtual Tunnels..
2014-10-05 15:39:01
AE6XE (Member; Joined: 2013-11-05; Posts: 116)
Here's my setup of vtun with instructions to install on both server and client. Untar and check out the README files. Anyone that would like to connect to the mesh in Southern CA, send me email to exchange a password. My internet IP is already in the config files here... ae6xe@cox.net
Note, I've not tested my instructions with a fully clean test run. Let me know if I may need corrections (but not with basic linux command line, etc.).
Download tar file here: https://dl.dropboxusercontent.com/u/58390217/vtun_install.tar
Last Edited On: 2014-10-05 15:45:28 By AE6XE
Subject: Re: Re: Virtual Tunnels..
2014-10-05 19:40:27
SM7I (Member; Joined: 2012-04-30; Posts: 79; Location: JO65mo)
Hi,
Well, we are using GRE tunneling as we wanted to keep the footprint of implementation to such minimum that it could successfully be run on even the GL models.
I will be releasing the latest docs soon, but please feel free to look at the documentation found at http://www.ssra.se/upload/hsmm%20scripts.pdf
[k5dlq 2014-10-03- 07:11:59]: Joe, let me know if you want to try and connect to my server, or, vice versa.
email me at k5dlq@arrl.net
SM7I, I would like to review your docs once available. Are you using GRE or VTUN?
Subject: Re: Virtual Tunnels..
2014-10-07 19:24:35
kd5aeq (Member; Joined: 2014-08-16; Posts: 6; Location: Las Cruces, NM, USA)
For the sake of discussion, what are the advantages/disadvantages in vtun vs GRE tunneling? I've set up GRE tunneling before but have not had the opportunity to play with vtun.
Corby kd5aeq
Network Systems Engineer by day, BBHN by night
Subject: Re: Virtual Tunnels..
2014-10-08 07:21:01
AE6XE (Member; Joined: 2013-11-05; Posts: 116)
GRE - by itself no encryption, lightweight kernel mode tunnel, performance edge. Add IPsec on top for encryption, also in kernel mode (or other designed encryption techniques/strengths over this tunnel). Googled internet posts claim it is more complicated to do encryption over GRE and, depending on technique, may limit the protocols.
vtund - on top of the vtun kernel driver with everything else in user space. Packaged with a basic level of 128 bit encryption -> easier to set up. Doesn't limit protocols in use. I'd call this the middle ground solution.
What is best for our community? Depends... If we have no need to encrypt data carried over the internet, basic GRE with no encryption is lighter weight and straightforward. If we need to do encryption (let's say a city EOC has requirements to encrypt their data if going over the open internet), then vtund. If 'strong' encryption is required, then we'd want to look at something like OpenVPN (over the vtun driver) and 1024 bit keys.
All, what do we as a community think are our requirements? What level of security (for the purpose of tunneling traffic over the internet to connect MESHes) should be packaged in a future release of bbhn? This need is likely the significant factor (while still considering options that are easy, supportable, and work). Any opinions?
Last Edited On: 2014-10-08 07:22:41 By AE6XE for the Reason: corrected formatting
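The "GRE by itself has no encryption" point in the post above is easy to state and worth seeing on the wire. The following is an added example, not code from the thread, from BBHN or from any of the posters: a minimal RFC 2784 GRE encapsulator and decapsulator in Python that builds a tunnelled packet and then parses it the way an on-path observer between the two internet endpoints would, recovering the inner mesh addresses and the payload unchanged. It also verifies the optional GRE checksum, which catches corruption but, like everything else in GRE, gives no confidentiality or authenticity. All addresses and the payload are constructed; 192.0.2.x and 198.51.100.x are documentation ranges standing in for the two tunnel endpoints, and the 10.23.45.x inner addresses are made-up mesh node addresses.

```python
# Added example, not code from the thread or from BBHN: a minimal GRE
# (RFC 2784) encapsulator/decapsulator used to show what an on-path observer
# sees when mesh traffic crosses the internet in a plain GRE tunnel.
# All addresses and the payload are constructed; 192.0.2.x / 198.51.100.x
# are documentation ranges standing in for the two tunnel endpoints.
import struct

GRE_PROTO_IPV4 = 0x0800              # Protocol Type for an IPv4 inner packet
GRE_FLAG_CHECKSUM = 0x8000           # "C" bit: checksum + reserved1 word follows
GRE_RESERVED0_MUST_BE_ZERO = 0x7C00  # bits 1-5; RFC 2784 says discard if set
IPPROTO_GRE = 47


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, with_checksum: bool = True) -> bytes:
    """Prepend a version-0 GRE header; the inner packet is copied verbatim."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    hdr = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)      # checksum placeholder, reserved1
        csum = inet_checksum(hdr + inner)    # covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0)
    return hdr + inner


def gre_decapsulate(gre: bytes) -> dict:
    """Parse a GRE packet, verify its checksum if present, expose the inner packet."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    if flags & GRE_RESERVED0_MUST_BE_ZERO:
        raise ValueError("reserved GRE bits set")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected protocol type 0x%04x" % proto)
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        offset = 8
        if inet_checksum(gre) != 0:          # a valid checksum sums to zero
            raise ValueError("GRE checksum mismatch")
    inner = gre[offset:]
    ihl = (inner[0] & 0x0F) * 4
    return {
        "checksummed": bool(flags & GRE_FLAG_CHECKSUM),
        "inner_src": ".".join(str(b) for b in inner[12:16]),
        "inner_dst": ".".join(str(b) for b in inner[16:20]),
        "inner_proto": inner[9],
        "payload": inner[ihl:],              # cleartext: GRE adds no confidentiality
    }


def build_tunnelled_packet() -> bytes:
    """Constructed sample: mesh node 10.23.45.67 -> 10.23.45.68 inside the tunnel."""
    payload = b"mesh traffic in the clear"
    inner = ipv4_header("10.23.45.67", "10.23.45.68", 6, len(payload)) + payload
    gre = gre_encapsulate(inner)
    return ipv4_header("192.0.2.10", "198.51.100.20", IPPROTO_GRE, len(gre)) + gre


def sniff(outer: bytes) -> dict:
    """What anyone on the path between the endpoints can recover from the wire."""
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    outer_ihl = (outer[0] & 0x0F) * 4
    return gre_decapsulate(outer[outer_ihl:])


if __name__ == "__main__":
    seen = sniff(build_tunnelled_packet())
    print("inner %s -> %s payload=%r" % (seen["inner_src"], seen["inner_dst"], seen["payload"]))
```

The same `sniff` view is what an IPsec transport-mode wrapper around GRE, or vtund's encryption, is meant to deny an observer; with plain GRE the OLSR hellos, SSH banners and anything else the mesh carries are readable at every hop between the two endpoints.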
Subject: Re: Virtual Tunnels..
2014-10-08 10:17:17
k5dlq (Member; Joined: 2012-05-11; Posts: 233; Location: Magnolia, TX USA)
Great post AE6XE. How "lightweight" is GRE? Would it possibly fit/run in a WRT54G (non-S) with limited RAM and storage?