Score:2

What does ip addr add dev tun1 local 192.168.69.0 remote 192.168.69.1 mean?

jp flag

I found the following set of commands to open a tun device on linux that relays things to the internet. However, packets are not relayed back to the tun device

ip tuntap add dev tun1 mode tun user `id -un`
ip link set dev tun1 up
ip addr add dev tun1 local 192.168.69.0 remote 192.168.69.1
iptables -t filter -I FORWARD -i tun1 -o eth0 -j ACCEPT
iptables -t filter -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

what does ip addr add dev tun1 local 192.168.69.0 remote 192.168.69.1 mean? What is local and remote? What could possibly be missing?

My client sends a SYN, the server responds with SYN+ACK, but this SYN+ACK is not relayed back to the tun device.

us flag
What is the actual thing you are trying to do? What is your network topology?
Nikita Kipriyanov avatar
za flag
Tun device is not a "network tunnel". It is the *virtual interface* of the OSI level 3, so you can attach some program to it and all packets you put into the tun will be fed to that program, and also the program can fed packets to the system so they will appear as coming out of tun interface. Again this has nothing to do with tunnelling per se. It's just the virtual NIC. Yes, you could build a tunneling solution based on this, but it'll be inefficient in comparison with, say, ipip or gre tunnel.
Nikita Kipriyanov avatar
za flag
@A.B. `tinc` also is using that. But when you are using either one you never need to run commands like that we see in this question.
jp flag
@NikitaKipriyanov it's just for testing purposes. What is wrong in my commands? I'd like to build a simple tunnel so I can test with a userspace tcp/ip stack (smoltcp). Send packets to the world and receive them in the tun as if it were a VPN, just like OpenVPN does
Nikita Kipriyanov avatar
za flag
@A.B. again, use of `tun` does not mean there will be OpenVPN. Actually this guy clearly stated he doesn't intend to use OpenVPN but smoltcp, which is a Rust library, a software network stack. I'd not call this monster "a tunnel".
A.B avatar
cl flag
A.B
@NikitaKipriyanov Oh I didn't read there was smoltcp. My bad
Nikita Kipriyanov avatar
za flag
@GuerlandoOCs there is nothing wrong with your commands; I am used to see people who try to program network stuff already know networking basics, so I wanted to be sure you know what you are doing.
Score:2
za flag

In simple terms, you can distingush between two types of links (this is simplification, but enough for this question):

  • peer-to-peer links, where each side of a link is a single peer. Each peer knows that there is just one other peer behind the link and everybody else is routed. Example is a serial link (via the PSTN modem)
  • multiple access links, where there may be more than one other peer behind the link. There are multitude of examples, like Ethernet, WiFi, and some obsolete ones

When you configure address to an interface in the (usual) form of "address and netmask" via ip address add x.y.z.t/n dev eth, you essentially do the following things:

  • tell kernel it should recognize an x.y.z.t as its own address, so it adds a scope local route into local routing table
  • tell kernel that addresses like x.y.z.00...0÷x.y.z.11...1 are directly accessible behind the link, so it adds a scope link route via this interface into the main routing table (/n specifies actually how many bits of address are common for all host on that network)
  • tell kernel x.y.z.11...1 is the "broadcast" address of the link, so it adds a broadcast route into the local table (and will consider packets destined to that address, in addition to the "node personal" address x.y.z.t)

But there is no "network" behind the peer-to-peer link, there is nobody to broadcast to, there may be only one other peer. When you add address to the link in the form ip address add local x.y.z.t remote b.c.d.e dev tun, you essentially do the following:

  • tell the kernel it should recognize an x.y.z.t as its own address, so it adds a scope local route into local routing table
  • tell the kernel the address b.c.d.e is directly accessible through that link, so it adds a route to that address via this interface to the main routing table.

E.g. the command ip address add local 10.0.1.0 remote 10.0.1.1 dev tun0 simply creates the following routes:

  • local 10.0.1.0 dev tun0 proto kernel scope host src 10.0.1.0 (in the local table)
  • 10.0.1.1 dev tun0 proto kernel scope link src 10.0.1.0 (in the main table)

Check routing tables before and after issuing "ip address add" commands in both cases.

Notice you may add peer-to-peer style config to the multiple access inteface and vice versa; you even can add a single "/32" address and then add routing "via the interface" by hand, and that will work exactly as if you set a meaningful netmask or remote address in the command. You can even add several types of configuration to the single interface and all of them could work simultaneously! So don't take all of these parameters too serously, think of them as the way to automatically add necessary routes when you configure an address.

jp flag
so if I understood correctly, `ip addr add dev tun1 local 192.168.69.0 remote 192.168.69.1` makes my address `192.168.69.0`, so every packet with this address as destination will reach `tun1`, and also makes `192.168.69.1` accessible via `tun1`. So if I want to access any website, I must make `ip addr add dev tun1 local 192.168.69.0 remote 0.0.0.0`?
Nikita Kipriyanov avatar
za flag
No, you've got the idea compelety wrong. It seems you don't even understand what are you asking in your own question, because I answered exactly to it. Remind me, why did you need `tun` interface? How does that correspond to this comment? If you want to ask additional unrelated questions, please ask them as questions on their own. Also, ServerFault is not the correct place to ask questions like this. SuperUser maybe. If you develop software, StackOverflow. If your question Linux-specific, go unix.stackechange.com. Here we solve business problems.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.