Network Tunnels with Linux

Creating network tunnels in Linux is easy and provides a great solution to what might otherwise be difficult to solve networking problems. Most people are familiar with tunnels as they are used to create virtual private networks (VPN) to connect remote sites, or remote hosts, to a central site securely, allowing the remote network to be accessed as if it is local.  A tunnel creates a logical network between two hosts that might be on completely different networks such as in two different data centres with two completely different network ranges.


Using Linux's IPRoute2 Utilities to create tunnels

In Linux we make use of the IPRoute2 utilities to create tunnels and to manage them. Although you can use ifconfig to managed tunnels this is an aging, and no longer adequate utility for todays networking requirements. The ip utility can create gre or ipip (ip in ip) tunnels for both IPv4 and IPv6 networks. These tunnels are not natively encrypted so any encryption would need to be done at the layer 7 level to avoid eave-dropping. Of course you can also create secure tunnels easily using SSH as a SOCK proxy but this requires application level support to use the tunnel so not all traffic will go over the SOCK tunnel.

Creating tunnels involves three steps which must be performed on the two hosts that are participating in the tunnel:

  1. Create a logical tunnel device,
  2. Assign an IP address to the device
  3. Set up routing rules to route traffic over the tunnel

Each host is the mirror of the other when it comes to creating rules. E.G. The remote ip for host A is the local ip for host  B and visa-versa.

1. Create the logical tunnel interface. The type of tunnel will depend on your needs either ipip, gre.sit etc.

"ip tunnel add tun0 mode ipip local [host's A  public ip] remote [remote host's B public ip]"
eg: "ip tunnel add tun0 mode ipip local remote"

2. Assign an ip to the tunnel interface

"ip address add [private ip address] dev tun0"
"ip address add dev tun0"

This private ip address is usually separate from the network address of the local network. It is a network that is for the tunnel only. The remote tunnel should be assigned an different address in the same network as its counterpart. So in the above the ip on host A is and host B will be something like

3. Add routing rules to the route traffic over the tunnel:

"ip route add [remote network]/24 via [remote tunnels IP address]"
"ip route add via"

The above assumes that the remote host (host B) is on a network with a network address of 10.0.10/24. The local network (host A) could for example be 172.16.16/24 for example. The remote host will need to add a route for this network through the tunnel.

Uses for unencrypted tunnels

These days it generally not good practice to send anything out unencrypted. but you still might find a use for ipip or gre tunnels. They are a great way to bond ADSL connections or to create a seamless virtual network between hosts in different data centres and an absolute necessity to connect IPv6 networks swimming the sea of IPv4 networks.

Need Linux support and consulting or Linux training?  Why not contact us.