Line 213: |
Line 213: |
| == GRE Tunnel == | | == GRE Tunnel == |
| {{go to top}} | | {{go to top}} |
| + | GRE Tunnels |
| + | |
| + | ===Public/Private VM tunnel=== |
| + | GRE tunnels are useful for connecting a VM in a private/home network to the internet via a public server/VM. The following information will connect Server A (public server) to Server B (private server), and allow requests to Server B to be passed to Server A's resources for use on the Internet. |
| + | |
| + | ====Configuration==== |
| + | '''IP addresses''' |
| + | * Server A will have a public IP of 30.30.30.30/24 and the GRE interface will be assigned 192.168.168.1/30 |
| + | * Server B will have a private IP of 10.0.0.50/24, a public IP of 40.40.40.40/24 and the GRE interface will be assigned 192.168.168.2/30 |
| + | '''Ports''' |
| + | * Ports 22, 80 and 443 will be forwarded over the GRE tunnel |
| + | |
| + | =====Server A (Public)===== |
| + | Copy the following to /etc/gre.sh |
| + | <syntaxhighlight lang="bash"> |
| + | #!/bin/sh |
| + | ip tunnel add gre1 mode gre local 10.0.0.50 remote 40.40.40.40 ttl 255 |
| + | ip add add 192.168.168.1/30 dev gre1 |
| + | ip link set gre1 up |
| + | |
| + | iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source 30.30.30.30 |
| + | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT |
| + | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT |
| + | |
| + | iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.168.2 |
| + | iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.2 |
| + | iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.168.2 |
| + | </syntaxhighlight> |
| + | |
| + | =====Server B (Private)===== |
| + | * Add the following to /etc/iproute2/rt_tables<syntaxhighlight lang="text"> |
| + | 100 GRE</syntaxhighlight> |
| + | * Copy the following to /etc/gre.sh |
| + | <syntaxhighlight lang="bash"> |
| + | #!/bin/sh |
| + | iptunnel add gre1 mode gre local 10.0.0.50 remote 30.30.30.30 ttl 255 |
| + | ip addr add 192.168.168.2/30 dev gre1 |
| + | ip link set gre1 up |
| + | |
| + | ip rule add from 192.168.168.0/30 table GRE |
| + | ip route add default via 192.168.168.1 table GRE |
| + | </syntaxhighlight> |
| | | |
| ==L2TP Ethernet Pseudowires== | | ==L2TP Ethernet Pseudowires== |
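Review bot: the state match in both FORWARD rules is invalid and iptables will reject the rules, because `NEW.ESTABLISHED,RELATED` uses a period where the list needs a comma (`--state NEW,ESTABLISHED,RELATED`); the second FORWARD line is also a verbatim copy of the first, so return traffic from 192.168.168.2 is never accepted, and it should presumably read `iptables -A FORWARD -s 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`. Two further problems in the Server A script: `ip tunnel add gre1 mode gre local 10.0.0.50 remote 40.40.40.40 ttl 255` gives Server A the local endpoint of Server B, whereas the configuration list says Server A's own address is 30.30.30.30; and nothing enables forwarding, so `sysctl -w net.ipv4.ip_forward=1` (or the /etc/sysctl.conf equivalent) must precede the DNAT rules or they forward nothing. Minor: `ip add add` only works because iproute2 accepts abbreviated object names; `ip addr add`, as used in the Server B script, is clearer. Missing documentation: since Server B builds its tunnel from 10.0.0.50 while Server A points at 40.40.40.40, the NAT in front of Server B must pass GRE (IP protocol 47) through to 10.0.0.50, otherwise the tunnel never comes up. Two caveats worth stating: the DNAT of port 22 on 30.30.30.30 captures Server A's own SSH port, so administrators lose direct SSH access to Server A unless its sshd listens elsewhere; and GRE provides no authentication or encryption, so Server A should at least restrict protocol 47 to Server B's public address (for example `iptables -A INPUT -p gre ! -s 40.40.40.40 -j DROP`) and anything sensitive on the forwarded ports needs end-to-end protection.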
Line 998: |
Line 1,040: |
| | | |
| Calling tinc with -k or --kill option will cause it to automatically unregister itself. | | Calling tinc with -k or --kill option will cause it to automatically unregister itself. |
| + | |
| + | == SOCAT == |
| + | SOCAT can be used to create a simple virtual network between two hosts using UDP and TUN devices. |
| + | |
| + | '''Note: It is possible to use TCP for this as well, but without the nodelay option it might cause problems. You can also replace UDP with DTLS to add security to the connection.''' |
| + | |
| + | *IP addresses used in this example: |
| + | {| class="wikitable" style="text-align: center; width: 35%" |
| + | ! Host |
| + | ! Address |
| + | ! Mask |
| + | |- |
| + | | Physical server address |
| + | | 1.2.3.4 |
| + | | N/A |
| + | |- |
| + | | Physical client address |
| + | | N/A |
| + | | N/A |
| + | |- |
| + | | TUN device on server |
| + | | 192.168.255.1 |
| + | | 255.255.255.0 |
| + | |- |
| + | | TUN device on client |
| + | | 192.168.255.2 |
| + | | 255.255.255.0 |
| + | |} |
| + | |
| + | Note: UDP connections will use PORT 11443. |
| + | |
| + | === Create TUN devices === |
| + | *TUN Server<syntaxhighlight lang="text"> |
| + | socat -d -d UDP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up</syntaxhighlight> |
| + | |
| + | *TUN Client<syntaxhighlight lang="text"> |
| + | socat UDP:1.2.3.4:11443 TUN:192.168.255.2/24,up</syntaxhighlight> |
| + | |
| + | Executing these two commands will result in a connection being established from the client to the server via TUN devices. |
| + | |
| + | === Troubleshooting === |
| + | The following are common errors that you may encounter when using SOCAT to create a VPN. |
| + | *Missing TUN/TAP Support<syntaxhighlight lang="text"> |
| + | ... E unknown device/address "tun"</syntaxhighlight> |
| + | |
| + | The SOCAT binary probably does not provide TUN/TAP support. Reasons include not using Linux and using an older version of SOCAT. |
| + | |
| + | *Missing Kernel Support<syntaxhighlight lang="text"> |
| + | ,,, E open("/dev/net/tun", 02, 0666): No such file or directory</syntaxhighlight> |
| + | |
| + | This incidates that your kernel does not have TUN/TAP support compiled in. |
| + | |
| + | *TUN Cloning Device Permissions<syntaxhighlight lang="text"> |
| + | ... E open("/dev/net/tun", 02, 0666): Permission denied</syntaxhighlight> |
| + | |
| + | This indicates that you do not have sufficient permission to read or write to the TUN cloning device. Check the device's permssions and ownership. |
| | | |
| == SoftEther == | | == SoftEther == |
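Review bot: the section should state that both socat commands need root (or CAP_NET_ADMIN) to create the TUN device, which is also the cause of the `Permission denied` error listed under Troubleshooting, and that `UDP-LISTEN:11443,reuseaddr` accepts packets from any source, so any host that can reach UDP port 11443 can attach itself to the server's TUN interface and all traffic crosses the network in cleartext. The DTLS alternative mentioned in the bold note deserves to be the recommended form rather than an aside, and at minimum the listener should carry socat's `range=` option (for example `UDP-LISTEN:11443,reuseaddr,range=<client-address>/32`, with the client's physical address substituted) to limit which peer may connect. Typos in the added text: `,,, E open(...)` under Missing Kernel Support should begin with `...` like the other two messages, `incidates` should be `indicates`, and `permssions` should be `permissions`.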
Line 1,246: |
Line 1,344: |
| From: https://forum.mikrotik.com/viewtopic.php?t=174417#<ref>Mikrotik Forums - MikroTik Wireguard server with Road Warrior clients [https://forum.mikrotik.com/viewtopic.php?t=174417#]</ref> | | From: https://forum.mikrotik.com/viewtopic.php?t=174417#<ref>Mikrotik Forums - MikroTik Wireguard server with Road Warrior clients [https://forum.mikrotik.com/viewtopic.php?t=174417#]</ref> |
| | | |
− | The following information will show you how to setup a Mikrotik Wiregurad server with Road Warrior clients. | + | The following information will show you how to setup a Mikrotik Wireguard server with Road Warrior clients. |
| | | |
| ==== Network topology ==== | | ==== Network topology ==== |
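Review bot: the spelling fix is correct; for consistency with the project's own name the sentence could use `WireGuard` (capital G), and the trailing `#` on the forum URL in the From: line and in the reference is stray and can be dropped.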