tun command (building tunnels)
Description
Tunnels merge two remote, physically unconnected networks into one logical structure. They are widely used to build corporate networks, the so-called virtual private networks (VPN): several remote offices, connected to the Internet through the same or different providers, are joined to the company headquarters or to each other by tunnels and thus form one corporate structure. A common IP address space and a common registration/accounting policy can then be used throughout the whole VPN-based corporate network, independently of the provider(s) used. Tunnels also solve the problem of sharing one transport medium in a public network among several providers: a client can be connected by a tunnel to a specific provider and be serviced by that provider, irrespective of the point at which the client is attached to the common transport network.
Syntax:
Four parameters are needed to configure a tunnel:
The internal IP address of the local end of the point-to-point link
The internal IP address of the remote end of the point-to-point link
The real (outer) source IP address written into outgoing encapsulated packets
The real (outer) destination IP address written into outgoing encapsulated packets
Parameters
N mode
Selects the type of encapsulation for tunnel "N".
"ipip" – IP-in-IP encapsulation (RFC 2003).
"gre" – Generic Routing Encapsulation.
N src ADDR dst ADDR
Assigns the real source (src) and destination (dst) IP addresses to the tunnel with logical number "N"; the tunnel interface itself (tunN) and its internal addresses are created beforehand with the "ifconfig" command.
[mtu N]
Sets the Maximum Transmission Unit for packets going through the tunnel. The default is 1480 bytes, i.e. a 1500-byte outer MTU minus the 20-byte outer IPv4 header added by "ipip" encapsulation. Note that "gre" adds a further header of at least 4 bytes on top of the outer IP header, so with the default value a full-size inner packet yields an outer datagram larger than 1500 bytes; lower the MTU accordingly if the underlying path cannot fragment.
[clear]
Disables tunnel number "N".
Examples
Use the "ifconfig" command to assign the internal IP addresses of both ends of tunnel "0" to the interface denoted "tun0".
Outgoing packets are encapsulated into IP datagrams addressed to "194.34.34.34".
NOTE
The "194.34.34.34" address must be reachable through a router interface other than the tunnel interface itself; in other words, the route to the tunnel endpoint must not point into the tunnel. This can be ensured, for example, by an explicit static route (the route add command), or by prohibiting the import of some of the RIP route descriptors arriving on that interface. If this condition is not met, a loop occurs: already encapsulated packets are routed back to the tunnel entrance, encapsulated again, and so on, overloading the system. The system watches for this situation; when it detects a loop it drops the offending packets and writes the following message to the system log.
tunX: looping...
The "195.23.23.23" address is written into the datagram as the source address.
The "195.23.23.23" address must be a real IP address of one of the router's interfaces; for the same reason as above, it must be reachable from the router at the remote end of the tunnel through the existing network (and not only through this tunnel).
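The encapsulation selected by "mode", the MTU arithmetic and the loop condition from the NOTE above, as an added example in Python that is not part of the original page or of the router's software. It assumes a 1500-byte outer MTU, a GRE header without key, checksum or sequence options, constructed routing tables with interface names eth0/tun0, and a constructed inner packet; the receive-side check that the outer source address equals the configured peer is likewise an assumption about sensible policy (IPIP and GRE carry no authentication of their own), not something the page states.

```python
import ipaddress
import struct

# Protocol numbers used by the two encapsulation modes the tun command offers
IPPROTO_IPIP = 4        # IP-in-IP, RFC 2003
IPPROTO_GRE = 47        # GRE, RFC 2784
GRE_PROTO_IPV4 = 0x0800

# Outer overhead per mode: 20-byte outer IPv4 header, plus a 4-byte GRE header
# (assumed: no key/checksum/sequence options).  With a 1500-byte outer MTU this
# gives the page's 1480 default for ipip; gre leaves 4 bytes less for the payload.
OVERHEAD = {"ipip": 20, "gre": 24}

def inner_mtu(mode, outer_mtu=1500):
    """Largest inner packet that fits without fragmenting the outer datagram."""
    return outer_mtu - OVERHEAD[mode]

def ip_checksum(data):
    """RFC 1071 ones-complement checksum; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def encapsulate(inner, mode, src, dst):
    """Wrap an IP packet the way 'mode ipip|gre' plus 'src .. dst ..' would."""
    if mode == "ipip":
        return ipv4_header(src, dst, IPPROTO_IPIP, len(inner)) + inner
    if mode == "gre":
        gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)      # flags/version 0, payload IPv4
        return ipv4_header(src, dst, IPPROTO_GRE, 4 + len(inner)) + gre + inner
    raise ValueError("unknown mode %r" % mode)

def decapsulate(packet, mode, peer):
    """Strip the outer header, refusing anything not sent by the configured peer
    (assumed receiver policy; IPIP/GRE themselves authenticate nothing)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer checksum")
    proto, src = packet[9], str(ipaddress.IPv4Address(packet[12:16]))
    if src != peer:
        raise ValueError("outer source %s is not the tunnel peer %s" % (src, peer))
    body = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if mode == "ipip" and proto == IPPROTO_IPIP:
        return body
    if mode == "gre" and proto == IPPROTO_GRE and body[:4] == b"\x00\x00\x08\x00":
        return body[4:]
    raise ValueError("protocol %d does not match mode %s" % (proto, mode))

def accepts(packet, mode, peer):
    """True if the receiver would pass the packet on to the tunnel interface."""
    try:
        decapsulate(packet, mode, peer)
        return True
    except ValueError:
        return False

def lookup(routes, dst):
    """Longest-prefix match over [(prefix, interface)]; None if there is no route."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_loops(routes, tun_iface, tun_dst):
    """The NOTE's condition: the tunnel destination must not be routed into the tunnel."""
    return lookup(routes, tun_dst) == tun_iface

def send(routes, tun, inner, max_depth=8):
    """Forward one packet, encapsulating each time routing sends it into the tunnel.
    Returns (egress_interface, packet, encapsulations); a packet that keeps coming
    back to the tunnel entrance is dropped, which is when 'tunX: looping...' is logged."""
    pkt, depth = inner, 0
    while True:
        iface = lookup(routes, str(ipaddress.IPv4Address(pkt[16:20])))
        if iface != tun["iface"]:
            return iface, pkt, depth
        if depth >= max_depth:
            return None, None, depth
        pkt = encapsulate(pkt, tun["mode"], tun["src"], tun["dst"])
        depth += 1

# Constructed configuration using the page's addresses (not a real router config)
TUN0 = {"iface": "tun0", "mode": "ipip", "src": "195.23.23.23", "dst": "194.34.34.34"}
INNER = ipv4_header("10.1.0.5", "10.2.0.7", 17, 4) + b"data"     # constructed inner packet
# A 194.0.0.0/8 route learned over RIP from the far side: the endpoint is reached via the tunnel
LEAKED = [("0.0.0.0/0", "eth0"), ("10.2.0.0/16", "tun0"), ("194.0.0.0/8", "tun0")]
# The NOTE's remedy: an explicit static route to the endpoint through the real interface
FIXED = LEAKED + [("194.34.34.34/32", "eth0")]

if __name__ == "__main__":
    print("inner MTU ipip/gre:", inner_mtu("ipip"), inner_mtu("gre"))
    print("leaked table loops:", tunnel_loops(LEAKED, "tun0", "194.34.34.34"), send(LEAKED, TUN0, INNER)[::2])
    print("fixed table loops: ", tunnel_loops(FIXED, "tun0", "194.34.34.34"), send(FIXED, TUN0, INNER)[::2])
```

With the leaked table the packet is encapsulated again on every pass until the depth limit drops it; with the /32 static route the outer datagram leaves on eth0 after a single encapsulation, which is exactly the state the NOTE asks you to verify before enabling the tunnel.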
At the opposite end of the tunnel the configuration would look as follows.
If a Cisco Systems router is used at the remote end, it may be configured as follows.
Disabling tunnel number 0.