How to enable GRE tunneling between HSMM nodes
You need access to the console, i.e. SSH access, and you need an Internet connection in order to install the needed parts using the ipkg package manager. I run version 0.4.3 on all the nodes, and so do my counterparts around Sweden. I am the central point, just to make life easier.

First of all you need to update the package list by issuing:

    ipkg update

You can of course also use the web UI for this. Then you need to install the following packages on the nodes that will be running GRE tunneling:

    kmod-gre
    kmod-tun
    ez-ipupdate

All of the files below should reside in the /etc/rc.d folder and be chmod 755. These scripts have been validated on both HSMM v0.4.3 and BBHN v1.0.0. The changes to /etc/config.mesh and the olsrd.conf file still need to be made in order to use GRE tunneling.

S51tun

S51tun is the script that establishes the GRE tunnel(s) and is run at bootup of the node. It consists of several sections that are commented inside the script. Of course you can define as many tun# interfaces as you need to establish GRE tunneling with, but pay attention to the IP addressing of the tunnel interfaces.
In the example below we are using the 1.1.1.0 / 255.255.255.252 network, which gives us the following IP addresses to work with:

    1.1.1.0  Network address
    1.1.1.1  Mynode
    1.1.1.2  Remotenode
    1.1.1.3  Broadcast address

So if we are to establish another GRE tunnel, named tun2, we need to use the following IP addresses:

    1.1.1.4  Network address
    1.1.1.5  Mynode2
    1.1.1.6  Remotenode2
    1.1.1.7  Broadcast address

    #!/bin/sh /etc/rc.common
    START=51

    start() {
        # Firewall section: rules are needed to allow traffic between the tunnel
        # interface and both the LAN (eth0.0) and the WLAN (wl0).
        iptables -D FORWARD 11
        iptables -I FORWARD -i tun1 -o eth0.0 -j ACCEPT
        iptables -I FORWARD -i eth0.0 -o tun1 -j ACCEPT
        iptables -I FORWARD -i tun1 -o wl0 -j ACCEPT
        iptables -I FORWARD -i wl0 -o tun1 -j ACCEPT

        # Nodes connected behind a NAT router, or with a dynamically assigned IP
        # address from their ISP, need to look up their external IP in order to
        # update the DynDNS account. This can be omitted if the node has a static
        # public IP on the WAN interface.
        ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)
        sleep 5
        ez-ipupdate -a "$ip" -u username:password -h mynode.ham-radio-op.net -S dyndns

        # This section reads the local WAN address (eth0.1) and resolves the IP
        # address of the remote node that the GRE tunnel will be established with.
        ip0="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
        ip1="$(ping -q -c 1 remotenode.ham-radio-op.net | grep PING | sed -e 's/.*(//' | sed -e 's/).*//')"
        insmod ip_gre

        # Tunnel to remotenode.ham-radio-op.net
        iptunnel add tun1 mode gre local "$ip0" remote "$ip1" ttl 225
        ifconfig tun1 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
        ifconfig tun1 up
        ifconfig tun1 multicast
        ifconfig tun1 pointopoint 1.1.1.2
    }

    stop() {
        iptunnel del tun1
    }

S52update

This script runs every minute (see the crontab further down in this document) and checks whether the remote node has changed its IP address. Please note that if you have static IP addresses from your ISP, this script can be omitted.
If the IP address has changed, the tunnel is reloaded with the new IP.

    #!/bin/sh
    # Remote endpoint currently configured on tun1, the current WAN address,
    # and the address remotenode.ham-radio-op.net resolves to right now.
    ip0="$(iptunnel | grep -A 0 'tun1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 5)"
    ip="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
    ip1="$(ping -q -c 1 remotenode.ham-radio-op.net | grep PING | sed -e 's/.*(//' | sed -e 's/).*//')"

    if [ "$ip1" = "$ip0" ]; then
        echo "IP is equal. Returning..."
        exit 0
    else
        echo "IP is not equal. Reconfiguring GRE..."
        # Tunnel to remotenode.ham-radio-op.net
        iptunnel del tun1
        iptunnel add tun1 mode gre local "$ip" remote "$ip1" ttl 225
        ifconfig tun1 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
        ifconfig tun1 up
        ifconfig tun1 multicast
        ifconfig tun1 pointopoint 1.1.1.2
    fi

ipupd

This script runs every 5 minutes in order to update the external IP address and keep the DynDNS account updated.

    #!/bin/sh
    # Nodes connected behind a NAT router, or with a dynamically assigned IP
    # address from their ISP, need to look up their external IP in order to
    # update the DynDNS account. This can be omitted if the node has a static
    # public IP on the WAN interface.
    ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)
    sleep 5
    ez-ipupdate -a "$ip" -u username:password -h mynode-shack.ham-radio-op.net -S dyndns

crontab

Crontab is the engine that runs the S52update and ipupd scripts at set intervals, to keep the node's IP address updated against its hostname in the DynDNS account, and to check the tunnel status and reload the GRE tunnel if needed.

    */5 * * * * /usr/local/bin/fccid
    * * * * * /etc/rc.d/S52update
    */5 * * * * /etc/rc.d/ipupd

OLSR

After this we must modify the olsrd.conf file in /etc/config and /etc/config.mesh. Look for the OLSRD default interface configuration and remove the hash (#) sign before Ip4Broadcast in order to make OLSR use the tun interfaces created by the S51tun script.
Then you need to add the tun interfaces (in my case tun1 and tun2) to the Interface row below the OLSRd Interfaces configuration part of the file. It should look like below in the olsrd.conf file under /etc/config.mesh:

    #############################################
    ### OLSRD default interface configuration ###
    #############################################
    # the default interface section can have the same values as the following
    # interface configuration. It will allow you so set common options for all
    # interfaces.

    InterfaceDefaults {
        Ip4Broadcast 255.255.255.255
    }

    ######################################
    ### OLSRd Interfaces configuration ###
    ######################################
    # multiple interfaces can be specified for a single configuration block
    # multiple configuration blocks can be specified
    # WARNING, don't forget to insert your interface names here !

    Interface "tun1" "tun2" <olsrd_bridge>
    {

And the olsrd.conf file in /etc/config should look like:

    #############################################
    ### OLSRD default interface configuration ###
    #############################################
    # the default interface section can have the same values as the following
    # interface configuration. It will allow you so set common options for all
    # interfaces.

    InterfaceDefaults {
        Ip4Broadcast 255.255.255.255
    }

    ######################################
    ### OLSRd Interfaces configuration ###
    ######################################
    # multiple interfaces can be specified for a single configuration block
    # multiple configuration blocks can be specified
    # WARNING, don't forget to insert your interface names here !

    Interface "tun1" "tun2" "wl0"
    {

A quick word about GRE tunneling

The iptunnel command sets up the tunneling parameters, and these need to be correct in order to establish a GRE tunnel. Look at the command below:

    iptunnel add tun1 mode gre local $ip remote $ip1 ttl 225

Let's focus on the local and remote IPs. In the command above they are substituted using variables holding the output of earlier commands.
There are some things to remember here in order for this to function properly. The remote IP is of course always the external IP of the remote node that we will establish a tunnel with. If the remote node has a dynamically assigned IP, then we need to pin the remote node down by name resolution, hence the need for DynDNS or another DDNS solution.

The local IP, however, can take several shapes depending on the setup at your local node. If your node is directly connected to the Internet and has a static public IP address, then you're in the clear and can just load the variable with your IP before the iptunnel command is invoked. But if you have a dynamically assigned public IP, we need to find out which IP is active at any given moment. This can be done either by checking eth0.1 (the WAN interface) or by checking externally, like below:

    ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)

or

    ip="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"

It might be that you have connected your node behind a NAT device / firewall, in which case the NAT device / firewall holds the external IP, either static or dynamic. In this case your HSMM node will have been given an IP by the NAT device that is not reachable from the Internet. Either way, when invoking the iptunnel command, the local IP in the command must always be the IP that is set on eth0.1, or the tunnel will fail. So, the main things are:

    1. You can reach the remote node using its public IP on the Internet, and
    2. You are using the IP assigned to eth0.1 as your local IP.

Of course this also applies the other way around, i.e. when the remote node is configuring its GRE tunnel towards your node.

DynDNS

So far we've been using ez-ipupdate with DynDNS, but what if you have noip.com? Well, ez-ipupdate does not support noip.com, but I have the solution.
First you have to install wget-nossl 1.10.2-2 on the node. Using the command below will update your noip.com account and hostname with the correct public IP address (double quotes so that the $1, $2 and $3 variables are expanded):

    wget --post-data "?username=$1&password=$2&hostname=$3" http://dynupdate.no-ip.com/dns

This updates your noip.com account and hostname with the external IP address, i.e. the IP address the request came from. As before, substitute the variables with your specific information.

Firewall rules / port forwarding on NAT device

Since GRE tunneling uses protocol 47 (GRE) and TCP 1723, these need to be opened / forwarded in any firewall or NAT device used between the Internet and the HSMM node, towards the HSMM GRE node. Decide which node will be the responding device and open / forward protocol 47 and TCP 1723 to that node. This is normally called PPTP and is often available as a preconfigured service in most routers / firewalls. The other nodes can be seen as initiators and will thus be "calling" in to the node that you decided to be the "hub".

Now simply reboot the nodes and watch the magic :)

73s
SM7I Johan Engdahl
2013
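The reload decision that S52update makes every minute, with the failure case handled, as an added example that is not the author's script: if the remote node's name cannot be resolved, the existing tunnel is kept instead of being deleted and re-added with an empty remote. The iptunnel and ping output are constructed samples with placeholder hostnames and addresses, so it runs offline; on the node, feed the functions the real `iptunnel` and `ping -q -c 1` output.

```shell
#!/bin/sh
# Added example, not the author's S52update: decide whether tun1 must be
# reloaded, and leave it alone when name resolution of the remote node fails
# (otherwise the tunnel would be deleted and re-added with an empty remote).

# Constructed sample of `iptunnel` output on a node with tun1 established.
IPTUNNEL_SAMPLE='tun1: gre/ip  remote 198.51.100.7  local 192.0.2.10  ttl 225'
# Constructed samples of the first line printed by `ping -q -c 1 <hostname>`.
PING_SAME='PING remotenode.example.net (198.51.100.7) 56(84) bytes of data.'
PING_MOVED='PING remotenode.example.net (198.51.100.9) 56(84) bytes of data.'
PING_FAILED='ping: bad address remotenode.example.net'

# Remote endpoint currently configured on tunnel $1, parsed from iptunnel output $2.
tunnel_remote() {
    printf '%s\n' "$2" | awk -v t="$1:" \
        '$1 == t { for (i = 1; i < NF; i++) if ($i == "remote") print $(i + 1) }'
}

# Address the hostname resolved to, taken from the "PING host (a.b.c.d)" line
# of ping output $1; prints nothing when ping could not resolve the name.
ping_resolved_ip() {
    printf '%s\n' "$1" | sed -n 's/^PING [^(]*(\([0-9.][0-9.]*\)).*/\1/p' | head -n 1
}

# Prints "keep", "reload <new ip>" or "skip" for tunnel $1, given iptunnel
# output $2 and ping output $3.
reload_decision() {
    cur=$(tunnel_remote "$1" "$2")
    new=$(ping_resolved_ip "$3")
    if [ -z "$new" ]; then
        echo skip            # resolution failed: keep the existing tunnel
    elif [ "$new" = "$cur" ]; then
        echo keep
    else
        echo "reload $new"
    fi
}

# The reload itself, as S52update does it (needs root and the real tools;
# not called here). $1 = tunnel, $2 = local eth0.1 address, $3 = new remote.
reload_tunnel() {
    iptunnel del "$1"
    iptunnel add "$1" mode gre local "$2" remote "$3" ttl 225
    ifconfig "$1" 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
    ifconfig "$1" up
    ifconfig "$1" multicast
    ifconfig "$1" pointopoint 1.1.1.2
}
```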