How to enable GRE tunneling between HSMM nodes

You need console access to the nodes (i.e. SSH) and an Internet connection, so that the needed parts can be installed with the ipkg package manager.
I run version 0.4.3 on all the nodes, and so do my counterparts around Sweden. I am the central point, just to make life easier.
First of all, update the package list by issuing: ipkg update
You can of course also use the web UI for this.
Then install the following packages on the nodes that will be running GRE tunneling:
kmod-gre
kmod-tun
ez-ipupdate
All of the files below should reside in the /etc/rc.d folder and be chmod 755.
These scripts have been validated on both HSMM v.0.4.3 and BBHN v.1.0.0.
The olsrd.conf files in /etc/config.mesh and /etc/config still need to be modified in order to use GRE tunneling (see the OLSR section further down).
S51tun
S51tun is the script that establishes the GRE tunnel(s) and is run at bootup of the node. It consists of several sections that are commented inside the script.
You can of course define as many tun# interfaces as you need for GRE tunneling, but pay attention to the IP addressing of the tunnel interfaces: each tunnel gets its own /30 network.
In the example below we use the 1.1.1.0 / 255.255.255.252 network, which gives us the following IP addresses to work with:
1.1.1.0 Network address
1.1.1.1 Mynode
1.1.1.2 Remotenode
1.1.1.3 Broadcast address
So if we are to establish another GRE tunnel named tun2, we need to use the next /30, i.e. the following IP addresses:
1.1.1.4 Network address
1.1.1.5 Mynode2
1.1.1.6 Remotenode2
1.1.1.7 Broadcast address
#!/bin/sh /etc/rc.common
START=51
start() {
# Firewall section: allow traffic between the tunnel interface and the LAN (eth0.0) as well as the WLAN (wl0)
iptables -D FORWARD 11
iptables -I FORWARD -i tun1 -o eth0.0 -j ACCEPT
iptables -I FORWARD -i eth0.0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o wl0 -j ACCEPT
iptables -I FORWARD -i wl0 -o tun1 -j ACCEPT
# Nodes connected behind a NAT router, or with a dynamically assigned IP address from the ISP, need to
# check their external IP in order to update the DynDNS account. This can be omitted if the node has a
# static public IP on the WAN interface.
ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)
sleep 5
ez-ipupdate -a "$ip" -u username:password -h mynode.ham-radio-op.net -S dyndns
# This section reads the local WAN (eth0.1) address and resolves the IP address of the remote node
# that will be used to establish the GRE tunnel
ip0="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
ip1="$(ping -q -c 1 remotenode.ham-radio-op.net | grep PING | sed -e 's/.*(//' | sed -e 's/).*//')"
# Load the GRE kernel module (from the kmod-gre package)
insmod ip_gre
# Tunnel to remotenode.ham-radio-op.net
iptunnel add tun1 mode gre local "$ip0" remote "$ip1" ttl 225
ifconfig tun1 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
ifconfig tun1 up
ifconfig tun1 multicast
ifconfig tun1 pointopoint 1.1.1.2
}
stop() {
iptunnel del tun1
}
S52update
This script runs every minute (see the crontab further down this document) and checks whether the remote node has changed its IP address. Please note that if you are running with static IP addresses from your ISP, this script can be omitted.
If the IP address has changed, the tunnel is reloaded with the new IP.
#!/bin/sh
# Remote address currently configured on tun1 (taken from the iptunnel output line for tun1)
ip0="$(iptunnel | grep -A 0 'tun1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 5)"
# Local WAN (eth0.1) address
ip="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
# Address the remote node's hostname resolves to right now
ip1="$(ping -q -c 1 remotenode.ham-radio-op.net | grep PING | sed -e 's/.*(//' | sed -e 's/).*//')"
# If name resolution failed, leave the existing tunnel alone instead of rebuilding it with an empty remote
if [ -z "$ip1" ]; then
echo "Could not resolve remote node. Returning..."
exit 0
fi
if [ "$ip1" = "$ip0" ]; then
echo "IP is equal. Returning..."
exit 0
else
echo "IP is not equal. Reconfiguring GRE..."
# Tunnel to remotenode.ham-radio-op.net
iptunnel del tun1
iptunnel add tun1 mode gre local "$ip" remote "$ip1" ttl 225
ifconfig tun1 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
ifconfig tun1 up
ifconfig tun1 multicast
ifconfig tun1 pointopoint 1.1.1.2
fi
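The check in S52update has a failure mode worth separating out: when the DNS lookup for the remote node fails, the resolved address is empty, and a script that does not notice this tears down a working tunnel and rebuilds it with an empty remote. The following is an added example, not part of the original document, that keeps the decision apart from the side effects so it can be exercised without a real tunnel. It assumes the same tun1 interface, 1.1.1.0/30 addressing and remotenode.ham-radio-op.net hostname as above; the iptunnel output line in the comment is constructed, and the run argument and the rebuild_tunnel wrapper are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original document: S52update decision logic with
# the "name resolution failed" case handled. Assumes interface tun1 and the
# hostname remotenode.ham-radio-op.net used on the page.

# tunnel_remote IPTUNNEL_OUTPUT IFACE
# Print the remote endpoint for IFACE from the text of "iptunnel" (or
# "ip tunnel show"). The output is passed as an argument so the function can
# be tested on a constructed line such as:
#   tun1: gre/ip  remote 203.0.113.10  local 192.0.2.5  ttl 225
tunnel_remote() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    BEGIN { want = ifc ":" }
    $1 == want { for (i = 1; i <= NF; i++) if ($i == "remote") print $(i + 1) }'
}

# resolve_ipv4 HOSTNAME
# Same "ping -q -c 1" trick the page uses, but only the first "(" on the PING
# line is taken, so it also works where ping prints "56(84) bytes". Prints
# nothing on failure.
resolve_ipv4() {
  ping -q -c 1 "$1" 2>/dev/null | sed -n '1s/^PING [^(]*(\([0-9.]*\)).*/\1/p'
}

# decide CURRENT_REMOTE RESOLVED_REMOTE
# Prints one of:
#   skip        - resolution failed (empty); keep the existing tunnel rather
#                 than tearing it down with an empty remote address
#   keep        - addresses identical, nothing to do
#   reconfigure - the remote node's public address has changed
decide() {
  if [ -z "$2" ]; then
    echo skip
  elif [ "$1" = "$2" ]; then
    echo keep
  else
    echo reconfigure
  fi
}

# rebuild_tunnel LOCAL_IP REMOTE_IP
# The same commands S51tun/S52update use, kept in a wrapper (hypothetical, not
# from the page) so the decision above can be tested without touching the network.
rebuild_tunnel() {
  iptunnel del tun1
  iptunnel add tun1 mode gre local "$1" remote "$2" ttl 225
  ifconfig tun1 1.1.1.1 netmask 255.255.255.252 broadcast 1.1.1.3
  ifconfig tun1 up
  ifconfig tun1 multicast
  ifconfig tun1 pointopoint 1.1.1.2
}

main() {
  cur=$(tunnel_remote "$(iptunnel 2>/dev/null)" tun1)
  new=$(resolve_ipv4 remotenode.ham-radio-op.net)
  wan_ip=$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)
  case $(decide "$cur" "$new") in
    skip)        echo "Could not resolve remote node; leaving tun1 as is." ;;
    keep)        echo "IP is equal. Returning..." ;;
    reconfigure) echo "IP changed $cur -> $new. Reconfiguring GRE..."
                 rebuild_tunnel "$wan_ip" "$new" ;;
  esac
}

# Only act when invoked as "S52update run" (e.g. from cron); sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
  main
fi
```

With this split, the cron entry becomes `* * * * * /etc/rc.d/S52update run`, and a lookup outage during the minute simply logs and leaves the tunnel in place until the next run.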
ipupd
This script runs every 5 minutes in order to look up the external IP address and keep the DynDNS account updated.
#!/bin/sh
# Nodes connected behind a NAT router, or with a dynamically assigned IP address from the ISP, need to
# check their external IP in order to update the DynDNS account. This can be omitted if the node has a
# static public IP on the WAN interface.
ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)
sleep 5
ez-ipupdate -a "$ip" -u username:password -h mynode-shack.ham-radio-op.net -S dyndns
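One thing to keep in mind with ipupd is where $ip comes from: it is scraped out of an unauthenticated HTTP page and then handed straight to ez-ipupdate on the command line, so an error page, a changed page layout or an empty reply while the site is down gets submitted to DynDNS as your address. The block below is an added example, not from the original document, that validates the scraped value before it reaches ez-ipupdate and only sends an update when the address actually changed. It uses the page's myip URL and ez-ipupdate arguments; the cache file path, the run argument and the sample HTML line in the test are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: ipupd with the scraped
# address validated before it reaches ez-ipupdate, and an update sent only
# when the address changed. Assumes the page's myip URL and ez-ipupdate
# arguments; the cache file path is a hypothetical choice.

CACHE=/tmp/ipupd.last   # hypothetical location for the last address pushed

# is_ipv4 STRING -> exit 0 only if STRING is a dotted quad with octets 0-255.
# Anything else (empty reply, HTML fragment, "Error", IPv6) is rejected.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# extract_ip HTML -> the page's own scrape: 4th whitespace field, cut at "<".
# Kept as a function so it can be run on a constructed line instead of a live fetch.
extract_ip() {
  printf '%s\n' "$1" | awk '{print $4}' | cut -d"<" -f1
}

# needs_update NEW_IP LAST_IP -> exit 0 when an update should be sent
needs_update() {
  [ "$1" != "$2" ]
}

# push_update IP: the page's ez-ipupdate invocation; remembers what was sent
# so the next run can skip an unchanged address.
push_update() {
  ez-ipupdate -a "$1" -u username:password -h mynode-shack.ham-radio-op.net -S dyndns \
    && printf '%s\n' "$1" > "$CACHE"
}

main() {
  page=$(wget --quiet -O - http://www.millhill.org/myip.php/)
  ip=$(extract_ip "$page")
  if ! is_ipv4 "$ip"; then
    echo "Lookup did not return an IPv4 address ('$ip'); not updating." >&2
    exit 1
  fi
  last=$(cat "$CACHE" 2>/dev/null)
  if needs_update "$ip" "$last"; then
    push_update "$ip"
  else
    echo "External IP unchanged ($ip); nothing to do."
  fi
}

# Only act when invoked as "ipupd run" (e.g. from cron); sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
  main
fi
```

Sending an update only on change also keeps the node from hammering the DDNS provider every 5 minutes with the same address, which some providers treat as abuse.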
crontab
Crontab is the engine that runs the S52update and ipupd scripts at certain intervals, to keep the node's IP address updated against its hostname in the DynDNS account, and also to check the tunnel status and reload the GRE tunnel if needed.
*/5 * * * * /usr/local/bin/fccid
* * * * * /etc/rc.d/S52update
*/5 * * * * /etc/rc.d/ipupd
OLSR
After this we must modify the olsrd.conf file in both /etc/config and /etc/config.mesh.
Look for the "OLSRD default interface configuration" section and remove the hash sign (#) before Ip4Broadcast, so that OLSR uses the tun interfaces created by the S51tun script.
Then add the tun interfaces (in my case tun1 and tun2) to the Interface row below the "OLSRd Interfaces configuration" part of the file.
It should look like below in the olsrd.conf file under /etc/config.mesh:
#############################################
### OLSRD default interface configuration ###
#############################################
# the default interface section can have the same values as the following
# interface configuration. It will allow you so set common options for all
# interfaces.
InterfaceDefaults {
Ip4Broadcast 255.255.255.255
}
######################################
### OLSRd Interfaces configuration ###
######################################
# multiple interfaces can be specified for a single configuration block
# multiple configuration blocks can be specified
# WARNING, don't forget to insert your interface names here !
Interface "tun1" "tun2" <olsrd_bridge>
{
And the olsrd.conf file in /etc/config should look like:
#############################################
### OLSRD default interface configuration ###
#############################################
# the default interface section can have the same values as the following
# interface configuration. It will allow you so set common options for all
# interfaces.
InterfaceDefaults {
Ip4Broadcast 255.255.255.255
}
######################################
### OLSRd Interfaces configuration ###
######################################
# multiple interfaces can be specified for a single configuration block
# multiple configuration blocks can be specified
# WARNING, don't forget to insert your interface names here !
Interface "tun1" "tun2" "wl0"
{
A quick word about GRE tunneling
The iptunnel command sets up the tunneling parameters, and these need to be correct in order to establish a GRE tunnel. Look at the command below:
iptunnel add tun1 mode gre local $ip remote $ip1 ttl 225
Let's focus on the local and remote IPs. In the above command they are substituted by variables holding the output of earlier commands.
There are some things to remember here in order for this to function properly.
The remote IP is of course always the external IP of the remote node we will establish a tunnel with. If the remote node has a dynamically assigned IP, then we need to lock on to the remote node using name resolution, hence the need for DynDNS or another DDNS solution.
The local IP can however take several shapes depending on the setup at your local node.
If you have the node directly connected to the Internet with a static public IP address, then you're in the clear and can just load the variable with your IP before the iptunnel command is invoked. But if you have a dynamically assigned public IP, we need to find out which IP is active at any given moment. This can be done either by checking eth0.1 (the WAN interface) or by checking externally, like below:
ip=$(wget --quiet -O - http://www.millhill.org/myip.php/ | awk '{print $4}' | cut -d"<" -f1)
or
ip="$(ifconfig | grep -A 1 'eth0.1' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
It might be that you have connected your node behind a NAT device / firewall, in which case the NAT device / firewall holds the external IP, either static or dynamic. In this case your HSMM node will have been given an IP from the NAT device that is not reachable from the Internet.
Either way, when invoking the iptunnel command, the local IP in the command must always be the IP that is set on eth0.1, or the tunnel will fail: the local address is used as the source address of the outer GRE packets, so it has to be an address the node actually has, and the NAT device then rewrites it to the public address on the way out.
So, the main things are: 1. You can reach the remote node using its public IP on the Internet, and 2. You're using the IP assigned to eth0.1 as your local IP.
Of course this also applies the other way around, i.e. when the remote node is configuring its GRE tunnel for your node.
DynDNS
So far we've been using ez-ipupdate with DynDNS, but what if you have noip.com? Well, ez-ipupdate does not support noip.com, but I have the solution.
First you have to install wget-nossl 1.10.2-2 on the node.
Using the command below will update your noip.com account and hostname with the correct public IP address.
wget --post-data "username=$1&password=$2&hostname=$3" http://dynupdate.no-ip.com/dns
This will update your noip.com account and hostname with the IP address the request came from, i.e. the public address as seen by noip.com.
As before, substitute the variables with your specific information. Note that wget-nossl cannot do TLS, so the username and password in this request travel over plain HTTP.
Firewall rules / portforwarding on NAT device
Since GRE tunneling uses IP protocol 47 (GRE) and TCP 1723, these need to be opened / forwarded in any firewall or NAT device used between the Internet and the HSMM node, towards the HSMM GRE node. Decide which node will be the responding device and open / forward protocol 47 and TCP 1723 to that node. This combination is normally called PPTP and is often available as a preconfigured service in most routers / firewalls. (Strictly speaking, a plain GRE tunnel as set up by iptunnel only needs protocol 47; TCP 1723 is the PPTP control channel that the preconfigured service bundles with it.) Keep in mind that GRE itself carries no authentication or encryption: the kernel accepts any protocol 47 packet whose outer source address matches the configured remote, so traffic crossing the tunnel should be treated like traffic on an open link.
The other nodes can be seen as initiators and will thus be "calling" in to the node that you decided to be the "hub".
Now simply reboot the nodes and watch the magic :)
73s SM7I Johan Engdahl 2013