Re: IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-28 Thread Damon Muller
Hi folks,

I'm certainly no expert in this field, but until some BOFH put up a
firewall between college and my ISP, the following worked for me
(should be all on one line...):

ssh -C -P -f -L 8181:localhost:8080 remotehost.com sleep 365d > /dev/null 2>&1

This will create an encrypted tunnel between port 8181 on your machine
and port 8080 on remotehost.com (you must have RSA authentication
working for SSH so it doesn't ask you for a password).

Put that in a little script file, and run it when you need the tunnel.
It should stay up indefinitely, but if it doesn't, run your script
again. Too easy.

Of course, if you want to tunnel lots of different services (the above
is only good for a web proxy, but adapt the ports for whatever you
need), it's going to get prohibitively complicated.

BTW, I don't believe that sleep needs to be as long as I have done it -
that was just what I ended up with to be on the safe side.

HTH,

damon

Quoth Krzys Majewski, 
 On Wed, 27 Sep 2000, will trillich wrote:
 
  hi. i have no clue about all this fancy stuff. sounds
  delightfully cool. if you get it straightened out,
  PLEASE post a 'SOLVED' message so that the rest of us
  dunces (speaking for what i hope is a large group and
  not just me) can learn from your experience...
  
  by the way -- HOW did you set up those tunnels?
  
  what package, what command, what script?
  
 
 OK I'm a  bit hesitant about posting my solution since I
 figure  there's probably  a  simpler  and better  way,  but here  goes.
 Please note that I'm only doing this because it's the only way
 I know for e.g. reading news on my school's news server, given that my
 ISP is LargeFacelessCorporation.com and not my school's modem pool. 
 I'm not doing it just because it's a neat trick or whatever. Peace.
 
 First, I put the following two lines in the iface eth0 section of my
 /etc/network/interfaces.  (I talk  to  the world  through an  ethernet
 card, if this  is not the way  you do things you'll have  to find some
 other way, like your /etc/ppp/ip-up script or whatever):
 
  up /etc/init.d/tcp-pipes start 
  down /etc/init.d/tcp-pipes stop
 
 The tcp-pipes script is attached. The way I do it, this 
 script runs a command  on the remote machine. The command does
 nothing: it just  hangs. I've jimmied things on the  other end so that
 only one  instance of  this command (there's  actually three  of them,
 they're called imapl, newsl, and  maill if I remember right) can run
 at a time. Otherwise, I'd eventually have a million of these things running on
 the remote  machine and  the sysadmins at  school would hate  me. I've
 done this with a C program (attached) which reads a PID from a file, nukes the
 process, writes its PID to the same file, and hangs forever. You can maybe
 do the same thing with a shell script. 
 
 Uh, I think that's all. Then I just tell my mail and news clients to 
 talk to,  say, port 6143 on the  localhost instead of port  143 on the
 remote host. Hope this helps. -chris
 


-- 
Damon Muller  | Did a large procession wave their torches
Criminologist/Linux Geek  | As my head fell in the basket,
http://killfilter.com | And was everybody dancing on the casket...
PGP (GnuPG): A136E829 |  - TBMG, Dead




Re: IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-28 Thread Krzys Majewski
 ssh -C -P -f -L 8181:localhost:8080 remotehost.com sleep 365d > /dev/null 2>&1

OK this is basically  the same thing I do. The only  problem I can see
with the  above is, if you have  to run this thing  several times, you
might  get several  orphaned  sleep 365d  processes  on your  remote
machine. So instead of sleep, I  use a command that kills any previous
instance of itself before running. -chris



IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-27 Thread will trillich
On Tue, Sep 26, 2000 at 07:51:10PM +1100, Damon Muller wrote:
 I don't know if it's sophisticated enough for what you want to do, but
 setting up port forwarding using ssh is very easy. If all you want to do
 is something like secure mail transfer, then it'll take you mere seconds
 to set up, and require no additional software or kernel compilation.
 
 If you want to do something more sophisticated, then I'm afraid that I
 can't help you.

sounds quite intriguing! care to share a few shell command snippets?

i've also tried the ssh connect then pppd overlay with dismal results.

but i finally have succeeded (to some level, maybe not what i need,
but it's a start) with this:

# create new device

ip tunnel add $DEV \
local $OUTSIDE_HERE \
remote $OUTSIDE_THERE \
mode gre

# talk between these two points (with network on far end)

ifconfig $DEV $INSIDE_HERE pointopoint $INSIDE_THERE \
netmask 255.255.255.0

# now re-establish our firewall rules to include the new gadget

ipmasq

any caveats to watch for, there?

--

still can't figure out what's wrong here, tho--

# ip link list
Cannot send dump request: Connection refused
# ip address show
Cannot send dump request: Connection refused
# ip route show
Cannot send dump request: Connection refused
# ip neigh show
Cannot send dump request: Connection refused



Re: IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-27 Thread Krzys Majewski
Missed  the start  of this  thread. I  need to  do some  tunnelling as
well.   Here's   the  setup.   I   use   my  school's   smtp/imap/news
servers.  The servers can  only be accessed from  cs.ubc.ca (at  least, I
haven't  had  any luck  using  them from  elsewhere).  My  isp is  not
cs.ubc.ca. I'm currently getting around this problem via a messy ssh -L
hack; namely, setting up port forwarding between my home machine and a
server at school, then running a noninteractive hanging program on 
the other end to keep the tunnel open.  In this way I have set up three 
pipes/tunnels,
localhost:6025-remotehost:25,
localhost:6119-remotehost:119, and 
localhost:6143-remotehost:6143. 
It  works but  the tunnels  break sometimes  (like when  I  suspend my
machine) and I have to restart them occasionally. 
Anyone have a better way? -chris






Re: doesn't anybody use tunnelling / vpn?

2000-09-27 Thread will trillich
Amaury Darsch wrote:
 
 Ok,
 
 Looks like you are really suffering with this one - I'll try to do my best
 to help you. We will go step by step ...

thanks! you have no idea...!

 a) I assume you work with the kernel 2.2.17

# uname -a
Linux server 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown

 b) Check the kernel network config - the ip command is very picky about this
Note that in the example below - the IP tunneling and GRE are modules
I'll give you my config here.
 
   <*> Packet socket
   [*] Kernel/User netlink socket
   [*] Routing messages
   < > Netlink device emulation
   [*] Network firewalls
   [*] Socket Filtering
   <*> Unix domain sockets
   [*] TCP/IP networking
   [*] IP: multicasting
   [*] IP: advanced router
   [*] IP: policy routing
   [ ] IP: equal cost multipath
   [ ] IP: use TOS value as routing key
   [*] IP: verbose route monitoring
   [ ] IP: large routing tables
   [ ] IP: fast network address translation
   [ ] IP: kernel level autoconfiguration
   [*] IP: firewalling
   [ ] IP: firewall packet netlink device
   [*] IP: use FWMARK value as routing key
   [*] IP: transparent proxy support
   [ ] IP: masquerading
   [ ] IP: optimize as router not host
   <M> IP: tunneling
   <M> IP: GRE tunnels over IP
   [*] IP: broadcast GRE over IP
   [ ] IP: multicast routing
   [*] IP: aliasing support
   [ ] IP: ARP daemon support (EXPERIMENTAL)

well, um, <newbie>i'm not sure where to go to compare what i've
got, with that. </newbie>is it a source-code-tree thing? maybe a
probe-command output? or modules from modconf? something from 
the bowels of /proc/net? dselect?

my ipmasq works fine to connect my other two computers
(2 mac, 1 windon't) to the 'net. so tcp/inetd.conf services
are all hunky/dory.

# lsmod
Module                  Size  Used by
ip_gre                  6168   1
slip                    7388   0  (autoclean)
ppp                    20684   0  (autoclean)
slhc                    4436   1  (autoclean) [slip ppp]
nls_koi8-r              3400   0  (unused)
tap1                    2284   0  (unused)
netlink_dev             1552   0  (unused)
tap0                    2284   0  (unused)
af_packet               6040   0  (autoclean)
serial                 19564   1  (autoclean)
3c509                   6548   2
ipv6                   92464  -1
ipip                    5156   0
ip_masq_ftp             2456   0
unix                   10212  15  (autoclean)

so i've got ipip and ip_gre installed, PLUS the
tap and netlink things mentioned for TUNNELV, which i
also couldn't get going.

 c) install the gre module - without it - nothing will work
modprobe ip_gre (or insmod ip_gre)
 
Check that it is installed with the lsmod command.
 
 d) now the magic test - install the tunnel
 
ip tunnel add tunl0 mode gre local 192.168.0.1 remote 192.168.0.2
 
If you have any error here (I saw some ioctl error) then do not bother to
continue - you have a kernel problem.
 
check that the tunnel is installed
 
ip link show

BOOM.

# ip link show
Cannot send dump request: Connection refused
# ip addr show
Cannot send dump request: Connection refused
# ip route show
Cannot send dump request: Connection refused
# ip neigh show
Cannot send dump request: Connection refused
# ip tunnel show
tunl0: ip/ip  remote any  local any  ttl inherit  nopmtudisc
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
dave: gre/ip  remote 208.7.139.219  local 208.33.90.85  ttl inherit 

why d'you suppose that tunnels are the only things it lets
me show? what am i missing?


You should see the following (more or less)
 
4: [EMAIL PROTECTED]: <NOARP> mtu 1476 qdisc noop
 link/gre 0.0.0.0 brd 0.0.0.0
5: [EMAIL PROTECTED]: <POINTOPOINT,NOARP> mtu 1476 qdisc noop
 link/gre 192.168.0.1 peer 192.168.0.2

it should, but doesn't. show goes bang, for me. except on tunnels.


 e) turn the link up
 
ip link set dev tunl0 up
 
check again that the link is up with ip link show
 
4: [EMAIL PROTECTED]: <NOARP> mtu 1476 qdisc noop
 link/gre 0.0.0.0 brd 0.0.0.0
5: [EMAIL PROTECTED]: <POINTOPOINT,NOARP,UP> mtu 1476 qdisc noqueue
 link/gre 192.168.0.1 peer 192.168.0.2

i use ifconfig to get it running. should i not?


 At this stage, the tunnel is set - you need to do the same with the peer. You
 will have also to set your routing table - If you have a gateway turn on the
 forwarding. My config has the firewall enabled - If you do the same make sure
 you install the right ACCEPT rule. But as far as I can see, the source of your
 problems seems located around a kernel config.
 
 Hope this will help ...

thanks for your pointers! i wish i'd had them two weeks ago,
but i didn't know what to ask for...

here's what i've got that seems to work:

#!/bin/sh

# create new device

ip tunnel add $DEV \
local 

Re: IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-27 Thread will trillich
Krzys Majewski wrote:
 
 Missed  the start  of this  thread. I  need to  do some  tunnelling as
 well.   Here's   the  setup.   I   use   my  school's   smtp/imap/news
 servers.  The servers can  only be accessed from  cs.ubc.ca (at  least, I
 haven't  had  any luck  using  them from  elsewhere).  My  isp is  not
 cs.ubc.ca. I'm currently getting around this problem via a messy ssh -L
 hack; namely, setting up port forwarding between my home machine and a
 server at school, then running a noninteractive hanging program on
 the other end to keep the tunnel open.  In this way I have set up three
 pipes/tunnels,
 localhost:6025-remotehost:25,
 localhost:6119-remotehost:119, and
 localhost:6143-remotehost:6143.
 It  works but  the tunnels  break sometimes  (like when  I  suspend my
 machine) and I have to restart them occasionally.
 Anyone have a better way? -chris

hi. i have no clue about all this fancy stuff. sounds
delightfully cool. if you get it straightened out,
PLEASE post a 'SOLVED' message so that the rest of us
dunces (speaking for what i hope is a large group and
not just me) can learn from your experience...

by the way -- HOW did you set up those tunnels?

what package, what command, what script?

-- 
mailto:[EMAIL PROTECTED]
http://www.dontUthink.com/



Re: IP TUNNEL / was Re: doesn't anybody use tunnelling / vpn?

2000-09-27 Thread Krzys Majewski
On Wed, 27 Sep 2000, will trillich wrote:

 hi. i have no clue about all this fancy stuff. sounds
 delightfully cool. if you get it straightened out,
 PLEASE post a 'SOLVED' message so that the rest of us
 dunces (speaking for what i hope is a large group and
 not just me) can learn from your experience...
 
 by the way -- HOW did you set up those tunnels?
 
 what package, what command, what script?
 

OK I'm a  bit hesitant about posting my solution since I
figure  there's probably  a  simpler  and better  way,  but here  goes.
Please note that I'm only doing this because it's the only way
I know for e.g. reading news on my school's news server, given that my
ISP is LargeFacelessCorporation.com and not my school's modem pool. 
I'm not doing it just because it's a neat trick or whatever. Peace.

First, I put the following two lines in the iface eth0 section of my
/etc/network/interfaces.  (I talk  to  the world  through an  ethernet
card, if this  is not the way  you do things you'll have  to find some
other way, like your /etc/ppp/ip-up script or whatever):

 up /etc/init.d/tcp-pipes start 
 down /etc/init.d/tcp-pipes stop

The tcp-pipes script is attached. The way I do it, this 
script runs a command  on the remote machine. The command does
nothing: it just  hangs. I've jimmied things on the  other end so that
only one  instance of  this command (there's  actually three  of them,
they're called imapl, newsl, and  maill if I remember right) can run
at a time. Otherwise, I'd eventually have a million of these things running on
the remote  machine and  the sysadmins at  school would hate  me. I've
done this with a C program (attached) which reads a PID from a file, nukes the
process, writes its PID to the same file, and hangs forever. You can maybe
do the same thing with a shell script. 

Uh, I think that's all. Then I just tell my mail and news clients to 
talk to,  say, port 6143 on the  localhost instead of port  143 on the
remote host. Hope this helps. -chris

#! /bin/sh
#
# Port forwarding to servers which would otherwise refuse connections from us
#

echo $*
NAME=`basename $0`
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
SSH=/usr/bin/ssh2 # careful! there might be an ssh in the current dir
SSHBASENAME=`basename ${SSH}`
SSHFLAGS="-f -x"
HOST=cascade.cs.ubc.ca
USER=majewski
PRG=loop

# start LOCALPORT DEST REMOTEPORT PIPE
# Forwards LOCALPORT to DEST:REMOTEPORT through HOST and runs the
# remote keeper command (${PIPE}l) to hold the connection open.
start()
{
    LOCALPORT=$1
    DEST=$2
    REMOTEPORT=$3
    PIPE=$4
    SSHARGS="${SSHFLAGS} -l ${USER} -L ${LOCALPORT}:${DEST}:${REMOTEPORT} ${HOST} ${PIPE}l"
    PIDFILE=/var/run/${PIPE}-pipe.pid
    #echo -n "Starting ${PIPE}: "
    if [ -e ${PIDFILE} ]; then
        rm ${PIDFILE}
    fi
    # SSHARGS is left unquoted on purpose so it splits into separate arguments
    start-stop-daemon --start --verbose --background --make-pidfile \
        --pidfile ${PIDFILE} --exec ${SSH} -- ${SSHARGS}
    if [ $? -eq 0 ]; then
        fixpid ${PIPE} ${PIDFILE}
    fi
    #echo "${PIPE}."
}

# Wait for the PIDFILE to get the initial PID of the ssh process
# Wait for the ssh process to exec() to a different PID
# Put the new PID in the PIDFILE
fixpid()
{
    PIPE=$1
    PIDFILE=$2
    PID=
    NEWPID=
    COUNT=1
    MAXCOUNT=10
    GOTCHA=false
    while [ "${PID}" = "" ]; do
        if [ ${COUNT} -gt ${MAXCOUNT} ]; then
            logger "${NAME}: initial PID not found for ${PIPE}"
            logger "${NAME}: continuing anyway..."
            break
        fi
        if [ -e ${PIDFILE} ]; then
            PID=`cat ${PIDFILE}`
        fi
        COUNT=`expr ${COUNT} + 1`
        sleep 1
    done
    # sleep until the process with the old PID goes away
    # can't use 'wait' because the ssh process is not our child
    COUNT=1
    while ps h -o pid -p "${PID}" > /dev/null; do
        if [ ${COUNT} -gt ${MAXCOUNT} ]; then
            logger "${NAME}: new PID not found for ${PIPE}"
            logger "${NAME}: continuing anyway..."
            break
        fi
        COUNT=`expr ${COUNT} + 1`
        GOTCHA=true
        sleep 1
    done
    NEWPID=`ps h -C ${SSHBASENAME} | grep ${PIPE} | awk '{print $1}'`
    if [ "${NEWPID}" = "" ]; then
        logger "${NAME}: Empty PID, you may have to stop ${PIPE} manually later on"
    else
        echo ${NEWPID} > ${PIDFILE}
    fi
}

# stop PIPE
# Stops the ssh process recorded in the PID file, falling back to a
# search of the process list if start-stop-daemon cannot find it.
stop()
{
    PIPE=$1
    PID=
    #echo -n "Stopping ${PIPE}: "
    PIDFILE=/var/run/${PIPE}-pipe.pid
    start-stop-daemon --stop --verbose --pidfile ${PIDFILE}
    if [ $? -ne 0 ]; then
        PID=`ps h -C ${SSHBASENAME} | grep ${PIPE} | awk '{print $1}'`
        if [ "${PID}" != "" ]; then
            echo "Killing ${PIPE} pipe by brute force"
            logger "${NAME}: Killing ${PIPE} pipe by brute force"
            # ask process to die honorably
            kill -TERM ${PID}
            # coup de grace if necessary
            PID=`ps h -C ${SSHBASENAME} | grep ${PIPE} | awk '{print $1}'`
            if [ "${PID}" != "" ]; then
                kill -KILL ${PID}
            fi
        else
            logger "${NAME}: Couldn't find PID for ${PIPE}, not killing"
        fi
    fi
    rm -f ${PIDFILE}
    #echo "${PIPE}."
}

startImap()
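
Added example, not code from anyone in this thread: the forwards that Damon Muller's `ssh -L ... sleep 365d` one-liner and the tcp-pipes script above set up, written with options that current OpenSSH provides. `-N` takes the place of the hanging remote command, a control socket (`-M -S`) takes the place of PID files, and each forward is bound to 127.0.0.1 only. The login host, socket directory and `localhost` destinations are placeholders.

```sh
#!/bin/sh
# Added example: ssh -L forwards managed through an OpenSSH control socket.
# REMOTE, SOCKDIR and the destinations below are placeholders (assumptions).

REMOTE="user@remotehost.example"     # placeholder login host
SOCKDIR="${HOME}/.ssh/tunnels"       # private directory for control sockets

# valid_port PORT -> status 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCALPORT DEST REMOTEPORT -> prints 127.0.0.1:L:DEST:R
# The explicit 127.0.0.1 keeps the listener off every other interface,
# so other hosts on the LAN cannot ride the tunnel.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # plain host names / IPv4 only
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# sock_path NAME -> control socket path for the tunnel called NAME
sock_path() { printf '%s/%s.sock\n' "$SOCKDIR" "$1"; }

# start_tunnel NAME LOCALPORT DEST REMOTEPORT
start_tunnel() {
    spec=$(forward_spec "$2" "$3" "$4") || {
        echo "bad forward for $1" >&2
        return 2
    }
    mkdir -p "$SOCKDIR" && chmod 700 "$SOCKDIR" || return 1
    # -N: no remote command, so nothing is left running on the far side.
    # ExitOnForwardFailure: fail instead of backgrounding a dead tunnel.
    # ServerAlive*: the client exits once the link is gone (e.g. after a
    # suspend), so "status" reports the truth and "start" can be re-run.
    # BatchMode: never prompt; key authentication must already work.
    ssh -f -N -M -S "$(sock_path "$1")" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -L "$spec" "$REMOTE"
}

# The control socket addresses exactly the ssh process that created it.
stop_tunnel()   { ssh -S "$(sock_path "$1")" -O exit  "$REMOTE" 2>/dev/null; }
tunnel_status() { ssh -S "$(sock_path "$1")" -O check "$REMOTE" 2>/dev/null; }

case "${1:-}" in
    start)
        start_tunnel mail 6025 localhost 25
        start_tunnel news 6119 localhost 119
        start_tunnel imap 6143 localhost 143
        ;;
    stop)
        for t in mail news imap; do stop_tunnel "$t"; done
        ;;
    status)
        for t in mail news imap; do
            if tunnel_status "$t"; then echo "$t: up"; else echo "$t: down"; fi
        done
        ;;
esac
```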

doesn't anybody use tunnelling / vpn?

2000-09-26 Thread will trillich
AAUGH! NOBODY seems to be tunneling anywhere. i must be alone...
my inquiries about vpn and tunnelling have met with deafening silence.

am i the only person trying to get these going? it seems like such
a no-brainer tool that i'd expect LOTS of us to be using vpn
(or trying to get it running).

or is there a club meeting somewhere that gathers to laugh at all
my ignorant posts on the issue? (on the other hand, maybe y'all
are waiting for me to finally munch my bloodied head through the
other end so you can ask me how i did it? expect a looong wait.)

i'm going NUTS here... help! pointers would be handy, but i've
found many documents hither and yon on the 'net and NONE have been
turnkey... there's always some obscure obstacle or error message
that i have no clue as to the meaning behind it.

is there a debianized tunnel module i can get running?
not tunnelv
tried iptunnel
got pptpd
moving on to something that makes sense to me (and works)

--

i've tried tunnelv, ipip, ipsec, several others. shotgun/machine-gun
approach: apt-get install, try, be baffled by errors or no results, try
another. no hits. dead ends everywhere, without understanding
anything of the messages behind them.

even with
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-5.html
i'm not having ANY success.

# iptunnel add TEST mode gre remote 208.33.90.85 local 208.7.139.219 ttl 255
# ip addr add 192.168.0.1 dev TEST
Cannot send dump request: Connection refused

what's that mean?

# lsmod
Module                  Size  Used by
nbd                    13104   0  (unused)
lockd                  31120   1  (autoclean)
sunrpc                 52432   1  (autoclean) [lockd]
serial                 19568   0  (autoclean)
netlink_dev             1552   0  (unused)
ethertap                2336   0  (unused)
rtl8139                11520   1
ipv6                   92464  -1
ipip                    5168   0
ip_masq_user            2544   0  (unused)
ip_masq_raudio          2944   0  (unused)
ip_gre                  6176   1
ip_masq_cuseeme         1120   0  (unused)
ip_masq_autofw          2448   0  (unused)
ip_masq_irc             1600   0  (unused)
ip_masq_portfw          2528   0  (unused)
ip_masq_mfw             3152   0  (unused)
ip_masq_ftp             2464   0  (unused)
ne2k-pci                4080   1
8390                    6048   0  [ne2k-pci]
unix                   10224  21  (autoclean)

some dox i've seen mention needing the new_tunnel.o module.
where do i get that? i haven't found it in modconf...

help? help. help!



Re: doesn't anybody use tunnelling / vpn?

2000-09-26 Thread George Bonser


Well, most will require that you build them from source with your current
kernel source tree someplace ( or at least access to the kernel-headers
package for the kernel you are running ). Debian has a CIPE package in
non-us (or did) but I think it is a source package, you need to build it.

Woody has a vtun package ... vtun is cool but you are going to have to
know what you are doing ... just like the rest of the packages.

VTUN is probably best since it will work from behind a firewall (has a TCP
mode and a SOCKS mode) while CIPE is UDP and you are probably not going to
get return packets back through the firewall without admin intervention.


On Mon, 25 Sep 2000, will trillich wrote:

 AAUGH! NOBODY seems to be tunneling anywhere. i must be alone...
 my inquiries about vpn and tunnelling have met with deafening silence.
 
 am i the only person trying to get these going? it seems like such
 a no-brainer tool that i'd expect LOTS of us to be using vpn
 (or trying to get it running).
 
 or is there a club meeting somewhere that gathers to laugh at all
 my ignorant posts on the issue? (on the other hand, maybe y'all
 are waiting for me to finally munch my bloodied head through the
 other end so you can ask me how i did it? expect a looong wait.)
 
 i'm going NUTS here... help! pointers would be handy, but i've
 found many documents hither and yon on the 'net and NONE have been
 turnkey... there's always some obscure obstacle or error message
 that i have no clue as to the meaning behind it.
 
 is there a debianized tunnel module i can get running?
   not tunnelv
   tried iptunnel
   got pptpd
   moving on to something that makes sense to me (and works)
 
 --
 
 i've tried tunnelv, ipip, ipsec, several others. shotgun/machine-gun
 approach: apt-get install, try, be baffled by errors or no results, try
 another. no hits. dead ends everywhere, without understanding
 anything of the messages behind them.
 
 even with
 http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-5.html
 i'm not having ANY success.
 
 # iptunnel add TEST mode gre remote 208.33.90.85 local 208.7.139.219 ttl 255
 # ip addr add 192.168.0.1 dev TEST
 Cannot send dump request: Connection refused
 
 what's that mean?
 
 # lsmod
 Module                  Size  Used by
 nbd                    13104   0  (unused)
 lockd                  31120   1  (autoclean)
 sunrpc                 52432   1  (autoclean) [lockd]
 serial                 19568   0  (autoclean)
 netlink_dev             1552   0  (unused)
 ethertap                2336   0  (unused)
 rtl8139                11520   1
 ipv6                   92464  -1
 ipip                    5168   0
 ip_masq_user            2544   0  (unused)
 ip_masq_raudio          2944   0  (unused)
 ip_gre                  6176   1
 ip_masq_cuseeme         1120   0  (unused)
 ip_masq_autofw          2448   0  (unused)
 ip_masq_irc             1600   0  (unused)
 ip_masq_portfw          2528   0  (unused)
 ip_masq_mfw             3152   0  (unused)
 ip_masq_ftp             2464   0  (unused)
 ne2k-pci                4080   1
 8390                    6048   0  [ne2k-pci]
 unix                   10224  21  (autoclean)
 
 some dox i've seen mention needing the new_tunnel.o module.
 where do i get that? i haven't found it in modconf...
 
 help? help. help!
 
 
 
 



Re: doesn't anybody use tunnelling / vpn?

2000-09-26 Thread will trillich
On Mon, Sep 25, 2000 at 09:33:46PM -0700, George Bonser wrote:
 
 
 Well, most will require that you build them from source with your current
 kernel source tree someplace ( or at least access to the kernel-headers
 package for the kernel you are running ). Debian has a CIPE package in
 non-us (or did) but I think it is a source package, you need to build it.
 
 Woody has a vtun package ... vtun is cool but you are going to have to
 know what you are doing ... just like the rest of the packages.
 
 VTUN is probably best since it will work from behind a firewall (has a TCP
 mode and a SOCKS mode) while CIPE is UDP and you are probably not going to
 get return packets back through the firewall without admin intervention.

tried cipe for five days. no grok. many tears. much hair loss.

tried vtun. same level of success: negative.

tried tunnelv. same.

before i worry about the fancy encryption and all, isn't there a
way to configure a tunl0 or ethertap or netlink device to do quick
and dirty publicly-visible tunnelling?

there's gotta be a primary missing component that i've not got set up.

according to the iproute2 ip-tunnels.ps dox much is possible via
simple ip and routing calls:

# ip tunnel add tunl0 mode gre remote 208.7.139.219 local 208.33.90.85
ioctl: No buffer space available
# ipmasq
# ip tunnel add DIODE mode gre remote 208.7.139.219 local 208.33.90.85
# ifconfig DIODE 192.168.0.1
# ip route add 192.168.0.0/24 via 208.7.139.219 dev DIODE onlink
Cannot send dump request: Connection refused
# ip link list
Cannot send dump request: Connection refused
# ip address show
Cannot send dump request: Connection refused
# ip route show
Cannot send dump request: Connection refused
# ip neigh show
Cannot send dump request: Connection refused

regardless of which package i try, i get some constipation like this
that's entirely obscure to me.

# cat /proc/net/dev
Inter-|   Receive|  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:25554026  210930000 0  0 0 25554026  210930000 0   0  0
 tunl0:   0   0000 0  0 00   0000 0   0  0
  sit0:   0   0000 0  0 00   0000 0   0  0
  eth0:82258414  735457303 3  0 0 211845383  519312000   158   1  0
  eth1:227361827  394335607 6  0 0 128792826  421015000   572   0  0
  tap0:   0   0000 0  0 00   0000 0   0  0
  tap1:   0   0000 0  0 00   0000 0   0  0
  ppp0:  57   0100 1  0 0  460  10000 0   0  0
   sl0:   0   0000 0  0 0  924  11000 0   0  0
  gre0:   0   0000 0  0 00   0000 0   0  0
 DIODE:   0   0000 0  0 00   0000 0   0  0

what's missing? where do i look?
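
Added example, not from any poster in this thread: `ip link`, `ip addr`, `ip route` and `ip neigh` query the kernel with rtnetlink dump requests, while `ip tunnel` uses ioctls, which is consistent with only the tunnel commands working in the output above. The script checks a kernel config file for the netlink and GRE entries in the option list Amaury Darsch posted; the CONFIG_ symbols are the Linux 2.2 names for those menu entries, and the config file locations are assumptions about the local install.

```sh
#!/bin/sh
# Added example: report which kernel options needed by iproute2's "ip"
# command and by GRE tunnels are missing from a kernel config file.

# required_opts -> one "SYMBOL menu label" pair per line
required_opts() {
cat <<'EOF'
CONFIG_NETLINK Kernel/User netlink socket
CONFIG_RTNETLINK Routing messages
CONFIG_NET_IPGRE IP: GRE tunnels over IP
EOF
}

# opt_state FILE SYMBOL -> prints y (built in), m (module) or n (off).
# A "# SYMBOL is not set" line or a missing line both count as n.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# missing_opts FILE -> prints the required symbols that are off
missing_opts() {
    required_opts | while read -r sym label; do
        if [ "$(opt_state "$1" "$sym")" = n ]; then
            printf '%s\n' "$sym"
        fi
    done
}

# check_config FILE -> status 0 if nothing is missing, 1 otherwise
check_config() {
    missing=$(missing_opts "$1")
    if [ -z "$missing" ]; then
        echo "$1: netlink, rtnetlink and GRE are enabled"
        return 0
    fi
    echo "$1: not enabled:"
    printf '%s\n' "$missing" | sed 's/^/  /'
    return 1
}

# find_config -> prints the first readable config file.
# Assumed locations: the file a Debian kernel-image package installs in
# /boot, then the tree a hand-built kernel was compiled in.
find_config() {
    for f in "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Usage: script check [CONFIGFILE]
if [ "${1:-}" = "check" ]; then
    cfg=${2:-$(find_config)}
    if [ -z "$cfg" ]; then
        echo "no kernel config file found" >&2
        exit 2
    fi
    check_config "$cfg"
fi
```

A module (`m`) counts as enabled here, but it still has to be loaded with `modprobe` before the tunnel can be created.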



Re: doesn't anybody use tunnelling / vpn?

2000-09-26 Thread Mark Brown
On Mon, Sep 25, 2000 at 11:25:26PM -0500, will trillich wrote:

 am i the only person trying to get these going? it seems like such
 a no-brainer tool that i'd expect LOTS of us to be using vpn
 (or trying to get it running).

Most of the people using VPNs are probably companies, and probably most
of those that need it have paid sysadmins.  They tend not to be the sort
of people asking questions here.

 i'm going NUTS here... help! pointers would be handy, but i've
 found many documents hither and yon on the 'net and NONE have been
 turnkey... there's always some obscure obstacle or error message
 that i have no clue as to the meaning behind it.

 is there a debianized tunnel module i can get running?

We use FreeSWAN, which isn't packaged yet.

-- 
Mark Brown  mailto:[EMAIL PROTECTED]   (Trying to avoid grumpiness)
http://www.tardis.ed.ac.uk/~broonie/
EUFS http://www.eusa.ed.ac.uk/societies/filmsoc/




Re: doesn't anybody use tunnelling / vpn?

2000-09-26 Thread Damon Muller
Hi will,

I don't know if it's sophisticated enough for what you want to do, but
setting up port forwarding using ssh is very easy. If all you want to do
is something like secure mail transfer, then it'll take you mere seconds
to set up, and require no additional software or kernel compilation.

If you want to do something more sophisticated, then I'm afraid that I
can't help you.

cheers,

damon

Quoth will trillich, 
 AAUGH! NOBODY seems to be tunneling anywhere. i must be alone...
 my inquiries about vpn and tunnelling have met with deafening silence.
 
 am i the only person trying to get these going? it seems like such
 a no-brainer tool that i'd expect LOTS of us to be using vpn
 (or trying to get it running).
 
 or is there a club meeting somewhere that gathers to laugh at all
 my ignorant posts on the issue? (on the other hand, maybe y'all
 are waiting for me to finally munch my bloodied head through the
 other end so you can ask me how i did it? expect a looong wait.)
 
 i'm going NUTS here... help! pointers would be handy, but i've
 found many documents hither and yon on the 'net and NONE have been
 turnkey... there's always some obscure obstacle or error message
 that i have no clue as to the meaning behind it.
 
 is there a debianized tunnel module i can get running?
   not tunnelv
   tried iptunnel
   got pptpd
   moving on to something that makes sense to me (and works)
 
 --
 
 i've tried tunnelv, ipip, ipsec, several others. shotgun/machine-gun
 approach: apt-get install, try, be baffled by errors or no results, try
 another. no hits. dead ends everywhere, without understanding
 anything of the messages behind them.
 
 even with
 http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-5.html
 i'm not having ANY success.
 

-- 
Damon Muller  | Did a large procession wave their torches
Criminologist/Linux Geek  | As my head fell in the basket,
http://killfilter.com | And was everybody dancing on the casket...
PGP (GnuPG): A136E829 |  - TBMG, Dead

