Broadband-Hamnet™ Forum :: Sweden/Finland
 Subject :VPN / GRE tunneling.. 2013-10-28- 05:18:40 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

For up-to-date documentation and instructions on how to set up GRE tunneling between nodes that do not have an RF path, just drop me an email.

I will be publishing this on a website in the long run, but have just not got the time yet.

sm7i.ham@gmail.com

IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-10-28- 11:20:56 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

The HowTo for GRE tunneling can now be downloaded from the link below. This will be updated when needed, so be sure to check in from time to time.


http://www.ssra.se/upload/hsmm%20scripts.pdf

Last Edited On: 2013-10-28- 11:21:48 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-11-16- 13:44:52 
EB5JEQ
Member
Joined: 2013-09-21- 14:11:41
Posts: 8
Location: Elche Alicante Spain
 

Very interesting post, I will try to configure it like you explain.

To test it, I want to know if you are available to link my node with yours.

Thanks



 Subject :Re:VPN / GRE tunneling.. 2013-11-16- 15:06:47 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

No problem. Of course you can test peering with me.


Just drop me an email when you feel ready.

Last Edited On: 2013-11-16- 15:17:25 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-11-25- 02:10:17 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

Just wanted to share a snapshot of the mesh as of now. Look at the attached jpg file.





Attachments
 mesh.jpg [91 KB]
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-11-27- 15:27:31 
VE3RTJ
Member
Joined: 2013-08-19- 07:21:12
Posts: 49
Location: Hamilton, Canada FN03

Novice alert--

GRE Tunneling is the next trick I'm going to be trying with my nodes, and I have a question about the basic principles behind GRE.

In my implementation, I want to tunnel from a BBHN node at my house, through a D-Link router to a Sierra Wireless aircard (wireless internet via Telus, a cellular carrier) connected to a remote BBHN node.

In setting up the router in the home setting, I'll need to port forward protocol 47 and TCP port 1723 to the D-Link port which is connected to the BBHN node's WAN port.

Does this port forwarding support multiple tunnels? Does the GRE software sort out source/destination information for, say, two tunnels originating from my home location to two other remote nodes? It seems to me that if I need separate ports for each tunnel, then I'm going to have a problem with steering my D-Link using port forwarding.

I see in the examples documented here that the nodes are being set up for 2 tunnels, and it would seem that only one port forwarding rule is described for the example, but would appreciate a clarification on this point.

Thanks.

73 de Ron P. email: (callsign) *at* gmail.com
 Subject :Re:VPN / GRE tunneling.. 2013-11-28- 02:47:53 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

You can have several tunnels configured on one node.


Look at the howto and also look at my picture in the above post showing, at that moment, three tunnels.


As long as you can configure your router/firewall to let the PPTP protocol suite pass through to your node's WAN side, you'll be fine.

Last Edited On: 2013-11-28- 02:48:23 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-12-11- 00:01:31 
sp2ong
Member
Joined: 2013-10-30- 10:57:25
Posts: 72
Location

Hi Johan

I have read your PDF about the GRE tunnel and I would like to try to connect your node to my WRT54 SP2ONG-home Mesh Node. I will try to set up my WRT54 with GRE this weekend and it will be interesting to do this test between our nodes. But I have one question about the IP addresses:

1.1.1.0 Network address

1.1.1.1 My node

1.1.1.2 Remote node

1.1.1.3 Broadcast address

We must use the same address range, and I need to know which 1.1.1.x IP you have free that I must use in my node. If we try to connect many local Mesh network nodes, must we create many TUNx interfaces on the WRT54? What is the difference between GRE and using an IPIP tunnel (IP protocol number 4) as we use in the AmprNet gateway? In the IPIP tunnel we create one interface, tun0, which we use to tunnel the 44/8 network with a routing table mapping each 44 network range to an Internet gateway IP address. Maybe we can create something similar to the amprnet gateway tunnel, with central information about HSMM Mesh gateways? Or use amprnet gateways to connect local Mesh nodes and use 44.xxx addresses instead of 1.1.1.x???


73 Waldek sp2ong

Last Edited On: 2013-12-11- 00:05:31 By sp2ong for the Reason
 Subject :Re:VPN / GRE tunneling.. 2013-12-12- 01:15:54 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

Hi Waldek,


AMPRnet gateway uses the RIP routing protocol for handling which node has what IP network and so on.


HSMM and BBHN use the OLSR routing daemon, and it works very well for meshed networks; fortunately we can use this also for tunneling.


The main idea behind tunneling, from my point of view, was primarily to establish communications between large mesh segments that have no RF path, i.e. one city to another.


It was not my intention that single nodes should use the tunneling with another single node thus generating a large number of tunX interfaces. Presently we see a practical limit of five tunX interfaces on the WRT54GL models.


GRE tunneling turned out to be the simplest way to achieve this and also makes the least footprint.


Regarding the AMPRnet IP address series, I see no problem in using them for LAN side assignments; however, there needs to be centralized control over who uses what IP network, otherwise it will fail.


I know that in Sweden we have a group of people administrating the SM part of the AMPRnet addresses, and as for myself I have a subnet in the SM range of addresses. I do not use them for HSMM / BBHN though. I use it for TCP/IP over ax25 only.

Last Edited On: 2013-12-12- 07:03:42 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-12-13- 02:07:48 
sp2ong
Member
Joined: 2013-10-30- 10:57:25
Posts: 72
Location

Hi,

OK, I know that the main amprnet server sends the current table of amprnet gateways via RIP broadcast, but we don't need to use RIP. We can use the ENCAP idea via IPIP to tunnel-connect the main gateway Mesh nodes. It does not connect single Mesh nodes but, similar to what you do via GRE, connects local Mesh networks. In your solution we must create a separate TUNx interface to connect each different local Mesh network. I am not sure that it will work but we can check.

We can set up one WRT54 in every local Mesh network which will have access to the Internet and will be the gateway to the other local Mesh networks. For example:

In my city I will define one WRT54 with the following:

ip addr add 44.165.32.254/32 dev tunl0
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up

#load route table
# gateway no1 for example SM7I
ip route add 44.145.34.254/32 via 134.23.34.1 dev tunl0 proto static onlink
# next gateway VE1ABC
ip route add 44.123.4.254/32 via 125.35.4.10 dev tunl0 proto static onlink

......

in /etc/config.mesh/olsrd.conf we bridge only this one interface:

interface "tunl0"

in /etc/config/olsrd.conf:

interface "tunl0" "wl0"

the broadcast address in olsrd.conf will be 255.255.255.255

If you set up something similar on your main Mesh gateway node with:

ip addr add 44.145.34.254/32 dev tunl0
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up

#load route table
# gateway no1 to SP2ONG-Mesh gateway
ip route add 44.165.32.254/32 via 95.24.128.1 dev tunl0 proto static onlink

Maybe this solution will work.

If it works, it will be easy to connect different local Mesh networks into one bigger one. In this solution we define one interface "tunl0" but define a routing table.

What do you think about this, Johan?

Regarding Amprnet: we have the 44/8 network, which is dedicated to TCP/IP use, and in the HamNet network the main protocol is TCP/IP. Yes, I know 44/8 was used for TCP/IP over AX.25, but that was 10 or more years ago when we used Packet Radio, which is now practically not useful. If you still like and want to use AX.25 you can use it the opposite way to 10 years ago: we can use AX.25 via AXIP, where the main protocol is TCP/IP, but you can see that in Europe the ax.25 network is going down. Ham radio users want to use the network like they use the everyday Internet, not terminal programs to use ax.25.

You know the Europe Hamnet map: http://hamnetdb.net/mapwindow.cgi?as=64695&site=

I have attached a picture of an example local network gateway, where we can connect the WRT54 via WAN to the router and we can define a firewall to block Internet use via HSMM-Mesh but allow connections to the 44/8 network, and Mesh users can see, on their own computer connected in the local Mesh network, for example:

http://sp2ong.ampr.org

I have a Hamnet server running on a Raspberry Pi which has for local users:

- WWW server on NGINX with Get Simple CMS

- local forum on MyBB

- SMTP/POP3/IMAP server with webmail GUI using CITADEL

- Video streaming server on ICECAST

- Voice server running on MUMBLE

- Jabber server on "ejabberd" for use with IM clients like PIDGIN

- DXcluster on DXSpider with Web access

It is all running on a small Raspberry PI v2 with the HAMServerPI distribution by DL3DCW installed.

If you have access to Amprnet you can try to see my server http://sp2ong.ampr.org


73 Waldek sp2ong




Last Edited On: 2013-12-21- 11:38:40 By sp2ong for the Reason
 Subject :Re:VPN / GRE tunneling.. 2013-12-13- 02:33:14 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

Hi,


Your idea is great with using only one tun interface, but imagine the size of the manual routing table here. How are we supposed to know each and every network behind every existing and new node without the use of a vector routing protocol?


That would be impossible to maintain in a manual way.

Last Edited On: 2013-12-13- 02:33:46 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-12-13- 02:42:51 
KF7LJH
Member
Joined: 2012-01-26- 14:21:48
Posts: 6
Location: Portland, OR
SM7I, I've been looking forward to this for a while. I'm going to set this up over the holiday for sure and mesh up a bunch of HSMM buddies here in NW Oregon. THANK YOU for taking the time to document your scripts and the setup! Adam KF7LJH
 Subject :Re:Re:VPN / GRE tunneling.. 2013-12-13- 03:03:03 
sp2ong
Member
Joined: 2013-10-30- 10:57:25
Posts: 72
Location

Hi Johan,

Maybe you don't know how we update amprnet gateways. One way is to listen to the RIP broadcast from the main amprnet server and, after receiving the RIP information, the routing table is updated. The second way is to use a crontab script which gets the current encap.txt file via wget or other tools and updates the routing of the amprnet gateway. The file encap.txt is generated on the main portal.ampr.org, where sysops register local amprnet gateways. We can do it the same way: for example on broadband-hamnet.pl there will be a form where whoever wants to connect their local Mesh network with others will register their own local Mesh gateway, entering the following:

IP address 44.xx.xx.xx/32 of the Mesh gateway

IP address of the Internet gateway xx.xx.xx.xx, or hostname if using a dynamic address

and this information will be stored in mesh-gw.txt on the broadband-hamnet.org server, and we can get it via wget to load into our local mesh gateway. We need to add tools to resolve the dynamic hostname to the current IP address, similar to what you have in GRE.

We can use the ampr.org DNS with a registered host like:

sm7i-mesh.ampr.org for the gateway Mesh server. This registration you can do through the local AMPRnet IP coordinator, or register your own local AMPRnet gateway and then you can add a DNS Amprnet entry for sm7i.ampr.org on http://portal.ampr.org. You can see for example:

nslookup sp2ong.ampr.org



73 Waldek




[SM7I 2013-12-12- 20:33:14]:

Hi,


Your idea is great with using only one tun interface, but imagine the size of the manual routing table here. How are we supposed to know each and every network behind every existing and new node without the use of a vector routing protocol?


That would be impossible to maintain in a manual way.


Last Edited On: 2013-12-13- 03:04:11 By sp2ong for the Reason
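As an added example (not code from this thread or from the BBHN project), here is a small POSIX shell script that does what the two posts above describe: it reads a registry file of Mesh gateways and emits the per-gateway "ip route ... dev tunl0 ... onlink" commands for a single IPIP interface, resolving a dynamic-DNS hostname to its current address. The file name mesh-gw.txt, its line format "<44-net gateway>/32 <Internet IP or hostname>", and the nslookup output parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the BBHN project): turn a registry file of
# mesh gateways into the "ip route ... dev tunl0 ... onlink" commands from the posts above.
# Assumed file format (one entry per line): "<44-net gateway>/32 <Internet IP or hostname>".
TUN_DEV="tunl0"

is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve a dynamic-DNS hostname with nslookup (output parsing assumed to fit
# both BusyBox and BIND nslookup); an IPv4 literal is passed through unchanged.
resolve_gw() {
    if is_ipv4 "$1"; then
        echo "$1"
    else
        nslookup "$1" 2>/dev/null | sed -n '/^Name/,$p' \
            | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
    fi
}

# Print one route command per valid entry; comments, blank lines, entries outside
# 44/8 or without a /32 mask, and unresolvable gateways are skipped with a warning.
gen_routes() {
    while read -r net gw rest; do
        case "$net" in ''|\#*) continue ;; esac
        host="${net%/32}"
        if [ "$host" = "$net" ] || ! is_ipv4 "$host" || [ "${host%%.*}" != 44 ]; then
            echo "skip: $net is not a 44/8 host route" >&2
            continue
        fi
        ip="$(resolve_gw "$gw")"
        if [ -z "$ip" ]; then
            echo "skip: cannot resolve gateway $gw for $net" >&2
            continue
        fi
        echo "ip route add $net via $ip dev $TUN_DEV proto static onlink"
    done < "$1"
}

# Constructed sample registry (addresses taken from the post above plus one bad line).
SAMPLE="${TMPDIR:-/tmp}/mesh-gw.txt"
cat > "$SAMPLE" <<'EOF'
# mesh gateway      internet gateway
44.145.34.254/32    134.23.34.1
44.123.4.254/32     125.35.4.10
192.168.1.1/32      5.6.7.8
EOF

gen_routes "$SAMPLE"        # review the commands; pipe into "sh" on the node to apply them
```

Run from cron after fetching a fresh copy of the registry file, and review the generated commands before piping them into the shell so that a bad registry line cannot install an unexpected route.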
 Subject :Re:VPN / GRE tunneling.. 2013-12-16- 03:19:45 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

Hi,


Yes, that would be a possible solution; however, I would like to see several gateways, at least one in each continent, that can share the hosts database on a daily basis.


Also we would need to make sure we can squeeze the RIP function into the WRTs which is easier said than done.


I'm not really sure that this is within the scope of the original developers of HSMM/BBHN, as they foresaw an independent network solution (this has somewhat been put aside when we started tunneling traffic), but it is an interesting approach nevertheless.


To make a long history as short as possible, the GRE development for HSMM was initiated by me and a fellow HAM in a neighboring city since we did not have any RF path between us.


So this GRE development was really only going to be a temporary solution until we could make sure we had enough density of nodes to be able to reach each other with RF.


Since then some other needs arose and now it seems like this is a very neat solution for bringing really remote locations together, such as city to city mesh networks.

Last Edited On: 2013-12-16- 03:20:29 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-12-21- 10:52:31 
EB5JEQ
Member
Joined: 2013-09-21- 14:11:41
Posts: 8
Location: Elche Alicante Spain
 

Waldek, excellent HSMM installation.

Johan: I made the basic mods in my router to establish the VPN links. I sent you an email asking for the parameters of the link config. I await your answer.

I have another doubt:

For configuring my DSL router (ports 47 & 1723), my problem is that this home router doesn't permit two IPs in different subnets.


My local lan is in the segment 192.168.0.x , and the lan ip of the mesh node is 172.27.0.1.


Can I change the IP of the mesh node to the 192.168.0.x segment?

73's



 Subject :Re:VPN / GRE tunneling.. 2013-12-21- 11:10:24 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

I've got your email and I'll answer it later tonight.


Why do you want two IPs in your DSL router? Your node only acquires one IP for its WAN address.


The GRE IPs are used within tunneling hence encapsulated through your WAN interface, never to be seen from that point of view.


You can have any LAN IP you wish (since 0.4.3 does NAT from the LAN to WiFi), but do not change the IP of the WiFi !!

Last Edited On: 2013-12-21- 11:11:45 By SM7I for the Reason
IT infrastructure and security professional
 Subject :Re:VPN / GRE tunneling.. 2013-12-21- 11:35:05 
K5KTF
Admin
Joined: 2010-01-18- 23:04:04
Posts: 266
Location: 5' from this webserver
  

2 things:

First off, Johan, your email is bouncing:

Delivery to the following recipient failed permanently:
johan.engdahl@{domain name removed for privacy}
Technical details of permanent failure:
A delivery loop was detected which causes this email to be undeliverable.

Second, to use a node directly on your LAN, set it to NAT mode, DISABLE WAN, and a Gateway box will appear under LAN settings to let it talk to your home router/modem appropriately. Then set the node LAN IP into your home LAN's IP range.

ex: IP:192.168.0.XXX/mask:255.255.255.0/gateway:192.168.0.1

BUT, once you do this, that same node CANNOT be an internet gateway for your mesh (disabling the WAN port).

I have 2 nodes, where the LAN gateway node is set up like this (lets any device on my home LAN talk to the mesh), and then another node whose WAN is on my home LAN and does the internet gateway functions. The second one is also my tunnel host (since it CAN talk to the internet).

Johan, I may try your tunnel again here, as I found more deep-down settings in my home router that may let it work behind it now. But for now we are using our old style tunnel for the developers (what we used before the 1.0.0 upgrade). I dug deeper and found more detailed static routing functions.

KTF


B-) Jim K5KTF EM10bm Cedar Park, TX :star:
 Subject :Re:VPN / GRE tunneling.. 2013-12-21- 12:09:34 
SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
 

Hi Jim,


Dunno what email you are using, but make sure to email me at: sm7i.ham@gmail.com I have published that address here before :)


Regarding the NAT, please read the whole thread :)

Last Edited On: 2013-12-21- 12:10:13 By SM7I for the Reason
IT infrastructure and security professional