nexmon – Blame information for rev 1

Rev Author Line No. Line
1 office 1 <!-- source: doc/socat-tun.html -->
2 <html><head>
3 <title>Building TUN based virtual networks with socat</title>
4 <link rel="stylesheet" type="text/css" href="dest-unreach.css">
5 </head>
6  
7 <body>
8  
9 <h1>Building TUN based virtual networks with socat</h1>
10  
11 <h2>Introduction</h2>
12 <p>
13 Some operating systems allow the generation of virtual network interfaces that
14 do not connect to a wire but to a process that simulates the network. Often
15 these devices are called TUN or TAP.
16 </p>
17 <p>
18 socat provides an address type that creates a TUN device on Linux; the other
19 socat address can be any type; it transfers the "wire" data as desired.
20 </p>
21 <p>
22 This document shows how a simple virtual network can be created between
23 two hosts that may be far (many network hops) apart. On both hosts a socat
24 instance is started that connects to the other host using TCP and creates a TUN
25 device. See <a href="socat-openssltunnel.html">socat-openssltunnel.html</a> for
26 a guide on securing the connection using SSL.
27 </p>
28 <p>
29 The following IP addresses are used in the example; replace them in the
30 following commands with the requirements of your situation:</p>
31 <table border="1">
32 <tr><th>host</th><th>address</th><th>mask</th></tr>
33 <tr><td>physical "server" address</td><td>1.2.3.4</td><td>n/a</td></tr>
34 <tr><td>physical "client" address</td><td>n/a</td><td>n/a</td></tr>
35 <tr><td>TUN on "server"</td><td>192.168.255.1</td><td>255.255.255.0</td></tr>
36 <tr><td>TUN on "client"</td><td>192.168.255.2</td><td>255.255.255.0</td></tr>
37 </table>
38 <p>The TCP connection uses port 11443.</p>
39  
40 <p>On "default" Linux installations, creating TUN/TAP devices might require
41 root privilege.</p>
42  
43 <!-- discussion -->
44 <h2>Generate TUN devices with socat</h2>
45 <p>In this section two instances of socat are used to generate TUN devices on
46 different hosts and connect the "wire" sides, providing a simple virtual
47 network.
48 </p>
49 <p>
50 We distinguish server and client only with respect to the connection between
51 the two socat instances; the two TUN interfaces are equivalent.
52 </p>
53  
54 <h3>TUN Server</h3>
55  
56 <span class="frame"><span class="shell">socat -d -d TCP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up</span></span>
57 <p>After starting this command, socat will wait for a connection and then
58 create a TUN pseudo network device with address 192.168.255.1; the number of
59 bits after the slash specifies the mask of the network that this interface
60 appears to be connected to.</p>
61  
62 <h3>TUN Client</h3>
63 <span class="frame"><span class="shell">socat TCP:1.2.3.4:11443 TUN:192.168.255.2/24,up</span></span>
64 <p>This command should establish a connection to the server and create the TUN
65 device on the client.</p>
66  
67 <h3>Seeing it work</h3>
68  
69 <p>
70 After successful connection both TUN interfaces should be active and transfer
71 data between each other using the TCP connection. Try this by pinging
72 192.168.255.1 from the client and 192.168.255.2 from the server.
73 </p>
74  
75 <h3>TCP/IP version 6</h3>
76  
77 <p>IPv6 as transport should work just like any TCP/IPv6 connection.</p>
78  
79 <p>Creation of an IPv6 virtual interface is not directly possible, but you can
80 generate an IPv4 interface as described above, and add IPv6 addresses using
81 the <tt>ifconfig</tt> command.</p>
82  
83 <h2>Troubleshooting</h2>
84  
85 <h3>Test TUN integration</h3>
86 <p>
87 If you get error messages like this:</p>
88 <table border="1" bgcolor="#e08080"><tr><td><tt>... E unknown device/address "tun"</tt></td></tr></table>
89 <p>your socat executable probably does not provide TUN/TAP support. Potential
90 reasons: you are not on Linux or are using an older version of socat.
91 </p>
92  
93 <h3>Missing kernel support</h3>
94 <p>An error message like:</p>
95 <table border="1" bgcolor="#e08080"><tr><td><tt>... E open("/dev/net/tun", 02, 0666): No such file or directory</tt></td></tr></table>
96 <p>indicates that your kernel does not have TUN/TAP support compiled
97 in. Rebuild your kernel with the appropriate configuration (probably under
98 <b>Device driver / Network device support / Network device / Universal TUN/TAP</b>).
99 </p>
100  
101 <h3>TUN cloning device permissions</h3>
102 <p>An error message like:</p>
103 <table border="1" bgcolor="#e08080"><tr><td><tt>... E open("/dev/net/tun", 02, 0666): Permission denied</tt></td></tr></table>
104 <p>indicates that you do not have permission to read or write the TUN cloning
105 device. Check its permission and ownership.</p>
106  
107 <h3>Interface down</h3>
108 <p>If no error occurs but the pings do not work, check whether the network
109 devices have been created:</p>
110 <span class="frame"><span class="shell">ifconfig tun0</span></span>
111 <p>The output should look like:</p>
112 <pre>
113 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
114 inet addr:192.168.255.1 P-t-P:192.168.255.1 Mask:255.255.255.0
115 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
116 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
117 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
118 collisions:0 txqueuelen:500
119 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
120 </pre>
121 <p>Check for the "UP" keyword; if it is missing, you forgot the "up" option
122 in the socat command.</p>
123 <p>Check if the correct IP address and network mask are displayed.</p>
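<p>The three checks above (UP flag, address, mask) as a small script. This is an added example, not part of the original socat documentation; the function names <tt>check_tun</tt>, <tt>sample_up</tt> and <tt>sample_down</tt> are introduced here, and it assumes the older net-tools <tt>ifconfig</tt> output format shown above.</p>

```shell
#!/bin/sh
# Added example: apply this section's checks to classic net-tools ifconfig output.

# Sample taken from the output shown above (counters omitted).
sample_up() {
cat <<'EOF'
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.255.1 P-t-P:192.168.255.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
EOF
}
# Constructed variant: the same interface created without the "up" option.
sample_down() { sample_up | sed 's/UP POINTOPOINT RUNNING/POINTOPOINT/'; }

# check_tun EXPECTED_ADDR EXPECTED_MASK  (ifconfig output on stdin)
# Prints one line per problem; exit status is the number of problems found.
check_tun() {
    want_addr=$1
    want_mask=$2
    out=$(cat)
    problems=0
    addr=$(printf '%s\n' "$out" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    mask=$(printf '%s\n' "$out" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p')
    # The flags line is the one carrying "MTU:"; UP must be a whole word on it.
    flags=$(printf '%s\n' "$out" | sed -n '/MTU:/p')
    case " $flags " in
        *" UP "*) ;;
        *) echo "not UP: the \"up\" option is missing from the TUN address"
           problems=$((problems + 1)) ;;
    esac
    if [ "$addr" != "$want_addr" ]; then
        echo "address is '${addr:-none}', expected '$want_addr'"
        problems=$((problems + 1))
    fi
    if [ "$mask" != "$want_mask" ]; then
        echo "mask is '${mask:-none}', expected '$want_mask'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On a live host: ifconfig tun0 | check_tun 192.168.255.1 255.255.255.0
sample_up | check_tun 192.168.255.1 255.255.255.0 && echo "server TUN ok"
sample_down | check_tun 192.168.255.1 255.255.255.0 || echo "problems: $?"
```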
124  
125 <h3>Routing</h3>
126 <p></p>
127 <span class="frame"><span class="shell">netstat -rn |fgrep 192.168.255</span></span>
128 <p>The output should look like:</p>
129 <pre>
130 192.168.255.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
131 </pre>
132  
133 <h3>Other problems</h3>
134 <p>Another reason for failure might be iptables.</p>
135 <p>Run socat with options <tt>-d -d -d</tt>; this will show every data transfer
136 between the two processes. Each ping probe should cause one transfer in each
137 direction.</p>
138  
139 <h2>History</h2>
140 <p>
141 Linux TUN/TAP support was added to socat in version 1.6.0.</p>
142  
143 <p>This document was last modified in April 2009.</p>
144  
145 <h2>More info about socat TUN/TAP support</h2>
146  
147 <h3>Links regarding this tutorial</h3>
148 <a href="socat.html#ADDRESS_TUN">socat address tun</a><br>
149  
150 <h3>socat options for TUN/TAP addresses</h3>
151 <a href="socat.html#GROUP_TUN">TUN/TAP options</a><br>
152  
153 <h2>References</h2>
154 <a href="http://www.dest-unreach.org/socat">socat home page</a><br>
155 <a href="socat.html">socat man page</a><br>
156 <a href="http://openvpn.net/">OpenVPN home page</a><br>
157 <a href="http://en.wikipedia.org/wiki/TUN/TAP">TUN/TAP on Wikipedia</a><br>
158  
159 <p>
160 <small>Copyright: Gerhard Rieger 2007-2009</small><br>
161 <small>License: <a href="http://www.fsf.org/licensing/licenses/fdl.html">GNU Free Documentation License (FDL)</a></small>
162 </p>
163  
164 </body>
165 </html>