How to utilize TUN/TAP tunnel from user program

networkingtunneling

I recently discovered the existence of Linux TUN/TAP interfaces and am still trying to understand them. I think I get the basic concept – pseudo devices are created which emulate a network interface and instead of passing data to hardware it is passed to a userspace program.

How would you direct an unrelated program to utilize this tunnel?

For example, before the tunnel is created my system only contains eth0 and lo, the normal ethernet interface (wired to my local network) and the loopback interface. After a program creates and configures a tunnel, I have a new interface gr0 which I gave an IP address that is on my local network, but not in use (so we are all on the same subnet). How would I make an unrelated program utilize this 'tunnel'? Say I had a simple Python message passing client/server app which utilizes a TCP connection, how could I configure it to use the tunnel?

I apologize if I am missing something basic, but as usual I have managed to confuse myself in the scheme of things. Again, all I want is to have a simple TCP program utilize this tunnel.

Thanks!

Best Answer

It's not always "tunnel". TUN/TAP is just specific NIC drivers. From point of view of network stack they acts as any other network interfaces: they can have IP addresses, can be point-to-point or broadcast interfaces. Routing rules also applies to them. But all traffic that gets written to one of that network interfaces goes to some userspace program for processing, and all data written by userspace program directly to /dev/tunX looks like incoming packets for network stack.

In usual tunneling setup server and client have TUN devices with assigned addresses. Routing tables configured on both of them directs needed traffic to this TUN devices. When packet get routed to tun0, kernel sends it to userspace program (client) that sends this packet to other program on remote machine (server) via, for example, TCP connection. On remote machine other program (server) recieves packet from client and writes it to it's own /dev/tunX device, "injecting" that packet into network stack. And tunneled packet gets processed as any other.

Related Solutions

Linux – Why are incoming packets on a TAP interface seen with tcpdump but not with iptables

Here is further guesswork. Hope this is helpful, but it may as well be embarassingly wrong.

tap0 has two ends, the kernel network stack end and the program interface. It seems to me if you supply 'nicserver' with tap0, it won't attach to it the way it is intended with tap devices, using the program interface. Instead, nicserver will simply write to it from the network stack end, and with no application reading from the program interface end, you will end up overflowing the device queue. This explains the dropped packets. Also, no packets will be delivered, which might explain the iptables result.

I guess if you let tcpdump capture on tap0 it actually attaches to the program interface end of tap0 and, voila, you see the packets. I searched the internet but found no source to confirm such behaviour. To falsify this theory, capture tap0 and see how it affects packet drops and the iptables log.

Finally, an advice that addresses your original problem: what about using the loopback device, instead? Like so:

nicserver -p 7801 -a lo

Linux – Command to run a child process “offline” (no external network) on Linux

The traditional answer is to run the program as another user and use iptables -m owner. That way, the network configuration is shared. However, with the advent of namespaces, there is an easier way.

With namespaces, you unshare the network, then create a virtual network link if you need limited network access.

To share unix domain sockets, all you need is to have a recent enough kernel, after this 2010 patch, so 2.6.36 or above (which is the case on all current distributions at the time of writing except RHEL/CentOS).

Run the program in its own IP namespace. Before starting the program, establish a virtual ethernet interface. There doesn't seem to be much documentation; I found the right incantation in a few blogs:

Linux Namespaces at Arista
Some notes on veth interfaces by waldner
Introducing Linux Network Namespaces by Scott Lowe

In the snippet below, I use the ns_exec is the this wrapper around setns listed in the man page to bring up the host side of the network link from the process running in the restricted namespace. You don't actually need this: you can set up the host side of the link from outside the restricted namespace. Doing it from inside merely facilitate the flow control, otherwise you need some synchronization to set up the link after it's been established but before starting your program.

unshare -n -- sh -c '
  # Create a virtual ethernet interface called "confined",
  # with the other end called "global" in the namespace of PID 1
  ip link add confined type veth peer name global netns 1

  # Bring up the confined end of the network link
  ip addr add 172.16.0.2/30 dev confined
  ip link set confined up

  # Bring up the global end of the network link
  ns_exec /proc/1/ns/net ifconfig global 172.16.0.1 netmask 255.255.255.252 up

  # Execute the test program
  exec sudo -E -u "$TARGET_USER" "$0" "$@"
' /path/to/program --argument

You need to do all of this as root. The introduction of user namespaces in kernel 3.8 may make this doable with no special permissions, except setting up the global end of the network link.

I don't know how to share localhost between the two namespaces. Virtual ethernet interfaces create a point-to-point bridge. You can use iptables forwarding rules to redirect traffic from/to lo if desired.

Best Answer

Related Solutions

Linux – Why are incoming packets on a TAP interface seen with tcpdump but not with iptables

Linux – Command to run a child process “offline” (no external network) on Linux

Related Question