• Home
  • Getting Started
  • Registry Authentication
  • Address Space
  • BGP communities
  • FAQ

• How-To

  • Wireguard
  • Openvpn
  • IPsec With Public Keys
  • Tinc
  • GRE on FreeBSD
  • GRE on OpenBSD
  • IPv6 Multicast (PIM-SM)
  • Bird / Bird2
  • Quagga
  • OpenBGPD
  • Mikrotik RouterOS
  • EdgeRouter
  • Static routes on Windows
  • Universal Network Requirements
  • VyOS
  • NixOS

• Services

  • IRC
  • Whois registry
  • DNS
  • Public DNS
  • Looking Glasses
  • Automatic Peering
  • Repository Mirrors
  • Distributed Wiki
  • Certificate Authority
  • Route Collector

• Internal

  • Internal services
  • Interconnections
  • APIs
  • Show and Tell
    
  • Historical services

• External Tools

  • Paste Board
  • Git Repositories

---

Point-to-Point Layer 3 GRE tunnel interface

This guide describes how to establish an unencrypted and unauthenticated IPv6-over-IPv6 tunnel on OpenBSD, see gre(4) EXAMPLES for similar setups.

Configuration

Let A be the local OpenBSD host and D the remote peer, assume public DNS names and IPv6 reachability.

Let fd42:: and fd42::1 be the IPs of A and D respectively where both are allocated as /127 subnet from one of the peer's DN42 prefix.

pseudo interface

Populate /etc/hostname.gre0 with:

tunnel A.example.com D.example.net
inet6 fd42::/127

This will resolve FQDNs at parse time, set A's and D's IPs as source and destination tunnel address and set A's assigned IP as point-to-point address on the interface.

Replace hostnames in the tunnel line with literal IPs if DNS is not available (at system boot).

Reboot or run sh /etc/netstart gre0 to bring up the tunnel.

miscellaneous

Populate /etc/sysctl.conf with:

net.inet.gre.allow=1

Reboot or run sysctl net.inet.gre.allow=1 to allow GRE packet processing.

At this point, gre0 will be administratively UP:

$ ifconfig gre0
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
        index 22 priority 0 llprio 6
        encap: vnetid none txprio payload rxprio packet
        groups: gre
        tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
        inet6 fe80::221:28ff:fef9:c1d8%gre0 -->  prefixlen 64 scopeid 0x16
        inet6 fd42:: -->  prefixlen 127

All traffic destined to fd42::1/127 will be encapsulated and routed to D:

$ route show
[...]
Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
fd42::/127                         fd42::                         UCn        1        0     -     4 gre0
fd42::                             fd42::                         UHl        0        0     -     1 gre0
fd42::1                            link#0                         UHc        0     3180     -     3 gre0
fe80::%gre0/64                     fe80::221:28ff:fef9:c1d8%gre0  Un         0        0     -     4 gre0
fe80::221:28ff:fef9:c1d8%gre0      fe80::221:28ff:fef9:c1d8%gre0  UHl        0        0     -     1 gre0
ff01::%gre0/32                     fe80::221:28ff:fef9:c1d8%gre0  Um         0        1     -     4 gre0
ff02::%gre0/32                     fe80::221:28ff:fef9:c1d8%gre0  Um         0        1     -     4 gre0
[...]

$ route -n get fd42::1
   route to: fd42::1
destination: fd42::1
       mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  interface: gre0
 if address: fd42::
   priority: 3 ()
      flags: <UP,HOST,DONE,CLONED>
     use       mtu    expire
    3181         0         0 

Security

GRE may be protected with IPsec to encrypt and authenticate traffic, OpenIKED can be used to establish an IKEv2 session between A and D.

Hosted by: xuu, nurtic-vibe, toBee, burble | Accessible via: dn42, dn42.eu, dn42.dev