howto/GRE on OpenBSD

Point-to-Point Layer 3 GRE tunnel interface

This guide describes how to establish an unencrypted and unauthenticated IPv6-over-IPv6 tunnel on OpenBSD; see gre(4) EXAMPLES for similar setups.

Configuration

Let A be the local OpenBSD host and D the remote peer; assume public DNS names and IPv6 reachability.

Let fd42:: and fd42::1 be the IPs of A and D respectively, both allocated as a /127 subnet from one of the peers' DN42 prefixes.

pseudo interface

Populate /etc/hostname.gre0 with:

tunnel A.example.com D.example.net
inet6 fd42::/127

This will resolve the FQDNs at parse time, set A's and D's IPs as the tunnel source and destination addresses, and set A's assigned IP as the point-to-point address on the interface.

Replace hostnames in the tunnel line with literal IPs if DNS is not available (at system boot).

Reboot or run sh /etc/netstart gre0 to bring up the tunnel.

miscellaneous

Populate /etc/sysctl.conf with:

net.inet.gre.allow=1

Reboot or run sysctl net.inet.gre.allow=1 to allow GRE packet processing.

At this point, gre0 will be administratively UP:

$ ifconfig gre0
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
        index 22 priority 0 llprio 6
        encap: vnetid none txprio payload rxprio packet
        groups: gre
        tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
        inet6 fe80::221:28ff:fef9:c1d8%gre0 -->  prefixlen 64 scopeid 0x16
        inet6 fd42:: -->  prefixlen 127

All traffic destined to fd42::1/127 will be encapsulated and routed to D:

$ route show
[...]
Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
fd42::/127                         fd42::                         UCn        1        0     -     4 gre0
fd42::                             fd42::                         UHl        0        0     -     1 gre0
fd42::1                            link#0                         UHc        0     3180     -     3 gre0
fe80::%gre0/64                     fe80::221:28ff:fef9:c1d8%gre0  Un         0        0     -     4 gre0
fe80::221:28ff:fef9:c1d8%gre0      fe80::221:28ff:fef9:c1d8%gre0  UHl        0        0     -     1 gre0
ff01::%gre0/32                     fe80::221:28ff:fef9:c1d8%gre0  Um         0        1     -     4 gre0
ff02::%gre0/32                     fe80::221:28ff:fef9:c1d8%gre0  Um         0        1     -     4 gre0
[...]
$ route -n get fd42::1
   route to: fd42::1
destination: fd42::1
       mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  interface: gre0
 if address: fd42::
   priority: 3 ()
      flags: <UP,HOST,DONE,CLONED>
     use       mtu    expire
    3181         0         0 

Security

GRE may be protected with IPsec to encrypt and authenticate traffic; OpenIKED can be used to establish an IKEv2 session between A and D.
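
A sketch of the IPsec protection mentioned above, as an added example that is not part of the original guide: an iked.conf(5) policy pair that puts only the GRE packets between A and D into ESP transport mode. It assumes the tunnel endpoint addresses shown in the ifconfig output above, iked's default public-key authentication, and hypothetical policy names "gre-to-D" and "gre-from-A".

```conf
# Added example, not from the original guide. Endpoint addresses are the
# tunnel addresses from the ifconfig output above; the policy names are
# hypothetical.
#
# Key exchange (default public-key authentication), done once out of band:
#   copy A's /etc/iked/local.pub to D as /etc/iked/pubkeys/fqdn/A.example.com
#   copy D's /etc/iked/local.pub to A as /etc/iked/pubkeys/fqdn/D.example.net

# --- /etc/iked.conf on A (initiator) ---
# "transport" keeps the outer IPv6 header and protects the payload, so only
# GRE (proto gre) between the two tunnel endpoints is encrypted and
# authenticated; the inner fd42::/127 traffic rides inside it.
ikev2 "gre-to-D" active transport esp inet6 proto gre \
	from 2001:db8::a to 2001:db9::d \
	peer 2001:db9::d \
	srcid A.example.com dstid D.example.net

# --- /etc/iked.conf on D (responder) ---
# Mirror image of A's policy; "passive" waits for A to initiate.
ikev2 "gre-from-A" passive transport esp inet6 proto gre \
	from 2001:db9::d to 2001:db8::a \
	peer 2001:db8::a \
	srcid D.example.net dstid A.example.com

# On both hosts:
#   iked -n                  # check the configuration file syntax
#   rcctl enable iked
#   rcctl start iked
#   ipsecctl -sa             # expect flows with "proto gre" and ESP SAs
```

Until `ipsecctl -sa` lists the GRE flows and matching SAs on both hosts, the tunnel is still the unencrypted and unauthenticated setup described at the top of this guide.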

Hosted by: xuu, nurtic-vibe, toBee, burble | Accessible via: dn42, dn42.eu, dn42.dev

Last edited by KIOUBIT-MNT, 2021-05-31 21:48:53