45e21c5c660168bbe5be56a4dbedddcec41b25b6
howto/GRE-on-OpenBSD.md
... | ... | @@ -0,0 +1,31 @@ |
1 | +# Point-to-Point Layer 3 GRE tunnel interface |
|
2 | +This guide describes how to establish an unencrypted and unauthenticated IPv6-over-IPv6 tunnel on [OpenBSD](https://openbsd.org), see [gre(4) EXAMPLES](http://man.openbsd.org/gre.4#Point-to-Point_Layer_3_GRE_tunnel_interfaces_(gre)_example) for similar setups. |
|
3 | + |
|
4 | + |
|
5 | +# Configuration |
|
6 | +Let *A* be the local OpenBSD host and *D* the remote peer, assume public DNS names and IPv6 reachability. |
|
7 | + |
|
8 | +Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are allocated as `/127` subnet from one of the peer's DN42 prefix. |
|
9 | + |
|
10 | +## pseudo interface |
|
11 | +Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with: |
|
12 | +``` |
|
13 | +tunnel A.example.com D.example.net |
|
14 | +inet6 fd42::/127 |
|
15 | +``` |
|
16 | +This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface. |
|
17 | + |
|
18 | +Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot). |
|
19 | + |
|
20 | +Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to bring up the tunnel. |
|
21 | + |
|
22 | +## miscellaneous |
|
23 | +Populate `/etc/sysctl.conf` with: |
|
24 | +``` |
|
25 | +net.inet.gre.allow=1 |
|
26 | +``` |
|
27 | +Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing. |
|
28 | + |
|
29 | + |
|
30 | +# Security |
|
31 | +GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *B*. |
|
... | ... | \ No newline at end of file |
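Review bot: the Security section (line 31) names the peers *A* and *B*, but everywhere else in the guide the remote peer is *D* (lines 6, 8, 16), so the IKEv2 sentence should read "between *A* and *D*". Two smaller points in the same hunk: line 8 should say "one of the peers' DN42 prefixes", and since line 16 states that the `tunnel` hostnames are resolved at parse time and line 6 states the tunnel itself is unauthenticated, the advice on line 18 to use literal IPs is worth giving as the default rather than only as a fallback for boot without DNS, because the resolved answer is what decides where the unencrypted tunnel terminates.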