Tun/Tap interface tutorial « \1. Foreword: please note that the code available here is only for demonstration purposes. If you want to be serious, you'll have to make it more robust and integrate it with other code. Also, the description is by no means a definitive reference on the subject, but rather the result of my experimentation. Please report any bug or error you find in the code or otherwise in this article. Thanks. Link to the source tarball described in the article: simpletun. Update 1. 8/0. 7/2. ![]() Thanks to this post, I've learned that recent versions of iproute. Thus, installing tunctl (UML utilities) or Open.
![]() VPN just to be able to create tun devices is no longer needed. The following is with iproute. Usage: ip tuntap . This document attempts to explain how tun/tap interfaces work under Linux, with some sample code to demonstrate their usage. How it works. Tun/tap interfaces are software- only interfaces, meaning that they exist only in the kernel and, unlike regular network interfaces, they have no physical hardware component (and so there's no physical . In the field of packaging technology, the takeover of Schaefer Förderanlagen- und Maschinenbau GmbH, Unterföhring, provides meaningful capability enhancement. Tun/tap interfaces are a feature offered by Linux (and probably by other UNIX-like operating systems) that can do userspace networking, that is, allow userspace. Write a Review The Epiphone Prophecy Les Paul Custom Plus EX/GX Electric Guitar offers you a choice between 2 slightly different guitars, the EX and the GX. You can think of a tun/tap interface as a regular network interface that, when the kernel decides that the moment has come to send data . When the program attaches to the tun/tap interface, it gets a special file descriptor, reading from which gives it the data that the interface is sending out. In a similar fashion, the program can write to this special descriptor, and the data (which must be properly formatted, as we'll see) will appear as input to the tun/tap interface. To the kernel, it would look like the tun/tap interface is receiving data . Whether an interface functions like a tun interface or like a tap interface is specified with a flag when the interface is created. The interface can be transient, meaning that it's created, used and destroyed by the same program; when the program terminates, even if it doesn't explicitly destroy the interface, the interfaces ceases to exist. Another option (the one I prefer) is to make the interface persistent; in this case, it is created using a dedicated utility (like tunctl or openvpn - -mktun), and then normal programs can attach to it; when they do so, they must connect using the same type (tun or tap) used to originally create the interface, otherwise they will not be able to attach. We'll see how that is done in the code. Once a tun/tap interface is in place, it can be used just like any other interface, meaning that IP addresses can be assigned, its traffic can be analyzed, firewall rules can be created, routes pointing to it can be established, etc. With this knowledge, let's try to see how we can use a tun/tap interface and what can be done with it. Creating the interface. The code to create a brand new interface and to (re)attach to a persistent interface is essentially the same; the difference is that the former must be run by root (well, more precisely, by a user with the CAP. Let's start with the creation of a new interface. First, whatever you do, the device /dev/net/tun must be opened read/write. That device is also called the clone device, because it's used as a starting point for the creation of any tun/tap virtual interface. The operation (as with any open() call) returns a file descriptor. But that's not enough to start using it to communicate with the interface. The next step in creating the interface is issuing a special ioctl() system call, whose arguments are the descriptor obtained in the previous step, the TUNSETIFF constant, and a pointer to a data structure containing the parameters describing the virtual interface (basically, its name and the desired operating mode - tun or tap). As a variation, the name of the virtual interface can be left unspecified, in which case the kernel will pick a name by trying to allocate the . All of this must be done by root (or by a user with the CAP. The program can start using the interface right away (probably configuring it with at least an IP address before), and, when it's done, terminate and destroy the interface. The other option is to issue a couple of other special ioctl() calls to make the interface persistent, and terminate leaving it in place for other programs to attach to it. This is what programs like tunctl or openvpn - -mktun do, for example. These programs usually can also optionally set the ownership of the virtual interface to a non- root user and/or group, so programs running as non- root but with the appropriate privileges can attach to the interface later. We'll come back to this below. The basic code used to create a virtual interface is shown in the file Documentation/networking/tuntap. Modifying it a bit, we can write a barebone function that creates a virtual interface: #include < linux /if. MUST have enough. IFF. Note that the caller MUST reserve space in *dev (see calling. Any name can be used, though it's probably better to choose a name that suggests which kind of interface it is. In practice, names like tun. X or tap. X are usually used. If *dev is '\0', the kernel will try to create the . Basically, it can either take the value IFF. Also note that when capturing traffic on the interface with Wireshark, those 4 bytes are never shown. A program can thus use the following code to create a device: char tun. If it does the former, there's not much more to be said. But if it does the latter, here's what happens. Two additional ioctl()s are available, which are usually used together. The first syscall can set (or remove) the persistent status on the interface. The second allows assigning ownership of the interface to a regular (non- root) user. Both features are implemented in the programs tunctl (part of UML utilities) and openvpn - -mktun (and probably others). Let's examine the tunctl code since it's simpler, keeping in mind that it only creates tap interfaces, as those are what user mode linux uses (code slightly edited and simplified for clarity).. But what we have now is a persistent interface owned by a specific user, so processes running as that user can successfully attach to it. As said, it turns out that the code to (re)attach to an existing tun/tap interface is the same as the code used to create it; in other words, tun. When doing so, for it to be successful three things must happen: The interface must exist already and be owned by the same user that is attempting to connect (and probably be persistent)the user must have read/write permissions on /dev/net/tun. The flags provided must match those used to create the interface (eg if it was created with IFF. In this case, no new interface has to be created, so a regular user can successfully perform the operation. So this is an attempt to explain what happens when ioctl(TUNSETIFF) is called, and how the kernel differentiates between the request for the allocation of a new interface and the request to connect to an existing interface: If a non- existent or no interface name is specified, that means the user is requesting the allocation of a new interface. The kernel thus creates an interface using the given name (or picking the next available name if an empty name was given). This works only if done by root. If the name of an existing interface is specified, that means the user wants to connect to a previously allocated interface. This can be done by a normal user, provided that: the user has appropriate rights on the clone device AND is the owner of the interface (set at creation time), AND the specified mode (tun or tap) matches the mode set at creation time. You can have a look at the code that implements the above steps in the file drivers/net/tun. The usual methods (suid binary wrapper, sudo, etc.) can be used if a non- root user needs to do some operation that requires root privileges. This is a possible usage scenario (one I use all the time): The virtual interfaces are created, made persistent, assigned to an user, and configured by root (for example, by initscripts at boot time, using tunctl or equivalent)The regular users can then attach and detach as many times as they wish from virtual interfaces that they own. The virtual interfaces are destroyed by root, for example by scripts run at shutdown time, perhaps using tunctl - d or equivalent. Let's try it. After this lengthy but necessary introduction, it's time to do some work with it. So, since this is a normal interface, we can use it as we would another regular interface. For our purposes, there is no difference between tun and tap interfaces; it's the program that creates or attaches to it that must know its type and accordingly expect or write data. Let's create a persistent interface and assign it an IP address: # openvpn - -mktun - -dev tun. Fri Mar 2. 6 1. 0: 2. TUN/TAP device tun. Fri Mar 2. 6 1. 0: 2. Persist state set to: ON. Let's fire up a network analyzer and look at the traffic: # tshark - i tun. Running as user . This could be dangerous. There is no traffic going through the interface. This is correct: since we're pinging the interface's IP address, the operating system correctly decides that no packet needs to be sent . If you think about it, it's exactly what would happen if you pinged another interface's IP address (for example eth. This might sound obvious, but could be a source of confusion at first (it was for me). Knowing that the assignment of a /2. IP address to an interface creates a connected route for the whole range through the interface, let's modify our experiment and force the kernel to actually send something out of the tun interface (NOTE: the following works only with kernels < 2. PING 1. 0. 0. 0. 2 (1. The kernel sees that the address does not belong to a local interface, and a route for 1. So it duly sends the packets out tun. Note the different behavior here between tun and tap interfaces: with a tun interface, the kernel sends out the IP packet (raw, no other headers are present - try analyzing it with tshark or wireshark), while with a tap interface, being ethernet, the kernel would try to ARP for the target IP address: # pinging 1.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
August 2017
Categories |