Bridging over VPN

 
 
Daniel

 
      01-26-2009, 10:52 AM
Hello,

I have two network devices dev1 and dev2 that I want to fool into thinking
that they are on the same Ethernet LAN. I took two computers having two network
devices each, and called those computers gw1 and gw2. Then I connected
my devices to them, and connected the computers so I got this setup:

[dev1-LAN] <-> [LAN-gw1-WAN] <-> [WAN-gw2-LAN] <-> [LAN-dev2]

gw1 and gw2 can talk to each other over their WAN interfaces. I
created an SSH VPN between gw1 and gw2, resulting in virtual
interfaces tun0 on both computers. Then I planned to use bridge-utils
to create a bridge between the LAN interface and tun0 on both gw1 and
gw2. But no! The utility brctl does not allow virtual interfaces to be
added to the bridge.

Anyone know something else I can try?

Regards,
Daniel
 
 
 
 
 
Pascal Hambourg

 
      01-26-2009, 11:35 AM
Hello,

Daniel wrote:
>
> I created an SSH VPN between gw1 and gw2, resulting in virtual
> interfaces tun0 on both computers. Then I planned to use bridge-utils
> to create a bridge between the LAN interface and tun0 on both gw1 and
> gw2. But no! The utility brctl does not allow virtual interfaces to be
> added to the bridge.


Linux bridging requires ethernet-like layer-2 interfaces. I guess that
by default ssh creates a point-to-point routed layer-3 tunnel. You may
need to add the "tunnel ethernet" option either in ssh_config or with -o
on the command line.
 
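The layer-2 requirement described in the reply above, as an added example that is not part of the original thread: a pre-flight check that an interface is Ethernet-type before it is added to a bridge, plus a dry-run listing of the bridge-utils commands for one gateway. The names br0, eth1 and tap0 and the tunnel numbers 0:0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check and dry-run plan for
# bridging a LAN port with an SSH layer-2 tunnel device on one gateway.
#
# Tunnel side, using OpenSSH options (interface numbers are assumptions):
#   gw2 sshd_config:  PermitTunnel ethernet
#   on gw1 as root:   ssh -o Tunnel=ethernet -w 0:0 root@gw2
# Tunnel=ethernet must come before -w, otherwise -w selects point-to-point
# mode and a tun device is created instead of a tap device.

# Overridable so the check can be exercised against a constructed tree.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# <sysfs>/<iface>/type holds the ARP hardware type:
#   1     ARPHRD_ETHER (Ethernet NICs, tap devices): accepted by the bridge
#   65534 ARPHRD_NONE  (tun devices, layer 3 only):  rejected by the bridge
# Returns 0 for Ethernet-type, 1 for any other type, 2 if the interface is missing.
iface_is_ethernet() {
    [ -r "$SYSFS_NET/$1/type" ] || return 2
    [ "$(cat "$SYSFS_NET/$1/type")" = "1" ]
}

# Print, without running them, the bridge-utils commands for one gateway.
# Usage: bridge_plan BRIDGE IFACE...   (fails if any port is not layer 2)
bridge_plan() {
    br=$1
    shift
    for ifc in "$@"; do
        if ! iface_is_ethernet "$ifc"; then
            echo "refusing $ifc: not an Ethernet-type (layer-2) interface" >&2
            return 1
        fi
    done
    echo "brctl addbr $br"
    for ifc in "$@"; do
        echo "brctl addif $br $ifc"
        echo "ip link set dev $ifc up"
    done
    echo "ip link set dev $br up"
}

# Stand-alone use: sh bridge-plan.sh br0 eth1 tap0
if [ "$#" -ge 2 ]; then
    bridge_plan "$@"
fi
```

The script only prints the commands; review the output, then run them as root on each gateway once the tap device exists.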
 
Daniel

 
      01-27-2009, 09:07 AM
On 26 Jan, 13:35, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Linux bridging requires ethernet-like layer-2 interfaces. I guess that
> by default ssh creates a point-to-point routed layer-3 tunnel. You may
> need to add the "tunnel ethernet" option either in ssh_config or with -o
> on the command line.


Thanks a lot! That took me further along the way. I was able to add
the tap interface to the bridge, and could ping through the system as
expected. However... When running iperf with TCP to test the
throughput, I got the following result:

root@delilah:~# iperf -s -i 1
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
Disconnecting: Bad packet length 2377517191.
root@hedvig:~#

Referring to the ASCII picture below, the WAN interfaces are on
different subnets and are connected with an IP-layer router. So it
doesn't seem to be a problem with a loop over a physical cable and a
virtual tunnel. I haven't seen this kind of problem before and have no
idea what might be creating it.

[dev1-LAN] <-> [LAN-gw1-WAN] <-> [WAN-gw2-LAN] <-> [LAN-dev2]

 
 
Pascal Hambourg

 
      01-27-2009, 09:04 PM
Daniel wrote:
>
> Thanks a lot! That took me further along the way. I was able to add
> the tap interface to the bridge, and could ping through the system as
> expected. However... When running iperf with TCP to test the
> throughput, I got the following result:
>
> root@delilah:~# iperf -s -i 1
> ------------------------------------------------------------
> Server listening on TCP port 5001
> TCP window size: 85.3 KByte (default)
> ------------------------------------------------------------
> Disconnecting: Bad packet length 2377517191.


Sorry I cannot help you much more, as I have never used this tunneling
feature in ssh. Is this between dev1 and dev2 or gw1 and gw2? Watching
the packets at the WAN and TAP interfaces on both sides may provide some
information. What about a regular TCP connection?
 
 
Daniel

 
      01-28-2009, 03:31 PM
On 27 Jan, 23:04, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Daniel wrote:
>
> > Thanks a lot! That took me further along the way. I was able to add
> > the tap interface to the bridge, and could ping through the system as
> > expected. However... When running iperf with TCP to test the
> > throughput, I got the following result:
> >
> > root@delilah:~# iperf -s -i 1
> > ------------------------------------------------------------
> > Server listening on TCP port 5001
> > TCP window size: 85.3 KByte (default)
> > ------------------------------------------------------------
> > Disconnecting: Bad packet length 2377517191.
>
> Sorry I cannot help you much more, as I have never used this tunneling
> feature in ssh. Is this between dev1 and dev2 or gw1 and gw2? Watching
> the packets at the WAN and TAP interfaces on both sides may provide some
> information. What about a regular TCP connection?


I used OpenVPN instead of SSH VPN, and it worked!
 