rrqnet(8) ========= :doctype: manpage :revdate: {sys:date "+%Y-%m-%d %H:%M:%S"} :COLON: : :EQUALS: = NAME ---- rrqnet - Packet tunneling over UDP, multiple channels SYNOPSIS -------- *rrqnet* [ OPTIONS ] _port_ ( _remote_ [*-i* _mac_]* )* DESCRIPTION ----------- *rrqnet* is a bi-directional networking plug that channels Ethernet packets between a UDP port and either a tap interface or standard input/output. It is configured on the command line by declarations of the remotes it may communicate with. OPTIONS ------- Note that any options must be given in the fixed order: [-v] [-4] [-B n] [-T n] [-m mcast] [-t tap] *-v*:: This tells *rrqnet* to log its operation on +stderr+. Use *-vv* to also see logs about connections and messaging, or *-vvv* for *rrqnet* to be insanely verbose on +stderr+ about virtually everything. *-4*:: This directs *rrqnet* to use an ipv4-only socket for its UDP. By default it opens a dual ipv4/ipv6 socket and internally it then uses address mapping for ipv4 (i.e. the ::ffff/96 prefix). *-B* _n_:: This sets the number of receive buffers *rrqnet* should use. The default is computed to be twice the number of dispatch threads (see *-T* below). Receive buffers are pre-allocated and recycled. *-T* _n_:: This sets the number of dispatch threads *rrqnet* should use. The default is 5. The (additional) main thread handles packet reception, where it immediately puts received packets into the buffer queue which is serviced by the dispatch threads for optional decryption, dispatch decision, optional encryption and delivery. *-m* _mcast_:: This tells *rrqnet* to open an ipv4 UDP multicast channel as an additional remote channel. *-t* _tap_:: This tells *rrqnet* to open the nominated tap (the _tap_ interface name) as local channel. * When a tap is used, stdin and stdout are closed, but stderr remains open. * Without a *-t* argument, *rrqnet* will merely operate as a virtual switch among its channels. * With "*-*" as tap name, *rrqnet* will use stdin/stdout as local networking channel in a format compatible with VDE plugs. _address-block[:port][=cryptfile]_ [ *-i* _mac_[,_mac_]* ]:: Remotes are declared as +ipv4+ or +ipv6+ network address blocks optionally with port and transport encryption key file pathname, and optionally with specific MAC addresses (in a comma separated list) to ignore. Note that an ipv6 address block might need surrounding square brackets, to avoid confusion with the port number. DETAILED DESCRIPTION -------------------- The intended use of *rrqnet* is to provide VPN (virtual private network) connectivity between hosts. Each VPN host runs its own *rrqnet* daemon to channel the traffic to/from tap interfaces on the hosts via UDP messaging between the hosts. *rrqnet* is prepared for almost any network layout, even including a collection of fully connected hosts, although the more common is a "star' formation. See the EXAMPLES section for inspiration. *rrqnet* includes logic aiming to protect against broadcast cycles. Howewer it does not have the more advanced spanning tree logic that is offered by bridge interfaces. In general it's best to avoid cycles and rather run several *rrqnet* on a host with their local taps connected in a bridge interface. By default *rrqnet* opens an +ipv6+ socket on the given port. This mode handles both +ipv6+ and +ipv4+ remotes with +ipv4+ remotes handled by means of ipv6-mapped address translations. If *-4* is given, *rrqnet* opens an +ipv4+ socket instead, and it cannot then have +ipv6+ remotes. A *rrqnet* daemon delivers the packets received from the local end, i.e., the _tap_ or _stdio_, to known remote ends according the targeted MAC addresses and established remote channels. Likewise, packets from remotes are delivered to the local end or to other remotes according to the targeted MAC addresses. If a packet is an Ethernet broadcast, it is delivered to all (known) channels except the one it came from. If *rrqnet* is started without *-t* option it will operate like an Ethernet switch that provides connectivity among its +UDP+ channels without involving the host network other than for the tunneling. REMOTE DECLARATIONS ~~~~~~~~~~~~~~~~~~~ .ipv4 address block This format declares remotes by +ipv4+ address, with optional network prefix length (0-32), optional port (1-65535) and/or optional key file pathname. *rrqnet* will accept packets from sources that match. If the network prefix length, +n+, is omitted or given as 32, and a port is given, then the remote is taken as an _uplink_. .matching ipv4 uplink and downlink ==== ---- [1.2.3.4]# rrqnet -t vpn0 2300 5.6.7.1:2300=/sec/vpn0.key [5.6.7.1]# rrqnet -t vpn0 2300 1.2.3.0/24:2300=/sec/vpn0.key ---- ==== .plain ipv6 address block This format declares remotes by ipv6 address, with optional network prefix length (0-128) and/or optional key file pathname. *rrqnet* will accept packets from sources that match. This format (without square brackets) is without port number part, and it thus only declares a prefix mask for allowed sender hosts. .ipv6 address block within square brackets This format declares remotes by ipv6 address, with optional network prefix length (0-128) within square brackets, then optionally a port number and/or an optional key file pathname. *rrqnet* will accept packets from sources that match. If the network prefix length, +n+, is omitted, or given as 128, and a port number is given, then it declares an _uplink_. .matching ipv6 uplink and downlink ==== ---- [fd::4]# rrqnet -t vpn0 2300 '[fe::1:4]:2300=/sec/vpn0.key' [fe::1:4]# rrqnet -t vpn0 2300 '[fd::/120]:2300=/sec/vpn0.key' ---- ==== Remotes are declarations to match the source IP addresses for UDP traffic. It is either a full host and port address, or an address block with or without port number. A full network address and port (e.g +[fe::1:4]:2300+ of example 2) declares an _uplink_ that the declaring *rrqnet* daemon will establish and maintain by means of regular heartbeat messaging. An address block declaration defines the mask for allowed incoming connections, aka _downlinks_, that teh declaring dameon expects are maintained as uplinks by the remote *rrqnet* daemons. The *-i* option, if used for a remote declaration, is followed by a comma separated list of the MAC addresses to ignore on the associated channel. The *rrqnet* daemon will then just drop any packet with those MAC addresses (whether source or destination) on the remotes of the channel. MULTICAST CHANNEL ----------------- With the *-m* option, the *rrqnet* daemon also listens for packets on the declared ipv4 multicast address. It is then treated as a separate, persistent remote channel. A multicast channel is declared using the format: *ipv4:port{=keyfile}*. I.e. it includes the multicast ipv4 address, the port number (1-65535), and optionally a key file pathname. The multicast channel is an additional communication channel, but anything received on it will be treated as being from the multicast IP rather than the actual source IP. .multicast example without other remotes ==== ---- # rrqnet -m 244.0.2.1:2000 -t vpn0 ---- ==== The multicast channel is compatible with QEMU multicast socket. TRANSPORT ENCRYPTION -------------------- Transport encryption is added to a channel by menas of using a shared key. This is a sizable file, say 1 Mb, of binary data that is used for scrambling the network packets. For example, 1 Mb random data is fine. .preparing 1 Mb key file with random content ==== ---- dd if=/dev/random of=/sec/keyfile bs=1M count=1 ---- ==== The key file needs to be copied to all hosts. A channel that has a key file is declared by appending it to the channel declaration, as in the following example. .another example of a downlink with encryption ==== ---- [10.0.0.1]# rrqnet -v -t tap0 1400 10.2.0.0/16:1400=/sec/keyfile ---- ==== That declaration says that all channels with hosts of ipv4 address +10.2.0.0/16+, port 1400, use the file +/sec/keyfile+ for transport encryption. FURTHER EXAMPLES ---------------- Simple rrqnet set up (ipv6) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is an example set up for connecting two hosts with *rrqnet*, without transport encryption. We pretend these hosts are mutually reachable with ipv6 addresses +fe::2+ and +fe::1:3+ respectively, and we want to use the ipv6 network +fd::1000:0/120+ over *rrqnet*. A nominal set up might then be as follows: .simple rrqnet set up (ipv6) ==== ---- [fe::2]# ip tuntap add tap0 mode tap [fe::2]# ifconfig tap0 fd::1000:10/120 up [fe::2]# rrqnet -v -t tap0 1400 '[fe::1:3]:1400' & -- [fe::1:3]# ip tuntap add tap0 mode tap [fe::1:3]# ifconfig tap0 fd::1000:20/120 up [fe::1:3]# rrqnet -v -t tap0 1400 '[fe::2]:1400' & ---- ==== Thus, the host +fe::2+ is set up with a tap, +tap0+, having +ipv6+ address and net +fd::1000:10/120+, and a *rrqnet* daemon for the tap and UDP port +1400+ that uplinks to a remote *rrqnet* at +fe::1:3+ port +1400+. Similarly, the host +fe::1:3+ is set up with a tap +tap0+, having +ipv6+ address and net +fd::1000:20/120+, and a *rrqnet* daemon for the tap and UDP port +1400+ that uplinks to a remote *rrqnet* at +fe::2+ port +1400+. This example also needs ipv6 address resolution set up, which uses the MAC addresses of the two taps. Let's say it's +02:00:00:00:00:02+ for +tap0+ on +fe::2+ and +04:00:00:00:00:04+ for +tap0+ on +fe::1:3+. Then address resolution is established with the following: .example of ipv6 address resolution set up ==== ---- [fe::2]# ip neigh add fd::1000:20 dev tap0 lladdr 04:00:00:00:00:04 -- [fe::1:3]# ip neigh add fd::1000:10 dev tap0 lladdr 02:00:00:00:00:02 ---- ==== Simple rrqnet set up (ipv4) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is an example set up for connecting two hosts with *rrqnet*, without transport encryption. We pretend these hosts are mutually reachable with ipv4 addresses +10.0.0.1+ and +192.168.0.1+ respectively, and we want to use the ipv4 network +10.100.100.0/24+ over *rrqnet*. A nominal set up might be as follows: .Simple rrqnet set up (ipv4) ==== ---- [10.0.0.1]# ip tuntap add tap0 mode tap [10.0.0.1]# ifconfig tap0 10.100.100.1/24 up [10.0.0.1]# rrqnet -v -t tap0 1400 192.168.0.1:1400 & -- [192.168.0.1]# ip tuntap add tap0 mode tap [192.168.0.1]# ifconfig tap0 10.100.100.2/24 up [192.168.0.1]# rrqnet -v -t tap0 1400 10.0.0.1:1400 & ---- ==== Thus, the host +10.0.0.1+ is set up with a tap, +tap0+, having ipv4 address and net +10.100.100.1/24+, and a *rrqnet* daemon for the tap and UDP port +1400+ that uplinks to a remote *rrqnet* at +192.168.0.1+ port +1400+. Similarly, the host +192.168.0.1+ is set up with a tap +tap0+, having +ipv4+ address and net +10.100.100.2/24+, and a *rrqnet* daemon for the tap and UDP port +1400+ that uplinks to a remote *rrqnet* at +10.0.0.1+ port 1400. The kernel automagically performs ipv4 address resolution to learn the MAC addresses associated with the remote ipv4 addresses through the taps. rrqnet set up through NAT ~~~~~~~~~~~~~~~~~~~~~~~~~ If one of the hosts, say +192.168.0.1+ is behind a NAT router with different IP, say, a dynamic IP on the net +10.2.0.0/16+, we need a different set up. In this scenario, the first host would be set up as a "server" and the second a client that would utilize the router's NAT function for return traffic. The set up would be as follows: .rrqnet set up through NAT ==== ---- [10.0.0.1]# ip tuntap add tap0 mode tap [10.0.0.1]# ifconfig tap0 10.100.100.1 up [10.0.0.1]# rrqnet -v -t tap0 1400 10.2.0.0/16:1400 & -- [192.168.0.1]# ip tuntap add tap0 mode tap [192.168.0.1]# ifconfig tap0 10.100.100.2 up [192.168.0.1]# rrqnet -v -t tap0 1400 10.0.0.1:1400 & ---- ==== Thus, the "server" is set up to allow connections from any host on the network +10.2.0.0/16+, port 1400, while the "client" is set up the same way as in the simple example above. The client will establish and uphold the connection by virtue of its 30 second "heart beat", and return traffic will be channeled via the router's NAT function. Note that the server sees the _external_ IP of the client and not its _internal_ IP. The server's *rrqnet* therefor has a remote declaration to allow messages from that external IP, and in the example case, even an address block of a 16 bit common prefix (the choice of a 16 bit prefix is merely for the sake of this example). Multiple client hosts ~~~~~~~~~~~~~~~~~~~~~ In a "client-server" set up, there can be any number of "client" hosts. However, the "clients" behind a common NAT router must then use distinct ports as otherwise the router will be confused about the return traffic. With multiple remote channels, a *rrqnet* daemon serves as a network switch that forwards traffic in between the channels as well as to and from the "server" tap. The daemon also forwards Ethernet broadcasts out on all established channels in support of ARP messaging. Further, a *rrqnet* daemon may be both a "server" with down-link channels, and a "client" with one or more up-link channels, all at the same time. Such a daemon forwards traffic between all established channels by means of the Ethernet addresses, as well as broadcasts onto all channels Stdio network ~~~~~~~~~~~~~ The *rrqnet* daemon may be set up to use standard input/output rather than a tap for local network traffic. This operation mode has some rare use cases, such as linking two *rrqnet* daemons, or connecting to a VDE network. For example: .stdio network between two rrqnet plugs ==== ---- # dpipe rrqnet 1400 0.0.0.0/0=keyfile0 = rrqnet 1401 0.0.0.0/0=keyfile1 & ---- ==== That example set up would make a connection between the two "server" daemons operating at different UDP ports, accepting messages from any ipv4 host, where port +1400+ has +keyfile0+ for transport encryption, and +1401+ has +keyfile1+ for transport encryption. Another example would be for connecting the *rrqnet* traffic to a VDE network via a +vde_plug+ as in the following example: .stdio network to a vde_plug ==== ---- # dpipe rrqnet 1400 0.0.0.0/0 = vde_plug /tmp/vde1.ctl & ---- ==== Note that *rrqnet* and +vde_plug+ use compatible stdio packet representation. NOTES ----- The UDP receiver in *rrqnet* accepts packets from the specified remote ends only, but it doesn't perform any payload verification. Messages smaller than 12 bytes are taken as "heartbeats", and larger messages are first decrypted as applicable, then treated as Ethernet messages and delivered according to their destination MAC addresses. *rrqnet* versions after 0.2.3 adds some data to the Ethernet packet in the UDP communication. *rrqnet* bridges its connections, and forwards Ethernet broadcasts to all known end-points except the incoming one. The input logic takes care of avoiding broadcast cycles. *rrqnet* does not have Spanning Tree Logic (STL), but some simple timing logic based on binding MAC addresses to remotes. That binding is sticky for a short time: 6s for broadcast and 20s for unicast. Any packet received during that time from the same MAC address via another remote is dropped. Also, a downlink without incoming traffic for 3 minutes is considered stale. *rrqnet* sends a "heartbeat" of an empty UDP message on its uplinks every 30 seconds. This is done in order to maintain the channel with the remote end without actually binding any MAC address. When the local input is a tap, *rrqnet* closes standard input and standard output, but not standard error, before entering the packet handling loop. Using +-t -+ for stdin/stdout packet traffic is compatible with +vde_plug+. SEE ALSO -------- *rrqnet-cron.sh(8)* - Management script to uphold a *rrqnet* plug. *vde_plug(1)* - Virtual Distributed Ethernet plug. AUTHOR ------ Ralph Rönnquist