ip-tunnel
Create and manage network tunnels
SYNOPSIS
ip tunnel { add | change | del } NAME [ mode MODE ] [ remote ADDRESS ] [ local ADDRESS ] [ OPTIONS ]
ip tunnel { show [ NAME ] | help }
PARAMETERS
add
Creates a new tunnel device.
change
Modifies an existing tunnel device.
del
Deletes a tunnel device.
show
Lists all configured tunnel devices and their parameters.
NAME
The name of the tunnel device (e.g., gre1). Note that ip tunnel selects the encapsulation with mode, not with type; the type keyword belongs to ip link add.
mode MODE
The tunnel mode. Accepted values are ipip, sit, isatap, gre, ip6ip6, ipip6, ip6gre, vti, vti6 and any. Layer 2 and UDP-encapsulated variants (gretap, FOU/GUE encapsulation) are not ip tunnel modes; they are created with ip link add NAME type TYPE ..., which accepts the same endpoint and key options.
local ADDRESS
The address used as the outer source of encapsulated packets. If omitted, the kernel chooses a source when sending, and on receive the tunnel matches packets addressed to any local address.
remote ADDRESS
The address of the peer, used as the outer destination and, on receive, required as the outer source. If omitted (shown as remote any by ip tunnel show), the tunnel matches encapsulated packets from any source address.
dev NAME
Binds the tunnel to a physical device, so that encapsulated packets are sent only through that device.
ttl N
Sets a fixed Time-To-Live on encapsulated packets. N is in the range 1..255; 0 or inherit copies the TTL from the inner packet. The default for IPv4 tunnels is inherit.
tos T | dsfield T
Sets a fixed Type of Service / DS field on the outer header; the value inherit copies it from the inner packet, and is the default.
pmtudisc | nopmtudisc
Enables or disables Path MTU Discovery on the tunnel; it is enabled by default. A fixed ttl is incompatible with nopmtudisc: tunnelling with a fixed ttl always performs PMTU discovery.
key K | ikey K | okey K
GRE only. Uses keyed GRE with key K, given as a number or as a dotted-quad IPv4 address. key sets both directions; ikey and okey set the input and output keys separately. The key is a cleartext 32-bit identifier that selects among tunnels sharing the same endpoints, not an authentication secret.
csum | icsum | ocsum
GRE only. Generates checksums on outgoing packets (ocsum), requires them on incoming packets (icsum), or both (csum).
encap { fou | gue | none } , encap-sport PORT , encap-dport PORT
UDP encapsulation options. These belong to ip link add NAME type { ipip | gre | sit } ..., not to ip tunnel: the receive port is registered first with ip fou add port PORT ipproto PROTO, and the tunnel device is then created with encap fou encap-sport PORT encap-dport PORT (encap-sport may be auto).
DESCRIPTION
The ip tunnel command, part of the iproute2 suite, configures and manages IP-in-IP tunnel devices on Linux. It creates, modifies, deletes and displays tunnels of several kinds: GRE (Generic Routing Encapsulation), IPIP (IPv4-in-IPv4), SIT (Simple Internet Transition, IPv6-in-IPv4), the IPv6-transport modes ip6ip6, ipip6 and ip6gre, and VTI (Virtual Tunnel Interface), the companion device for IPsec policies. UDP encapsulation (FOU, Foo over UDP) is configured with the separate ip fou subcommand and the encap options of ip link, not with ip tunnel.
These tunnels place the original packet behind a second IP header, so two networks that are not directly connected can exchange traffic across transit that routes only the outer addresses. That gives VPN-like connectivity but no confidentiality or integrity: the inner packet travels in clear text and the receiver accepts it on the strength of the outer addresses (and, for GRE, a cleartext key) alone. Typical uses are site-to-site links, carrying IPv6 across IPv4-only transit or the reverse, and working around topology limits such as a routing domain that cannot carry a given prefix. Compared with the older iptunnel command, ip tunnel exposes every tunnel parameter: endpoints, GRE keys and checksums, TTL, DS field and PMTU discovery.
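The complete procedure the sections above describe, as an added example that is not part of the iproute2 manual: a keyed GRE tunnel between two network namespaces, with the MTU fixed from the encapsulation overhead and the outer protocol pinned to the peer at the firewall. The namespace names, all addresses and the key are constructed values; running the setup part requires root, the ip_gre module and iptables, while the builder functions run anywhere.

```shell
#!/bin/sh
# Added example, not from the iproute2 manual: bring up a keyed
# point-to-point GRE tunnel between two network namespaces and add the
# checks a practitioner wants around it. Namespace names and all
# addresses below are constructed (RFC 5737 / RFC 1918 ranges).
set -eu

SITE_A=siteA;       SITE_B=siteB           # constructed namespace names
A_OUTER=192.0.2.1;  B_OUTER=192.0.2.2      # transport (outer) addresses
A_INNER=10.10.0.1;  B_INNER=10.10.0.2      # addresses carried inside
GRE_KEY=1001                               # tunnel identifier, not a secret

# Mirror the ranges the kernel accepts before handing values to ip:
# the GRE key is a 32-bit field, ttl is 0 (inherit) or 1..255.
key_ok() { [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 4294967295 ]; }
ttl_ok() { [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 255 ]; }

# Build the ip tunnel line for one endpoint; printing it first lets the
# command be reviewed (or logged) before it is applied.
tunnel_cmd() {  # name local remote key ttl
    key_ok "$4" || { echo "bad key: $4" >&2; return 1; }
    ttl_ok "$5" || { echo "bad ttl: $5" >&2; return 1; }
    printf 'ip tunnel add %s mode gre local %s remote %s key %s ttl %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# GRE over IPv4 costs 24 bytes (20 IPv4 + 4 GRE) plus 4 when a key is
# present, so fix the tunnel MTU instead of relying on PMTU discovery
# that an intermediate firewall may silently break.
gre_mtu() {  # outer_mtu keyed(0|1)
    echo $(( $1 - 24 - 4 * $2 ))
}

# Only the configured peer may deliver GRE (IP protocol 47) to this
# host. GRE carries no authentication, so this rule is what stops a
# third party with a spoofed source from injecting into the tunnel.
guard_cmd() {  # peer
    printf 'iptables -A INPUT -p 47 ! -s %s -j DROP\n' "$1"
}

setup() {
    ip netns add "$SITE_A"; ip netns add "$SITE_B"
    ip link add vA type veth peer name vB
    ip link set vA netns "$SITE_A"; ip link set vB netns "$SITE_B"
    for ns in "$SITE_A" "$SITE_B"; do ip -n "$ns" link set lo up; done
    ip -n "$SITE_A" addr add "$A_OUTER/24" dev vA; ip -n "$SITE_A" link set vA up
    ip -n "$SITE_B" addr add "$B_OUTER/24" dev vB; ip -n "$SITE_B" link set vB up

    mtu=$(gre_mtu 1500 1)
    ip netns exec "$SITE_A" sh -c "$(tunnel_cmd gre1 "$A_OUTER" "$B_OUTER" "$GRE_KEY" 64)"
    ip netns exec "$SITE_B" sh -c "$(tunnel_cmd gre1 "$B_OUTER" "$A_OUTER" "$GRE_KEY" 64)"
    ip -n "$SITE_A" addr add "$A_INNER/30" dev gre1; ip -n "$SITE_A" link set gre1 mtu "$mtu" up
    ip -n "$SITE_B" addr add "$B_INNER/30" dev gre1; ip -n "$SITE_B" link set gre1 mtu "$mtu" up
    ip netns exec "$SITE_A" sh -c "$(guard_cmd "$B_OUTER")"
    ip netns exec "$SITE_B" sh -c "$(guard_cmd "$A_OUTER")"

    # Full-size probe with DF set: passes only if the MTU arithmetic is right
    # (payload = MTU - 20 IP - 8 ICMP).
    ip netns exec "$SITE_A" ping -c 2 -M do -s $(( mtu - 28 )) "$B_INNER"
    ip -n "$SITE_A" tunnel show gre1
}

teardown() { ip netns del "$SITE_A"; ip netns del "$SITE_B"; }

# Nothing privileged runs unless explicitly asked for.
case "${1:-}" in
    setup) setup ;;
    teardown) teardown ;;
esac
```

Run it as sh gre-demo.sh setup and sh gre-demo.sh teardown. The guard rule is the part most often forgotten: without it, any host that can reach the outer address and spoof the peer's source can hand the kernel packets that arrive on gre1 looking like traffic from the other site.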
CAVEATS
IP tunnels provide neither encryption nor authentication. A GRE key is a cleartext identifier that selects the tunnel, and the outer source address is the only other thing checked on receive, so anyone who can send a packet to the local endpoint with the peer's address as outer source can inject traffic into the tunnel. Run IPsec (for example on a VTI device, see ip-xfrm(8)) or another authenticated protocol on top, and restrict the outer protocol (IP protocol 4 for IPIP, 41 for SIT, 47 for GRE) at the firewall to the expected peer.
Loading a tunnel module also creates a fallback device (tunl0, gre0, sit0) with no fixed endpoints (remote any local any). Leave it down: while it is up it decapsulates matching packets from any source.
Decapsulated packets are routed like any other received packet, so source-address validation (rp_filter) and packet filtering on the tunnel device itself still apply and should be configured.
Kernel modules specific to the tunnel type (ipip, ip_gre, sit, ip_vti, ip6_tunnel, fou) must be loaded or built in.
Tunnel configurations made via ip tunnel are not persistent across reboots; they must be recreated by the system's network configuration (for example systemd-networkd, NetworkManager or an ifupdown script).
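A check for the first two caveats, added here as an example and not part of the iproute2 manual: an audit over ip tunnel show output that flags tunnels with no fixed remote (the fallback devices and any tunnel created without remote) and unkeyed GRE tunnels. The sample output is constructed in the format ip tunnel show prints; the device names and addresses in it are invented.

```shell
#!/bin/sh
# Added example, not from the iproute2 manual: flag weakly scoped
# tunnels in `ip tunnel show` output. By default it reads a constructed
# sample; run with the argument "live" to audit the running system.
set -eu

# Constructed sample in `ip tunnel show` format: the three fallback
# devices the kernel creates on module load, one keyed point-to-point
# GRE tunnel, one unkeyed GRE tunnel and one IPIP tunnel with no remote.
SAMPLE='tunl0: ip/ip remote any local any ttl inherit nopmtudisc
gre0: gre/ip remote any local any ttl inherit nopmtudisc
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16
gre1: gre/ip remote 198.51.100.9 local 192.0.2.10 ttl 64 key 1001
gre2: gre/ip remote 203.0.113.4 local 192.0.2.10 ttl 64
tun-dc: ip/ip remote any local 192.0.2.10 ttl 64'

# One finding per line on stdout. The rules encode two facts about
# plain IP tunnels: a tunnel with "remote any" is matched for
# encapsulated packets from any source address, and a GRE key is a
# cleartext 32-bit identifier, so an unkeyed tunnel is selected by the
# outer addresses alone, which are spoofable.
audit_tunnels() {
    awk '
    {
        name = $1; sub(/:$/, "", name)
        mode = $2; remote = ""; key = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "remote") remote = $(i + 1)
            if ($i == "key" || $i == "ikey") key = $(i + 1)
        }
        if (remote == "any")
            printf "%s: %s tunnel with no fixed remote, decapsulates from any source when up\n", name, mode
        else if (mode == "gre/ip" && key == "")
            printf "%s: unkeyed GRE, selected by spoofable outer addresses only\n", name
    }'
}

audit_sample()  { printf '%s\n' "$SAMPLE" | audit_tunnels; }
finding_count() { audit_sample | grep -c . ; }

case "${1:-}" in
    live) ip tunnel show | audit_tunnels ;;
    "")   audit_sample ;;
esac
```

On the constructed sample, gre1 is the only device that produces no finding. Note that a finding on gre2 does not mean a key would secure it: the key only separates tunnels that share endpoints, and the remedy for both classes of finding is the firewall pin and an authenticated protocol inside the tunnel.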
TUNNEL TYPES
- IPIP: IPv4-in-IPv4 encapsulation (IP protocol 4); the simplest tunnel, with no key, checksum or protocol fields.
- GRE: Generic Routing Encapsulation (IP protocol 47), which carries an inner protocol identifier and optional key, checksum and sequence fields; the key distinguishes tunnels that share the same endpoints.
- SIT: Simple Internet Transition, IPv6-in-IPv4 (IP protocol 41), including the 6rd and ISATAP configurations.
- IP6IP6 / IPIP6 / IP6GRE: IPv6 or IPv4 carried over IPv6, and GRE over IPv6, configured with ip -6 tunnel and backed by the ip6_tunnel and ip6_gre modules.
- VTI: Virtual Tunnel Interface, a dedicated device for IPsec: traffic routed into it is matched to IPsec policies by mark (the tunnel key), which keeps the plaintext and encrypted sides on separate interfaces.
- GRETAP: a Layer 2 variant of GRE that encapsulates Ethernet frames; created with ip link add ... type gretap rather than with ip tunnel.
- FOU: Foo over UDP, a UDP encapsulation applied to an IPIP or GRE tunnel (ip fou plus the encap options of ip link) so that the tunnel traverses UDP-only paths and NAT, and so that hardware and ECMP can hash on the UDP ports.
HISTORY
The ip tunnel command is an integral part of the iproute2 utility suite, which has been the standard for Linux networking configuration since its inception in the late 1990s. Developed to overcome the limitations of older tools like ifconfig and route, iproute2 provides a unified and more powerful command-line interface for managing all aspects of TCP/IP networking, including advanced routing, traffic shaping, and tunnel management. The ip tunnel subcommand specifically evolved to support various IP encapsulation methods as network requirements for VPNs, data center networking, and IPv6 transitions grew.
SEE ALSO
ip(8), ip-link(8), ip-address(8), ip-route(8), ip-fou(8), ip-xfrm(8)