LinuxCommandLibrary

ip-tunnel

Create and manage network tunnels

SYNOPSIS

ip tunnel add [NAME] mode [MODE] remote [REMOTE_IP] local [LOCAL_IP] [options]
ip tunnel show [NAME]
ip tunnel del [NAME]
ip tunnel change [NAME] [options]

PARAMETERS

add
    Creates a new tunnel interface.

change
    Modifies the settings of an existing tunnel interface.

delete
    Deletes a tunnel interface.

show
    Displays the configuration of a tunnel interface or all tunnel interfaces.

NAME
    The name of the tunnel interface (e.g., tun0).

mode [MODE]
    The tunneling protocol. Common modes include: ipip, gre, sit, vti, erspan.

remote [REMOTE_IP]
    The IP address of the remote tunnel endpoint.

local [LOCAL_IP]
    The IP address of the local tunnel endpoint.

ttl [TTL]
    Sets the Time-To-Live (TTL) value for the outer IP header.

tos [TOS]
    Sets the Type of Service (TOS) field for the outer IP header.

dev [DEVICE]
    Binds the tunnel to a specific network interface.

key [KEY]
    Sets the key for GRE tunnels (a 32-bit value carried in the GRE header and used to demultiplex tunnels between the same endpoints). Provides a simple level of traffic isolation only; the key is sent in clear text and is not authentication.

DESCRIPTION

The ip-tunnel command in Linux is part of the iproute2 suite and is used to configure and manage IP tunnels. IP tunnels allow you to encapsulate IP packets inside other IP packets, enabling traffic to traverse networks that would otherwise be inaccessible. This is fundamental for creating virtual private networks (VPNs), connecting geographically dispersed networks, and implementing various network overlays.

Tunnels operate by encapsulating an inner IP packet within an outer IP packet. The outer IP header contains the source and destination addresses of the tunnel endpoints, while the inner IP header contains the source and destination addresses of the original data. When a packet reaches the tunnel endpoint, the outer header is removed, and the original packet is forwarded to its destination.

ip-tunnel supports various tunneling protocols, including IPIP, GRE, SIT (IPv6-in-IPv4), and others. Each protocol has its own advantages and configuration options. The command offers flexibility in defining tunnel endpoints, setting tunnel options such as TTL (Time-To-Live), TOS (Type of Service), and fragmentation behavior, and managing tunnel interfaces like any other network interface.

CAVEATS

Misconfiguration of tunnel parameters, such as incorrect remote or local IP addresses or incompatible tunneling modes, can lead to connectivity issues. Ensure proper firewall rules are in place to allow tunnel traffic: IPIP is IP protocol 4, SIT is IP protocol 41 and GRE is IP protocol 47, so rules must match on IP protocol rather than on TCP or UDP ports. Tunneling adds overhead and can decrease network performance due to encapsulation.

MTU CONSIDERATIONS

When configuring tunnels, be mindful of the Maximum Transmission Unit (MTU). Tunneling adds header overhead, so an encapsulated packet can exceed the MTU of the underlying network links. To avoid fragmentation, lower the MTU of the tunnel interface accordingly (e.g., using ip link set tun0 mtu 1400). Path MTU Discovery (PMTUD) can help adjust the MTU automatically, but it may not always work reliably, for example where ICMP is filtered. I recommend setting the MTU to 1400.
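The following is an added example, not part of the original page: it derives the inner MTU for the ipip, sit and gre modes from the synopsis above by subtracting the encapsulation overhead, and prints the corresponding ip tunnel add / ip link set commands. Addresses, interface names and the GRE key are placeholders.

```shell
#!/bin/sh
# Added example, not code from the page: derive the inner MTU a tunnel can
# carry without fragmenting the outer packet, then print the ip commands.
# Overhead = outer IPv4 header (20 bytes, no options) + encapsulation header:
#   ipip  20       sit  20 (inner packet is IPv6)
#   gre   20 + 4 base, plus 4 each for key, csum and seq when enabled
#   vti   not handled: ESP overhead depends on the IPsec cipher and auth
# Addresses and names used below are placeholders.

# tunnel_mtu LINK_MTU MODE [key] [csum] [seq]  -> prints the inner MTU
tunnel_mtu() {
    link_mtu=$1; mode=$2; shift 2
    case "$mode" in
        ipip|sit) overhead=20 ;;
        gre)
            overhead=24
            for opt in "$@"; do
                case "$opt" in
                    key|csum|seq) overhead=$((overhead + 4)) ;;
                    *) echo "unknown gre option: $opt" >&2; return 1 ;;
                esac
            done ;;
        *) echo "unsupported mode: $mode" >&2; return 1 ;;
    esac
    mtu=$((link_mtu - overhead))
    # IPv6 needs a link MTU of at least 1280, so refuse a sit tunnel below that
    if [ "$mode" = sit ] && [ "$mtu" -lt 1280 ]; then
        echo "link MTU $link_mtu leaves $mtu bytes, below the IPv6 minimum" >&2
        return 1
    fi
    echo "$mtu"
}

# tunnel_cmds NAME MODE LOCAL REMOTE LINK_MTU [GRE_KEY]  -> prints commands
# (these tunnels are unencrypted; see SECURITY CONSIDERATIONS)
tunnel_cmds() {
    name=$1; mode=$2; local_ip=$3; remote_ip=$4; link_mtu=$5; key=$6
    keyopt=""; keyflag=""
    if [ -n "$key" ]; then keyopt=" key $key"; keyflag=key; fi
    mtu=$(tunnel_mtu "$link_mtu" "$mode" $keyflag) || return 1
    echo "ip tunnel add $name mode $mode local $local_ip remote $remote_ip ttl 64$keyopt"
    echo "ip link set $name mtu $mtu"
    echo "ip link set $name up"
}

# Keyed GRE over a 1500-byte link: inner MTU is 1500 - 20 - 4 - 4 = 1472
tunnel_cmds gre1 gre 192.0.2.1 198.51.100.2 1500 1234
```

The printed commands need root to apply; the functions themselves only compute and print, so they can be reviewed before anything touches the kernel.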

SECURITY CONSIDERATIONS

IPIP and GRE tunnels provide neither encryption nor authentication: payloads (and the GRE key, if one is set) are transmitted in clear text, and endpoints are identified only by IP address. For secure tunnels, consider technologies like IPsec or WireGuard, which provide encryption and authentication.

HISTORY

The ip-tunnel command is part of the iproute2 suite, which replaced the older net-tools package for network configuration in Linux. It was developed to provide a more powerful and flexible way to manage network interfaces and routing. It gained prominence with the widespread adoption of virtual networking and VPN technologies.

SEE ALSO

ip(8), ifconfig(8), route(8)