1

I want to create a fou (foo-over-udp) tunnel on Linux 4.4.10 using iproute2 4.5.0, and while trying to create the tunnel I get the following error:

sudo ip link add dev tun0 type ipip remote 172.19.0.9 local 172.19.0.8 encap fou encap-sport auto encap-dport 4444
RTNETLINK answers: Invalid argument

While this usually indicates that I provided wrong arguments, a device still gets created, with a weird name and unconfigured:

10: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

I should also mention that fou and ipip kernel modules are loaded:

fou                     9093  0
ip6_udp_tunnel          1967  1 fou
udp_tunnel              2547  1 fou
ipip                    5260  0
ip_tunnel              13315  1 ipip
tunnel4                 2389  1 ipip

I didn't try with any other kernel version, but I did try with the latest version of iproute2. I should also mention that I was trying this setup in a Linux network namespace, but I get the same problem if I do it outside of the namespace. What could be causing this issue, and is there any alternative way to configure a fou tunnel? By my observations, iproute2 is the problematic one.

offlinehacker

5 Answers

1

I was able to set up a FOU tunnel between two virtual machines on the same LAN running unmodified Ubuntu 16.04.01. They started with the following configuration network-wise:

jeff@jeff-VirtualBox-ubuntu-16:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:97:1d:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.137/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 86358sec preferred_lft 86358sec
    inet6 fe80::3675:b335:4de3:9d6c/64 scope link
       valid_lft forever preferred_lft forever
jeff@jeff-VirtualBox-ubuntu-16:~$

jeff@jeff-VirtualBox-ubuntu-16-2:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:40:13:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.135/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 86352sec preferred_lft 86352sec
    inet6 fe80::7086:fe13:ab8:b44f/64 scope link
       valid_lft forever preferred_lft forever

I then ran the following to configure both VMs in a 10-net using a FOU tunnel:

root@jeff-VirtualBox-ubuntu-16:~# modprobe fou
root@jeff-VirtualBox-ubuntu-16:~# ip fou add port 55137 ipproto 4
root@jeff-VirtualBox-ubuntu-16:~# ip link add name fou0 type ipip remote 192.168.1.135 local 192.168.1.137 encap fou encap-sport 55137 encap-dport 55135 dev enp0s3
root@jeff-VirtualBox-ubuntu-16:~# ip link set up dev tunl0
root@jeff-VirtualBox-ubuntu-16:~# ip link set up dev fou0
root@jeff-VirtualBox-ubuntu-16:~# ip addr add 10.0.0.137/24 dev fou0
root@jeff-VirtualBox-ubuntu-16:~#

root@jeff-VirtualBox-ubuntu-16-2:~# modprobe fou
root@jeff-VirtualBox-ubuntu-16-2:~# ip fou add port 55135 ipproto 4
root@jeff-VirtualBox-ubuntu-16-2:~# ip link add name fou0 type ipip remote 192.168.1.137 local 192.168.1.135 encap fou encap-sport 55135 encap-dport 55137 dev enp0s3
root@jeff-VirtualBox-ubuntu-16-2:~# ip link set up dev tunl0
root@jeff-VirtualBox-ubuntu-16-2:~# ip link set up dev fou0
root@jeff-VirtualBox-ubuntu-16-2:~# ip addr add 10.0.0.135/24 dev fou0
root@jeff-VirtualBox-ubuntu-16-2:~#

It worked fine for me. Your mileage may vary. 8^)

chicks
Jeff Haran
1

Make sure you have CONFIG_NET_FOU_IP_TUNNELS enabled, and if not, rebuild the kernel with this configuration.

The following command works for me:

ip link add name fou-ipip type ipip remote 192.168.1.2 local 192.168.1.1 encap fou encap-sport auto encap-dport 6635

0

While this usually indicates that I provided wrong arguments, a device still gets created, with a weird name and unconfigured

tunl0 is the default ipip device and is created automatically when the ipip kernel module is loaded. The module is loaded automatically when you execute your command, even if the command fails. You cannot get rid of that device while you're using ipip tunneling; you can either configure it or leave it unconfigured. If you do not use ipip anymore, just unload the module with modprobe -r ipip to get rid of it.

RTNETLINK answers: Invalid argument

It may indicate that some option is not supported by your kernel or ip.

I'll quote the IPIP over FOU tunnel creation instructions from the ipipou repo. They are comprehensive enough to cover your case too and are worth a try; just substitute your own values for the example ones.

On the server side:

# Load FOU kernel module
modprobe fou

# Create IPIP tunnel encapsulated to FOU,
# ipip kernel module will be loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add FOU listener for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Up tunnel
ip link set ipipou0 up

On the client side (the client can be behind NAT):

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# Options "local", "peer", "peer_port", "dev" may not be supported
# by old kernels and can be skipped.
ip fou add port 10001 ipproto 4 \
    local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where:

  • ipipou* — tunnel interface name
  • 203.0.113.1 — server public IP
  • 198.51.100.2 — client public IP
  • 192.168.0.2 — client IP assigned to eth0
  • 10001 — client local FOU port
  • 20001 — client public FOU port
  • 10000 — server public FOU port
  • encap-csum — an option to add a checksum to inner UDP packets; it can be replaced with noencap-csum to avoid the calculation and keep the checksum empty, in which case packet integrity will be controlled by the outer UDP layer (while the packet is in the tunnel).
  • eth0 — local base interface for the tunnel
  • 172.28.0.1 — tunnel client private IP address
  • 172.28.0.0 — tunnel server private IP address
Mikhail
0

I got the same error on a Raspberry Pi. I tried the same 'ip link' command on a PC running Ubuntu and it worked.

The reason seems to be CONFIG_NET_FOU_IP_TUNNELS, which Vijaya commented on.

PC Ubuntu:

$ lsmod | grep fou
fou                    28672  0
ip6_udp_tunnel         16384  1 fou
udp_tunnel             16384  1 fou
ip_tunnel              24576  3 fou,ipip,ip_gre

Raspberry Pi:

$ lsmod | grep tunnel
ip6_udp_tunnel         16384  1 fou
udp_tunnel             28672  1 fou
ip_tunnel              32768  1 ip_gre

Note that the ip_tunnel module is not used by fou on the Raspberry Pi. It seems I need to build the kernel module myself.
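
Added example, not part of any answer on this page: a shell check of a kernel config file for CONFIG_NET_FOU_IP_TUNNELS, the option two of the answers point to, together with CONFIG_NET_FOU and CONFIG_NET_IPIP. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how the kernel options behind "type ipip ... encap fou"
# are set in a kernel config file. Function names are hypothetical.

# kconfig_state FILE SYMBOL -> prints y, m, n (explicit "is not set") or absent
kconfig_state() {
    file=$1 sym=$2
    if grep -q "^${sym}=y\$" "$file"; then echo y
    elif grep -q "^${sym}=m\$" "$file"; then echo m
    elif grep -q "^# ${sym} is not set\$" "$file"; then echo n
    else echo absent
    fi
}

# fou_ipip_supported FILE -> prints the three states; returns 0 only when
# fou and ipip are available (y or m) and CONFIG_NET_FOU_IP_TUNNELS is y.
fou_ipip_supported() {
    file=$1
    fou=$(kconfig_state "$file" CONFIG_NET_FOU)
    ipip=$(kconfig_state "$file" CONFIG_NET_IPIP)
    glue=$(kconfig_state "$file" CONFIG_NET_FOU_IP_TUNNELS)
    echo "CONFIG_NET_FOU=$fou CONFIG_NET_IPIP=$ipip CONFIG_NET_FOU_IP_TUNNELS=$glue"
    case $fou in y|m) ;; *) return 1 ;; esac
    case $ipip in y|m) ;; *) return 1 ;; esac
    # CONFIG_NET_FOU_IP_TUNNELS is a bool option, so only "y" counts as enabled.
    # Loaded fou and ipip modules alone do not show that it is set.
    [ "$glue" = y ]
}

# Constructed sample: both modules are built, but the option from the answers is off.
sample=$(mktemp)
cat >"$sample" <<'EOF'
CONFIG_NET_IPIP=m
CONFIG_NET_FOU=m
# CONFIG_NET_FOU_IP_TUNNELS is not set
EOF
fou_ipip_supported "$sample" || echo "ipip cannot use 'encap fou' with this config"
rm -f "$sample"
```

On a running system, pass the kernel's own config file, typically /boot/config-$(uname -r), or decompress /proc/config.gz to a file first where the kernel exposes it.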

0

In my experience, the command has this format, which does not match yours:

ip link add name {name} type ipip ...

In general, nothing is "created with a weird name", i.e., created with a name which is a sequence of characters (in this case, "tunl0") which does not appear in the software's input. So it's very likely that the tunl0 device is entirely unrelated to your actions; it probably was there before. Also, it suggests using a different name for the device you're trying to create, to reduce confusion regarding status reports.