Two item overlooked are the NAT problem and the filtering problem.

GRE through many routers won't work if NAT is involved, those that do support GRE may may have it disabled and at the moment directly exposing a node on the public web wouldn't be wise in my opinion.

vtund  has a better chance of working as it's either TCP or UDP based on config and can't be blocked based on protocol number(as GRE can) this may mean it is more likely to work on random networks as well, of course a true layer 7 firewall may be able to block it but that's even more rare.

GRE - by itself no encryption, light weight kernel mode tunnel, performance edge. Add on top ipSec for encryption also in kernel mode (or other designed encryption techniques/strengths over this tunnel). Googled internet posts claim it is more complicated to do encryption over GRE and depending on technique may limit the protocols.

vtund - on top of vtun kernal driver with everything else in user space. Packaged with basic level of 128 bit encryption->easier to setup. Doesn't limit protocols in use. I'd call this the middle ground solution.

What is best for our community? Depends... If we have no need to encrypt data carried over the internet, basic GRE with no encryption is lighter weight and straight forward. If we need to do encryption (let's say a city EOC has requirements to encrypt their data if going over the open internet), then vtund. If 'strong' encryption is required, then we'd want to look at something like openVPN (over vtun driver) and 1024 bit keys.

All, What do we as a community think are our requirements? What level of security (for the purpose of tunneling traffic over the internet to connect MESHes) should be packaged in a future release of bbhn? This need is likely the significant factor (while still considering options that are easy, supportable, and work). Any opinions?

For the sake of discussion, what are the advantages/disadvantages in vtun vs gre tunneling? 

I've setup gre tunneling before have not had the opportunity to play with vtun.

Corby

kd5aeq

got it

Not true. This is what is happening in the background: http://wiki.openwrt.org/doc/howto/generic.uninstall. You have to do it manually.

Zl4DK, Your answer can be found in Chapter 10 of WNDW on pages 7 and 8.

Hi,

Well, we are using GRE tunneling as we wanted to keep the footprint of implementation to such minimum that it could successfully be run on even the GL models.

I will be releasing the latest docs soon, but please feel free to look at the documentation found at http://www.ssra.se/upload/hsmm%20scripts.pdf

Here's my setup of vtun with instructions to install on both server and client. untar and check out the README files. Anyone that would like to connect to the mesh in Southern CA, send me email to exchange a password. My internet IP is already in the config files here...  ae6xe@cox.net 

Note, I've not tested my instructions with a fully clean test run.   let me know if I may need corrections. (but not with basic linux command line, etc.)

Download tar file here:

https://dl.dropboxusercontent.com/u/58390217/vtun_install.tar

Trying to get my client connected to a server.

I'm getting a "vtund[2242]: Connection denied by...." error.

Here is a tcpdump of the conversation: (I've replaced the actual target IP with 4.5.6.7 and my actual client name with "myclientname")

Any ideas???

73, K5DLQ - Darryl

Attachments
 tcpdump.txt.zip [0 KB] ::