How to create a tun network interface for a specific application?

Colleagues, please tell me how I can create a tun-type network interface from rc.conf, which obviously will not be used by other programs?
For example, by changing its name... Is this technically possible?

Thanks for the answers,
Ogogon.
 
I'm not sure what your goal is, but I know most tun-type interfaces are for a VPN. Is this what you are trying to do? If so you could do this by setting up openvpn or maybe you can look at its source code and mimic how it does this. Maybe you just need a virtual lan, which can use other protocols. If so FreeBSD has a lot of documentation on this here. Again, not 100% sure what your goal is, but hopefully that helps.
 
Not exactly in that way. We are talking about OpenConnect. It also uses tun interfaces. This client is not as detailed as OpenVPN, and important settings (NAT, port remapping) can only be done using a firewall. I use PF.
I can have up to three clients running. I need each client to use their own individual interface, with their own PF rules. OpenConnect has an option that allows you to specify the interface name.
Since other clients (e.g. OpenVPN) may be running on the router, I need to avoid having the interfaces hijacked by other processes. Without the PF rules applied it doesn't matter, but in my case it shouldn't happen.
 
Cloning and renaming works pretty well (replace tun77 with another number; it's just an example):
/etc/rc.conf
Code:
cloned_interfaces="tun77"
ifconfig_tun77_name="myfunname"

This doesn't guarantee that nothing else will use the tunnel, nor that tun77 is available on rc startup (for example, with a jail). Other things that may use the tunnel for example might be programs that iterate over tun devices in /dev until they find one available to use (I think openvpn and ppp have configurations that do this), but if you have control on your system over what is using tunnels then it shouldn't be an issue.

I usually use static names for my tunnels to make writing pf rules more straightforward.
 
but if you have control on your system over what is using tunnels then it shouldn't be an issue.
I don't really see how this problem can be controlled. Is renaming the interface from tunXX not enough?

I usually use static names for my tunnels to make writing pf rules more straightforward.
Yes, the NAT problem alone, if the VPN client itself cannot do it, can drive you crazy.
 
Well, there isn't really a way to control that a tun can be used only by a single application beyond standard permissions. If an application has the permission to open a tun device in /dev, then it can use it. This is what I meant by having control over the system and the applications that use tun devices. As long as your applications are configured to not grab tun devices optimistically (like the way ppp does), then you should be good. Renaming an interface really just helps with static configuration and predictability; it's not a method of permission control.
 
Code:
cloned_interfaces="tun77"
ifconfig_tun77_name="myfunname"
Where is it described what commands these macros are expanded into?
If I understand correctly, cloned_interfaces="tun77" expands into the ifconfig tun77 create command.
And what spells does ifconfig_tun77_name="myfunname" generate?
 
man tun would yield you amazing results. Have you looked?

tun devices are created using interface cloning. This is done using the
“ifconfig tunN create” command. This is the preferred method of creating
tun devices. The same method allows removal of interfaces. For this,
use the “ifconfig tunN destroy” command.
 
You could check man rc.conf, search for the "network_interfaces" section for a quick blurb about the ifconfig_{interface}_name variable. More generally you can check rc.conf for ifconfig_* stuff to find more capabilities, or to check for things rc.conf related.

Usually when I want to know more about rc.conf stuff, I search the rc.conf man, or I check /etc/defaults/rc.conf, or I read the rc code, but as Phishfry shared, checking the forums and web work really well too.
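To make the expansion concrete, here is an added dry-run example (not code from this thread, and not FreeBSD's own rc scripts): it reads a constructed rc.conf fragment and prints the ifconfig(8) commands netif would run for cloned_interfaces and ifconfig_<ifn>_name, plus the pf.conf lines a per-client tunnel would carry so the rules key on the stable name. The interface names, the LAN network and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc scripts): a dry run that
# prints the ifconfig(8) commands /etc/rc.d/netif derives from rc.conf.
# Constructed fragment, one tun per OpenConnect client; all names are assumed.
RC_CONF='cloned_interfaces="tun77 tun78"
ifconfig_tun77_name="oc_client1"
ifconfig_tun78_name="oc_client2"
'
# rc_value 'name="value"' -> value (strips the variable name and the quotes)
rc_value() {
    v=${1#*=}; v=${v#\"}; v=${v%\"}
    printf '%s\n' "$v"
}
# rc_expand FRAGMENT: "ifconfig tunN create" for every cloned interface, then
# "ifconfig tunN name NEW" for every ifconfig_<ifn>_name variable. The two
# passes mirror netif, which clones everything before it renames anything.
rc_expand() {
    fragment=$1 cloned= renames=
    while IFS= read -r line; do
        case $line in
            cloned_interfaces=*) cloned=$(rc_value "$line") ;;
            ifconfig_*_name=*)   renames="$renames $line" ;;
        esac
    done <<EOF
$fragment
EOF
    for ifn in $cloned; do
        printf 'ifconfig %s create\n' "$ifn"
    done
    for ifn in $cloned; do
        for r in $renames; do
            case $r in
                "ifconfig_${ifn}_name="*)
                    printf 'ifconfig %s name %s\n' "$ifn" "$(rc_value "$r")" ;;
            esac
        done
    done
}
# pf_rules_for NAME LAN_NET: pf.conf lines keyed on the stable renamed name,
# so the rules cannot attach to whichever tunN another client happened to get.
pf_rules_for() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
    printf 'pass out on %s from %s to any\n' "$1" "$2"
}
rc_expand "$RC_CONF"
pf_rules_for oc_client1 192.168.1.0/24
```

The PF lines are only a sketch of the per-client idea from the thread; a real pf.conf would still need the rest of the ruleset around them.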
 