Let A be the local OpenBSD host and D the remote peer, assume public DNS names and IPv6 reachability.
fd42::1 be the IPs of A and D respectively where both are allocated as
/127 subnet from one of the peer's DN42 prefix.
This will resolve FQDNs at parse time, set A's and D's IPs as source and destination tunnel address and set A's assigned IP as point-to-point address on the interface.
tunnel A.example.com D.example.net inet6 fd42::/127
Replace hostnames in the
tunnel line with literal IPs if DNS is not available (at system boot).
Reboot or run
sh /etc/netstart gre0 to bring up the tunnel.
Reboot or run
sysctl net.inet.gre.allow=1to allow GRE packet processing.
At this point,
gre0 will be administratively UP:
$ ifconfig gre0 gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476 index 22 priority 0 llprio 6 encap: vnetid none txprio payload rxprio packet groups: gre tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16 inet6 fd42:: --> prefixlen 127
All traffic destined to
fd42::1/127 will be encapsulated and routed to D:
$ route show [...] Internet6: Destination Gateway Flags Refs Use Mtu Prio Iface fd42::/127 fd42:: UCn 1 0 - 4 gre0 fd42:: fd42:: UHl 0 0 - 1 gre0 fd42::1 link#0 UHc 0 3180 - 3 gre0 fe80::%gre0/64 fe80::221:28ff:fef9:c1d8%gre0 Un 0 0 - 4 gre0 fe80::221:28ff:fef9:c1d8%gre0 fe80::221:28ff:fef9:c1d8%gre0 UHl 0 0 - 1 gre0 ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0 ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0 [...]
$ route -n get fd42::1 route to: fd42::1 destination: fd42::1 mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff interface: gre0 if address: fd42:: priority: 3 () flags: <UP,HOST,DONE,CLONED> use mtu expire 3181 0 0
GRE may be protected with IPsec to encrypt and authenticate traffic, OpenIKED can be used to establish an IKEv2 session between A and D.
Last edited by lare, 2023-04-08 22:08:13