
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 vote
2 answers
3142 views
SSH Tunneling to VNCServer
I have a dedicated server. There's a VNC Server and I can connect to the VNC Server with a VNC Client on port 5901, so it takes me to display :1 when I connect there with a VNC Client. I've read pretty many documents about the ssh -L and ssh -R command-line commands, but it's pretty weird, because they have servers and such on their own machines and on their remote machines, so I get confused about where they are even trying to connect, what, etc.

1. I have a dedicated server with VNC Server, Web Server, Game Server and Firewall.
2. VNC Server is running and TCP/UDP connection has been enabled only to the ports of Web Server, SSH, Game Server.
3. I want to connect to my VNC Server with my VNC Client (from my own PC), but using a tunneled connection, because people are trying my password too many times or something, because sometimes it says "Too many authentication failures". What tards they are, because they will never guess the password. Anyways.

I have tried similar:

ssh root@DEDICATEDIP -L 5901:DEDICATEDIP:5901
ssh root@DEDICATEDIP -R 5901:DEDICATEDIP:5901

I also tried this one (found on this site):

ssh -L 5901:localhost:5901 -p 22 root@DEDICATEDIP

If I write "su" in SSH and I write my root password I can get in with the root account, but when it asks for my root password on ssh after trying any of these tunneling commands it says the password is wrong and permission denied?

**Edit:**

- My PC: PuTTY (SSH Client), VNC Viewer (VNC Client)
- Dedibox: VNC Server, GameServer, Web Server, SSH Server

ufw status
- 22 - ALLOW - Anywhere
- 22 - ALLOW OUT - Anywhere

VNC Server is running and I can confirm that. If I add 5901 to ALLOW and ALLOW OUT I can simply connect there without tunneling.

1. (My PC) Open PuTTY
2. (My PC) PuTTY Configuration -> Connection -> SSH -> Tunnels - Source port - Destination [163.xxx.xxx.xxx:5901] - [ADD]
3. Now PuTTY shows "Forwarded ports: " -> "L5902 163.xxx.xxx.xxx:5901"
4. I connect to the server with SSH including the Tunnel settings I've configured now.
5. I type "su" and I submit my root password.
6. root@MyBox: /home/sysadmin# (sysadmin is the normal user for my box)
7. I type: "ssh root@IP_OF_DEDI -L 127.0.0.1:5902:127.0.0.1:5901"
8. VNC Client keeps connecting for a while (like 15 seconds) and says: "The connection was refused by the computer"
Weird E. (41 rep)
Nov 24, 2016, 01:40 PM • Last activity: Jul 26, 2025, 10:02 AM
5 votes
1 answer
2647 views
How do I configure OpenVPN as a Gateway client for Witopia?
I have the following setup:

* Witopia SSL account
* Synology 409 NAS (with OpenVPN and Apache etc)
* PS3
* Mac
* Apple AirPort router (configured for NAT)
* Locked IPT-box (using DHCP and NAT traversing)

Internet
  |
Router (192.168.0.1)
  |
  |--NAS
  |--Mac
  |--PS3
  |--IPT-box

Requirements:

1. The NAS should handle the VPN connection with Witopia.
2. All connections originating outside the Router that are routed to the NAS or Mac should reach their target. Nothing originating from outside should enter the VPN tunnel.
3. All connections that originate behind the router and are "aimed specifically" at the NAS should reach it and not be hijacked by the VPN tunnel (NFS, SMB, HTTP etc.).
4. Connections that originate from applications on the NAS and terminate anywhere outside the router should go through the VPN tunnel.
5. All connections from the PS3 that terminate outside the router should go through the tunnel. Connections from the PS3 to the NAS (SMB, NFS, DLNA etc) should not go through the tunnel, but be served by the NAS.
6. All connections to and from the IPT-box should go direct via the router, not the tunnel.

Is this possible with the hardware that I already have? How and where should I configure it?

/BE
Björn (151 rep)
Feb 25, 2011, 02:52 PM • Last activity: Jun 3, 2025, 06:04 AM
1 vote
0 answers
46 views
Is it possible to route GTP traffic in Linux?
I want to be able to route GTP-U traffic that arrives at my Linux machine through two different interfaces. However, I want to route it using information inside the tunnel: the inner IP addresses. My machine is not generating the GTP-U traffic; it is just a point in between. Is it possible to route GTP traffic in Linux using route, iptables or a similar approach? All I could find on this topic is an old GitHub repo that is obsolete for Ubuntu 22 and higher.
Dgrm (11 rep)
Mar 31, 2025, 09:24 AM
0 votes
1 answer
27 views
Route DNS query to my tunnel
I have the following system:

root@debian:~# dpkg -l systemd-resolved
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version      Architecture Description
+++-================-============-============-=================================
ii  systemd-resolved 257.4-3      amd64        systemd DNS resolver
root@debian:~# cat /etc/issue
Debian GNU/Linux trixie/sid \n \l
root@debian:~# ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Mar 26 20:21 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
root@debian:~# cat /run/systemd/resolve/stub-resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search .

Then I installed Zebedee tunneling and it works fine. And when I set my Firefox proxy to localhost:81, I can access sites that are filtered.

root@debian:~# telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Now, I want to use DNS over localhost:81. How can I do it?

**UPDATE:** My resolvectl is:

root@debian:~# resolvectl status
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
       DNS Servers: 8.8.8.8

Link 2 (enp0s31f6)
Current Scopes: LLMNR/IPv4 mDNS/IPv4
     Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
 Default Route: no

Link 3 (wlp58s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
 Default Route: no

Link 5 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
 Default Route: no
PersianGulf (11308 rep)
Mar 26, 2025, 07:18 PM • Last activity: Mar 27, 2025, 03:57 AM
0 votes
1 answer
13 views
How to update routes when packets arrive?
I have three tunnels, tun0, tun1 and tun2, on which traffic can arrive from 10.10.0.0/16. I would like to update routes, prompted by the arrival of packets. If a packet arrives from 10.10.X.Y on tunZ, I would like to update the route-to-10.10.X.0/24 to use tunZ's far-address as the next hop, until further notice. How can I do this with existing Linux tools and configuration? (I could make a libpcap-based tool which spied on traffic from the tunnels and updated rules as needed.)
fadedbee (1113 rep)
Jan 29, 2025, 02:26 PM • Last activity: Feb 15, 2025, 04:47 PM
1 vote
1 answer
6086 views
Wireguard over TCP tunnel at 443 port, blocked ports bypassing, solution for OpenWRT
I'm facing a problem: I would like to connect many embedded devices with OpenWRT to my WireGuard server, but all the ports except 80, 443 and some others are blocked. Moreover, only TCP is allowed in the network. It seems like I need to tunnel WireGuard, which is UDP, into TCP. On my server I would like to use the SSLH (port sharing) service to run an HTTPS server and the tunnel for WireGuard simultaneously on port 443 (or another port allowed by the firewall). I would like to have a multiuser-capable tunnel, so I suspect quick socat hacks will not work for more clients.

- I tried wireguard-proxy; it works perfectly with port sharing over SSLH, but it is written in Rust, and I can't deploy it on OpenWRT (I tried, and got compiling errors).
- I also tested udp2raw, and it also works well on a dedicated port, but I can't connect to it when using the SSLH port multiplexer.

I'm looking for some tunneling software written in C/C++ that I can cross-compile in the OpenWRT build system, and use with my modded network devices.
Sink (11 rep)
Mar 26, 2023, 03:05 PM • Last activity: Jan 30, 2025, 07:07 PM
2 votes
1 answer
3084 views
What is the use case difference between GRE and GRETAP?
What is the use case difference between GRE and GRETAP? I understand that GRETAP is a layer 2 "Ethernet" tunnel. But when should I use GRE and when GRETAP? Can you give me a specific example for each use case? Thanks.
Finaria (31 rep)
May 24, 2022, 06:22 PM • Last activity: Dec 5, 2024, 05:05 PM
0 votes
1 answer
176 views
multiple VPN connections from the same device
I have set up a VPN server (Ubuntu) with a docker from the kyle/manna project. I want to establish two different VPN tunnels (VPN tunnel 1 and VPN tunnel 2) from another device (Ubuntu) which owns two wireless connections (two LTE modems). Then the device which will have the VPN client will have two different interfaces called wwan0 and wwan1. How can I establish two different VPN tunnels? How can I send traffic via one VPN tunnel or the other? In other words, I want both tunnels to be connected to the same server via different interfaces at the same time. The reason is that each tunnel will send the traffic through different cellular networks. It could happen that one cellular network does not work at a moment and the other one does. Then the traffic could be sent via the one that is working.
Nfernandez (101 rep)
Aug 27, 2024, 12:56 PM • Last activity: Aug 30, 2024, 03:52 PM
0 votes
2 answers
256 views
How can I setup a bridge from Wifi to a local Ethernet using a Raspberry Pi and a basic Ethernet switch?
I would like to set up an Ethernet switch in the garage which will provide connections to the same LAN segment as the main building. However, there is no network cable between the main building and the garage, but there is WiFi coverage in the garage. I have already accomplished what I want with a TP-Link Archer A7 router which supports wireless bridge mode. However, I would really like to do it with a simple Raspberry Pi and a basic Ethernet switch instead. By using GRE TAP interfaces/tunnel, I was almost able to succeed, but it struggles with long packets (because of some annoying MTU issue), so many packets are lost. I have also found some ways online to solve this using NAT, but this is not acceptable in my use case. The devices connecting to the switch need to be on the same LAN segment as all other devices in the main building. Can somebody provide an answer on the best way to accomplish this?
rubund (271 rep)
Jul 31, 2024, 09:46 AM • Last activity: Aug 1, 2024, 01:42 PM
2 votes
0 answers
569 views
Cannot add a tunnel to /etc/network/interfaces
**Note:** I already checked this question and this question. The solution of the former is not relevant to my problem and the latter does not have any answers. I have a basic VPS from aeza.net. When I ping with IPv4 it is pretty stable and the mdev is less than 10ms; however, IPv6 pings are pretty unstable and have huge spikes. I decided to give tunnelbroker.net a try. I registered for a tunnel and I followed the directions for Debian/Ubuntu given on the website. According to the instructions, I had to edit /etc/network/interfaces and add another interface. Here is how my interfaces file looks now:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens3
iface ens3 inet static
    address   109.120.xxx.xxx
    netmask   255.255.255.255
    gateway   10.0.0.1
    hwaddress ether 52:54:00:17:xx:xx
    dns-nameservers 1.1.1.1 8.8.8.8
iface ens3 inet6 static
    address   2a0b:4140:xxxx::xxxx
    netmask   48
    gateway   2a0b:4140:xxxx::xxxx
    dns-nameservers 1.1.1.1 8.8.8.8

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:27:xxxx::xxxx
    netmask 64
    endpoint 216.66.xxx.xxx
    local 109.120.xxx.xxx
    ttl 255
    gateway 2001:470:27:xxxx::xxxx
Then I proceeded to restart networking.service, but it couldn't restart successfully and gave me the message:
Job for networking.service failed because the control process exited with error code.
See "systemctl status networking.service" and "journalctl -xeu networking.service" for details.
Upon looking at systemctl status networking.service I see the following:
× networking.service - Raise network interfaces
     Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-06-06 16:18:54 CEST; 43s ago
       Docs: man:interfaces(5)
    Process: 8524 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=1/FAILURE)
   Main PID: 8524 (code=exited, status=1/FAILURE)
        CPU: 16ms

Jun 06 16:18:54 systemd[1] : Starting Raise network interfaces...
Jun 06 16:18:54 ifup: add tunnel "sit0" failed: No buffer space available
Jun 06 16:18:54 ifup: ifup: failed to bring up he-ipv6
Jun 06 16:18:54 systemd[1] : networking.service: Main process exited, code=exited, status=1/FAILURE
Jun 06 16:18:54 systemd[1] : networking.service: Failed with result 'exit-code'.
Jun 06 16:18:54 systemd[1] : Failed to start Raise network interfaces.
I have had tunnels from hurricane electric before and they worked flawlessly when following the same instructions, albeit on different servers from different providers. What am I doing wrong here?
Amirreza A. (71 rep)
Jun 6, 2024, 02:27 PM • Last activity: Jun 9, 2024, 03:04 PM
0 votes
0 answers
105 views
SSH tunnel error: sys_tun_open: failed to configure tunnel (mode 1): Invalid argument
I'm trying to create an SSH tunnel between 2 Raspberry Pis, both running Debian Bookworm. I try to establish the connection using the command

sudo ssh -w0:0 @ -p true

But it fails with
...
debug1: Requesting tun unit 0 in mode 1
debug1: sys_tun_open: failed to configure tunnel (mode 1): Invalid argument
Tunnel device open failed.
Could not request tunnel forwarding.
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
...
I've changed the below config files
/etc/ssh/sshd_config

PermitTunnel yes
/etc/ssh/ssh_config

Tunnel point-to-point
/etc/sysctl.conf

net.ipv4.ip_forward = 1
The tun0 interface is created on both devices using sudo nmtui
tun0: flags=209  mtu 1480
        inet   netmask 255.255.255.252  destination 
        tunnel   txqueuelen 1000  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Can anybody help me get this error fixed?
user613537 (1 rep)
Jun 8, 2024, 09:18 AM • Last activity: Jun 8, 2024, 10:15 AM
2 votes
1 answer
320 views
Firefox traffic through socks-proxy SSH tunnel attempt to use IPv6 on systems where IPv6 is not supported
I need to use a SOCKS proxy in Firefox on my laptop, using an SSH tunnel to server. On my laptop, I set the SOCKS proxy in Firefox, and connect to server:

ssh server -D1234

When I visit any website in Firefox, the proxy works, but I get these errors:

on laptop (in the console where I started ssh):

channel 15: open failed: connect failed: Address family for hostname not supported

on server (in syslog):

sshd: error: connect_to ff00::: unknown host (Address family for hostname not supported)

This looks like Firefox is trying to use IPv6. But I have no IPv6 support either on laptop or on server. And I have explicitly disabled IPv6 in Firefox, by setting network.dns.disableIPv6 to true. As said, everything works. But I am just bothered by the flood of error messages. How can I prevent Firefox from even attempting to use IPv6, or if that is not possible, get rid of the error messages on both laptop and server? The laptop is running Debian 12, and server is running Debian 10. Both have a custom Linux kernel, without IPv6 support.
Martin Vegter (586 rep)
May 15, 2024, 04:51 AM • Last activity: May 24, 2024, 07:04 AM
1 vote
2 answers
4438 views
Check whether SOCKS5 proxy server support UDP
Suppose I have a UDP server that listens for incoming messages on 192.168.43.1:1234 and a SOCKS5 proxy server that listens on 192.168.43.2:9999. How do I check whether the SOCKS5 proxy server supports UDP when accessed with a SOCKS5 client? I know that SOCKS5 supports UDP, but I just want to make sure it's really supported. I expect the UDP server to receive a message from the client and the client to get a reply from the server, with netcat or similar tools.
Muhammad Ikhwan Perwira (319 rep)
Jan 22, 2023, 04:48 PM • Last activity: May 13, 2024, 03:01 AM
0 votes
1 answer
868 views
Connect IPSEC VPN to network interface
I have a StrongSwan IPSEC VPN configured on my Ubuntu 22.04.4 LTS server. The VPN starts up and connects to the primary interface (eno1) successfully. Using qBittorrent, I bind to the IP Address that is assigned to the VPN connection so that torrent traffic is directed through the VPN. (I don't send any other network traffic through the VPN.) This works successfully so that if the VPN drops, the torrent traffic is halted. The issue is that upon reconnection, I may get assigned a different IP address by the VPN. And so the torrent traffic never resumes. I was hoping to solve this by setting up a tun interface (tun0) and having the VPN connect directly to that interface. Then I could have qBittorrent always stay connected to the tun0 interface rather than a specific IP address. But I can't get data to flow through the VPN connected to the tun0 interface. Any assistance would be appreciated. Here's what I have so far:
sudo tunctl -t tun0        # create tun0 interface
sudo ip link set tun0 up   # enable tun0 interface
Edit /etc/strongswan.d/vtun.conf:
charon {
  install_routes = no
  install_virtual_ip_on = tun0  # Connect VPN to tun0 interface
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16
}
Restart VPN:
sudo ipsec down vpn-ca-torrent  # shut down VPN
sudo ipsec restart              # restart ipsec 
sudo ipsec up vpn-ca-torrent    # start VPN
VPN is now connected to tun0:
> ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 84935sec preferred_lft 84935sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
I now connect qBittorrent to the tun0 interface, but no data flows. Here is additional information:
> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP

> cat /etc/ipsec.conf
  conn vpn-ca-torrent
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity=xxxxx@xxx.com
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=ca-tr.vpnunlimitedapp.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=ironnodes.com
        type=tunnel
        auto=add
        leftupdown=/usr/lib/ipsec/_updown

> ip r
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100

> resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eno1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (tun0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
**UPDATE:** I've added the changes as suggested: /etc/strongswan.d/vtun.conf:
charon {
  install_routes = no
  install_virtual_ip_on = tun0
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16

  leftfirewall=yes
  leftsourceip=%config
  leftsubnet=10.128.0.2/32
  rightsubnet=10.128.0.0/16
}
Once the VPN comes up and attaches to the tun0 interface I add a route to the assigned IP:

> sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX

I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it. When I look through the charon logs, I see these errors:

11[IKE] scheduling reauthentication in 9950s
11[IKE] maximum IKE_SA lifetime 10490s
11[IKE] adding DNS server failed
11[IKE] adding DNS server failed
11[CFG] handling INTERNAL_IP4_DNS attribute failed
11[IKE] installing new virtual IP 10.128.0.2
11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o and TS 10.128.0.2/32 === 0.0.0.0/0
ip r:
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
ip a:
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 66730sec preferred_lft 66730sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
furnaceX (51 rep)
Feb 24, 2024, 11:31 PM • Last activity: Feb 29, 2024, 06:28 PM
1 vote
1 answer
726 views
Why doesn't systemd-networkd add address and peer to the tun interface?
I'm trying to create a tun interface and add an address and a peer to it via the .netdev and .network files of systemd-networkd. I'm using Ubuntu 22.04.3 LTS and systemd 249. I have the following two configuration files: /etc/systemd/network/991-tun1.netdev
[NetDev]
Name=tun1
Kind=tun

[Tun]
User=me
/etc/systemd/network/991-tun1.network
[Match]
Name=tun1

[Network]
Address=192.168.3.1/24
IPForward=yes

[Address]
Address=192.168.3.1/24
Peer=192.168.3.2/24
After reboot the tun1 interface is created fine, but it has no address.
me@host:~$ ip a
...
4: tun1:  mtu 1500 qdisc fq_codel state DOWN group default qlen 500
    link/none
But if I use ifconfig, then the address is added as expected.
me@host:~$ sudo ifconfig tun1 192.168.3.1 pointopoint 192.168.3.2 netmask 255.255.255.0
me@host:~$ ip a
...
4: tun1:  mtu 1500 qdisc fq_codel state DOWN group default qlen 500
    link/none 
    inet 192.168.3.1 peer 192.168.3.2/24 scope global tun1
       valid_lft forever preferred_lft forever
And I can see this in the logs after reboot:
me@host:~$ sudo journalctl --unit systemd-networkd -fe|grep tun1
...
systemd-networkd: tun1: loaded tun
systemd-networkd: tun1: Created
systemd-networkd: tun1: netdev has index 4
systemd-networkd: tun1: Permanent MAC address not found for new device, continuing without: Operation not supported
systemd-networkd: tun1: Link 4 added
systemd-networkd: tun1: Saved original MTU 1500 (min: 68, max: 65535)
systemd-networkd: tun1: Flags change: +MULTICAST +POINTOPOINT +NOARP
systemd-networkd: tun1: link pending udev initialization...
systemd-networkd: tun1: udev initialized link
systemd-networkd: tun1: State changed: pending -> initialized
systemd-networkd: tun1: Link state is up-to-date
systemd-networkd: tun1: found matching network '/etc/systemd/network/991-tun1.network'.
systemd-networkd: tun1: State changed: initialized -> configuring
systemd-networkd: Setting '/proc/sys/net/ipv6/conf/tun1/disable_ipv6' to '0'
systemd-networkd: Setting '/proc/sys/net/ipv6/conf/tun1/use_tempaddr' to '0'
systemd-networkd: Setting '/proc/sys/net/ipv6/conf/tun1/accept_ra' to '0'
systemd-networkd: Setting '/proc/sys/net/ipv6/conf/tun1/proxy_ndp' to '0'
systemd-networkd: Setting '/proc/sys/net/ipv4/conf/tun1/promote_secondaries' to '1'
systemd-networkd: tun1: Requested to set IPv6LL address generation mode
systemd-networkd: tun1: Requested to set master interface
systemd-networkd: tun1: Requested to activate link
systemd-networkd: tun1: Requesting address: 192.168.3.1/24 (valid forever, preferred forever), flags: n/a
systemd-networkd: tun1: Requesting address: 192.168.3.1 peer 192.168.3.2/24 (valid forever, preferred forever), flags: n/a
systemd-networkd: tun1: Setting addresses
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: link_check_ready(): link layer is configuring.
systemd-networkd: tun1: Setting IPv6LL address generation mode
systemd-networkd: tun1: Setting master interface
systemd-networkd: tun1: IPv6LL address generation mode set.
systemd-networkd: tun1: master interface set.
systemd-networkd: tun1: link_check_ready(): link is not activated.
systemd-networkd: tun1: Bringing link up
systemd-networkd: tun1: Flags change: +UP
systemd-networkd: tun1: Link UP
systemd-networkd: tun1: link_check_ready(): static addresses are not configured.
Why is the address not being added to the tun1 interface by systemd-networkd, and how do I make it add the address?
Andrei (23 rep)
Jan 28, 2024, 06:13 PM • Last activity: Jan 29, 2024, 12:23 PM
17 votes
7 answers
47462 views
How to route specific addresses through a tunnel?
There are certain websites/services which I can only access from the subnet on which my server is located (think of the typical intranet scenario). Is there a way to transparently route traffic that goes to these addresses through an SSH tunnel? Consider the following setup: My laptop is connected to the home network. It cannot access services on IPs X and Y directly. I have an SSH tunnel to a server which is on a subnet that can actually access these services. Can I somehow automatically encapsulate all the traffic to the subnets of X and Y to go through this tunnel, without having to run an entire VPN solution that would send all my traffic through the server? In other words: all traffic that goes to any other subnet should still go directly from the laptop, without passing through the server (using the tunnel).
Ruben Vermeersch (373 rep)
Aug 11, 2010, 09:06 PM • Last activity: Jan 19, 2024, 10:04 AM
1 votes
1 answers
355 views
Traffic shaping ineffective on tun device
I am developing a tunnel application that will provide a low-latency, variable-bandwidth link. This will be operating in a system that requires traffic prioritization. However, while traffic towards the tun device is clearly being queued by the kernel, it appears that whatever qdisc I apply to the device has no additional effect, including the default pfifo_fast, i.e. what should be high-priority traffic is not being handled separately from normal traffic. I have made a small test application to demonstrate the problem. It creates two tun devices and has two threads, each with a loop passing packets from one interface to the other and back, respectively. Between receiving and sending, the loop delays 1us for every byte, roughly emulating an 8Mbps bidirectional link:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* BUFSIZE is defined in the full source, not in this excerpt; any value
 * large enough to hold one whole tun packet works (assumed value). */
#ifndef BUFSIZE
#define BUFSIZE 65536
#endif

/* Copy packets from one tun fd to the other, sleeping 1 us per byte to
 * emulate a link of roughly 8 Mbit/s. Each read() on a tun fd returns
 * exactly one packet, so one write() forwards it whole. */
void forward_traffic(int src_fd, int dest_fd) {
    char buf[BUFSIZE];
    ssize_t nbytes = 0;

    while (nbytes >= 0) {
        nbytes = read(src_fd, buf, sizeof(buf));

        if (nbytes >= 0) {
            usleep(nbytes);                       /* 1 us per byte */
            nbytes = write(dest_fd, buf, nbytes);
        }
    }
    /* read() or write() returned -1: report errno and give up */
    perror("Read/write TUN device");
    exit(EXIT_FAILURE);
}
With each tun interface placed in its own namespace, I can run iperf3 and get about 8Mbps of throughput. The default txqlen reported by ip link is 500 packets, and when I run iperf3 (-P 20) and a ping at the same time I see RTTs of about 670-770ms, roughly corresponding to 500 x 1500 bytes of queue. Indeed, changing txqlen changes the latency proportionally. So far so good. With the default pfifo_fast qdisc I would expect a ping with the right ToS mark to skip that normal queue and give me low latency, e.g. ping -Q 0x10 I think should have a much lower RTT, but it doesn't (I have tried other ToS/DSCP values as well; they all have the same ~700ms RTT). Additionally, I have tried various other qdiscs with the same results, e.g. fq_codel doesn't have a significant effect on latency. Regardless of the qdisc, tc -s qdisc always shows a backlog of 0, whether or not the link is congested (but I do see ip -s link show dropped packets under congestion). Am I fundamentally misunderstanding something here, or is there something else I need to do to make the qdisc effective? Complete source here
sheddenizen (111 rep)
Dec 2, 2023, 06:05 PM • Last activity: Dec 27, 2023, 03:42 PM
1 votes
0 answers
39 views
Route through ppp0?
Read carefully please. I'm connecting to another local network (over WAN) using a VPN (openfortivpn) to access that local network. I can ping the local hosts on that network; I can scan them with nmap and everything works perfectly. But the problem is that when I use metasploit it seems like it doesn't recognize them (the local hosts on that network), even though I changed the metasploit network interface. So what's the problem here? Any ideas!!!

└─$ sudo openfortivpn
[sudo] password for redandwhite:
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 /dev/pts/2
INFO:   Got addresses: [192.168.10.20], ns [0.0.0.0, 0.0.0.0]
INFO:   Negotiation complete.
INFO:   Got addresses: [192.168.10.20], ns [0.0.0.0, 0.0.0.0]
INFO:   Negotiation complete.
INFO:   Got addresses: [192.168.10.20], ns [0.0.0.0, 0.0.0.0]
INFO:   Negotiation complete.
INFO:   Negotiation complete.
local  IP address 192.168.10.20
remote IP address 169.254.2.1
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

That's my openfortivpn connection, and it creates a new ppp0 interface:

└─$ ifconfig
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 649733  bytes 90673438 (86.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 649733  bytes 90673438 (86.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305  mtu 1354
        inet 192.168.10.20  netmask 255.255.255.255  destination 169.254.2.1
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 111  bytes 1101 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132  bytes 4021 (3.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163  mtu 1500
        inet 192.168.1.4  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a5b:d6ff:fea3:cd48  prefixlen 64  scopeid 0x20
        ether 08:5b:e2:b8:ac:84  txqueuelen 1000  (Ethernet)
        RX packets 1991278  bytes 1637588280 (1.5 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1471015  bytes 669954984 (638.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route -n output, with the xx.xx.xx.xx IP being the one I'm connecting to:

└─$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlan0
xx.xx.xx.xx     192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
151.8.75.25     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
169.254.2.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.9.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0

I'm able to ping google using my wlan0 interface but couldn't using the ppp0 interface:

└─$ ping -I ppp0 google.com
PING google.com (142.250.201.46) from 192.168.10.20 ppp0: 56(84) bytes of data.

--- google.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4091ms

└─$ curl --interface wlan0 ifconfig.co
xx.xx.xx.xx

┌──(redandwhite㉿kali)-[~]
└─$ curl --interface ppp0 ifconfig.co

I think the idea is to add two default gateways. The main idea behind the second gateway approach is to create a second routing table, so that the routes are added and deleted whenever the VPN connection is established, but I have no idea how to do so, and I don't want to mess things up.
redandwhite (19 rep)
Oct 27, 2023, 02:58 PM • Last activity: Oct 28, 2023, 05:46 AM
32 votes
4 answers
67500 views
What is the tun network interface for?
I noticed when running ifconfig that there is a network interface called tun0 and it has an IPv4 address. A bit of research shows that it is a tunneling device, but I don't really know how it's used, what's using it, and why it has an IP address. I do have iptables enabled, and there seems to be some link between iptables and tun, if that helps.
smcg (483 rep)
Jul 11, 2013, 06:07 PM • Last activity: Oct 12, 2023, 02:28 PM
0 votes
2 answers
1244 views
Tunnel on remote MS-windows port 443
I need to create a tunnel on a remote MS-windows machine, so that port 443 on MS-windows is redirected to a remote target on port 443. What I'm trying to do is this, from my remote server:
ssh -N -R 443:remote.target:443 administrator@windows.source
But I get this error:
Warning: remote port forwarding failed for listen port 443
On the windows server I installed OpenSSH. The tunnel works if I use port 8443 on windows, e.g.:
ssh -N -R 8443:remote.target:443 administrator@windows.source
But I need to do the tunnel with 443. I tried to better configure OpenSSH ("AllowTcpForwarding yes", "PermitTunnel yes" and "GatewayPorts yes", and I also tried to restart the sshd service as an administrator), but it didn't work.
luandrea (121 rep)
Feb 21, 2020, 11:05 AM • Last activity: Oct 6, 2023, 08:48 PM