TUN device principle
2022-04-23 15:04:00 【Mrpre】
TUN device principle
What this article sets out to explain is the operating mechanism of an SSL VPN. Reduced to its technical core, the problem is this: two private networks are separated by the public network, so how can a channel be established between them? The core detail is the tun device. TUN devices are also used in flannel, for cross-host network communication between containers.
Let's start with a simple example, https://github.com/gregnietsky/simpletun.git, to get an intuitive feel for it.
Take two machines and, on each of them, compile the code above with the make command, which produces the binary simpletun.
Physical IP of A: 18.104.22.168. Physical IP of B: 22.214.171.124.
Run on machine B:
sudo ./simpletun -i tun90 -s -d &
sudo ifconfig tun90 126.96.36.199/24
Run on machine A:
sudo ./simpletun -i tun90 -c 188.8.131.52 -d &
sudo ifconfig tun90 184.108.40.206/24
The simpletun binary creates a virtual network card named tun90, and we then use ifconfig to assign it an IP address.
Next, on machine B, -s tells simpletun to listen on local TCP port 55555 and act as the server; on machine A, -c tells it to connect to B's physical IP.
Once startup is complete, run ping 220.127.116.11 on machine A. The following log appears; part of it is ping's own output, showing that the ping succeeds, and part of it is printed by simpletun.
PING 18.104.22.168 (22.214.171.124) 56(84) bytes of data.
TAP2NET 4: Read 84 bytes from the tap interface
TAP2NET 4: Written 84 bytes to the network
NET2TAP 4: Read 84 bytes from the network
NET2TAP 4: Written 84 bytes to the tap interface
64 bytes from 126.96.36.199: icmp_seq=1 ttl=64 time=39.7 ms
TAP2NET 5: Read 84 bytes from the tap interface
TAP2NET 5: Written 84 bytes to the network
NET2TAP 5: Read 84 bytes from the network
NET2TAP 5: Written 84 bytes to the tap interface
64 bytes from 188.8.131.52: icmp_seq=2 ttl=64 time=39.9 ms
Similarly, on B we run nc -l -k 9090, a program listening on local port 9090, and then on A we run nc 184.108.40.206 9090 and type abc.
Output on A:
$ nc 220.127.116.11 9090
TAP2NET 12: Read 60 bytes from the tap interface
TAP2NET 12: Written 60 bytes to the network
NET2TAP 11: Read 60 bytes from the network
NET2TAP 11: Written 60 bytes to the tap interface
TAP2NET 13: Read 52 bytes from the tap interface
TAP2NET 13: Written 52 bytes to the network
abc
TAP2NET 14: Read 56 bytes from the tap interface
TAP2NET 14: Written 56 bytes to the network
NET2TAP 12: Read 52 bytes from the network
NET2TAP 12: Written 52 bytes to the tap interface
Output on B:
NET2TAP 12: Read 60 bytes from the network
NET2TAP 12: Written 60 bytes to the tap interface
TAP2NET 11: Read 60 bytes from the tap interface
TAP2NET 11: Written 60 bytes to the network
NET2TAP 13: Read 52 bytes from the network
NET2TAP 13: Written 52 bytes to the tap interface
NET2TAP 14: Read 56 bytes from the network
NET2TAP 14: Written 56 bytes to the tap interface
TAP2NET 12: Read 52 bytes from the tap interface
TAP2NET 12: Written 52 bytes to the network
abc
We find that machine A reaches port 9090 of 18.104.22.168 over TCP. An address in 22.214.171.124/24 makes this a private-network request, and the network between A and B has no route for the 126.96.36.199/24 segment. So how does B receive the private-network request sent by A? That is exactly the question this article sets out to explain.
TUN device characteristics
Consider a write to a tun device (open the tun, then write to its fd). Once the tun driver in the kernel has received the user-space data, it calls netif_rx. Normally netif_rx is called, and the data handed to the protocol stack, only when the machine receives a packet. This shows that writing to a tun device is equivalent to making the machine simulate receiving a packet. The key point follows: the data written to a tun must carry a layer-3 (IP) header, otherwise the Linux protocol stack cannot route it.
Now consider reading data from a tun device. First, under what circumstances does the tun device obtain data at all? In other words, when the external applications have no awareness of the tun device, how does the tun device get data from those programs?
First, the tun device has a layer-3 IP address, which means it can act as a layer-3 forwarding interface for sending data. We only need the requests issued by the external programs to be routed to the tun device. For example, to make our access to the public address 188.8.131.52 go through the tun device, run
route add -net 184.108.40.206/32 dev tun90
and the request will go out through the tun.
Second, the tun device's driver differs from a conventional eth driver: it does not really send data out of its own interface.
The send routine of the tun device saves the data, puts it on its own list, and then notifies the user program that has the tun device open to read it.
So for TUN to intercept data, the application's destination address must be able to "go out" through the TUN interface; configuring a route is the common way to do that.
Note that the data obtained from the tun device carries the layer-3 header.
The above describes the characteristics of the TUN device; all of them are implemented by the TUN character-device driver and network-device driver. Combining these characteristics, we can build a simple private-network traversal function, which is exactly what simpletun from the beginning of the article does.
Sending a request
1. An application sends data, for example a ping to 220.127.116.11. Because of the routes and other rules configured locally, the Linux kernel routes the data to tun90 for sending.
2. After tun90 gets the data, no real send takes place; instead the data, a complete layer-3 packet, is put on the tun device's own queue to wait for the user program to read it. This is the tun device characteristic described above.
At this point the tun client obtains the data. It is data that includes the layer-3 header: the source IP is the tun device's address 18.104.22.168 and the destination is the address the application accessed, 22.214.171.124.
3. The tun client sends this data, layer-3 header included, across the public network. Naturally, the five-tuple of that public-network connection consists of the local physical address and the destination physical address, so this message can be delivered over the public network.
4. The tun server receives the data. It is the data from step 2, carrying the layer-3 header 126.96.36.199->188.8.131.52, and the tun server writes it to its tun device.
5. After tun90 receives the write, it hands the data to the Linux protocol stack. The stack parses the layer-3 header 184.108.40.206->220.127.116.11 to decide how to forward it; since 18.104.22.168 is a local address, it can naturally be handled locally.
Note that the send in step 1 is really the tun device's xmit, while the write in step 4 is really the tun device's receive; the two are different.
This example only uses PING. If the application on physical machine A accesses a public-network address instead, for example 100.100.100.100, then, provided physical machine B has ip_forward enabled and can itself reach 100.100.100.100, the request is forwarded to 100.100.100.100. With NAT enabled, the request 22.214.171.124 -> 100.100.100.100 is sent to the public network, and when the response 100.100.100.100->126.96.36.199 comes back, NAT restores it to 100.100.100.100->188.8.131.52.
The return path is also interesting.
6. Suppose machine B replies to the PING 184.108.40.206->220.127.116.11 with the corresponding response packet. The IP header of B's response is 18.104.22.168->22.214.171.124, and this packet is routed to B's tun90, a process equivalent to step 1 of the sending process above. After tun90 intercepts the packet, it expects the tun server to read it.
7. The tun server detects that the tun device has data and reads it; the data carries the IP header 126.96.36.199->188.8.131.52.
8. The tun server uses the connection established by the tun client to transmit the data over the public network to the client.
9. The tun client writes the data to machine A's tun.
10. By the tun characteristic, the tun hands the data, with its 184.108.40.206->220.127.116.11 IP header, to the protocol stack, and the Linux stack matches it to the ping that was run externally, which thus receives its response.
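Steps 3, 4, 8 and 9 above have the tun client and server carrying whole IP packets over an ordinary TCP connection between the physical addresses. Because TCP is a byte stream, the two sides need an agreed way to find packet boundaries. The C code below is an added example, not simpletun's implementation: it assumes a 2-byte length prefix per packet as that framing, shows the two relay directions of the loop, and checks over a pipe (standing in for the TCP connection) that the inner IP header, source and destination included, arrives byte-identical, which is what lets B's stack act on 184.108.40.206->220.127.116.11 in step 5. The packets used in the self-check are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>

/* Read exactly n bytes: one packet may arrive in several pieces or glued to
 * the next one. Returns 0, or -1 on EOF/error. */
static int read_n(int fd, uint8_t *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r == 0) return -1;                          /* peer closed mid-frame */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)r;
    }
    return 0;
}

static int write_n(int fd, const uint8_t *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, buf + done, n - done);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)w;
    }
    return 0;
}

/* Sending side (steps 3 and 8): prefix the IP packet with its length in
 * network byte order. The packet itself, inner IP header included, is copied
 * unchanged; the outer TCP connection supplies the physical addresses. */
int frame_send(int net_fd, const uint8_t *pkt, size_t len) {
    if (len == 0 || len > 65535) return -1;
    uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)len };
    if (write_n(net_fd, hdr, 2) < 0) return -1;
    return write_n(net_fd, pkt, len);
}

/* Receiving side (steps 4 and 9): recover exactly one packet into buf and
 * return its length, or -1. A frame larger than `cap` is rejected rather than
 * truncated: a cut-off IP packet written to the tun is garbage the stack
 * drops, and reading only part of it would desynchronise every later frame. */
ssize_t frame_recv(int net_fd, uint8_t *buf, size_t cap) {
    uint8_t hdr[2];
    if (read_n(net_fd, hdr, 2) < 0) return -1;
    size_t len = ((size_t)hdr[0] << 8) | hdr[1];
    if (len == 0 || len > cap) return -1;
    if (read_n(net_fd, buf, len) < 0) return -1;
    return (ssize_t)len;
}

/* The two directions of the relay loop (simpletun's TAP2NET / NET2TAP).
 * A read() on the tun fd returns one whole IP packet; a write() hands one
 * whole packet to the stack as if the machine had just received it. */
int relay_tun_to_net(int tun_fd, int net_fd) {
    uint8_t pkt[65535];
    ssize_t n = read(tun_fd, pkt, sizeof pkt);
    return n <= 0 ? -1 : frame_send(net_fd, pkt, (size_t)n);
}
int relay_net_to_tun(int net_fd, int tun_fd) {
    uint8_t pkt[65535];
    ssize_t n = frame_recv(net_fd, pkt, sizeof pkt);
    return n < 0 ? -1 : (write(tun_fd, pkt, (size_t)n) == n ? 0 : -1);
}

/* Self-check without a network: push three constructed packets through a pipe
 * standing in for the TCP connection and confirm the first two come back
 * byte-identical, inner addresses (offsets 12 and 16) untouched, and that the
 * third is rejected when the receive buffer is too small. Returns 0 on success.
 * Checksum fields are left zero; the framing does not look at them. */
int pipe_roundtrip_demo(void) {
    uint8_t a[28] = { 0x45, 0, 0, 28, 0, 1, 0x40, 0, 64, 1, 0, 0,   /* IPv4, ICMP, TTL 64 */
                      10, 0, 0, 1,  10, 0, 0, 2,                     /* 10.0.0.1 -> 10.0.0.2 */
                      8, 0, 0, 0, 0, 0, 0, 0 };                      /* echo request */
    uint8_t b[40];
    memset(b, 0xAB, sizeof b);
    memcpy(b, a, 20); b[3] = 40;                 /* same addresses, longer payload */
    int p[2];
    if (pipe(p) < 0) return -1;
    int rc = -1;
    uint8_t out[64];
    if (frame_send(p[1], a, sizeof a) == 0 && frame_send(p[1], b, sizeof b) == 0 &&
        frame_send(p[1], b, sizeof b) == 0 &&
        frame_recv(p[0], out, sizeof out) == 28 && memcmp(out, a, 28) == 0 &&
        out[12] == 10 && out[15] == 1 && out[16] == 10 && out[19] == 2 &&
        frame_recv(p[0], out, sizeof out) == 40 && memcmp(out, b, 40) == 0 &&
        frame_recv(p[0], out, 16) == -1)         /* 40 > cap 16: rejected, not cut */
        rc = 0;
    close(p[0]); close(p[1]);
    return rc;
}
```

The relay functions are what a real client or server would call from its select loop with a tun fd from TUNSETIFF on one side and a connected TCP socket on the other; the self-check exercises only the framing, which is the part that decides whether the inner packet reaches the far side's stack intact.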