Supporting TUN/TAP

Overview/Intro

These steps are intended to be done as part of a guide that has other steps. Following just these steps, by themselves, might not fully implement TUN/TAP.

These steps are similar, or even identical, to SOME (but NOT all) of the steps described by Firewall NIC Configuration). Namely, the “Firewall NIC Configuration” guide describes a system with multiple NICs.

VLAN

All virtual machines should use the same Qemu VLAN setting if they are going to be directly communicating with each other.

  • The easiest way to handle that is to not specify any custom VLAN. Just leave the script's default setting unaltered.
    • Therefore, this step may not require any action.

If changes need to be made (to match customizations used by another machine), the relevant variable is VMNICONEVLAN (and VMNICONEALTVLAN should point to the same value).

Enabling TUN/TAP
New method

Simply make sure the startup script's value for VMScrGen is set to 2.

With the default script, minimally customized as this guide shows, you just need to check the first non-commented occurrence of the variable, which can be done with:

grep VMScrGen ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM} | grep -v ^\# | head -1
Older method

Edit the virtual machine's “startup script” file.

echo VMDirBas=${VMDirBas} VMGenNam=${VMGenNam} VMLILNAM=${VMLILNAM}
echo ${VISUAL}
sudoedit ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM}

Find the line that says:

export VMNICONETYP=default

Make it say:

export VMNICONETYP=VMNICTUNTAP

(The script's default is to use the “USER” networking mode, rather than TUN/TAP. That was done to simplify networking on the very first “virtual machine”. However, this guide is currently using TUN/TAP as the method that is recommended for most machines. If you don't like changing this too regularly, you can opt to use a different base script file.)

Additional file updates
sudo chown $(id -un) ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM}
sudo chmod u+x ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM}
ls -l ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM}
sudo mkdir ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/
echo \#!/bin/sh| sudo -n tee -a ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/upif0
echo \#!/bin/sh| sudo -n tee -a ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/dnif0
sudo chmod u+x ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/??if?
ls -l ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/
Supporting networking
Setting a temporary variable

Since the name of the TUN/TAP device gets used multiple times, creating a temporary variable here, and customizing the value once, may be less work than needing to customize the following directions numerous times.

  • The name of the device ends with the number used by ${VMNUM} from the virtual machine's startup script.
  • For example, in OpenBSD: If the ${VMNUM} was 44 then the name of the device file would be tun144 (the “1” refers to this being the first NIC).
    • Different operating systems may use different NIC names. The concept of a TUN/TAP device's name was discussed in an earlier section. (That earlier section was about changing another NIC, and not all nearby details are related to the task of supporting the current machine. That earlier section was at Find the needed tunnel interface name.)

You'll need to set this variable in order for the following instructions to work with fewer required customized modifications.

The fast way

If you're feeling more adventurous...

export CURVMNUM=$( grep -i "VMNUM=" ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/sysstart/exc_${VMLILNAM} | cut -d = -f 3 | head -1 )
export CURTUNTP=tun1${CURVMNUM}
echo ${CURTUNTP}

Customizations to the script can make this “automated”/“fast” approach fail. Be sure to carefully check the results to make sure that they make goot sense.

The reliable way

This can be done manually...

export CURTUNTP=tun144
echo CURTUNTP=${CURTUNTP}
Making TUN/TAP

Make the TUN/TAP device. In the following sample command lines, one of the commands needs to customization of the TUN/TAP device's name.

ls -l /dev/tun[0-9]*
ls /dev/tun[0-9]*

pwd
cd /dev/
sudo ./MAKEDEV ${CURTUNTP} # Be sure to customize the TUN/TAP device number appropriately
cd ${OLDPWD}
pwd

See your creation.

ls -l /dev/${CURTUNTP}

Identify the newly created device as one that will be having bridged traffic.

ls -l /etc/hostname.${CURTUNTP}
[ -e /etc/hostname.${CURTUNTP} ] && cpytobak /etc/hostname.${CURTUNTP}
echo group usebrdge| sudo -n tee -a /etc/hostname.${CURTUNTP}
ls -l /etc/hostname.${CURTUNTP}
sudo ${SHELL} -c ". /etc/netstart ${CURTUNTP}"
ifconfig ${CURTUNTP}

Describe the newly created device.

ls -l /etc/hostname.${CURTUNTP}
[ -e /etc/hostname.${CURTUNTP} ] && cpytobak /etc/hostname.${CURTUNTP}
echo description \"bridge0 \& NIC \# of Qemu VMNUM \#\# ${VMLILNAM} : FurtherNICDescr\"| sudo -n tee -a /etc/hostname.${CURTUNTP}

e.g., if CURVMNUM was set earlier...

ls -l /etc/hostname.${CURTUNTP}
[ -e /etc/hostname.${CURTUNTP} ] && cpytobak /etc/hostname.${CURTUNTP}
echo description \"bridge0 \& NIC \1 of Qemu VMNUM ${CURVMNUM}\# ${VMLILNAM} : FurtherNICDescr\"| sudo -n tee -a /etc/hostname.${CURTUNTP}

The intent here is that the “\#” is actually replaced by an actual number. If a number is specified, there is no need for the backslash. However, the backslash is quoted in case someone just wishes to “copy and paste” from an electronic copy of these instructions, with intent to customize the values by editing a text file (instead of customizing the values before the command line is executed).

(The “ : FurtherNICDescr” is intended to describe the NIC, which may be particularly useful for machines that have multiple NICs. For a machine with a single NIC, that is probably not needed. A description of the machine could also be used, but the ${VMLILNAM} may do a suitable job of that. Remember that these descriptions show up in the ifconfig results, so it is not particularly desired to have super lenghty descriptions. (Namely, having them be longer than 63 characters is not possible, and having them be 60 characters or longer is generally undesirable because descriptions of that length cause ifconfig's output to exceed 80 columns when the description is shown.)

echo ${VISUAL}
sudoedit /etc/hostname.${CURTUNTP}

If needed, correct the NIC number (NIC #) and the VMNUM (VMNUM #). Also, if needed, correct or remove the optional description. (Remove the “ : FurtherNICDescr”.)

sudo ${SHELL} -c ". /etc/netstart ${CURTUNTP}"
ifconfig ${CURTUNTP}
Make sure the new TUN/TAP device will be operational
ls -l /etc/hostname.${CURTUNTP}
[ -e /etc/hostname.${CURTUNTP} ] && cpytobak /etc/hostname.${CURTUNTP}
echo link0| sudo -n tee -a /etc/hostname.${CURTUNTP}
echo up| sudo -n tee -a /etc/hostname.${CURTUNTP}
sudoedit /etc/hostname.${CURTUNTP}

If all looks well, make it effective:

sudo ${SHELL} -c ". /etc/netstart ${CURTUNTP}"
ifconfig ${CURTUNTP}
Add TUN/TAP to bridge

This can be done with this command:

echo ifconfig ${CURTUNTP} link0| sudo -n tee -a ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/upif0
echo ifconfig ${CURTUNTP} up| sudo -n tee -a ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/upif0
echo ifconfig bridge0 add ${CURTUNTP} blocknonip ${CURTUNTP} up| sudo -n tee -a ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/upif0

It may be better to place that command somewhere before the end of the text file. (Or, perhaps not. As a possible example, if the end of the script had a command like “ echo End of script ”, then it would make sense to place the new command somewhere before the end of the text file.) If so, feel free to adjust the text file:

sudoedit ${VMDirBas}/execbin/${VMGenNam}/${VMLILNAM}/nicscr/upif0
Unsetting temporary variable
unset CURVMNUM
unset CURTUNTP