How should I understand writing responses to a TUN device?
by sbergman20 from LinuxQuestions.org on (#6FDCK)
I'm trying to understand TUN as I'm working on a toy VPN implementation.
I have a point-to-point TUN with local IPs of 10.0.1.170/10.0.1.171. If I ping 10.0.1.171, I can see the packet in my agent that listens on the tun interface.
My confusion is how I could either return a real reply or a simulated reply back to the client that initiated the ping request to begin with.
So far, I've tried crafting an echo response packet while swapping the src and destination IPs. However, the IP is just the TUN device. How does it reach the client? Am I understanding the flow correctly?
I tried to draw a picture, but feel my intuition is wildly off.
https://user-images.githubuserconten...961600e16a.png.
To expand this to a real-world application: in a VPN, if packets are proxied to the TUN device to be encrypted before being sent off over some UDP tunnel, the client device is still going to expect a response. The writing _back_ to the TUN device to pass the packet back to the kernel is what is confusing me!
Is the entire trick here a NAT rule that says masquerade all IPs going to 10.0.1.171?
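The mechanism the question is circling is simpler than NAT: a packet written to the TUN file descriptor is treated by the kernel as a packet that just arrived on that interface, so an echo reply with src/dst swapped lands in the pinging process's socket the same way a reply from a real far-end host would. The following is an added example (not the poster's code): a minimal Python responder that reads from `tun0`, answers ICMP echo requests, and drops everything else. It assumes the interface already exists with the addresses from the post (`ip tuntap add mode tun tun0`, `ip addr add 10.0.1.170 peer 10.0.1.171 dev tun0`, `ip link set tun0 up`) and that it is run as root; the function names and the sample packet are constructed for illustration.

```python
"""Toy TUN echo responder: answers ICMP echo requests read from a TUN device.

Reading from the TUN fd yields the raw IPv4 packet the kernel routed to the
interface. Writing a packet back to the same fd makes the kernel treat it as a
packet that *arrived* on the interface, so it is delivered to the local socket
(here, ping's socket) exactly as a reply from the far end would be. No NAT rule
is involved for this case.
"""
import fcntl
import os
import socket
import struct

# Linux TUN/TAP ioctl constants from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001      # layer-3 (IP) device, no Ethernet header
IFF_NO_PI = 0x1000    # no 4-byte packet-information prefix on read/write

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an IPv4 ICMP echo request (used only to produce a sample packet)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def build_echo_reply(packet: bytes):
    """Return an ICMP echo reply for an IPv4 echo request, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4 (e.g. IPv6 neighbour traffic)
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != socket.IPPROTO_ICMP:
        return None
    ip_hdr = bytearray(packet[:ihl])
    icmp = bytearray(packet[ihl:])
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None                      # never answer replies, avoids ping-pong loops
    # Swap source and destination so the kernel delivers the reply to the pinging host
    ip_hdr[12:16], ip_hdr[16:20] = ip_hdr[16:20], ip_hdr[12:16]
    ip_hdr[8] = 64                       # fresh TTL
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", inet_checksum(bytes(ip_hdr)))
    icmp[0] = ICMP_ECHO_REPLY            # identifier, sequence and payload are kept
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    return bytes(ip_hdr) + bytes(icmp)


def open_tun(name: str = "tun0") -> int:
    """Attach to an existing TUN interface (needs CAP_NET_ADMIN / root)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def serve(fd: int) -> None:
    """Answer every echo request the kernel hands us; everything else is dropped."""
    while True:
        pkt = os.read(fd, 65535)
        reply = build_echo_reply(pkt)
        if reply is not None:
            os.write(fd, reply)          # kernel now sees an inbound packet on tun0


if __name__ == "__main__":
    serve(open_tun("tun0"))
```

With this running, `ping 10.0.1.171` on the same host gets answers even though nothing owns 10.0.1.171: the kernel routes the request out via `tun0`, the agent reads it, and the written reply is delivered to ping as if it had come in from the peer. A real VPN does the same thing one hop further: the packet read from the TUN fd is encrypted and sent over UDP, and whatever comes back from the tunnel is decrypted and written to the TUN fd unchanged, so the client's own addresses are preserved and no masquerading is needed on the client side.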