
How to run the IP/ROHC tunnel

This page is about the configuration of the IP/ROHC tunnel. Follow the installation instructions first if the IP/ROHC application is not already installed on your system.

Prerequisites

You need at least 2 UNIX-like systems:

  • the first one will be the server,
  • the second one will be the client.

You may add more clients later.

Check that both systems satisfy all of the following prerequisites:

  • You need write permissions to the directory /var/run on your system.
  • You need sufficient permissions to open a TUN interface.

Install software

Follow the installation instructions of IP/ROHC on both the client and server systems.

Create certificates

For testing purposes, we will create a local private Certification Authority (CA), then we will issue 2 certificates from it.

The following instructions use the CA.pl script shipped with OpenSSL; it may be installed at a different location on your system. In the transcripts below, the text typed after each prompt (for example test) and the bracketed notes such as <hit enter> or <leave empty> are instructions or text for you to type.

DO NOT USE THE FOLLOWING PROCEDURE IN PRODUCTION WITHOUT KNOWING WHAT YOU DO.

Create a Certification Authority (CA)

Create a Certification Authority:

$ /etc/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
<hit enter>
Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:test
Verifying - Enter PEM pass phrase:test
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile de France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:<leave empty>
Common Name (e.g. server FQDN or YOUR name) []:MyCompany
Email Address []:mycompany@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<leave empty>
An optional company name []:<leave empty>
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:test
Check that the request matches the signature
Signature ok
Certificate Details:
  Serial Number:
    91:53:18:41:69:fd:ae:43
  Validity
    Not Before: May 8 08:21:05 2013 GMT
    Not After : May 7 08:21:05 2016 GMT
  Subject:
    countryName          = FR
    stateOrProvinceName  = Ile de France
    organizationName     = My Company
    commonName           = MyCompany
    emailAddress         = mycompany@example.com
  X509v3 extensions:
    X509v3 Subject Key Identifier:
      66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18
    X509v3 Authority Key Identifier:
      keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18

    X509v3 Basic Constraints:
      CA:TRUE
Certificate is to be certified until May 7 08:21:05 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Create the certificate for the server

Create a certificate request for the server's certificate:

$ /etc/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:test
Verifying - Enter PEM pass phrase:test
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile de France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:<leave empty>
Common Name (e.g. server FQDN or YOUR name) []:IpRohcServer
Email Address []:mycompany@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<leave empty>
An optional company name []:<leave empty>
Request is in newreq.pem, private key is in newkey.pem

Create the server's certificate from the certificate request and the CA:

$ /etc/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:test
Check that the request matches the signature
Signature ok
Certificate Details:
  Serial Number:
    91:53:18:41:69:fd:ae:44
  Validity
    Not Before: May  8 09:21:11 2013 GMT
    Not After : May  8 09:21:11 2014 GMT
  Subject:
    countryName          = FR
    stateOrProvinceName  = Ile de France
    localityName         = Paris
    organizationName     = MyCompany
    commonName           = IpRohcServer
    emailAddress        = mycompany@example.com
  X509v3 extensions:
    X509v3 Basic Constraints:
      CA:FALSE
    Netscape Comment:
      OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
      C8:F8:43:31:38:F5:A3:C4:FF:58:2E:84:C6:E3:E0:82:62:47:E2:5C
    X509v3 Authority Key Identifier:
      keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18

Certificate is to be certified until May  8 09:21:11 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Export the certificate, the private key, and the public part of the CA in the PKCS#12 format:

$ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export
Enter pass phrase for newkey.pem:test
Enter Export Password:<leave empty>
Verifying - Enter Export Password:<leave empty>

Do not specify an export password; otherwise the IP/ROHC server won't be able to load the certificate and key.

Save the generated certificates, private key, and PKCS#12 files:

$ mkdir demoCA/certs/IpRohcServer
$ mv new* demoCA/certs/IpRohcServer/

Create the certificate for one client

Be sure to perform the actions below with the same CA as the server. If you are not sure what that means, generate the client's certificate on the same machine and in the same directory as the server's.

Create a certificate request for one client's certificate:

$ /etc/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:test
Verifying - Enter PEM pass phrase:test
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile de France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:<leave empty>
Common Name (e.g. server FQDN or YOUR name) []:IpRohcClient1
Email Address []:mycompany@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<leave empty>
An optional company name []:<leave empty>
Request is in newreq.pem, private key is in newkey.pem

Create the client's certificate from the certificate request and the CA:

$ /etc/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:test
Check that the request matches the signature
Signature ok
Certificate Details:
  Serial Number:
    91:53:18:41:69:fd:ae:44
  Validity
    Not Before: May 8 09:21:11 2013 GMT
    Not After : May 8 09:21:11 2014 GMT
  Subject:
    countryName          = FR
    stateOrProvinceName  = Ile de France
    localityName         = Paris
    organizationName     = MyCompany
    commonName           = IpRohcClient1
    emailAddress         = mycompany@example.com
  X509v3 extensions:
    X509v3 Basic Constraints:
      CA:FALSE
    Netscape Comment:
      OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
      C8:F8:43:31:38:F5:A3:C4:FF:58:2E:84:C6:E3:E0:82:62:47:E2:5C
    X509v3 Authority Key Identifier:
      keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18

Certificate is to be certified until May 8 09:21:11 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Export the certificate, the private key, and the public part of the CA in the PKCS#12 format:

$ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export
Enter pass phrase for newkey.pem:test
Enter Export Password:<leave empty>
Verifying - Enter Export Password:<leave empty>

Do not specify an export password; otherwise IP/ROHC won't be able to load the certificate and key.

Save the generated certificates, private key, and PKCS#12 files:

$ mkdir demoCA/certs/IpRohcClient1
$ mv new* demoCA/certs/IpRohcClient1/

In order to create certificates for more clients, perform the same actions as above but replace IpRohcClient1 with IpRohcClientN, incrementing N by 1 each time.

Server

Configure the server

Copy the generated PKCS#12 file demoCA/certs/IpRohcServer/newcert.p12 as /etc/ssl/server_voip.p12 on the server system.

Then edit the /etc/iprohc_server.conf file to fit your needs. The configuration file is in YAML format.

# Config file for iprohc server

general:
    port: 3126                           # the TCP port to listen for client requests on
    pidfile: /var/run/iprohc_server.pid  # the file in which to record the server's PID
    p12file: /etc/ssl/server_voip.p12    # the server certificate and private key (PKCS#12 format)

tunnel:
    ipaddr: 192.168.42.1   # The local IP address assigned by the server on the tunnel interface
                           # (clients will get assigned one IP address in the associated /24 range)
    packing: 5             # The packing level, i.e. do not put more than N packets together in a tunnel frame
    maxcid:  15            # The maximum allowed CID in the ROHC compressor
    unidirectional: 1      # The ROHC mode (1 = unidirectional, 0 = bidirectional)
    keepalive: 60          # The maximum time (in seconds) to receive a keepalive before dying
                           # (keepalives are sent every third of this value)

# vim:ft=yaml

Notes:

  • Change the value of the pidfile parameter if you don't have write permissions on the /var/run/ directory.
  • Modify the value of the p12file parameter if you prefer using a different path for your PKCS#12 certificate file.
  • Modify the value of the ipaddr parameter if you want to customize the subnet used for the IP/ROHC tunnel. Private IPv4 subnets are recommended: 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12.

Run the server

You may either run the server with its init script or manually.

Start the server with the dedicated init script (you may find it in the debian/init.d/ sub-directory in the sources):

# /etc/init.d/iprohc_server start

Start the server manually if the configuration file is located at /etc/iprohc_server.conf:

# iprohc_server

Start the server manually if the configuration file is not located at /etc/iprohc_server.conf:

# iprohc_server --conf /path/to/iprohc_server.conf

Then, check that the server started correctly by looking at the system logs (where system logs are stored may depend on your system configuration):

# grep iprohc_server /var/log/messages | tail -n 20
May  8 12:16:35 XXXX iprohc_server[18973]: load server certificate from file '/etc/ssl/server_voip.p12'
May  8 12:16:35 XXXX iprohc_server[18973]: generate Diffie–Hellman parameters (it takes a few seconds)
May  8 12:16:45 XXXX iprohc_server[18973]: listen on TCP 0.0.0.0:3126
May  8 12:16:45 XXXX iprohc_server[18973]: create TUN interface
May  8 12:16:45 XXXX iprohc_server[18973]: start TUN routing thread
May  8 12:16:45 XXXX iprohc_server[18973]: create RAW socket
May  8 12:16:45 XXXX iprohc_server[18973]: start RAW routing thread
May  8 12:16:45 XXXX iprohc_server[18973]: server is now ready to accept requests from clients
May  8 12:16:45 XXXX iprohc_server[18973]: Initializing routing thread
May  8 12:16:45 XXXX iprohc_server[18973]: Initializing routing thread

If the messages are different, please refer to the troubleshooting paragraph.

If everything seems correct, check that the tunnel interface is available and configured:

# ip link show tun_ipip
XX: tun_ipip: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 500
    link/none
# ip -4 address show tun_ipip
XX: tun_ipip: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    inet 192.168.42.1/24 scope global tun_ipip

If the output is different, please refer to the troubleshooting paragraph.

If everything seems correct once again, the server is ready. Now configure one or more IP/ROHC clients.

Client(s)

This section describes how to set up one client. Several clients may be run simultaneously on different systems against the same server. Use different PKCS#12 files for the different clients.

Configure one client

Copy the generated PKCS#12 file demoCA/certs/IpRohcClient1/newcert.p12 as client1.p12 on the client system. The client's PKCS#12 file must be different from the server's PKCS#12 file.

Run one client

There is no init script on the client side, so you have to start it manually on the command line. Run this command as root:

# iprohc_client --remote X.X.X.X --port 3126 --dev iprohc --p12 /path/to/client1.p12

Notes:

  • Replace X.X.X.X by the IP address of the server. This is not the IP address set in the server's configuration file (that is used for the tunnel interface), but the one assigned on the underlying network interface. On a basic setup, it is the IP address assigned to the eth0 interface.
  • The value of the --port argument shall match the value of the port parameter in server's configuration.
  • The value of the --dev argument may be customized to fit your needs. The network interface of the IP/ROHC tunnel will be named accordingly.
  • Change the value of the --p12 argument to match the exact location of the client's PKCS#12 file.

Then, check that the client started correctly by looking at the client's system logs (where system logs are stored may depend on your system configuration):

# grep iprohc_client /var/log/messages | tail -n 20
May  8 12:31:14 XXXX iprohc_client[19202]: local address X.X.X.X:53137 is used to contact server
May  8 12:31:14 XXXX iprohc_client[19202]: TLS handshake succeeded
May  8 12:31:14 XXXX iprohc_client[19202]: client certificate accepted
May  8 12:31:14 XXXX iprohc_client[19202]: send connect message to server
May  8 12:31:14 XXXX iprohc_client[19202]: wait for connect answer from server
May  8 12:31:14 XXXX iprohc_client[19202]: run tunnel thread for new client

On the server system, new traces should have been recorded in the system logs (where system logs are stored may depend on your system configuration):

# grep iprohc_server /var/log/messages | tail -n 20
May  8 12:31:14 XXXX iprohc_server[19198]: new connection from Y.Y.Y.Y:53137
May  8 12:31:14 XXXX iprohc_server[19198]: TLS handshake succeeded
May  8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection asked, negotating parameters
May  8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection asked, negotating parameters (proto version 1, asked packing : 0)
May  8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection started by client

If the messages are different, please refer to the troubleshooting paragraph.

If everything seems correct, check that the tunnel interface is available and configured:

# ip link show iprohc
XX: iprohc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 500
    link/none
# ip -4 address show iprohc
XX: iprohc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    inet 192.168.42.11/24 scope global iprohc

If the output is different, please refer to the troubleshooting paragraph.

If everything seems correct once again, the client is ready. Now test the tunnel connectivity.

Testing tunnel connectivity

On server:

$ ping 192.168.42.11

On any client:

$ ping 192.168.42.1

You may also set the default route of all or some clients to the tunnel:

# ip route add default via 192.168.42.1

You may get some statistics about the ROHC compression and the packing mechanism by sending the SIGUSR1 signal to the process of the IP/ROHC server:

# kill -USR1 $( cat /var/run/iprohc_server.pid )

The statistics are recorded in the system logs (where system logs are stored may depend on your system configuration):

May  8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------
May  8 12:54:51 XXXX iprohc_server[19198]: Client Y.Y.Y.Y
May  8 12:54:51 XXXX iprohc_server[19198]: Packing : 0
May  8 12:54:51 XXXX iprohc_server[19198]: Stats : 
May  8 12:54:51 XXXX iprohc_server[19198]:  . Failed decompression : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total  decompression : 18
May  8 12:54:51 XXXX iprohc_server[19198]:  . Failed compression   : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total  compression   : 18
May  8 12:54:51 XXXX iprohc_server[19198]:  . Failed depacketization        : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total received packets on raw : 16
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total compressed header size  : 90 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total compressed packet size  : 1242 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total header size before comp : 360 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total packet size before comp : 1512 bytes
May  8 12:54:51 XXXX iprohc_server[19198]: Stats packing : 
May  8 12:54:51 XXXX iprohc_server[19198]:  . 0 : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . 1 : 14
May  8 12:54:51 XXXX iprohc_server[19198]:  . 2 : 2
May  8 12:54:51 XXXX iprohc_server[19198]:  . 3 : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . 4 : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . 5 : 0
May  8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------

In the above example:

  • The tunnel transported 1512 bytes of ICMP packets (pings). Among all those bytes, 360 bytes were for IPv4 headers. The ROHC protocol compressed those 360 bytes to 90 bytes, saving 270 bytes (75% of headers). With payload included, the ROHC protocol compressed the 1512 bytes to 1512 - 360 + 90 = 1242 bytes, still saving 270 bytes (17% of whole packets).
  • The packing mechanism was not very efficient because the rate of ICMP packets was too slow: 14 packets were transmitted without packing, 2 frames were transmitted with 2 packets glued together. A network stream with a higher rate would make better use of the packing mechanism (5 packets per frame).
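An added helper, not from the IP/ROHC project, that computes the figures in the two bullets above from the server's statistics lines as they appear in the system log (header and whole-packet savings, frames, packets and how many frames actually carried more than one packet). The sample lines embedded in it are constructed to match the dump shown above; the function name is this example's own.

```shell
#!/bin/sh
# Summarise an IP/ROHC server statistics dump (the SIGUSR1 output) into the
# figures the text derives by hand. Added example: rohc_stats_summary and the
# sample lines are constructed for it, not produced by the IP/ROHC project.
set -eu

# Constructed log excerpt carrying the same numbers as the page's example.
IPROHC_SAMPLE_STATS='May  8 12:54:51 XXXX iprohc_server[19198]:  . Total compressed header size  : 90 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total compressed packet size  : 1242 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total header size before comp : 360 bytes
May  8 12:54:51 XXXX iprohc_server[19198]:  . Total packet size before comp : 1512 bytes
May  8 12:54:51 XXXX iprohc_server[19198]: Stats packing :
May  8 12:54:51 XXXX iprohc_server[19198]:  . 0 : 0
May  8 12:54:51 XXXX iprohc_server[19198]:  . 1 : 14
May  8 12:54:51 XXXX iprohc_server[19198]:  . 2 : 2
May  8 12:54:51 XXXX iprohc_server[19198]:  . 3 : 0'

# Reads statistics lines on stdin (e.g. grep iprohc_server /var/log/messages)
# and prints one key=value pair per line. Percentages are truncated integers.
# Exits non-zero when no size counters were found in the input.
rohc_stats_summary() {
    awk '
        /Total compressed header size/  { ch = $(NF-1) }
        /Total compressed packet size/  { cp = $(NF-1) }
        /Total header size before comp/ { uh = $(NF-1) }
        /Total packet size before comp/ { up = $(NF-1) }
        /Stats packing/                 { packing = 1; next }
        # "<N> : <frames>" rows: <frames> tunnel frames carried N packets each.
        packing && /\. [0-9]+ : [0-9]+$/ {
            n = $(NF-2); frames = $NF
            total += frames; packets += n * frames
            if (n >= 2) multi += frames
        }
        END {
            if (uh == 0 || up == 0) { print "error=no stats found"; exit 1 }
            printf "header_saved=%d header_pct=%d\n", uh - ch, (uh - ch) * 100 / uh
            printf "packet_saved=%d packet_pct=%d\n", up - cp, (up - cp) * 100 / up
            printf "frames=%d packets=%d multi_packet_frames=%d\n", total, packets, multi
        }'
}

# Usage: grep iprohc_server /var/log/messages | rohc_stats_summary
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$IPROHC_SAMPLE_STATS" | rohc_stats_summary
fi
```

On the sample above it reports 270 header bytes saved (75%), 270 packet bytes saved (17%), 16 frames carrying 18 packets, of which only 2 frames held more than one packet.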

Troubleshooting

Server troubleshooting

Q: You see the following message in logs

failed to open pidfile '/var/run/iprohc_server.pid': Permission denied (13)

A: You don't have write permission on the /var/run/ directory. Either run the IP/ROHC server as a user with enough permissions, or change the location of the PID file in the configuration file (see the configuration paragraph above).

Q: You see the following message in logs

failed to open PKCS#12 file '/etc/ssl/server_voip.p12': No such file or directory (2)

A: The IP/ROHC server failed to find the PKCS#12 file. Either copy the PKCS#12 file to /etc/ssl/server_voip.p12, or change the location of the PKCS#12 file in the configuration file (see the configuration paragraph above).

Q: You see the following message in logs

failed to ioctl(TUNSETIFF) on /dev/net/tun: Operation not permitted (1)

A: You don't have the permission to create TUN interfaces. Run the IP/ROHC server as root or as any other user with the CAP_NET_ADMIN POSIX capability.

Client troubleshooting

Q: You see the following message in logs

failed to connect to server: Connection refused (111)

A: Check the network connectivity between client and server: try ping X.X.X.X on the client, check any firewall rules (TCP/3126 shall be allowed), and so on.

iprohc-run.txt · Last modified: 2015/10/29 19:06 by didier