Tunneling guide
Tiemo Kieft
Version 0.1, April 10, 2004

This guide explains how to set up a tunnel between networks in various ways.

Introduction
Introduction to tunnels

Case study

We're going to use this case to explain the usage of various methods to build tunnels between networks.

192.168.1.2                                                      192.168.2.2
------------|                                                   |------------
            |                                                   |
192.168.1.2 | 192.168.1.1 (router1)       192.168.2.1 (router2) | 192.168.2.3
------------|---------------------=========---------------------|------------
            |              10.0.0.1       10.0.0.2              |
192.168.1.3 |                                                   | 192.168.2.4
------------|                                                   |------------

|---------------------------------|       |---------------------------------|
         192.168.1.0/24                             192.168.2.0/24
  

In the above diagram we see a network structure which consists of 2 separate physical networks. The ========= represents the internet. Both networks consist of 3 workstations and a router. We are going to use the tunneling software to connect the two routers in a secure fashion. Both routers have a "real" IP address in the subnet of their respective networks, as well as an IP address that will be used for the tunnel device (10.0.0.x).

Virtual tunnels with VTun
Introduction to VTun

VTun is a piece of software that can be used to make point-to-point tunnels over IP links.

Kernel configuration

To use VTun you need the Universal TUN/TAP driver, either as a module or as part of the kernel.

For kernel 2.6:

Device Drivers --->
  [*] Networking support
      <*>     Universal TUN/TAP device driver support

For kernel 2.4 (
)
  

After you enable the TUN/TAP driver, either as a module or as part of the kernel, compile the new kernel (and if you chose to make it part of the kernel, reboot).

If you chose to compile it as a module:
# make modules_install
# modules-update
# modprobe tun

If you chose to compile it as part of the kernel:
# mount /boot
# make install
# reboot
  

The last kernel related step that has to be taken is the creation of a tunnel device file:

# mkdir /dev/net
# mknod /dev/net/tun c 10 200
  
Server configuration

VTun works with a server and a client. Both use the same daemon, but the server has more configuration options (like compression and encryption). In the above diagram 192.168.1.1 (10.0.0.1) will be the server, and 192.168.2.1 (10.0.0.2) will be the client.

VTun configuration is done with two separate configuration files. /etc/vtund.conf is used to configure the default options and the session-specific options. /etc/vtund-start.conf is used to configure which sessions run as client and which run as server. We will begin by looking at vtund.conf.

default {
  type tun;
  keepalive yes;
}
                                                                                
mysession {
  pass mysecretpassword;
  proto tcp;
  comp zlib:6;
  encrypt yes;
  up {
    ifconfig "%% 10.0.1.1 pointopoint 10.0.1.2";
  };
  down {
    ifconfig "%% down";
  };
}
  

This file has two sections: default, which (obviously) sets default values, and mysession, which contains information specific to our session. As you can see a password is required to set up the tunnel. This password is supplied in clear text, so the file should not be world readable. Take a look at man 5 vtund.conf for more information on configuring VTun.
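The two points above that are easy to get wrong on a freshly built router are the /dev/net/tun device node (the mknod step earlier in this guide) and the permissions on a vtund.conf that holds a clear-text password. The following pre-flight script is an added example, not part of the original guide or of the VTun project; it assumes GNU stat (the coreutils version on Gentoo) and the vtund.conf layout shown above, with one "name {" at the start of a line per session and a closing "}" at the start of a line. The function and file names are my own.

```shell
#!/bin/sh
# vtun-preflight.sh: sanity checks before starting vtund (added example).
# Every path is a parameter so the checks can be run against test copies.

# check_tun_device [DEVPATH]
# Succeeds if DEVPATH is a character device with major 10, minor 200,
# the numbers used by "mknod /dev/net/tun c 10 200" in the guide.
check_tun_device() {
    dev="${1:-/dev/net/tun}"
    [ -c "$dev" ] || { echo "missing or not a character device: $dev"; return 1; }
    # GNU stat: %t is the major number, %T the minor number, both in hex
    maj=$(stat -c '%t' "$dev") || return 1
    min=$(stat -c '%T' "$dev") || return 1
    if [ "$((0x$maj))" -ne 10 ] || [ "$((0x$min))" -ne 200 ]; then
        echo "unexpected device numbers on $dev: $((0x$maj)):$((0x$min))"
        return 1
    fi
    echo "ok: $dev is 10:200"
}

# check_conf_perms [FILE]
# Fails if FILE is readable by "other" (world readable), since the session
# password is stored in clear text. Group-readable only produces a warning.
check_conf_perms() {
    conf="${1:-/etc/vtund.conf}"
    [ -f "$conf" ] || { echo "no such file: $conf"; return 1; }
    # %a prints the mode in octal (e.g. 644); the leading 0 makes $(( )) parse it as octal
    mode=$(stat -c '%a' "$conf") || return 1
    val=$((0$mode))
    group=$(( (val / 8) % 8 ))
    other=$(( val % 8 ))
    if [ $((other & 4)) -ne 0 ]; then
        echo "FAIL: $conf is world readable (mode $mode); use chmod 600"
        return 1
    fi
    [ $((group & 4)) -ne 0 ] && echo "warning: $conf is group readable (mode $mode)"
    echo "ok: $conf mode $mode"
}

# list_sessions_without_encrypt FILE
# Prints the names of sessions in FILE that do not explicitly set "encrypt yes".
# Only the session's own block is inspected; the "default" block is skipped.
list_sessions_without_encrypt() {
    awk '
        /^[A-Za-z0-9_]+[ \t]*[{]/  { name = $1; enc = 0; next }   # session start
        /^[ \t]*encrypt[ \t]+yes/ { enc = 1 }                     # explicit encryption
        /^[}]/ {                                                   # session end
            if (name != "" && name != "default" && !enc) print name
            name = ""
        }
    ' "$1"
}

# vtun_preflight [CONF]: run all checks, exit non-zero on the first hard failure.
vtun_preflight() {
    conf="${1:-/etc/vtund.conf}"
    check_tun_device /dev/net/tun || return 1
    check_conf_perms "$conf" || return 1
    missing=$(list_sessions_without_encrypt "$conf")
    if [ -n "$missing" ]; then
        echo "sessions without an explicit 'encrypt yes': $missing"
    fi
}

# Run the checks only when invoked as "sh vtun-preflight.sh --run [CONF]",
# so the file can also be sourced to reuse the functions.
case "${1:-}" in
    --run) vtun_preflight "$2" ;;
esac
```

Run it on the server as sh vtun-preflight.sh --run before starting vtund; a clean run prints "ok" for the device node and the config file and lists any session that relies on whatever default applies instead of stating encrypt yes itself.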

Client configuration

The client configuration file is basically the same as the server file. I removed all configuration options that have no effect on the client.

default {
  type tun;
  keepalive yes;
}
                                                                                
mysession {
  pass mysecretpassword;
  proto tcp;
  up {
    ifconfig "%% 10.0.1.2 pointopoint 10.0.1.1";
  };
  down {
    ifconfig "%% down";
  };
}
  

Basically the only thing that changed is the "up" part: the IP addresses are switched in this one.