Warning: This is a development version. The latest stable version is Version 4.0.1.

TUN Example: Network


This feature is only available for Linux!

The following examples show how to use the rely application’s TUN feature.

The following example is a bit more advanced, but will allow you to pipe all your traffic through the rely tun interface.

Using this feature will cause the rely application to create a new virtual network interface on your machine. For this reason root permissions are required.

Using this feature creates a virtual network much like a VPN, except that the tunnel gives you reliability instead of encryption.

Setup NAT

To allow access to the Internet through a tunnel, you can set up NAT on one of the machines with Internet access (host 1). It is assumed that a tunnel interface tun0 and a network interface eth0 with Internet access are available:

|           Gateway          |
|        + <----+
|                            |      |
+----------------------------+      |
+----------------------------+      |      +----------------------------+
|           host 1           |      |      |           host 2           |
| +-> tun0:      |      |      |     tun0: <--+ |
| |                          |      |      |                          | |
| +-> eth0:      + <---------> +     eth0:  <-+ |
+----------------------------+             +----------------------------+

As root on the machine with Internet access:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --append FORWARD -i tun0 -j ACCEPT
iptables --append FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE

This also works if the rely tunnel is using eth0 on the host setting up the NAT, so a separate network interface is not necessary.

If you need applications on host 1 and host 2 to communicate, or you want to add losses to the interfaces, a secondary interface on host 1 for communicating with host 2 will make the setup a lot easier.

Setup NAT with Separate LAN Connection

Sometimes it is more convenient to keep the connection between host 1 and host 2 on a separate network, for example if your client machine is on a separate physical network, or for demo purposes if you want to introduce delay or losses in both directions. Your setup could then look something like this:

      |           Gateway          |
+---> +        +
|     |                            |
|     +----------------------------+
|     +----------------------------+             +----------------------------+
|     |           host 1           |             |           host 2           |
+---> +     eth1: <--+ |             |                            |
      |                          | |             |                            |
      | +-> tun0: <--+ |             |     tun0: <--+ |
      | |                          |             |                          | |
      | +-> eth0:         + <---------> +     eth0:    <--+ |
      +----------------------------+             +----------------------------+


The two networks on host 1 should be on separate subnets.

Assuming eth1 is up and provides Internet access, on host 1 (as root):

(bring interface up)
ifconfig eth0 up

(start the tunnel)
./rely tun --local_endpoint --local_endpoint --tunnel_ip

(sets up NAT; eth1 is the interface with Internet access in this setup)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --append FORWARD -i tun0 -o eth1 -j ACCEPT
iptables --append FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --table nat --append POSTROUTING -o eth1 -j MASQUERADE

On host 2 (as root):

(bring up interface)
ifconfig eth0 up

(start the tunnel)
./rely tun --local_endpoint --local_endpoint --tunnel_ip --default_route

(configure dns)
nano /etc/resolv.conf (set up DNS address)

Now you should be able to access Internet resources on host 2. If you cannot, try the following on host 2 to see how far your setup works:

(tunnel endpoint on host 1)

(Internet interface on host 1)

(Google Public DNS)

ping google.com

Add Delay and Losses on Interface

If you want to test the reliability on a network without losses, these can be added artificially. This can be done using the Traffic Control tool tc. This is how to add 5% losses and 100 ms of delay, as root:

tc qdisc add dev eth0 root netem loss 5% delay 100ms

And this is how to remove it again, as root:

tc qdisc del dev eth0 root


Make sure not to add loss on your tunnel interface. If you do, data will be discarded before it hits the tunnel, and hence the losses cannot be corrected.


Manipulating the link as above only works on the egress, meaning it can only be applied to the output buffer of an interface. If you want to introduce bi-directional losses or delay, you need to set up additional virtual interfaces or an additional physical interface.
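
One way to cover the bi-directional case with a virtual interface is the Linux IFB device: incoming traffic on the physical interface is redirected to an IFB interface and netem is applied there. The script below is an added example, not part of the rely documentation. The function names and the ifb0 device name are assumptions, and it refuses tun/tap interfaces for the reason given above.

```sh
#!/bin/sh
# Added example, not from the rely documentation. Function names and the
# ifb0 device name are assumptions. The functions only print commands;
# pipe the output to "sh" as root to apply them.

# True for tunnel interfaces, which must not be impaired: data dropped
# there is lost before the tunnel can protect it.
is_tunnel_iface() {
    case "$1" in
        tun*|tap*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print commands adding loss/delay in both directions on an interface.
# usage: netem_plan IFACE LOSS DELAY [IFB]   e.g. netem_plan eth0 5% 100ms
netem_plan() {
    iface=$1; loss=$2; delay=$3; ifb=${4:-ifb0}
    if [ -z "$iface" ] || [ -z "$loss" ] || [ -z "$delay" ]; then
        echo "usage: netem_plan IFACE LOSS DELAY [IFB]" >&2
        return 2
    fi
    if is_tunnel_iface "$iface"; then
        echo "refusing to add loss on tunnel interface $iface" >&2
        return 1
    fi
    cat <<EOF
tc qdisc add dev $iface root netem loss $loss delay $delay
ip link add $ifb type ifb
ip link set dev $ifb up
tc qdisc add dev $iface handle ffff: ingress
tc filter add dev $iface parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $ifb
tc qdisc add dev $ifb root netem loss $loss delay $delay
EOF
}

# Print commands that remove everything netem_plan set up.
netem_undo() {
    iface=$1; ifb=${2:-ifb0}
    cat <<EOF
tc qdisc del dev $iface root
tc qdisc del dev $iface ingress
ip link del $ifb
EOF
}
```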

More info here…