Introduction #

EtherTunnel is designed to tunnel Ethernet LANs connected at speeds of up to 2.5 Gbit/s, implementing what is also known as a Site-to-Site VPN or a LAN-to-LAN VPN.

A network administrator has various other options to choose from, but keeping the “standard” (or common) MTU of 1500 unchanged, with absolutely no “special” configuration required on the routers in between, is a unique property of EtherTunnel. The only requirement is that the tunnel UDP packets can pass between the two tunnel endpoints, so any firewall on the path has to permit that UDP traffic in both directions; that’s basically it.

The packet management and injection technique is almost identical to the one running in our software load balancer BalanceNG, so no bad surprises regarding stability and performance are expected.

EtherTunnel starts in BETA/relaunch state, giving you the opportunity to participate early at a reduced price for the Dual License.

EtherTunnel Fragmentation/Reassembly #

EtherTunnel implements its own fragmentation and reassembly. A 1500-byte Ethernet frame from the LAN no longer fits into a single UDP packet on a path with the same 1500-byte MTU once the outer Ethernet, IP, UDP and tunnel headers are added, so it has to be split somewhere. EtherTunnel keeps the size of every encapsulating tunnel UDP packet below 800 bytes and divides each frame into fragments of roughly equal size, instead of one fragment filled to the limit followed by a small remainder as generic IP fragmentation produces. This specialized fragmentation outperforms the standard, generalized kernel IP fragmentation, mainly because it is limited in scope to one single application-specific purpose.
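To make the balanced-fragment idea concrete, here is an added Python illustration. It is not EtherTunnel's code: the 8-byte fragment header, the 800-byte limit as a hard bound and the eviction policy for incomplete frames are assumptions made for this example, not a description of EtherTunnel's wire format.

```python
"""Balanced fragmentation and reassembly of Ethernet frames for a UDP tunnel.

Constructed example: the 8-byte fragment header and the 800-byte limit below
are assumptions for illustration, not EtherTunnel's actual wire format.
"""
from __future__ import annotations

import math
import struct

MAX_TUNNEL_PAYLOAD = 800               # keep every tunnel UDP payload below this
FRAG_HDR = struct.Struct("!IHH")       # frame id, fragment index, fragment count
MAX_CHUNK = MAX_TUNNEL_PAYLOAD - FRAG_HDR.size


def fragment(frame_id: int, frame: bytes) -> list[bytes]:
    """Split one frame into the fewest fragments that fit, all of (nearly) equal size.

    Kernel IP fragmentation fills the first fragment to the limit and sends the
    remainder as a small tail; here a 1514-byte frame becomes 2 x 757-byte payloads.
    """
    count = max(1, math.ceil(len(frame) / MAX_CHUNK))
    chunk = math.ceil(len(frame) / count)
    return [FRAG_HDR.pack(frame_id, i, count) + frame[i * chunk:(i + 1) * chunk]
            for i in range(count)]


class Reassembler:
    """Collects fragments per frame id; tolerates reordering and duplicates.

    Pending state is bounded so a peer flooding never-completed fragments cannot
    exhaust memory; the oldest incomplete frame is evicted first.
    """

    def __init__(self, max_pending: int = 1024):
        self.max_pending = max_pending
        self.pending: dict[int, tuple[int, dict[int, bytes]]] = {}

    def feed(self, datagram: bytes) -> bytes | None:
        """Return the reassembled frame once complete, otherwise None."""
        if len(datagram) < FRAG_HDR.size:
            return None
        frame_id, index, count = FRAG_HDR.unpack_from(datagram)
        if count == 0 or index >= count or len(datagram) > MAX_TUNNEL_PAYLOAD:
            return None                                  # malformed header
        entry = self.pending.get(frame_id)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                self.pending.pop(next(iter(self.pending)))   # evict oldest
            entry = self.pending[frame_id] = (count, {})
        elif entry[0] != count:
            del self.pending[frame_id]                   # inconsistent fragments
            return None
        parts = entry[1]
        parts[index] = datagram[FRAG_HDR.size:]
        if len(parts) < count:
            return None
        del self.pending[frame_id]
        return b"".join(parts[i] for i in range(count))


if __name__ == "__main__":
    # A full-size frame (1514 bytes with Ethernet header, no FCS) becomes two
    # 765-byte datagrams instead of 800 + 722; reassembly works in any order.
    eth_frame = bytes(range(256)) * 5 + bytes(234)
    pieces = fragment(1, eth_frame)
    print([len(p) for p in pieces])
    r = Reassembler()
    print(r.feed(pieces[1]) is None, r.feed(pieces[0]) == eth_frame)
```

The bound on pending state matters in practice: a reassembler that keeps every half-received frame forever is a memory-exhaustion target for anyone who can send datagrams to the tunnel port, which is exactly the traffic the tunnel has to accept.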

Authentication+Encryption #

EtherTunnel authenticates and, if needed, encrypts with ChaCha20-HMAC-SHA256 at several security levels. From a shared 32 KB file of random material it derives and rotates through 2^32 cryptographically secure HMAC and encryption key secrets. That file is the pre-shared secret of the tunnel: it has to be transferred to both endpoints out of band and protected like any other key.
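The following added Python example shows the encrypt-then-MAC construction the names above imply: ChaCha20 (RFC 8439) for confidentiality, HMAC-SHA256 over the whole packet for authentication, and per-packet keys selected by a 32-bit index into secrets derived from a 32 KB material file. It is not EtherTunnel's code; the packet layout, the HMAC-based key derivation, the single "encrypt or authenticate only" flag standing in for the security levels, and the label strings are assumptions for illustration.

```python
"""Encrypt-then-MAC tunnel payload protection with ChaCha20 and HMAC-SHA256.

Constructed example: the packet layout, the key derivation and the flag below
are assumptions for illustration, not EtherTunnel's wire format.
ChaCha20 follows RFC 8439; HMAC-SHA256 comes from the standard library.
"""
import hashlib
import hmac
import os
import struct

MATERIAL_SIZE = 32 * 1024   # size of the shared random-material file
MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439, section 2.3)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream, block counter starting at 1."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 64), start=1):
        ks = chacha20_block(key, blk, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def derive_keys(material: bytes, key_index: int) -> tuple:
    """(encryption key, MAC key) number key_index, 0 <= key_index < 2**32.

    Assumed KDF for this example: HMAC-SHA256 keyed with the whole material
    file over a label plus the 32-bit index, so every index yields distinct keys.
    """
    if len(material) != MATERIAL_SIZE:
        raise ValueError("shared material must be exactly 32 KB")
    idx = struct.pack("!I", key_index)            # rejects indexes >= 2**32
    enc = hmac.new(material, b"example-enc" + idx, hashlib.sha256).digest()
    mac = hmac.new(material, b"example-mac" + idx, hashlib.sha256).digest()
    return enc, mac


def seal(material: bytes, key_index: int, frame: bytes, encrypt: bool = True) -> bytes:
    """key_index(4) | flags(1) | nonce(12) | body | tag(32); encrypt-then-MAC."""
    enc_key, mac_key = derive_keys(material, key_index)
    nonce = os.urandom(12)       # a repeated nonce under one key breaks a stream cipher
    body = chacha20_xor(enc_key, nonce, frame) if encrypt else frame
    header = struct.pack("!IB", key_index, 1 if encrypt else 0) + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def open_packet(material: bytes, packet: bytes):
    """Verify the tag first, then decrypt; returns None on any failure."""
    if len(packet) < 17 + 32:
        return None
    key_index, flags = struct.unpack("!IB", packet[:5])
    header, body, tag = packet[:17], packet[17:-32], packet[-32:]
    enc_key, mac_key = derive_keys(material, key_index)
    expect = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):      # constant-time comparison
        return None
    return chacha20_xor(enc_key, header[5:], body) if flags & 1 else body
```

Two details carry the security here: the tag covers the key index, the flags and the nonce as well as the body, so an attacker cannot downgrade a packet to the unencrypted mode or redirect it to another key; and the tag is checked with a constant-time comparison before any decryption happens. Deriving keys by hashing the whole 32 KB file on every packet is fine for an illustration but not for 2.5 Gbit/s; a real implementation would derive each index once and cache it.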

Filtering Capabilities #

The filtering capabilities of EtherTunnel are new compared to its predecessor. Allow/deny filters can be defined at several levels, separately for NIC ingress (frames arriving from the local LAN) and tunnel ingress (frames arriving from the remote end). The levels are currently, from most to least specific:

  • MAC addresses
  • Vendor/OUI prefixes at the /24 level (the first 24 bits of a MAC address)
  • Ethertypes
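The following added Python example evaluates such rules over constructed frames, with the three levels checked from most to least specific and each ingress side keeping its own rule set. It is not EtherTunnel's code or configuration syntax: that MAC and OUI rules match either the source or the destination address, that deny wins when both match at the same level, and the default action are assumptions for this illustration.

```python
"""Most-specific-match allow/deny filtering of Ethernet frames, per ingress side.

Constructed example: rule syntax and the convention that MAC/OUI entries match
either the source or the destination address are assumptions made here, not a
description of EtherTunnel's configuration.
"""
import struct

NIC_INGRESS = "nic-ingress"           # frames received from the local LAN
TUNNEL_INGRESS = "tunnel-ingress"     # frames received from the remote end
LEVELS = ("mac", "oui", "ethertype")  # evaluated from most to least specific


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = bytes(46)) -> bytes:
    """Constructed test frame: dst MAC, src MAC, Ethertype, payload (no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


class FrameFilter:
    def __init__(self, default: str = "allow"):
        self.default = default
        self.rules = {side: {lvl: {} for lvl in LEVELS}
                      for side in (NIC_INGRESS, TUNNEL_INGRESS)}

    def add(self, side: str, level: str, key: str, action: str) -> None:
        if action not in ("allow", "deny") or level not in LEVELS:
            raise ValueError(f"bad rule {level} {key} {action}")
        if level == "mac":
            k = mac_bytes(key)                      # full 48-bit address
        elif level == "oui":
            k = mac_bytes(key)[:3]                  # vendor prefix, first 24 bits
        else:
            k = int(key, 0)                         # e.g. "0x86DD" or "34525"
        self.rules[side][level][k] = action

    def decide(self, side: str, frame: bytes) -> str:
        """First level with a matching rule decides; deny wins within a level."""
        if len(frame) < 14:
            return "deny"                           # runt: no complete header
        dst, src = frame[:6], frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        # A VLAN-tagged frame carries 0x8100 here, not the encapsulated Ethertype.
        candidates = {"mac": (dst, src), "oui": (dst[:3], src[:3]),
                      "ethertype": (ethertype,)}
        for level in LEVELS:
            table = self.rules[side][level]
            hits = [table[k] for k in candidates[level] if k in table]
            if hits:
                return "deny" if "deny" in hits else "allow"
        return self.default


if __name__ == "__main__":
    f = FrameFilter(default="allow")
    f.add(TUNNEL_INGRESS, "oui", "00:50:56", "deny")              # block a whole vendor prefix
    f.add(TUNNEL_INGRESS, "mac", "00:50:56:aa:bb:cc", "allow")    # except this one host
    f.add(NIC_INGRESS, "ethertype", "0x86DD", "deny")             # no IPv6 into the tunnel
    print(f.decide(TUNNEL_INGRESS, build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:11:22:33", 0x0800)))
    print(f.decide(TUNNEL_INGRESS, build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:aa:bb:cc", 0x0800)))
    print(f.decide(NIC_INGRESS, build_frame("33:33:00:00:00:01", "00:11:22:33:44:55", 0x86DD)))
```

The order matters: because the MAC level is checked before the OUI level, a single host can be allowed out of a denied vendor prefix, which is the point of having the levels ordered by specificity. Keeping the two ingress sides separate lets you apply a strict policy to frames arriving from the remote site while leaving the local LAN's traffic untouched.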

VLANs #

802.1Q VLANs are consistently accessible with the 8021q kernel module in place. Direct VLAN access/injection and descending into nested VLANs will be supported in upcoming releases, using eBPF and XDP (eXpress Data Path) as the NIC rx/tx access method on Linux.