tinc

The network is virtual, your privacy is not...

Links:

Main screen

Activities
Contact
Documentation
Download
Examples
FAQ
Goals
Mailing lists
News
Search
Security issues
Subversion
Supported platforms
VPN links

Hosted by:

non-gnu.uvt.nl

Example: bridging Ethernet segments using tinc under Linux

Normally, in the default router mode, tinc will only tunnel IPv4 and IPv6 unicast packets. However, since 1.0pre5 there is an option to let the tinc daemon act as a switch or a hub (using the Mode configuration variable). This mode is necessary for tinc to pass non-IP based protocols (NetBEUI, AppleTalk, IPX, etcetera), and to allow broadcast-based functionality in some applications (Windows 'Network Neighborhood' without a WINS server, among others) to be usable on a VPN created with tinc.

In switch and hub mode, broadcast packets are broadcast to other daemons and (in switch mode) MAC addresses are dynamically learned from other tinc daemons in order to route packets. With these mode tinc can be used to act as a bridge between two or more Ethernet segments.

Overview

The network setup is as follows:
  • Internal network, on both sides, is 192.168.0.0/16
  • The host's own IP address on the internal network is 192.168.10.20
The gateway of each segment has an external interface, eth0, and an internal interface eth1. Furthermore a bridge interface will be created with name "bridge", and the internal interface will be made a slave of this bridge. The virtual network interface used by tinc will also be a slave.

Configuration of the kernel

In addition to the standard kernel configuration described in the Configuring the kernel section of the manual, a bridge device needs to be added to your kernel configuration.

To add the bridge device to the Linux 2.4.0 and higher kernels, select the option under 'Networking options' called 802.1d Ethernet Bridging. You may either compile this option as a module or build it into the kernel.

Configuration of the interfaces

Switch and hub modes require that both sides of a tinc VPN be contained within the same subnet (in this example, the subnet is 192.168.0.0/16). This is no different from the configuration that would be required if tinc was replaced with an actual switch or hub. 

host# brctl addbr bridge
host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0

host# ifconfig eth1 0.0.0.0
host# brctl addif bridge eth1
host# ifconfig eth1 up

After starting tinc:

host# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.005004003002       yes             eth1
                                                        vpn

host# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
          inet addr:123.234.123.42  Bcast:123.234.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

bridge    Link encap:Ethernet  HWaddr  00:11:22:33:44:55
          inet addr:192.168.10.20  Bcast:192.168.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

vpn       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...

host# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
123.234.123.0   *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 bridge
default         123.234.123.1   0.0.0.0         UG    0      0        0 eth0

Configuration of tinc

Note that switch' and hub' mode do not utilize the Subnet variable in the host files. Instead, any packet received by the bridge interface will be passed to the TUN/TAP device for processing. If your tinc instance is running in hub mode, all packets are forwarded to the remote tinc instance. In switch mode, tinc maintains an ARP cache to determine whether any received packet should be forwarded to the remote tinc instance. 

host# cat /etc/tinc/vpn/tinc.conf
Name = segment1
Device = /dev/tun
Mode = switch
ConnectTo = segment2

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh

ifconfig vpn 0.0.0.0
brctl addif bridge vpn
ifconfig vpn up

host# ls /etc/tinc/vpn/hosts
segment1  segment2  ...

host# cat /etc/tinc/vpn/hosts/segment1
Address = 123.234.123.42
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

host# cat /etc/tinc/vpn/hosts/segment2
Address = 200.201.202.203
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

Additional Configuration

If the Ethernet interface added to the bridge was used for the default route, you will need to re-add the default route.

If you want to be able to filter packets on your bridge interface, you will need to patch your kernel to support this functionality. The link to this patch is located in the section below.

More information

For more information on Linux bridging, see the bridge-utils homepage, or consult the Linux bridging mailing list.

In order to filter packets on the bridge interface, you probably need the bridge-netfilter patches.

$Id: bridging.html 292 2007-07-24 17:03:55Z guus $