[CVS] humbolt:/tinc/cabal/src net.c netutl.c protocol.c

Axel Müller axel.mueller at i2c-systems.com
Tue Jun 27 12:10:45 CEST 2000 

>> *** CLIENT routing table ***
>> root at pcamueller:/home/amueller/workspace.tinc/tinc/cabal > netstat -rn
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt
>> Iface
>> 212.79.58.20    192.168.9.1     255.255.255.255 UGH       0 0          0
>> tap0
>
> Well, that isn't going to work. Tinc absolutely doesn't know anything
> about your real IP addresses, and therefore doesn't know where to send
> them to, as can be seen from:
>
>> Jun 27 09:10:33 pcamueller tinc[28155]: Trying to look up 212.79.58.20
>> in  connection list failed!
I agree that tinc doesn't need to kow about real IP addresss but if running 
in "IndirectData" mode I would expect tinc to send everything to its one 
and only uplink (like I patched the lookup in tinc 0.3.3).

> Tinc will only route packets if the destination IP matches one of the
> MyOwnVPNIP lines in other tincd's tinc.conf files. There is a dirty hack
> that might even work in your case, and that is setting the server's
> MyOwnVPNIP to 0.0.0.0/0.
I have ONE VPN 192.168.9.0/24 which includes the VPN server (192.168.9.1) 
and all VPN clients (i.e. 192.168.9.99).
If a client runs in proxy mode it should send everything to the VPN server 
- there shouldn't be a need to add a MyOwnVPNIP in order to make every 
possible destination outside the VPN a part of VPN.

> Furthermore, adding a gateway for an interface that doesn't do ARP
> (ethertap devices normally don't) is quite meaningless.
There is no need for ARP - all that is needed is actually already done by 
tinc 0.3.3.
The gateway routing entries shown in my previous mail work perfectly using 
tinc 0.3.3 and the lookup patch.

>> *** CLIENT tinc.conf ***
>> MyOwnVPNIP = 192.168.9.99/24
>
>> *** SERVER tinc.conf ***
>> MyOwnVPNIP = 192.168.9.1/24
>
> That is certainly very bad! Those subnets overlap! No wonder things don't
> work. I think you need to clean up some things first :)!
I don't think it is bad. It worked with tinc 0.3.3 and the lookup patch.
As described above I have ONE VPN consisting of a server and some clients. 
They are in the SAME subnet. This is not an overlap - it is intention.

I think that the current development of the "IndirectData" feature goes 
into the wrong direction not suited for real-life scenarious.
The feature does fit with the rest of tinc (simple & clear). I should 
probably stay with tinc 0.3.3 but sometimes the SEGVs are annoying.

-
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://ftp.nl.linux.org/pub/linux/tinc/

More information about the Tinc mailing list