1 Server, Multiple Client Setup

Guus Sliepen guus at tinc-vpn.org
Thu Mar 5 13:12:31 CET 2009


On Thu, Mar 05, 2009 at 11:12:45AM +0000, Andrew Barlow wrote:

> OK... I've tried what you said, but I keep getting a "Error on ADD_SUBNET"
> on the client machine.
> 
> Here are my configuration files and setup:
> 
> *tinc.conf*

OK, I see a lot of possible problems here.

> AddressFamily = ipv4

You should not have to use that.

> Device = /dev/net/tun

You should also not need to specify the Device since it's the default.

> Mode = switch

If you use switch mode, then tinc will ignore the Subnet statements in the host
config files. Do you really want tinc to work like a switch?

> Name = masterserver
> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

You should not need to specify PrivateKeyFile since you're using the default
location to store the private key.

> BindToInterface = eth1

Do you really need to bind to a specific interface? If not then leave this out
as well.

> TunnelServer = yes

TunnelServer is what you do not want. As you said correctly in your first email:

> So, if this was set to No (which it is by default for each client I guess),
> does this not suggest that Tinc forwards information about other clients, to
> other clients on the VPN?

If you set it to yes, then tinc does not forward information between clients,
and therefore the clients will not know about each other, and will not be able
to send data to each other directly.

Also, this is probably the cause of the errors when receiving ADD_SUBNET
messages, because in TunnelServer mode tinc drops connections to nodes that
send Subnets other than those listed in the server's copy of the host config
file of that node.

I suggest you remove everything except Name = masterserver. Do the same for the clients.

> *hosts/masterserver* (The address is my external IP address)
> 
> Compression = 0
> Subnet = 10.1.0.0/16
> Address = 87.*.*.*
> Port = 655
> TCPonly = yes

TCPOnly also sets IndirectData, which is not what you want, unless you are
behind a NAT. So only add TCPOnly = yes to the host config files of those nodes
that are behind a NAT.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
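As an added illustration (not tinc's code and not part of this thread), a small Python lint that flags the settings criticised above: it parses tinc's "Key = value" files for tinc.conf and hosts/*, and assumes an operator-supplied set of node names that sit behind NAT, which tinc itself has no setting for.

```python
import re

# Constructed sample mirroring the configuration quoted above (the
# external address is replaced by a documentation address).
TINC_CONF = """\
AddressFamily = ipv4
Device = /dev/net/tun
Mode = switch
Name = masterserver
TunnelServer = yes
"""
HOSTS = {
    "masterserver": "Subnet = 10.1.0.0/16\nAddress = 192.0.2.10\nTCPonly = yes\n",
    "laptop": "Subnet = 10.1.2.0/24\nTCPOnly = yes\n",
}
NAT_NODES = {"laptop"}  # assumed operator knowledge, not a tinc setting

def parse_tinc(text):
    """Parse tinc's 'Key = value' lines into {lowercased key: [values]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.+?)$", line)
        if m:
            conf.setdefault(m.group(1).lower(), []).append(m.group(2))
    return conf

def is_yes(values):
    return bool(values) and values[-1].lower() in ("yes", "true", "1")

def lint_tinc(tinc_conf, hosts, nat_nodes=frozenset()):
    """Return warnings for the pitfalls named in the reply above."""
    main = parse_tinc(tinc_conf)
    parsed_hosts = {n: parse_tinc(t) for n, t in hosts.items()}
    warnings = []
    if is_yes(main.get("tunnelserver")):
        warnings.append("TunnelServer = yes: clients will not learn about each "
                        "other, and a node announcing a Subnet missing from its "
                        "host file here is disconnected (Error on ADD_SUBNET)")
    if main.get("mode", [""])[-1].lower() == "switch":
        with_subnets = [n for n, h in parsed_hosts.items() if "subnet" in h]
        if with_subnets:
            warnings.append("Mode = switch ignores Subnet statements in: "
                            + ", ".join(sorted(with_subnets)))
    for key in ("addressfamily", "device", "privatekeyfile", "bindtointerface"):
        if key in main:
            warnings.append(f"{key}: unnecessary, the default suffices")
    for name, h in sorted(parsed_hosts.items()):
        if is_yes(h.get("tcponly")) and name not in nat_nodes:
            warnings.append(f"hosts/{name}: TCPOnly = yes also sets IndirectData; "
                            "only use it for nodes behind NAT")
    return warnings

if __name__ == "__main__":
    for w in lint_tinc(TINC_CONF, HOSTS, NAT_NODES):
        print("WARNING:", w)
```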