Only reaching one machine at network

Donald Pearson donaldwhpearson at gmail.com
Sun Feb 7 23:46:23 CET 2010


I'm doing exactly what I think you're trying to do.

You are using switched mode, so you can remove the Subnet statements.
Otherwise, if you mean to have your VPN routed instead of switched, you need
to remove the mode=switch statements.

I recommend keeping switch mode, and removing the unnecessary Subnet
statements.

Now, you need to bridge your tun interface with your physical interface at
home.  This will open the rest of your home network to your VPN provided all
hosts use the same network and netmask.

You say you are using Ubuntu, so you can do "apt-get install bridge-utils"

You will need your tinc-up script to be something like this:

#!/bin/sh
modprobe tun
# strip the addresses from both members; the IP goes on the bridge instead
ifconfig vpn 0.0.0.0
ifconfig vpn up
ifconfig eth0 0.0.0.0
ifconfig eth0 up

# create the bridge and enslave the tinc tap and the LAN NIC to it
brctl addbr bridge
brctl addif bridge vpn
brctl addif bridge eth0
# the host's LAN address and default route now live on the bridge
ifconfig bridge 10.10.0.30 netmask 255.255.255.0
route add default gw 10.10.0.254 bridge
ifconfig bridge up

Here's my tinc.conf. It's *very* simple.

donald at DonaldTincVM:/etc/tinc/vpn$ cat tinc.conf
Name = Donald
ConnectTo = Pat
Device = /dev/net/tun
Mode = switch
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv


And here are my host files.

donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Donald
Address = xxxx
Port = 8002
IndirectData = Yes
Compression = 0
PMTUDiscovery = Yes
RSA stuff.

donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Pat
Address = nixon.endoftheinternet.org
Port = 8003
IndirectData = Yes
Compression = 0
PMTUDiscovery = Yes
RSA stuff.

On Sun, Feb 7, 2010 at 5:26 PM, M.Farghaly <m at farghaly.com> wrote:

> Hi there,
>
> I have been using tinc for some months. I think the basic idea of
> extending vpn to a mesh of systems via tun/tap is great. And I think
> it is one of the usable developments compared to the much more
> complex vpn solutions I had used in the past. Great work.
>
> Setting up tinc I have fought with the configuration (and with the
> concepts) for a while as I have found no example that covers my
> special setup until I reached this fairly minimal config below.
>
> The setup is as follows:
> Home network is 10.10.0.x/24, Ubuntu Unix Server has internal IP
> 10.10.0.30, Gateway is 10.10.0.254
> I have a dynamic ip on this network and a masquerading firewall router.
>
> I am accessing home network via Ubuntu linux laptop via UMTS which
> means dynamic IP-Address, normally also in the 10.x.y.z Range (can
> this be a problem?).
>
> From the forum answers I think I can delete the entries
> "PrivateKeyFile" as this is default, otherwise configuration is quite
> minimal.
>
>
> ======= Configuration =========
>
> Server Side
> ===========
> # cat tinc.conf
> Name = fsvpns3f30
> Mode = switch
> Device = /dev/net/tun
> AddressFamily = ipv4
> PingInterval = 30
> PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv
>
> # cat tinc-up
> #!/bin/sh
> ifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0
>
> # cat hosts/fsvpns3f30
> Address = xyz.dyndns.org
> Port=655
> Compression=9
> Subnet=10.10.0.0/16
> TCPonly=yes
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----
>
> Client Side
> ========
> # cat tinc.conf
> Name = fsvpnmf
> Mode = switch
> Device = /dev/net/tun
> AddressFamily = ipv4
> PingInterval = 30
> ConnectTo = fsvpns3f30
> PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv
>
> # cat tinc-up
> #!/bin/sh
> ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0
>
> # cat fsvpnmf
> Port = tinc
> Compression = 9
> Subnet = 10.10.101.1/32
> TCPonly=yes
> ConnectTo = xyz.dyndns.org
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----
>
> This setup works now for a while with the restriction that I can
> directly only reach one machine on my network. I can ssh through it to
> reach the other machines in the network, but this is not ideal (e.g.
> if I want to directly reach windows machines). That means from my
> laptop I can only directly reach the 10.10.0.30/10.10.100/30 machine.
> It looks like a routing problem. I guess I will have to add on tinc-up
> script on both sides but in combination with the vpn device I need
> some guidance.
>
> Can you see how the configuration can be enhanced to reach the whole
> network of machines on the home network from laptops directly?
>
> Any suggestions are welcome.
>
> Mansour Farghaly
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
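An added tinc-up/tinc-down pair for the bridged setup Donald describes (example code, not his script or tinc's own): it parameterizes the interface and address values, refuses to build the bridge if the gateway is not on its /24 (the "same network and netmask" condition above), prints the commands instead of running them when DRY_RUN=1, and tears the bridge down again on tinc-down. Assumed names are eth0 and br0; the addresses are the ones quoted in the thread. Note that once bridged, every node that can join the VPN reaches the whole home LAN, so the host files and keys are the only access control left.

```sh
#!/bin/sh
# Added example, not Donald's script: tinc-up that bridges the tinc tap
# ($INTERFACE, exported by tincd) with the home LAN NIC. Assumed values:
# LAN NIC eth0, bridge br0; address/netmask/gateway as quoted in the thread.
LAN_IF="${LAN_IF:-eth0}"
BR="${BR:-br0}"
BR_ADDR="${BR_ADDR:-10.10.0.30}"
BR_MASK="${BR_MASK:-255.255.255.0}"
GW="${GW:-10.10.0.254}"
VPN_IF="${INTERFACE:-vpn}"

# run: execute the command, or only print it when DRY_RUN=1 so the plan can be reviewed
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# same_net24: 0 if both dotted-quad addresses share their first three octets (a /24),
# i.e. the "same network and netmask" condition the reply states for reaching the LAN
same_net24() { [ "${1%.*}" = "${2%.*}" ]; }

bridge_up() {
  # refuse to build a bridge whose default gateway is not on the bridge's own /24
  if ! same_net24 "$BR_ADDR" "$GW"; then
    echo "tinc-up: gateway $GW is not in the /24 of $BR_ADDR" >&2
    return 1
  fi
  run modprobe tun
  # both members carry no address of their own; the IP lives on the bridge
  run ifconfig "$VPN_IF" 0.0.0.0 up
  run ifconfig "$LAN_IF" 0.0.0.0 up
  [ -d "/sys/class/net/$BR" ] || run brctl addbr "$BR"   # idempotent re-run
  run brctl addif "$BR" "$VPN_IF"
  run brctl addif "$BR" "$LAN_IF"
  run ifconfig "$BR" "$BR_ADDR" netmask "$BR_MASK" up
  run route add default gw "$GW" "$BR"
}

bridge_down() {
  # reverse order, then give the LAN NIC its address back so the host stays reachable
  run ifconfig "$BR" down
  run brctl delif "$BR" "$VPN_IF"
  run brctl delif "$BR" "$LAN_IF"
  run brctl delbr "$BR"
  run ifconfig "$LAN_IF" "$BR_ADDR" netmask "$BR_MASK" up
  run route add default gw "$GW" "$LAN_IF"
}

# tincd exports INTERFACE when it calls tinc-up/tinc-down; do nothing when sourced by hand
if [ -n "${INTERFACE:-}" ]; then
  case "$(basename "$0")" in tinc-down) bridge_down ;; *) bridge_up ;; esac
fi
```

Install it as /etc/tinc/<netname>/tinc-up and symlink tinc-down to the same file; DRY_RUN=1 INTERFACE=vpn sh tinc-up shows what would be run.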