Windows subnets
Andrew Savinykh
andrews at brutsoft.com
Thu Oct 7 01:57:38 CEST 2010
Donald, thank you for the explanation.
I understand the part about the switch mode and absence of subnet in
tinc.config.
However, could you please explain what bridging the tap adapter will
achieve and what kind of ip address will be used on tinc nodes and in
the rest of the network.
In my example one household has local network addresses of 192.168.1.*
and the other has 10.1.1.*
If we don't install tap interfaces on other PC's this means that the
other PCs won't have another ip address.
I understand that bridging is going to solve this somehow, but I still
don't see how broadcast from 10.1.1.7 can reach 192.168.1.5 in the other
LAN.
In short I don't understand how bridging to adapters work. I'll try to
google this topic to get a better understanding, meanwhile, could you
please explain
how this applies to our tinc configuration case.
Also can you briefly describe what we achieve by setting PMTUDiscovery =
Yes. I read the description in manual but it didn't tell me much.
Thank you again for all your help,
Andrew
On 7/10/2010 11:40 a.m., Donald Pearson wrote:
> Oh okay. Yes you can make it appear as a single LAN. Your Tinc nodes
> will behave as bridges instead of routers (or gateways as you put it).
>
> Your tinc nodes will have the same subnet mask and default router as
> all your other devices at that location.
>
> You will need to run the add-tap script only on the tinc nodes on each
> side.
>
> You will then need to bridge the tap adapter to the local area
> connection on the tinc nodes on each side.
>
> This will create a bridge network object under your network
> connections. This bridge will have the IP configuration you illustrated.
>
> You have the right idea in segregating the IP distribution while still
> using the 255.255.255.0 subnet mask.
>
> One both nodes are up and connected, and the interfaces have been
> bridged on the Tinc nodes for each location, you will have a virtual
> LAN between the two locations.
>
> Your Tinc configuration will be Switch mode. This means no Subnet
> configurations are required in your tinc.conf
>
> Your tinc.conf will be something like
>
> Name = NodeA
> ConnectTo = NodeB
> Interface = <something>
> Mode = switch
> PrivateKeyFile = <path to the rsa_key.priv>
>
> Host files will be something like
> For the host file named "NodeA"
>
> Address = <host.dyndns.org <http://host.dyndns.org>>
> PMTUDiscovery = Yes
>
> --Begin RSA etc. etc.--
>
>
> On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh <andrews at brutsoft.com
> <mailto:andrews at brutsoft.com>> wrote:
>
> Donald,
>
> thank you, while I still have some questions, your answer is
> definitely a step in the right direction.
> In the other reply I was asked what I'm trying to achieve. Let's
> consider the following scenario (which is quite similar to the one
> that described in the tinc manual).
>
> Let's assume we have two households, each has 3-5 computers in
> it. Both house holds have similar network configuration:
> They are connected to internet with an ADSL line and a router.
> The computers in the local network access internet via the router.
> The router is configured so that one of the computers have port
> 665 forwarded to be accessible outside.
> The external IP is changed rarely and there is dynamic DNS service
> (external) in use to accommodate for the change of IP when it happens.
>
> One household has local network addresses of 192.168.1.* and the
> other has 10.1.1.*
> I'm installing tinc on one computer in each household.
>
> The goal is to let all computers in both house holds to see each
> other by ip address. Also it is desired that for computer games
> purposes
> all computers appear to be on the same LAN (for broadcasts). But
> this is not mandatory. (it appears that it's not possible without
> installing tinc on every PC
> as every tinc daemon serves a subnet and two tinc daemons can't
> serve a part of subnet each)
>
> All computers run different flavours of Windows, most being Windows 7.
>
> I have two ideas how to set this up, although I'm not sure if any
> of these two works:
>
> IDEA1.
> =====
> Household A
> Gateway IP: 10.30.0.1
> Gateway Mask: 255.255.255.0
> Gateway Default Gateway: ????
>
> Other PCs IP: 10.30.0.2,3,4 etc
> Other PCs Mask: 255.255.255.0
> Other PCs Deafult Gateway: 10.30.0.1
>
> Tinc Subnet: 10.30.0.0/25 <http://10.30.0.0/25>
>
> Household B
> Gateway IP: 10.30.0.129
> Gateway Mask: 255.255.255.0
> Gateway Default Gateway: ????
>
> Other PCs IP: 10.30.0.130,131,132 etc
> Other PCs Mask: 255.255.255.0
> Other PCs Default Gateway: 10.30.0.129
>
> Tinc Subnet: 10.30.0.128/25 <http://10.30.0.128/25>
>
>
> IDEA2.
> =====
> Household A
> Gatway IP: 10.30.0.1
> Gateway Mask: 255.255.255.0
> Gateway Default Gateway: ????
>
> Other PCs IP: 10.30.0.2-255 etc
> Other PCs Mask: 255.255.255.0
> Other PCs Default Gateway: 10.30.0.1
>
> Tinc Subnet: 10.30.0.0/24 <http://10.30.0.0/24>
>
> Household B
> Gateway IP: 10.30.1.1
> Gateway Mask: 255.255.255.0
> Gateway Default Gateway: ????
>
> Other PCs IP: 10.30.1.2-255 etc
> Other PCs Mask: 255.255.255.0
> Other PCs Default Gateway: 10.30.0.129
>
> Tinc Subnet: 10.30.1.0/24 <http://10.30.1.0/24>
>
>
> So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the
> pc's won't appear on the same LAN and their broadcasts won't reach
> each other.
> As far as I understand I need to install TAP interface on each of
> the participating windows PCs, correct?
> What is specified in default gateway of the gateways?
>
>
>
> Thank you in advance,
> Andrew
>
> On 7/10/2010 4:36 a.m., Donald Pearson wrote:
>> The PCs that you want to participate need to have a route for the
>> VPN subnet pointing to their local VPN gateway, which would be
>> the local device with Tinc installed on it.
>>
>> Theoretical configuration example.
>>
>> VPN subnet is 10.10.10.0/24 <http://10.10.10.0/24>
>>
>> At a location, one computer 192.168.1.254/24
>> <http://192.168.1.254/24> connects to the VPN and serves as the
>> VPN gateway. This gateway needs to be configured for TCP/IP
>> forwarding.
>>
>> http://support.microsoft.com/kb/315236 - windows
>> http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ -
>> linux
>>
>> Other computers local to the gateway need a route to the VPN
>> network added so they know how to get there.
>>
>> In windows. route -p add 10.10.10.0 mask 255.255.255.0
>> 192.168.1.254
>> This will add the persistent route that remains after reboot.
>>
>> Does that answer your question?
>>
>> On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh
>> <andrews at brutsoft.com <mailto:andrews at brutsoft.com>> wrote:
>>
>> Thank you for your reply. As far as I can see there is no
>> point specifying subnet that consists of more than one PC in
>> tinc config if you are going to install tinc on every PC in
>> the subnet anyway. Correct me if I'm wrong.
>> Now, assuming I'm right, there will be PCs in the subnet that
>> don't have tinc installed on them. How to configure these PCs
>> so they are a part of the subnet and participate in routing?
>>
>> Cheers,
>> Andrew
>>
>>
>> On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote:
>>> Hi,
>>>
>>> I am not sure to understand what you mean with "joining" a
>>> subnet.
>>>
>>> But if your "local computer" need to reach the "remote
>>> subnet" served by tinc, you can set the local IP of the
>>> local tinc server as the default gateway, or add a route to
>>> the remote subnet via the local tinc IP. Of course, computer
>>> located on the remote subnet need the same thing.
>>>
>>> Cédric
>>>
>>> Le 06/10/10 09:37, Andrew Savinykh a écrit :
>>>> Hello all,
>>>>
>>>> I understand that each tinc daemon corresponds to one or
>>>> more subnets that it "owns" a subnet can be a single ip or
>>>> more.
>>>> Could you please tell me what do I need to do to join a
>>>> computer in local network (windows) to a subnet served by
>>>> tinc?
>>>>
>>>> Thank you in advance,
>>>> Andrew
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20101007/f8a730fb/attachment.htm>
More information about the tinc
mailing list