Windows subnets
Andrew Savinykh
andrews at brutsoft.com
Thu Oct 7 04:52:15 CEST 2010
Awesome! Now I think I finally understand how to do this. Thank you
very much. (Just to confirm, I need to assign the new additional IP on
the physical adapter for each non-tinc PC and on the tap adapter for tinc
gateway PCs, right?)
Andrew.
> On 7/10/2010 2:14 p.m., Donald Pearson wrote:
>> Sure it's possible, you just need to assign each node a new IP in the
>> 10.30.1.0/24 network. It's not part of the
>> Tinc configuration, it's part of the network configuration of each
>> computer.
>>
>> All Tinc is doing, is creating a layer 2 path for them to reach each
>> other. Yes broadcasts will traverse the VPN. It literally is
>> virtual ethernet over the internet. :)
>>
>> On Wed, Oct 6, 2010 at 9:04 PM, Andrew Savinykh <andrews at brutsoft.com>
>> wrote:
>>
>> Donald, thank you for this.
>>
>> Do i read you right that to be able to receive broadcasts across
>> LANs I have to use the address space that I already have and make
>> sure that this space is the same for both LANs?
>>
>> What I'm trying to do is to define a *completely new subnet* that
>> will act as the common LAN for both LAN A and LAN B.
>>
>> To re-iterate:
>> I have one router that is 10.1.1.1 and gives out DHCP 10.1.1.*
>> and the other router 192.168.0.1 that gives out DHCP 192.168.0.*.
>> I would like to leave these address spaces alone and define a new
>> one on 10.30.1.* that computers from both networks can participate in,
>> effectively forming a new virtual LAN.
>>
>> Is this possible with tinc? I know this is possible with other
>> software, I'm just having a hard time figuring out if this is
>> something I can configure tinc to do.
>>
>> Andrew
>>
>>
>>
>>
>> On 7/10/2010 1:13 p.m., Donald Pearson wrote:
>>> Sorry you're right. I was looking at the IP address schema
>>> where all nodes would use the 10.30.0.0/24
>>> network.
>>>
>>> There's no need to install tap adapters on the other devices.
>>> You have basically 2 realistic options if you want the LAN function.
>>>
>>> You can specify multiple IP addresses for a single interface,
>>> even in Windows. You'll find this under the TCP/IP properties
>>> of the network adapter, by clicking on the Advanced button on
>>> the page where you can set a static IP or designate DHCP.
>>>
>>> A 2nd option would be to re-ip one of your locations so that
>>> they all use the same subnet natively.
>>>
>>> Bridging the tap adapter allows your network frames received by
>>> your physical interface to reach the TAP adapter and therefore
>>> traverse the VPN. This enables layer 2 connectivity, the same
>>> way a real switch does. Virtual Ethernet over the Internet is
>>> how I like to describe it. This is how I have my VPN configured
>>> personally.
>>>
>>> Without the bridge, a frame that is received at the physical
>>> interface has the frame stripped off and the packet inspected.
>>> Now we're talking layer 3. If the packet is destined for a
>>> network on the other side of the VPN, your Tinc node frames the
>>> packet back up with a new frame, and sends it over the VPN.
>>> This act of stripping the frame, reading the packet for the
>>> network destination, and applying a new frame to get it there is
>>> what Routing is. Without the bridge in place, your Tinc node is
>>> literally routing between the physical interface and the tap
>>> interface. With the bridge, you're creating a layer 2 pathway
>>> so the frames can shoot across directly. Of course this means
>>> both sides need to be on the same subnet which you obviously
>>> already know.
>>>
>>> Be warned that this configuration comes with its drawbacks.
>>> DHCP will traverse your VPN. I had location A computers getting
>>> addresses from location B which makes for some really
>>> inefficient internet traffic.
>>>
>>> Regards,
>>> Donald
>>> On Wed, Oct 6, 2010 at 7:57 PM, Andrew Savinykh
>>> <andrews at brutsoft.com> wrote:
>>>
>>> Donald, thank you for the explanation.
>>>
>>> I understand the part about the switch mode and absence of
>>> subnet in tinc.config.
>>> However, could you please explain what bridging the tap
>>> adapter will achieve and what kind of ip address will be
>>> used on tinc nodes and in the rest of the network.
>>>
>>> In my example one household has local network addresses of
>>> 192.168.1.* and the other has 10.1.1.*
>>> If we don't install tap interfaces on other PCs this means
>>> that the other PCs won't have another ip address.
>>> I understand that bridging is going to solve this somehow,
>>> but I still don't see how broadcast from 10.1.1.7 can reach
>>> 192.168.1.5 in the other LAN.
>>>
>>> In short I don't understand how bridging two adapters works.
>>> I'll try to google this topic to get a better understanding,
>>> meanwhile, could you please explain
>>> how this applies to our tinc configuration case.
>>>
>>> Also can you briefly describe what we achieve by setting
>>> PMTUDiscovery = Yes. I read the description in manual but it
>>> didn't tell me much.
>>>
>>> Thank you again for all your help,
>>> Andrew
>>>
>>>
>>>
>>>
>>> On 7/10/2010 11:40 a.m., Donald Pearson wrote:
>>>> Oh okay. Yes you can make it appear as a single LAN. Your
>>>> Tinc nodes will behave as bridges instead of routers (or
>>>> gateways as you put it).
>>>>
>>>> Your tinc nodes will have the same subnet mask and default
>>>> router as all your other devices at that location.
>>>>
>>>> You will need to run the add-tap script only on the tinc
>>>> nodes on each side.
>>>>
>>>> You will then need to bridge the tap adapter to the local
>>>> area connection on the tinc nodes on each side.
>>>>
>>>> This will create a bridge network object under your network
>>>> connections. This bridge will have the IP configuration
>>>> you illustrated.
>>>>
>>>> You have the right idea in segregating the IP distribution
>>>> while still using the 255.255.255.0 subnet mask.
>>>>
>>>> Once both nodes are up and connected, and the interfaces
>>>> have been bridged on the Tinc nodes for each location, you
>>>> will have a virtual LAN between the two locations.
>>>>
>>>> Your Tinc configuration will be Switch mode. This means
>>>> no Subnet configurations are required in your tinc.conf
>>>>
>>>> Your tinc.conf will be something like
>>>>
>>>> Name = NodeA
>>>> ConnectTo = NodeB
>>>> Interface = <something>
>>>> Mode = switch
>>>> PrivateKeyFile = <path to the rsa_key.priv>
>>>>
>>>> Host files will be something like
>>>> For the host file named "NodeA"
>>>>
>>>> Address = <host.dyndns.org>
>>>> PMTUDiscovery = Yes
>>>>
>>>> --Begin RSA etc. etc.--
>>>>
>>>>
>>>> On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh
>>>> <andrews at brutsoft.com> wrote:
>>>>
>>>> Donald,
>>>>
>>>> thank you, while I still have some questions, your
>>>> answer is definitely a step in the right direction.
>>>> In the other reply I was asked what I'm trying to
>>>> achieve. Let's consider the following scenario (which
>>>> is quite similar to the one described in the tinc
>>>> manual).
>>>>
>>>> Let's assume we have two households, each has 3-5
>>>> computers in it. Both households have a similar network
>>>> configuration:
>>>> They are connected to internet with an ADSL line and a
>>>> router.
>>>> The computers in the local network access internet via
>>>> the router.
>>>> The router is configured so that one of the computers
>>>> has port 665 forwarded to be accessible outside.
>>>> The external IP is changed rarely and there is dynamic
>>>> DNS service (external) in use to accommodate for the
>>>> change of IP when it happens.
>>>>
>>>> One household has local network addresses of
>>>> 192.168.1.* and the other has 10.1.1.*
>>>> I'm installing tinc on one computer in each household.
>>>>
>>>> The goal is to let all computers in both households
>>>> see each other by ip address. Also it is desired that
>>>> for computer games purposes
>>>> all computers appear to be on the same LAN (for
>>>> broadcasts). But this is not mandatory. (it appears
>>>> that it's not possible without installing tinc on every PC
>>>> as every tinc daemon serves a subnet and two tinc
>>>> daemons can't serve a part of subnet each)
>>>>
>>>> All computers run different flavours of Windows, most
>>>> being Windows 7.
>>>>
>>>> I have two ideas on how to set this up, although I'm not
>>>> sure if either of them works:
>>>>
>>>> IDEA1.
>>>> =====
>>>> Household A
>>>> Gateway IP: 10.30.0.1
>>>> Gateway Mask: 255.255.255.0
>>>> Gateway Default Gateway: ????
>>>>
>>>> Other PCs IP: 10.30.0.2,3,4 etc
>>>> Other PCs Mask: 255.255.255.0
>>>> Other PCs Default Gateway: 10.30.0.1
>>>>
>>>> Tinc Subnet: 10.30.0.0/25
>>>>
>>>> Household B
>>>> Gateway IP: 10.30.0.129
>>>> Gateway Mask: 255.255.255.0
>>>> Gateway Default Gateway: ????
>>>>
>>>> Other PCs IP: 10.30.0.130,131,132 etc
>>>> Other PCs Mask: 255.255.255.0
>>>> Other PCs Default Gateway: 10.30.0.129
>>>>
>>>> Tinc Subnet: 10.30.0.128/25
>>>>
>>>>
>>>> IDEA2.
>>>> =====
>>>> Household A
>>>> Gateway IP: 10.30.0.1
>>>> Gateway Mask: 255.255.255.0
>>>> Gateway Default Gateway: ????
>>>>
>>>> Other PCs IP: 10.30.0.2-255 etc
>>>> Other PCs Mask: 255.255.255.0
>>>> Other PCs Default Gateway: 10.30.0.1
>>>>
>>>> Tinc Subnet: 10.30.0.0/24
>>>>
>>>> Household B
>>>> Gateway IP: 10.30.1.1
>>>> Gateway Mask: 255.255.255.0
>>>> Gateway Default Gateway: ????
>>>>
>>>> Other PCs IP: 10.30.1.2-255 etc
>>>> Other PCs Mask: 255.255.255.0
>>>> Other PCs Default Gateway: 10.30.0.129
>>>>
>>>> Tinc Subnet: 10.30.1.0/24
>>>>
>>>>
>>>> So IDEA 1 probably won't work at all. Will it? And with
>>>> IDEA 2 the PCs won't appear on the same LAN and their
>>>> broadcasts won't reach each other.
>>>> As far as I understand I need to install TAP interface
>>>> on each of the participating windows PCs, correct?
>>>> What is specified in default gateway of the gateways?
>>>>
>>>>
>>>>
>>>> Thank you in advance,
>>>> Andrew
>>>>
>>>> On 7/10/2010 4:36 a.m., Donald Pearson wrote:
>>>>> The PCs that you want to participate need to have a
>>>>> route for the VPN subnet pointing to their local VPN
>>>>> gateway, which would be the local device with Tinc
>>>>> installed on it.
>>>>>
>>>>> Theoretical configuration example.
>>>>>
>>>>> VPN subnet is 10.10.10.0/24
>>>>>
>>>>> At a location, one computer 192.168.1.254/24
>>>>> connects to the VPN and
>>>>> serves as the VPN gateway. This gateway needs to be
>>>>> configured for TCP/IP forwarding.
>>>>>
>>>>> http://support.microsoft.com/kb/315236 - windows
>>>>> http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ -
>>>>> linux
>>>>>
>>>>> Other computers local to the gateway need a route to
>>>>> the VPN network added so they know how to get there.
>>>>>
>>>>> In Windows: route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254
>>>>> This will add the persistent route that remains after
>>>>> reboot.
>>>>>
>>>>> Does that answer your question?
>>>>>
>>>>> On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh
>>>>> <andrews at brutsoft.com> wrote:
>>>>>
>>>>> Thank you for your reply. As far as I can see
>>>>> there is no point specifying a subnet that consists
>>>>> of more than one PC in the tinc config if you are
>>>>> going to install tinc on every PC in the subnet
>>>>> anyway. Correct me if I'm wrong.
>>>>> Now, assuming I'm right, there will be PCs in the
>>>>> subnet that don't have tinc installed on them. How
>>>>> to configure these PCs so they are a part of the
>>>>> subnet and participate in routing?
>>>>>
>>>>> Cheers,
>>>>> Andrew
>>>>>
>>>>>
>>>>> On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am not sure I understand what you mean by
>>>>>> "joining" a subnet.
>>>>>>
>>>>>> But if your "local computer" needs to reach the
>>>>>> "remote subnet" served by tinc, you can set the
>>>>>> local IP of the local tinc server as the default
>>>>>> gateway, or add a route to the remote subnet via
>>>>>> the local tinc IP. Of course, computers located on
>>>>>> the remote subnet need the same thing.
>>>>>>
>>>>>> Cédric
>>>>>>
>>>>>> On 06/10/10 09:37, Andrew Savinykh wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I understand that each tinc daemon corresponds
>>>>>>> to one or more subnets that it "owns"; a subnet
>>>>>>> can be a single IP or more.
>>>>>>> Could you please tell me what I need to do to
>>>>>>> join a computer in a local network (windows) to a
>>>>>>> subnet served by tinc?
>>>>>>>
>>>>>>> Thank you in advance,
>>>>>>> Andrew
>>>>>
>>>
>>>
>>> _______________________________________________
>>> tinc mailing list
>>> tinc at tinc-vpn.org <mailto:tinc at tinc-vpn.org>
>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
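The exchange above turns on one question: for a given address and mask, does a PC treat a destination as on-link (it ARPs for it on the local segment) or does it hand the packet to its gateway? The following checker is an added example, not code from the thread or from the tinc project. It encodes the three address plans discussed (IDEA1, IDEA2 and the bridged design in which every node gets a second address in 10.30.1.0/24) and reports the problems a practitioner would look for before touching any router or tap adapter. Host addresses, and the tinc-gateway addresses of the bridged plan, are constructed sample values; the masks, gateways and tinc Subnets of IDEA1 and IDEA2 are the ones quoted in the thread.

```python
import ipaddress

# Address plans constructed from the thread. IDEA1 and IDEA2 are the two
# routed designs; FINAL is the bridged design where every node gets a second
# address in 10.30.1.0/24. Host addresses are sample values, not from the thread.
IDEA1 = {
    "name": "IDEA1", "mode": "routed",
    "sites": {
        "A": {"mask": "255.255.255.0", "gateway": "10.30.0.1",
              "hosts": ["10.30.0.2", "10.30.0.3"], "tinc_subnet": "10.30.0.0/25"},
        "B": {"mask": "255.255.255.0", "gateway": "10.30.0.129",
              "hosts": ["10.30.0.130", "10.30.0.131"], "tinc_subnet": "10.30.0.128/25"},
    },
}
IDEA2 = {
    "name": "IDEA2", "mode": "routed",
    "sites": {
        "A": {"mask": "255.255.255.0", "gateway": "10.30.0.1",
              "hosts": ["10.30.0.2", "10.30.0.3"], "tinc_subnet": "10.30.0.0/24"},
        "B": {"mask": "255.255.255.0", "gateway": "10.30.0.129",
              "hosts": ["10.30.1.2", "10.30.1.3"], "tinc_subnet": "10.30.1.0/24"},
    },
}
FINAL = {
    "name": "bridged", "mode": "bridged",
    "sites": {
        "A": {"mask": "255.255.255.0", "gateway": "10.30.1.1",
              "hosts": ["10.30.1.2", "10.30.1.3"], "tinc_subnet": "10.30.1.0/24"},
        "B": {"mask": "255.255.255.0", "gateway": "10.30.1.129",
              "hosts": ["10.30.1.130", "10.30.1.131"], "tinc_subnet": "10.30.1.0/24"},
    },
}


def on_link(src_ip, mask, dst_ip):
    """True if a host configured as src_ip/mask treats dst_ip as directly
    reachable (it will ARP for it) instead of sending it to its gateway."""
    net = ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)
    return ipaddress.ip_address(dst_ip) in net


def check_plan(plan):
    """Return a list of human-readable problems with an address plan."""
    problems = []
    sites = plan["sites"]
    for name, site in sites.items():
        subnet = ipaddress.ip_network(site["tinc_subnet"])
        # Every PC must see its VPN gateway as on-link, or a route via that
        # gateway (the thread's "route -p add ...") can never be used.
        for host in site["hosts"]:
            if not on_link(host, site["mask"], site["gateway"]):
                problems.append(f"{name}: {host} cannot reach gateway {site['gateway']} (off-link)")
        # In routed mode the tinc Subnet must cover every address the gateway
        # serves, otherwise the remote tinc node has no route back to it.
        if plan["mode"] == "routed":
            for addr in [site["gateway"], *site["hosts"]]:
                if ipaddress.ip_address(addr) not in subnet:
                    problems.append(f"{name}: {addr} is outside tinc Subnet {subnet}")
    # Cross-site checks: routed designs need the far side to look off-link,
    # a bridged design needs one broadcast domain spanning both sites.
    for a, site_a in sites.items():
        for b, site_b in sites.items():
            if a == b:
                continue
            for ha in site_a["hosts"]:
                for hb in site_b["hosts"]:
                    local = on_link(ha, site_a["mask"], hb)
                    if plan["mode"] == "routed" and local:
                        problems.append(
                            f"{a}: {ha} thinks {b}'s {hb} is on-link; it will ARP "
                            f"locally instead of using the VPN gateway")
                    if plan["mode"] == "bridged" and not local:
                        problems.append(f"{a}: {ha} and {b}'s {hb} are not in one broadcast domain")
    return problems


if __name__ == "__main__":
    for plan in (IDEA1, IDEA2, FINAL):
        print(plan["name"], check_plan(plan) or "OK")
```

Run as a script, it flags IDEA1 because a 255.255.255.0 mask makes the other household's /25 look on-link, so a PC in A would ARP for 10.30.0.130 on its own segment and never send the frame to the tinc gateway; it flags IDEA2 because household B's quoted default gateway 10.30.0.129 is neither on-link from 10.30.1.x nor inside the 10.30.1.0/24 tinc Subnet; and it passes the bridged plan, where all nodes share one 10.30.1.0/24 broadcast domain and no tinc Subnet entry is needed. The same on-link test also explains the DHCP drawback Donald mentions: once both sites are one broadcast domain, every DHCP discover reaches both routers.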