VPN address of the remote host

Jean-Charles Andlauer andlauer at gmail.com
Wed Jun 18 10:37:13 CEST 2014


Thank you for your answers...

2014-06-18 10:02 GMT+02:00 Guus Sliepen <guus at tinc-vpn.org>:
> On Wed, Jun 18, 2014 at 09:22:16AM +0200, Jean-Charles Andlauer wrote:
>
>> Some tinc configuration examples available on the Internet include a
>> statement like this:
>> "route add -net $subnet netmask $netmask gw $remote_ip", where
>> $remote_ip is the VPN address of the remote host.
>>
>> Q1:
>> Does this statement modify the behaviour of tinc (as compared to
>> "ifconfig $interface $local_ip netmask $netmask")?
>
> No, neither ifconfig nor "route add" modify the behaviour of tinc
> itself, it merely changes the way the kernel routes packets. You have to
> make sure that you give the right commands in the tinc-up script to have
> the kernel route packets that have to go via the VPN to the virtual
> network interface.
>
>> Q2:
>> If it does, is there a way to determine the VPN address of the remote
>> host, as this would simplify configuration of tinc a lot, i.e.
>> configuration could become automatic/dynamic rather than
>> manual/static?
>
> You can write a subnet-up script, which is called whenever an IP range
> becomes reachable on the VPN. An example script for Linux:
>
> #!/bin/sh
> ip route replace $SUBNET dev $INTERFACE
>
>> Q3:
>> Isn't setting up a routing daemon just to get that information (i.e.
>> the VPN address of the remote host) a bit overkill?
>
> You can make your VPN setup as simple or as complex as you want. Tinc
> does not enforce any particular way. The simplest way is to assign a
> single large subnet to the whole VPN, say 192.168.0.0/16, and have each node
> take a smaller piece of that large subnet. You tell tinc about the
> smaller pieces by adding statements like "Subnet = 192.168.1.2/32" or
> "Subnet = 192.168.3.0/24" to the host config file of the node that owns
> that piece. Then, in their tinc-up scripts you just have (respectively):
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.1.2 netmask 255.255.0.0
>
> or
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.3.1 netmask 255.255.0.0
>
> Note that the netmask in the tinc-up script is 255.255.0.0, so that the
> kernel will route all packets in the 192.168.0.0/16 range to the VPN
> interface. As long as you didn't use the whole /16, then you can add new
> nodes without having to change the tinc-up script on any of the existing
> nodes.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
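An added example, not part of the original thread or of tinc itself: a subnet-up script in the style of the one quoted above that installs the kernel route only when the announced IPv4 subnet lies inside the VPN-wide range, so a peer cannot pull traffic for unrelated prefixes onto the VPN interface. VPN_RANGE (taken from the 192.168.0.0/16 example above) and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example: subnet-up that validates $SUBNET before touching the routing table.
# VPN_RANGE is an assumption based on the 192.168.0.0/16 example in the thread.
VPN_RANGE="192.168.0.0/16"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on malformed input.
ip_to_int() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject leading zeros (would be read as octal) and over-long octets.
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# subnet_in_range SUBNET RANGE -> exit 0 if SUBNET (a.b.c.d[/len]) is inside RANGE.
# IPv4 only: MAC and IPv6 subnets are rejected.
subnet_in_range() {
    s_addr=${1%%/*}; s_len=32
    case "$1" in */*) s_len=${1#*/} ;; esac
    r_addr=${2%%/*}; r_len=${2#*/}
    case "$s_len" in ''|*[!0-9]*) return 1 ;; esac
    # The announced prefix must be at least as specific as the VPN range.
    [ "$s_len" -le 32 ] && [ "$s_len" -ge "$r_len" ] || return 1
    s_int=$(ip_to_int "$s_addr") && r_int=$(ip_to_int "$r_addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - r_len)) & 0xFFFFFFFF ))
    [ $(( s_int & mask )) -eq $(( r_int & mask )) ]
}

# tinc sets INTERFACE, SUBNET and NODE when it calls subnet-up; do nothing without them.
if [ -n "${INTERFACE:-}" ] && [ -n "${SUBNET:-}" ]; then
    if subnet_in_range "$SUBNET" "$VPN_RANGE"; then
        ip route replace "$SUBNET" dev "$INTERFACE"
    else
        logger -t tinc-subnet-up "ignored $SUBNET from ${NODE:-unknown}: outside $VPN_RANGE"
    fi
fi
```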

