Linux box as network gateway

Donald Pearson donaldwhpearson at gmail.com
Wed Mar 19 20:35:26 CET 2014


A routing solution works at layer 3 and therefore won't use bridging which
is at layer 2.

For routing, all clients on the 172.16.254.0/24 (assuming /24) network
will need to have a route added to use 172.16.253.102 as the next hop to
reach the remote 192.168.99.0/24 network.

Similarly, all clients on the 192.168.99.0/24 network will need to have routes
to use 192.168.99.4 as the next hop to reach the 172.16.254.0/24 network.

Alternatively, on each side's gateway, you can add a route there to direct
the traffic.  If you do this, an example of the path your traffic would take
would be something like this:

172.16.253.100 pings 192.168.99.100.
172.16.253.100 -> 172.16.253.1 (assuming default gw is .1) ->
172.16.253.102 (because you set the route in the gw to send all
192.168.99.0/24 traffic to .102) -> 10.10.10.103 (packet moves from lan to
vpn subnet and moves over vpn to remote tinc box) -> 192.168.99.100 (
remote tinc moves packet from vpn subnet to remote lan subnet).


On Wed, Mar 19, 2014 at 3:23 PM, Aaron Anderson <anderson.aaron at gmail.com> wrote:

> So we're all on the same page, here's what I want: (will need to be in
> fixed width font)
>
> -[client (10.10.10.102) and
> (172.16.253.102)]--[router]-[internet]-------[router]-[tincserver
> (10.10.10.103) and (192.168.99.4)]
>
>           -[other box (192.168.99.5)]
>
>           -[other box (192.168.99.6)]
>
>
>
> Where 192.168.99.x and 172.16.253.x are the local non-tinc subnets and
> 10.10.10.x are tinc addresses.
>
>
> From "client" i want to be about to access the "other boxes" through
> "tincserver" - I'm aware there will be routes for this, I'm fully
> capable of dealing with those.
>
> How should I set up the bridge on "tincserver" ?
>
> On Wed, Mar 19, 2014 at 3:09 PM, Donald Pearson
> <donaldwhpearson at gmail.com> wrote:
> > By the way, if you create a layer 2 vpn using bridging like this, I suggest
> > installing ebtables on your tinc box so that you can put in some layer 2
> > firewall rules.  An interesting result when you don't do this is DHCP
> > traversing the VPN.  Much to my surprise I've seen hosts on one site receive
> > DHCP from a site across the VPN, ultimately using the remote router as its
> > gateway.
> > You would think the local server would be faster and always win, but that's
> > not always the case.
> >
> >
> > On Wed, Mar 19, 2014 at 3:03 PM, Donald Pearson <donaldwhpearson at gmail.com> wrote:
> >>
> >> Well you use brctl to bridge the virtual adapter (interface) to a real
> >> physical interface, and that's represented by an additional virtual
> >> interface which is the bridge itself.  That bridge is what you configure
> >> with an IP on your LAN statically or via DHCP.
> >>
> >> If you do all this ahead of time you don't even need a tinc-up script.
> >>
> >> If you want the bridge to be built up when tinc connects it would look
> >> something like this.  Do the inverse for a tinc-down
> >>
> >> tinc.conf
> >> Name = Alpha
> >> ConnectTo = Beta
> >> ConnectTo = Charlie
> >> Device = /dev/net/tun
> >> Mode = switch
> >> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
> >> #
> >> #
> >>
> >> tinc-up
> >> #!/bin/sh
> >> modprobe tun
> >> ifconfig vpn 0.0.0.0
> >> ifconfig vpn up
> >> ifconfig eth1 0.0.0.0
> >> ifconfig eth1 up
> >>
> >> brctl addbr bridge
> >> brctl addif bridge vpn
> >> brctl addif bridge eth1
> >> ifconfig bridge 10.10.0.1 netmask 255.255.0.0
> >> route add default gw 10.10.0.254 bridge
> >> ifconfig bridge up
> >>
> >>
> >>
> >>
> >> On Wed, Mar 19, 2014 at 2:44 PM, Aaron Anderson <anderson.aaron at gmail.com> wrote:
> >>>
> >>> Does connecting to that machine get you access to other machines on
> >>> the network? That's what I'm having trouble with. I want to connect to
> >>> machines that do not have tinc installed.
> >>>
> >>> On Wed, Mar 19, 2014 at 2:30 PM, vmlinux <vmlinux at charter.net> wrote:
> >>> > Aaron Anderson said  on 03/19/2014 01:23 PM:
> >>> >> I do already have those installed. I was really hoping for someone who
> >>> >> had some already working configs or examples.
> >>> >
> >>> > # /etc/tinc/myvpn/tinc.conf
> >>> > Name = mynode
> >>> > AddressFamily = ipv4
> >>> > interface = tinc0
> >>> >
> >>> > # /etc/tinc/myvpn/tinc-up
> >>> > #!/bin/bash
> >>> > ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0
> >>> >
> >>> > # /etc/tinc/myvpn/tinc-down
> >>> > #!/bin/bash
> >>> > ifconfig $INTERFACE down
> >>> >
> >>> > # tincd -n myvpn
> >>> >
> >>> > _______________________________________________
> >>> > tinc mailing list
> >>> > tinc at tinc-vpn.org
> >>> > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> >>
> >>
> >
> >
> >
>
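Added example, not part of the thread: a tinc-up script for the routed (layer 3) design Donald describes, plus an ebtables filter for the DHCP-over-the-bridge problem he mentions in the switch-mode case. It uses the thread's addresses; the LAN interface name eth0, the tun interface name, the node/host file names and a DROP policy on the FORWARD chain are assumptions. Set DRY_RUN=1 to see the commands without running them.

```sh
#!/bin/sh
# Added example (not from the thread): tinc-up for the routed design, using
# the thread's addresses. Assumes Mode = router, LAN interface eth0 on
# tincserver, and a FORWARD chain whose default policy is DROP.
#
#   tincserver: tinc 10.10.10.103, LAN 192.168.99.4,   LAN 192.168.99.0/24
#   client:     tinc 10.10.10.102, LAN 172.16.253.102, LAN 172.16.253.0/24
#
# In router mode the host files must declare the LANs, e.g.
#   hosts/tincserver:  Subnet = 192.168.99.0/24
#   hosts/client:      Subnet = 172.16.253.0/24
# so tinc knows which node owns which LAN; the kernel only needs a route that
# sends the remote LAN into the tun interface.

# DRY_RUN=1 prints each command instead of executing it, so the script can be
# reviewed on a box without root or a tinc interface.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gateway_up IFACE LOCAL_VPN_ADDR/PREFIX LOCAL_LAN REMOTE_LAN LAN_IFACE
# "replace" rather than "add" keeps this idempotent when tinc-up is re-run
# after a reconnect.
gateway_up() {
    iface=$1; vpn_addr=$2; local_lan=$3; remote_lan=$4; lan_if=$5

    run sysctl -q -w net.ipv4.ip_forward=1
    run ip link set "$iface" up
    run ip address replace "$vpn_addr" dev "$iface"
    # The remote LAN is reached through the tun device; tinc picks the peer
    # from its Subnet table, so no "via" next hop is needed here.
    run ip route replace "$remote_lan" dev "$iface"

    # Least privilege: only traffic between the two LANs may be forwarded.
    # Anything else hitting FORWARD falls through to the (assumed) DROP policy.
    run iptables -A FORWARD -i "$iface" -o "$lan_if" -s "$remote_lan" -d "$local_lan" -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$iface" -s "$local_lan" -d "$remote_lan" -j ACCEPT
}

# bridge_dhcp_filter IFACE: for the bridged (Mode = switch) design instead,
# stop DHCP from crossing the VPN in either direction. In ebtables, -i/-o
# name bridge ports, so IFACE is the tinc port on the bridge.
bridge_dhcp_filter() {
    iface=$1
    # Offers/acks arriving from the remote site (server port 67 -> client 68)
    run ebtables -A FORWARD -i "$iface" -p IPv4 --ip-protocol udp --ip-source-port 67 --ip-destination-port 68 -j DROP
    # Local discover/request broadcasts leaving towards the remote site
    run ebtables -A FORWARD -o "$iface" -p IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
}

# tincd exports INTERFACE when it runs tinc-up; only then apply the config,
# so sourcing the file elsewhere (or in a dry run) changes nothing.
if [ -n "$INTERFACE" ]; then
    gateway_up "$INTERFACE" 10.10.10.103/24 192.168.99.0/24 172.16.253.0/24 eth0
fi
```

This only covers the tinc box itself. As Donald says, the hosts on each LAN (or that LAN's existing router) still need a route for the far LAN pointing at the tinc box, for example on the 192.168.99.0/24 router: ip route add 172.16.253.0/24 via 192.168.99.4. If the FORWARD policy on the tinc box is ACCEPT rather than DROP, the two iptables rules above restrict nothing.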