Linux box as network gateway

Håkon Struijk Holmen hawken at thehawken.org
Sat Mar 22 13:17:27 CET 2014


Hi :)

An example of this could be the following (I'm using tinc 1.0, so these 
files may vary):
     Name = servera
     ConnectTo = serverb
     Device = /dev/net/tun
     Mode = switch
  (The inverse on serverb)

tinc-up
     #server a
     ifconfig $INTERFACE up
     ifconfig $INTERFACE 10.10.10.102 netmask 255.255.255.0
     route add -net 192.168.99.0/24 gw 10.10.10.103

     #server b
     ifconfig $INTERFACE up
     ifconfig $INTERFACE 10.10.10.103 netmask 255.255.255.0
     route add -net 172.16.253.0/24 gw 10.10.10.102
tinc-down is just the same as usual.

Given that you deal with pointing the traffic at these boxes, this 
should work.
This can still be improved by configuring tinc in routing mode (I think..)

On 19.03.2014 20:35, Donald Pearson wrote:
> A routing solution works at layer 3 and therefore won't use bridging 
> which is at layer 2.
>
> For routing, all clients on the 172.16.254.0/24 (assuming /24) network 
> will need to have a route added to use 172.16.253.102 as the next hop 
> to reach the remote 192.168.99.0/24 network.
>
> Similarly, all clients on the 192.168.99.0/24 network will need to have 
> routes to use 192.168.99.4 as the next hop to reach the 172.16.254.0/24 
> network.
>
> Alternatively, on each side's gateway, you can add a route there to 
> direct the traffic.  If you do this, an example path your traffic 
> would take would be something like this
>
> 172.16.253.100 pings 192.168.99.100.
> 172.16.253.100 -> 172.16.253.1 (assuming default gw is .1) -> 
> 172.16.253.102 (because you set the route in the gw to send all 
> 192.168.99.0/24 <http://192.168.99.0/24> traffic to .102) -> 
> 10.10.10.103 (packet moves from lan to vpn subnet and moves over vpn 
> to remote tinc box) -> 192.168.99.100 ( remote tinc moves packet from 
> vpn subnet to remote lan subnet).
>
>
> On Wed, Mar 19, 2014 at 3:23 PM, Aaron Anderson 
> <anderson.aaron at gmail.com> wrote:
>
>     So we're all on the same page, here's what I want: (will need to be in
>     fixed width font)
>
>     -[client (10.10.10.102) and
>     (172.16.253.102)]--[router]-[internet]-------[router]-[tincserver
>     (10.10.10.103) and (192.168.99.4)]
>
>               -[other box (192.168.99.5)]
>
>               -[other box (192.168.99.6)]
>
>
>
>     Where 192.168.99.x and 172.16.253.x are the local non-tinc subnets and
>     10.10.10.x are tinc addresses.
>
>
>     From "client" I want to be able to access the "other boxes" through
>     "tincserver" - I'm aware there will be routes for this, I'm fully
>     capable of dealing with those.
>
>     How should I set up the bridge on "tincserver" ?
>
>     On Wed, Mar 19, 2014 at 3:09 PM, Donald Pearson <donaldwhpearson at gmail.com> wrote:
>     > By the way, if you create a layer 2 vpn using bridging like this, I
>     > suggest installing ebtables on your tinc box so that you can put in
>     > some layer 2 firewall rules.  An interesting result when you don't do
>     > this is DHCP traversing the VPN.  Much to my surprise I've seen hosts
>     > on one site receive DHCP from a site across the VPN, ultimately using
>     > the remote router as its gateway.
>     > You would think the local server would be faster and always win, but
>     > that's not always the case.
>     >
>     >
>     > On Wed, Mar 19, 2014 at 3:03 PM, Donald Pearson <donaldwhpearson at gmail.com> wrote:
>     >>
>     >> Well you use brctl to bridge the virtual adapter (interface) to a
>     >> real physical interface, and that's represented by an additional
>     >> virtual interface which is the bridge itself.  That bridge is what
>     >> you configure with an IP on your LAN statically or via DHCP.
>     >>
>     >> If you do all this ahead of time you don't even need a tinc-up script.
>     >>
>     >> If you want the bridge to be built up when tinc connects it would
>     >> look something like this.  Do the inverse for a tinc-down
>     >>
>     >> tinc.conf
>     >> Name = Alpha
>     >> ConnectTo = Beta
>     >> ConnectTo = Charlie
>     >> Device = /dev/net/tun
>     >> Mode = switch
>     >> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
>     >> #
>     >> #
>     >>
>     >> Tinc-up
>     >> #!/bin/sh
>     >> modprobe tun
>     >> ifconfig vpn 0.0.0.0
>     >> ifconfig vpn up
>     >> ifconfig eth1 0.0.0.0
>     >> ifconfig eth1 up
>     >>
>     >> brctl addbr bridge
>     >> brctl addif bridge vpn
>     >> brctl addif bridge eth1
>     >> ifconfig bridge 10.10.0.1 netmask 255.255.0.0
>     >> route add default gw 10.10.0.254 bridge
>     >> ifconfig bridge up
>     >>
>     >>
>     >>
>     >>
>     >> On Wed, Mar 19, 2014 at 2:44 PM, Aaron Anderson <anderson.aaron at gmail.com> wrote:
>     >>>
>     >>> Does connecting to that machine get you access to other machines on
>     >>> the network? That's what I'm having trouble with. I want to connect
>     >>> to machines that do not have tinc installed.
>     >>>
>     >>> On Wed, Mar 19, 2014 at 2:30 PM, vmlinux <vmlinux at charter.net> wrote:
>     >>> > Aaron Anderson said  on 03/19/2014 01:23 PM:
>     >>> >> I do already have those installed. I was really hoping for someone
>     >>> >> who had some already working configs or examples.
>     >>> >
>     >>> > # /etc/tinc/myvpn/tinc.conf
>     >>> > Name = mynode
>     >>> > AddressFamily = ipv4
>     >>> > interface = tinc0
>     >>> >
>     >>> > # /etc/tinc/myvpn/tinc-up
>     >>> > #!/bin/bash
>     >>> > ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0
>     >>> >
>     >>> > # /etc/tinc/myvpn/tinc-down
>     >>> > #!/bin/bash
>     >>> > ifconfig $INTERFACE down
>     >>> >
>     >>> > # tincd -n myvpn
>     >>> >
>     >>> > _______________________________________________
>     >>> > tinc mailing list
>     >>> > tinc at tinc-vpn.org
>     >>> > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

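The routed-gateway layout from Håkon's reply (switch mode, a tun device, and a route to the remote LAN via the peer's VPN address) as one parameterised tinc-up script. This is an added example, not a script from the thread or from the tinc project: it uses ip(8) and iptables instead of ifconfig/route, assumes tincd exports INTERFACE and NAME to the script (as tinc 1.0 documents), and adds the ip_forward sysctl the thread leaves implicit plus FORWARD rules that confine the box to forwarding only between the two LANs.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project): one tinc-up script
# that serves both gateways in the routed layout. tincd exports INTERFACE
# (the tun/tap device) and NAME (the local node name) to this script; that is
# assumed here from the tinc 1.0 documentation.
#
# gateway_commands SIDE prints the commands for that side instead of running
# them, so the plan can be inspected (or tested) before it touches the system.
gateway_commands() {
    dev=${INTERFACE:-tinc0}          # set by tincd; default only for dry runs
    case "$1" in
        servera) vpn=10.10.10.102; peer=10.10.10.103
                 local_lan=172.16.253.0/24; remote_lan=192.168.99.0/24 ;;
        serverb) vpn=10.10.10.103; peer=10.10.10.102
                 local_lan=192.168.99.0/24; remote_lan=172.16.253.0/24 ;;
        *) echo "gateway_commands: unknown side '$1'" >&2; return 1 ;;
    esac
    # Bring up the VPN side, route the remote LAN via the peer, enable
    # forwarding, and allow only LAN<->LAN traffic across the VPN device;
    # anything else entering or leaving the VPN device is dropped.
    cat <<EOF
ip link set dev $dev up
ip addr add $vpn/24 dev $dev
ip route add $remote_lan via $peer dev $dev
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $dev -s $remote_lan -d $local_lan -j ACCEPT
iptables -A FORWARD -o $dev -s $local_lan -d $remote_lan -j ACCEPT
iptables -A FORWARD -i $dev -j DROP
iptables -A FORWARD -o $dev -j DROP
EOF
}

# Only act when tincd actually runs this file as tinc-up; when the file is
# sourced elsewhere (e.g. for a dry run), just define the function above.
case "$0" in
    *tinc-up) gateway_commands "$NAME" | sh -e ;;
esac
```

tinc-down mirrors this with `ip route del`, `iptables -D` and `ip link set dev ... down`, as the thread notes ("just the same as usual").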

