Switch mode tinc and masquerade

hvjunk hvjunk at gmail.com
Fri Jun 3 12:33:50 CEST 2016


> On 03 Jun 2016, at 11:43 AM, Chris Clarke <chris at listerthrawn.co.uk> wrote:
> 
> Hi,
> 
> I've an existing tinc switch mode VPN set up with a few nodes.  I've now added a new node, but I want this node to route all its traffic through tinc and use one of the tinc nodes as its gateway to the rest of the internet.
> 
> I've got the device on the VPN and it participates nicely, but I can't talk to the internet at large.  When I tcpdump the external interface on the exit node, I see the packets leaving the network, but the source IP is still the tinc VPN IP address of the device, and it's not NAT'd the source as I expected.  I've checked that I've added an iptables rule to do this, but for some reason it's not hitting it. I’m not new to setting up NAT gateways with iptables so I'm pretty sure that bit is correct.

iptables’ MASQUERADE is done in POSTROUTING, which happens after tinc has handed it to the kernel.
The problem might be that the matching you’ve set up isn’t correct: at the POSTROUTING phase you can’t really match the input interface; you have to match the output interface, and you would need to match on the IP it originates from.


> Could this be something to do with it coming from tinc?

Shouldn’t be.
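As an added example that is not part of the thread, the following POSIX shell script builds the exit-node rules hvjunk's answer describes (match the outgoing interface and the VPN source range in nat POSTROUTING, plus the FORWARD rules and ip_forward sysctl that have to go with it) and lints a rule for the mistake the answer points at. The interface names `tinc0` and `eth0`, the VPN subnet `10.20.0.0/24` and the helper names are assumptions, not values from the original mail; it runs as a dry run unless APPLY=1 is set by root.

```shell
#!/bin/sh
# Added example (not from the original thread): generate and sanity-check the
# iptables rules a tinc exit node needs to masquerade traffic from the VPN.
# Assumed values (constructed for this example): the tinc interface is tinc0,
# the VPN subnet is 10.20.0.0/24 and the upstream interface is eth0.

VPN_IF="${VPN_IF:-tinc0}"
VPN_NET="${VPN_NET:-10.20.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# The mistake described in the thread: in the nat table's POSTROUTING chain the
# input interface is no longer available, so a rule keyed on "-i tinc0" is
# rejected by iptables and can never be what masquerades the packets.
broken_masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -i %s -j MASQUERADE\n' "$VPN_IF"
}

# Correct form: match the interface the packet leaves on and the VPN source range.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_NET" "$WAN_IF"
}

# Forwarding must be enabled and the filter table must let VPN traffic out and
# the replies back in, otherwise the NAT rule is never reached.
forward_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$VPN_IF" "$WAN_IF" "$VPN_NET"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF" "$VPN_IF"
}

# Lint one POSTROUTING rule: 0 if it matches on output interface and source,
# 1 if it uses -i (not valid in POSTROUTING) or lacks -o or -s.
check_postrouting_rule() {
    rule="$1"
    case "$rule" in
        *POSTROUTING*) ;;
        *) echo "FAIL: not a POSTROUTING rule"; return 1 ;;
    esac
    case " $rule " in
        *" -i "*) echo "FAIL: the input interface (-i) cannot be matched in POSTROUTING"; return 1 ;;
    esac
    case " $rule " in
        *" -o "*) ;;
        *) echo "FAIL: no output interface (-o) match"; return 1 ;;
    esac
    case " $rule " in
        *" -s "*) ;;
        *) echo "FAIL: no source (-s) match, so traffic from other sources would be masqueraded too"; return 1 ;;
    esac
    echo "OK: $rule"
    return 0
}

# Show the lint result for both forms, then apply or dry-run the rule set.
main() {
    check_postrouting_rule "$(broken_masq_rule)" || true
    check_postrouting_rule "$(masq_rule)"
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        { forward_rules; masq_rule; } | sh -e
    else
        echo "# dry run; set APPLY=1 and run as root to apply:"
        forward_rules
        masq_rule
    fi
}

main "$@"
```

Running it as an ordinary user prints the lint verdicts and the commands it would execute; to verify the rule is actually hit on a live exit node, compare the packet counters of `iptables -t nat -L POSTROUTING -v -n` before and after generating traffic from the VPN node.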
