Route certain traffic via a tinc node that is not directly connected.

Guus Sliepen guus at tinc-vpn.org
Tue Apr 10 23:18:24 CEST 2018


On Tue, Apr 10, 2018 at 03:36:08PM +0200, Hans de Groot wrote:

> hosta  <--> hostb  <-->  hostc
> 
> Hosta and hostc are not directly connected via tinc. But both are connected
> via hostb (I called my network tincnet). This works fine: I can ssh from
> hosta to hostc and vice versa without any problems.
> 
> hostc is in a whitelisted iprange at some service provider.
> 
> I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
> 
> I added the iptables mangle rule to mark all traffic to ipaddressx at port
> 700.
> 
> -A OUTPUT  -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK
> --set-mark 0x1
> 
> I added:
>     ip route add default via iphostc dev tincnet table hostc
>     ip rule add from 0.0.0.0/0 fwmark 1 table hostc

If you are running tinc in router mode (which is the default), then the
"via iphostc" option does not have any effect. The packets will go to
dev tincnet, but there is nothing in the header of IP packets that
contains the address of the gateway.

Also, if you are using router mode, then you must inform tinc about
which peer to send packets with destination address ipaddressx to. So
you can add "Subnet = ipaddressx/" to hostc's hosts/hostc. But tinc only
routes on address, not on ports.

> Now when I try this:
> 
> traceroute -T -n ipaddressx -p 700
> 
> The route goes via the ip of hostb and not via the ip of hostc as I would
> have expected.

There are two possibilities for this: one is that tinc thinks the
packets with destination address ipaddressx should go to hostb (because
of what is in the Subnet statements), the other is that hosta and hostc
cannot directly communicate with each other, and traffic is routed via
hostb, and you have Forwarding = kernel in your tinc.conf. The latter
will force the packets to be sent to the tun interface on hostb, and if
you don't have any rules on hostb to send packets for ipaddressx port
700 to hostc, they will not be forwarded the way you want.

> A weird thing is when I try the add route with any ip in the tincnet subnet
> the route gets added even if that ip is not in use and all traffic still
> goes via the ip of hostb.
> ie: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table
> hostc

Again, in router mode, the "via ..." option has no effect at all.

> Is it tincd at hostb that intercepts the traffic actually meant for hostc
> and thinks it's meant for hostb and rewrites stuff automatically? Or am I
> missing something in the ip route / ip rules part?

Tinc itself does not rewrite anything.

> But I really would like to understand how to do this via mangle/fwmark and
> ip route / ip rule way.

It would help if you could show us your tinc.conf from hostb, and all
hosts/* files, so we can check how you configured tinc exactly.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
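The two points in the reply above, that tinc in router mode picks the peer from the Subnet statements in hosts/* (by address only, never by port) and that the kernel-side policy routing needs no "via" on the tun device, can be checked offline before touching a live node. The script below is an added example, not code from the thread or from the tinc project. It parses constructed hosts/* files (the node names and 10.0.0.0/24 and 192.0.2.0/24 ranges are made up for the example) and reports which node tinc would hand a destination address to, following the longest-prefix-match, lowest-weight-first selection that tinc's Subnet documentation describes; it also prints the hosta-side fwmark/ip rule/ip route commands from the thread with the ineffective "via" dropped.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts/* files (not from the original thread).
# hostb announces the whole 192.0.2.0/24 range, hostc only its own VPN address.
SAMPLE_HOSTS: Dict[str, str] = {
    "hosta": "Address = hosta.example.net\nSubnet = 10.0.0.1/32\n",
    "hostb": "Address = hostb.example.net\nSubnet = 10.0.0.2/32\nSubnet = 192.0.2.0/24\n",
    "hostc": "Address = hostc.example.net\nSubnet = 10.0.0.3/32\n",
}

# tinc syntax: "Subnet = address[/prefixlength][#weight]"; default weight is 10.
SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_subnets(hostfile: str) -> List[Tuple[ipaddress._BaseNetwork, int]]:
    """Return (network, weight) pairs for every Subnet line in a hosts/* file."""
    result = []
    for match in SUBNET_RE.finditer(hostfile):
        spec = match.group(1)
        weight = 10
        if "#" in spec:
            spec, weight_text = spec.split("#", 1)
            weight = int(weight_text)
        # A bare address without /prefix is a single-host subnet (/32 or /128).
        result.append((ipaddress.ip_network(spec, strict=False), weight))
    return result


def tinc_next_hop(hosts: Dict[str, str], dst: str) -> Optional[str]:
    """Name of the node tinc (router mode) would send packets for dst to.

    Longest prefix wins; among equal prefixes the lowest weight wins.
    The port is deliberately not a parameter: tinc routes on address only.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for node, text in hosts.items():
        for net, weight in parse_subnets(text):
            if addr.version != net.version or addr not in net:
                continue
            key = (-net.prefixlen, weight, node)
            if best is None or key < best[0]:
                best = (key, node)
    return None if best is None else best[1]


def hosta_policy_routing(dst: str, port: int, table: str, dev: str) -> List[str]:
    """Kernel-side rules from the thread, without the "via" that router mode ignores."""
    return [
        f"iptables -t mangle -A OUTPUT -p tcp -d {dst}/32 --dport {port} -j MARK --set-mark 0x1",
        f"ip rule add from 0.0.0.0/0 fwmark 1 table {table}",
        f"ip route add default dev {dev} table {table}",
    ]


if __name__ == "__main__":
    target = "192.0.2.10"  # constructed stand-in for ipaddressx
    print("with hostb owning 192.0.2.0/24:", tinc_next_hop(SAMPLE_HOSTS, target))
    fixed = dict(SAMPLE_HOSTS)
    fixed["hostc"] += f"Subnet = {target}/32\n"  # the Subnet line the reply suggests
    print("after adding a /32 to hosts/hostc:", tinc_next_hop(fixed, target))
    for cmd in hosta_policy_routing(target, 700, "hostc", "tincnet"):
        print(cmd)
```

Run it against real hosts/* files by replacing SAMPLE_HOSTS with their contents; if the reported node for ipaddressx is hostb, the Subnet statements explain the traceroute result regardless of any fwmark rules on hosta.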