Route certain traffic via a tinc node that is not directly connected.

Phang Mulianto braveh4rt at gmail.com
Wed Apr 11 06:42:49 CEST 2018


Hi,

I have set up this 2-hop VPN using tinc.

The thing is to make sure you can reach the IP of host c from host a; it seems
it works, as you can ssh.

And the NAT you have turned on in hostc, and IP forwarding enabled in the kernel of
hostb and hostc.

If your ipaddressx destination will be HTTP, better use a proxy server set up on
hostc, not the routing or NAT thing. It works for me and is faster with the
cache.



On Tue, 10 Apr 2018 21:56 Hans de Groot, <hansg at dandy.nl> wrote:

> Hello List,
>
> I have this setup:
>
> hosta  <--> hostb  <-->  hostc
>
> Hosta and hostc are not directly connected via tinc. But both are
> connected via hostb (I called my network tincnet). This works fine: I can
> ssh from hosta to hostc and vice versa without any problems.
>
> hostc is in a whitelisted iprange at some service provider.
>
> I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
>
> I added the iptables mangle rule to mark all traffic to ipaddressx at
> port 700.
>
> -A OUTPUT  -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK
> --set-mark 0x1
>
> I added:
>      ip route add default via iphostc dev tincnet table hostc
>      ip rule add from 0.0.0.0/0 fwmark 1 table hostc
>
> Now when I try this:
>
> traceroute -T -n ipaddressx -p 700
>
> The route goes via the ip of hostb and not via the ip of hostc as I
> would have expected.
> If I remove the iptables rule the route goes directly via the ip of
> hosta. So the mangle rule and ip rule lines are okay I think.
> Of course I also checked this via telnet ipaddressx 700 and watched via
> tcpdump what happened on hostb and hostc.
>
> A weird thing is when I try to add the route with any ip in the tincnet
> subnet the route gets added even if that ip is not in use, and all
> traffic still goes via the ip of hostb.
> ie: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet
> table hostc
>
> Does anyone know what is happening here?
>
> Is it tincd at hostb that intercepts the traffic actually meant for
> hostc and thinks it's meant for hostb and rewrites stuff automatically?
> Or am I missing something in the ip route / ip rules part?
>
> I am using tinc a lot but so far it was between tinc nodes that are also
> directly connected, and never had this problem before.
>
> If I just use iptables on hosta and hostc with nat and prerouting it
> works fine. I just tell iptables on hosta that all traffic to ipaddressx
> has to be dnatted to hostc and at hostc I just dnat this to the
> destination ip.
>
> But I really would like to understand how to do this via mangle/fwmark
> and ip route  / ip rule way.
>
> hosta is centos 7 tinc 1.0.31
> hostb is centos 5 tinc 1.0.25
> hostc is centos 5 tinc 1.0.13
>
> I hope someone can help me on my way.
>
> Thx
>
> Hans de Groot
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
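The route-selection question in the quoted message, as an added example (not from the thread and not tinc's own code): with a tun device in the default router mode, tinc ignores the gateway named in the kernel route and forwards a packet to the node whose `Subnet` line is the longest prefix match for the destination address, so a destination that no host file claims cannot be steered with `via iphostc`. The script below models that lookup over constructed hosts/* files; the tincnet subnet 10.9.0.0/24, the address 203.0.113.7 standing in for ipaddressx, and the node names are assumptions.

```python
"""Simplified model of tinc's router-mode forwarding decision (not tinc's code).

tinc forwards a packet to the node whose Subnet line is the longest prefix
match for the destination IP; ties go to the lower weight (default 10).
All hosts/* contents below are constructed for this example.
"""
import ipaddress
import re

TINC_DEFAULT_WEIGHT = 10

# Constructed hosts/* files: 10.9.0.0/24 plays tincnet, 203.0.113.7 plays ipaddressx.
HOSTS_BEFORE = {
    "hosta": "Address = hosta.example\nSubnet = 10.9.0.1/32\n",
    "hostb": "Address = hostb.example\nSubnet = 10.9.0.2/32\n",
    "hostc": "Address = hostc.example\nSubnet = 10.9.0.3/32\n",
}
# hostc additionally announces the external address it should relay for.
HOSTS_AFTER = dict(HOSTS_BEFORE,
                   hostc=HOSTS_BEFORE["hostc"] + "Subnet = 203.0.113.7/32\n")
# hostb announces a catch-all; hostc's /32 must still win by prefix length.
HOSTS_CATCHALL = dict(HOSTS_AFTER,
                      hostb=HOSTS_BEFORE["hostb"] + "Subnet = 0.0.0.0/0#20\n")

SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*([^\s#]+)(?:#(\d+))?\s*$", re.IGNORECASE)


def parse_subnets(hosts):
    """Return [(network, weight, node)] for every Subnet line in all hosts/* files."""
    table = []
    for node, text in hosts.items():
        for line in text.splitlines():
            m = SUBNET_RE.match(line)
            if m:
                net = ipaddress.ip_network(m.group(1), strict=False)
                weight = int(m.group(2)) if m.group(2) else TINC_DEFAULT_WEIGHT
                table.append((net, weight, node))
    return table


def lookup_owner(hosts, dst):
    """Node that tinc would forward dst to; None if no Subnet line covers it."""
    addr = ipaddress.ip_address(dst)
    # Longest prefix first, then lowest weight (negated so max() picks it).
    best = max(((net.prefixlen, -weight, node)
                for net, weight, node in parse_subnets(hosts) if addr in net),
               default=None)
    return best[2] if best else None
```

With HOSTS_BEFORE the lookup for 203.0.113.7 returns None, which is why a kernel route through tincnet alone does not pick hostc; adding the /32 to hostc's host file (and distributing it to every node) makes hostc the selected owner even when another node announces 0.0.0.0/0.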

