Route certain traffic via a tinc node that is not directly connected.

Hans de Groot hansg at dandy.nl
Wed Apr 11 12:30:23 CEST 2018


Hello again :)

Thank you all for your replies. Below are the config files of the 3 hosts.
I use tinc in router mode. I do not have any kernel mode config lines 
anywhere, so tinc must be using the default settings here.

I added the ipaddressx to subnets on hostc and this works. Traffic to 
that ip is now routed via hostc.
But since this ipaddressx address changes often I need to resolve it 
automatically and change the iptables rules that mark the packets. I was 
really hoping to have to do this at one location (at hosta) and not 
update the subnets on hostc. (And I also would like to understand how 
this works with tinc.)

If I use the old route command I can tell it to route traffic for a 
certain ip to a certain gateway. (without tinc)
ie: route add -host 192.168.0.16 gw 10.0.0.1 eth0
I always assumed packets were specifically sent to 10.0.0.1 if packets 
with destination 192.168.0.16 arrived on this host.
But Guus says the VIA option has no effect. So is there a way to send 
packets to a specific gateway ip using ip route?
I do have a subnet 0.0.0.0 at hostb so that is probably why traffic goes 
out via hostb when I do not have the specific subnet/ip at hostc

Regards

Hans de Groot


configs at hosta
tinc.conf
Name = hosta
Device = /dev/net/tun
Hostnames = No
connectto = hostb
Mode = Router
KeyExpire = 3600
PingInterval = 10
PingTimeout = 15
PrivateKeyFile = /etc/tinc/tincnet/rsa_key.priv
ProcessPriority = high
PMTUDiscovery = yes

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.21 netmask 255.255.255.0
route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
ip route add default via 192.168.230.160 dev tincnet table hostc
ip rule add from 0.0.0.0/0 fwmark 1 table hostc


hosta
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.21/32
TCPonly = yes

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

-------------------------------------------------
configs at hostb
tinc.conf
AddressFamily = ipv4
Name = hostb
Device = /dev/net/tun
Hostnames = No
Mode = Router
KeyExpire = 3600
PingInterval = 30
PingTimeout = 60
PrivateKeyFile = /usr/local/etc/tinc/tincnet/rsa_key.priv
ProcessPriority = high
PMTUDiscovery = yes

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.1 netmask 255.255.255.0
route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
ip route add default via 192.168.230.160 dev tincnet table hostc
ip rule add from 0.0.0.0/0 fwmark 1 table hostc

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = No
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

hostc
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 192.168.230.160/32
Subnet = 10.100.1.241/32
TCPonly = Yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

-----------------------------------------------------------
config at hostc
tinc.conf
AddressFamily = ipv4
Name = hostc
ConnectTo = hostb
Interface = tincnet
Hostnames = No
Mode = Router
KeyExpire = 3600
PingInterval = 10
PingTimeout = 10

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.160 netmask 255.255.255.0

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = Yes

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----


hostc
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 192.168.230.160/32
Subnet = 10.100.2.2/32
Subnet = 10.100.1.236/32
TCPonly = Yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

On 4/10/2018 11:18 PM, Guus Sliepen wrote:
> On Tue, Apr 10, 2018 at 03:36:08PM +0200, Hans de Groot wrote:
>
>> hosta  <--> hostb  <-->  hostc
>>
>> Hosta and hostc are not directly connected via tinc. But both are connected
>> via hostb (I called my network tincnet). This works fine I can ssh from
>> hosta to hostc and vice versa without any problems.
>>
>> hostc is in a whitelisted iprange at some service provider.
>>
>> I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
>>
>> I added the iptables mangle rule to mark all traffic to ipaddressx at port
>> 700.
>>
>> -A OUTPUT  -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK
>> --set-mark 0x1
>>
>> I added:
>>      ip route add default via iphostc dev tincnet table hostc
>>      ip rule add from 0.0.0.0/0 fwmark 1 table hostc
> If you are running tinc in router mode (which is the default), then the
> "via iphostc" option does not have any effect. The packets will go to
> dev tincnet, but there is nothing in the header of IP packets that
> contains the address of the gateway.
>
> Also, if you are using router mode, then you must inform tinc about
> which peer to send packets with destination address ipaddressx to. So
> you can add "Subnet = ipaddressx/" to hostc's hosts/hostc. But tinc only
> routes on address, not on ports.
>
>> Now when I try this:
>>
>> traceroute -T -n ipaddressx -p 700
>>
>> The route goes via the ip of hostb and not via the ip of hostc as I would
>> have expected.
> There are two possibilities for this: one is that tinc thinks the
> packets with destination address ipaddressx should go to hostb (because
> of what is in the Subnet statements), the other is that hosta and hostc
> cannot directly communicate with each other, and traffic is routed via
> hostb, and you have Forwarding = kernel in your tinc.conf. The latter
> will force the packets to be sent to the tun interface on hostb, and if
> you don't have any rules on hostb to send packets for ipaddressx port
> 700 to hostc, they will not be forwarded the way you want.
>
>> A weird thing is when I try the add route with any ip in the tincnet subnet
>> the route gets added even if that ip is not in use and all traffic still
>> goes via the ip of hostb.
>> ie: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table
>> hostc
> Again, in router mode, the "via ..." option has no effect at all.
>
>> Is it tincd at hostb that intercepts the traffic actually meant for hostc
>> and thinks it's meant for hostb and rewrites stuff automatically?  Or am I
>> missing something in the ip route / ip rules part?
> Tinc itself does not rewrite anything.
>
>> But I really would like to understand how to do this via mangle/fwmark and
>> ip route  / ip rule way.
> It would help if you could show us your tinc.conf from hostb, and all
> hosts/* files, so we can check how you configured tinc exactly.
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

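Why the traffic leaves via hostb: in router mode tinc picks the peer whose Subnet statement most specifically covers the destination address, so with only `Subnet = 0.0.0.0/0` at hostb every address not listed elsewhere goes there, and a `/32` for ipaddressx at hostc overrides it. The model below is an added illustration, not tinc's own code; it implements longest-prefix matching only (tinc's `#weight` tie-breaking is left out), uses the Subnet lines from the hosts/* files shown above, and stands in a constructed address 203.0.113.10 for ipaddressx.

```python
import ipaddress

# Subnet statements taken from the hosts/* files at hosta above.
HOSTS_FILES = {
    "hosta": ["Subnet = 192.168.230.21/32"],
    "hostb": ["Subnet = 192.168.230.1/32", "Subnet = 0.0.0.0/0"],
    "hostc": ["Subnet = 192.168.230.160/32", "Subnet = 10.100.1.241/32"],
}


def parse_subnets(hosts_files):
    """Collect (network, node) pairs from Subnet lines; other keys are ignored."""
    table = []
    for node, lines in hosts_files.items():
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower() != "subnet":
                continue
            table.append((ipaddress.ip_network(value.strip(), strict=False), node))
    return table


def lookup(table, dst):
    """Router-mode style lookup: the most specific (longest prefix) Subnet wins.

    Returns the node name, or None if no Subnet covers dst. Note that the
    'via' gateway of an ip route never enters this decision: tinc only sees
    the destination address of the packet read from the tun device.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, node in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, node)
    return best[1] if best else None


def route_for(hosts_files, dst):
    return lookup(parse_subnets(hosts_files), dst)


if __name__ == "__main__":
    ipaddressx = "203.0.113.10"  # constructed stand-in for ipaddressx
    print(route_for(HOSTS_FILES, ipaddressx))  # hostb: only 0.0.0.0/0 matches
    # Adding the /32 to hostc's hosts file (as Hans did) makes hostc win.
    fixed = dict(HOSTS_FILES)
    fixed["hostc"] = HOSTS_FILES["hostc"] + [f"Subnet = {ipaddressx}/32"]
    print(route_for(fixed, ipaddressx))  # hostc: the /32 is more specific
```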
