Route certain traffic via a tinc node that is not directly connected.

Hans de Groot hansg at dandy.nl
Thu Apr 12 14:27:10 CEST 2018


Hello,

On 4/11/2018 9:20 PM, Etienne Dechamps wrote:
>
> No, the "via" option doesn't have any effect, because it only has 
> effect at layer 2, e.g. on an Ethernet network. tinc running in router 
> mode is a layer 3 (IP) network, not a layer 2 (Ethernet) network.
>
> When you use that option on a layer 2 network such as Ethernet, the 
> "via" option determines which layer 2 host (i.e. which MAC address, 
> after ARP resolution) the packet will go to. In "router mode" tinc 
> there are no MAC addresses, and tinc decides where to send packets 
> based on destination IP address, not the kernel.

Thank you for that info. I did not realize the part about the MAC 
address when using system/kernel routing. That makes a lot of sense. It 
explains other issues I had in the past with (for me) unexpected 
behaviour of tinc.

>     So is there a way to send packets to a specific gateway ip using
>     ip route?
>
>
> If you change the tinc mode to "switch", then your tinc VPN will 
> behave just like a physical Ethernet network, and the "via" option 
> will work just like it does on a real network. But note that setting 
> that option comes with a long list of consequences and is quite a 
> radical, breaking change. (Also keep in mind that all nodes on your 
> network need to use the same mode.)

No. I really do not want to use tinc in switch mode.

> An alternative solution to your problem, besides going one layer down, 
> would be to go one layer up: you could set up a "tunnel within the 
> tunnel", i.e. hosta could establish a tunnel to hostc *on top of* the 
> tinc VPN. Then, if you want certain packets to go through hostc, you 
> can just send them through that tunnel and you're done. I am actually 
> using such a solution for a special purpose on my own tinc network 
> right now. The simplest solution for the tunnel is to use IP/IP, which 
> has minimal overhead and is easy to understand and troubleshoot. I 
> contributed some code to tinc that provides better support for that 
> use case: https://github.com/gsliepen/tinc/pull/166
Thanks for that suggestion.

I am using the ip/ip tunnel over tinc construction now and it works like 
a charm. Very easy to implement too.

Thank you all for helping me out and making me understand tinc a little 
better.

Regards

Hans
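
The "tunnel within the tunnel" setup discussed in this message, sketched as an added example; it is not from the original post or from the tinc project. All addresses, the destination prefix and the interface name `tinc-ipip` are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: IP/IP tunnel between hosta and hostc on top of a router-mode
# tinc VPN. Every address and the interface name are constructed placeholders.
TINC_A=10.0.0.1       # hosta's address inside the tinc VPN (assumed)
TINC_C=10.0.0.3       # hostc's address inside the tinc VPN (assumed)
TUN_A=192.168.250.1   # inner tunnel address on hosta (assumed)
TUN_C=192.168.250.2   # inner tunnel address on hostc (assumed)
DEST=198.51.100.0/24  # traffic that has to leave via hostc (assumed)
TUN_IF=tinc-ipip      # tunnel interface name (assumed)

# Dry run by default: print each command. APPLY=1 (as root) executes it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One end of the tunnel. The outer addresses are tinc VPN addresses, so the
# encapsulated packets are ordinary IP traffic that tinc routes by destination.
# $1/$2 = local/remote tinc address, $3/$4 = local/remote inner address
tunnel_end() {
    run ip tunnel add "$TUN_IF" mode ipip local "$1" remote "$2"
    run ip addr add "$3" peer "$4" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
}

setup_hosta() {
    tunnel_end "$TINC_A" "$TINC_C" "$TUN_A" "$TUN_C"
    # Send the selected traffic into the tunnel; it comes out on hostc.
    run ip route add "$DEST" dev "$TUN_IF"
}

setup_hostc() {
    tunnel_end "$TINC_C" "$TINC_A" "$TUN_C" "$TUN_A"
    # hostc forwards what arrives through the tunnel.
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    hosta) setup_hosta ;;
    hostc) setup_hostc ;;
esac
```

Hosts reached through hostc still need a return route to the inner address on hosta, or hostc has to NAT that traffic.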





