Help on a NAT to NAT solution - tinc servers won't ping remote clients

John Radley (yahoo) jradxl at yahoo.com
Sat Mar 31 14:00:57 CEST 2018


I have a three tinc server setup, similar to "4.3 How Connections Work", using the configuration mostly like http://ostolc.org/site-to-site-vpn-with-tinc.html

The clients (Ubuntus, Debians and Windows 10s) can all ping (and SSH) to each other remotely.
As far as that is concerned it's working great - thanks so much for some great software.

However, on each of the Tinc servers (A and C) neither of them can ping other remote clients.
Of course, A and C can ping each other.
If I use tcpdump -nni tun0 icmp I can see the echo packets leave the server, and on a remote client see the request received and the reply sent.
However the server never gets the reply. It seems that on each server there is no internal routing between enp1s0 and tun0 for IPs that are not server IPs.
I guess I can live with such a limitation, but would still like to know why!!
Here's Server A config. Of course it's symmetrical so the other two will be similar.
B is a DigitalOcean Droplet
TINC.CONF
Name = A
AddressFamily = ipv4
ConnectTo = B
Device = /dev/net/tun
LocalDiscovery = yes

TINC-UP
ip link set $INTERFACE up
ip addr add 192.168.20.3/24 dev $INTERFACE
route add -net 192.168.14.0/24 gw 192.168.20.3
route add -net 192.168.6.0/24  gw 192.168.4.99
HOST A
Address = A.dyndns.org
Port = 655
## Subnet on the virtual private network that is local for this host.
Subnet = 192.168.4.0/24
Subnet = 192.168.6.0/24
Subnet = 192.168.20.3/32
# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

ROUTE TABLE on A
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.4.1     0.0.0.0         UG    100    0        0 enp1s0
link-local      *               255.255.0.0     U     1000   0        0 enp1s0
192.168.4.0     *               255.255.255.0   U     100    0        0 enp1s0
192.168.6.0     192.168.4.99    255.255.255.0   UG    0      0        0 enp1s0
192.168.14.0    192.168.20.3    255.255.255.0   UG    0      0        0 tun0
192.168.20.0    *               255.255.255.0   U     0      0        0 tun0

The Net, 192.168.20.0 is one for TINC itself, where 192.168.20.3 is A, 192.168.20.2 is B and 192.168.20.1 is C
And I explicitly static route to it. (Doing it the way shown in other examples has the same issue.)
Net 192.168.14.0 is the C local network.
Net 192.168.4.0 is the A local network (Net 192.168.6.0 is via another router with WAN IP of 192.168.4.99).
IP of A is 192.168.4.30, IP of C is 192.168.14.20
Only thing wrong is, for example:
On A, ping 192.168.14.60 does not work
On C, ping 192.168.4.26 does not work
But on clients 192.168.14.60 and 192.168.4.26 can ping each other.

All firewalls are off, and iptables flushed

Very puzzling!!
John
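Editor's added example (not part of John's post and not tinc's own code): a small longest-prefix-match routing simulator that traces the echo request and the echo reply through routing tables, to show one thing worth checking in this setup. Server A's routes and addresses are copied from the route table in the post; the two client tables are assumptions (the post does not show them): each client is assumed to use its LAN router as default gateway and to reach the other site's LAN via its local tinc server. The point it illustrates is that a ping started on A with a route "192.168.14.0/24 gw 192.168.20.3 dev tun0" normally leaves with source address 192.168.20.3 (the tun0 address), so the remote client needs a route for 192.168.20.0/24 pointing at its tinc server for the reply to come back through tinc; a client on A's LAN pings with its LAN address instead, which the remote client already routes via C. Whether that is the cause here can be checked with tcpdump (look at the source address of the request) and "ip route get 192.168.20.3" on the remote client.

```python
"""Added example: trace ICMP echo request/reply through Linux-style routing
tables with longest-prefix match.  Server A's table is from the post; the
client tables below are ASSUMED and are not shown in the original message."""
import ipaddress


def make_table(entries):
    """Build a table from (prefix, gateway-or-None, interface) strings."""
    return [(ipaddress.ip_network(p),
             ipaddress.ip_address(g) if g else None, i) for p, g, i in entries]


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, iface)
    return best


def preferred_source(host, dst):
    """Linux uses the primary address of the egress interface unless the route
    carries an explicit 'src' (none of the routes in the post do)."""
    route = lookup(host["routes"], dst)
    return host["addrs"][route[2]] if route else None


def next_hop(host, dst):
    """(next-hop IP, iface): the gateway, or dst itself when on-link."""
    route = lookup(host["routes"], dst)
    if route is None:
        return None, None
    prefix, gw, iface = route
    return (str(gw) if gw is not None else str(dst)), iface


def with_route(host, prefix, gw, iface):
    """Copy of host with one extra route (models an 'ip route add')."""
    return {"addrs": dict(host["addrs"]),
            "routes": host["routes"] + make_table([(prefix, gw, iface)])}


def trace_ping(src_host, dst_host, dst_ip, reply_gateway, src_ip=None):
    """Simulate one echo request and its reply.  src_ip overrides the kernel's
    source choice (like 'ping -I').  Returns (request source, reply next hop,
    reply_goes_via_tinc_server)."""
    src_ip = src_ip or preferred_source(src_host, dst_ip)
    reply_hop, _ = next_hop(dst_host, src_ip)
    return src_ip, reply_hop, reply_hop == reply_gateway


# Server A: routes and addresses as given in the post ("ROUTE TABLE on A").
SERVER_A = {
    "addrs": {"enp1s0": "192.168.4.30", "tun0": "192.168.20.3"},
    "routes": make_table([
        ("0.0.0.0/0",       "192.168.4.1",  "enp1s0"),
        ("169.254.0.0/16",  None,           "enp1s0"),
        ("192.168.4.0/24",  None,           "enp1s0"),
        ("192.168.6.0/24",  "192.168.4.99", "enp1s0"),
        ("192.168.14.0/24", "192.168.20.3", "tun0"),
        ("192.168.20.0/24", None,           "tun0"),
    ]),
}

# ASSUMED client on C's LAN: LAN router as default, A's LAN via C (192.168.14.20).
CLIENT_14_60 = {
    "addrs": {"eth0": "192.168.14.60"},
    "routes": make_table([
        ("0.0.0.0/0",       "192.168.14.1",  "eth0"),   # assumed LAN router
        ("192.168.14.0/24", None,            "eth0"),
        ("192.168.4.0/24",  "192.168.14.20", "eth0"),   # via tinc server C
    ]),
}

# ASSUMED client on A's LAN: LAN router as default, C's LAN via A (192.168.4.30).
CLIENT_4_26 = {
    "addrs": {"eth0": "192.168.4.26"},
    "routes": make_table([
        ("0.0.0.0/0",       "192.168.4.1",  "eth0"),    # assumed LAN router
        ("192.168.4.0/24",  None,           "eth0"),
        ("192.168.14.0/24", "192.168.4.30", "eth0"),    # via tinc server A
    ]),
}

if __name__ == "__main__":
    C = "192.168.14.20"   # tinc server C's LAN address (from the post)
    # From A: request leaves as 192.168.20.3, reply heads for the LAN router.
    print(trace_ping(SERVER_A, CLIENT_14_60, "192.168.14.60", C))
    # From a client on A's LAN: reply to 192.168.4.26 is routed via C.
    print(trace_ping(CLIENT_4_26, CLIENT_14_60, "192.168.14.60", C))
    # From A with the LAN address forced as source (ping -I 192.168.4.30).
    print(trace_ping(SERVER_A, CLIENT_14_60, "192.168.14.60", C, src_ip="192.168.4.30"))
    # Or give the client a route for the tinc transit net via C.
    print(trace_ping(SERVER_A, with_route(CLIENT_14_60, "192.168.20.0/24", C, "eth0"),
                     "192.168.14.60", C))
```

The simulator only models kernel routing on the endpoints, not tinc's own Subnet-based forwarding; it is meant to show where to look, not to prove the cause.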
