For layer 3 routing this is all true.<br><br>For later 2 switching this isn't the case. With Tinc mode is set to switch, both sides sharing the same subnet, and the Tinc endpoints act similarly to a bridge, all nodes within the subnet on both sides of the VPN will effectively see each other as peers on the same LAN. No new routes are required. There is no special VPN subnet, there is no special network configuration on any devices unless you consider the bridge configuration on the Tinc nodes to be special.<br>
<br>Either way works for connectivity, but I think Andrew is looking for the layer 2 solution.<br><br><br><div class="gmail_quote">On Wed, Oct 6, 2010 at 6:52 PM, Alan S. Lawee <span dir="ltr"><<a href="mailto:info@polygration.com">info@polygration.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="white" link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">In order for you to configure this, you have to set up explicit
routes, and the computers in each location that are hosting the tinc
application must be able to route packets.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">A little more explanation is in order. As you are referring to
the nodes as PC’s, I am assuming that you are using the MsWindows
operating system. Some versions (e.g. Windows 2000) are able to function as
routers out of the box, others cannot function as routers, and yet others
require some advanced configuration. (Linux or other x-based systems can all
function as routers).</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Computers on LAN A are configured to use the broadband router as
a default gateway in order to access the Internet. However, in order to
accomplish the configuration you are looking for, you will have to set up a
manual route on each of the computers on LAN A which will instruct them to go
to the computer running tinc in order to reach the nodes on LAN B. The reverse
will be true for the computers on LAN B.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Your IDEA1 will not work because the subnet masks do not define
distinct networks. IDEA2 has the same problem because the tinc subnet is not
distinct from the other 2.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">So, to follow your example IDEA2, we have in household A, LAN A:
10.30.1.x and 3 PC’s: PC-A.11, PC-A.12 & PC-A.13, plus a router: R-A.1;
in household B, LAN B: 10.30.2.x, we have a similar configuration, PC-B.11, PC-B.12,
PC-B.13 and R-B.1; the tinc application is hosted on each of PC-A.11 and PC-B.11
and will use the subnet 10.30.3.x.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">As an example, the IP configurations are as follows:</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">PC-A.11: Default Gateway <a href="http://10.30.1.1/255.255.255.0" target="_blank">10.30.1.1/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.1.11/255.255.255.0" target="_blank">10.30.1.11/255.255.255.0</a> on physical network interface</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.3.1/255.255.255.0" target="_blank">10.30.3.1/255.255.255.0</a> on virtual tinc interface</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> Manual entry in
routing table to <a href="http://10.30.2.0/255.255.255.0" target="_blank">10.30.2.0/255.255.255.0</a> via 10.30.3.2</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">PC-A.12, PC-A.13: Default Gateway <a href="http://10.30.1.1/255.255.255.0" target="_blank">10.30.1.1/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.1.12/255.255.255.0" target="_blank">10.30.1.12/255.255.255.0</a> and <a href="http://10.30.1.13/255.255.255.0" target="_blank">10.30.1.13/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> Manual entry in
routing table to <a href="http://10.30.2.0/255.255.255.0" target="_blank">10.30.2.0/255.255.255.0</a> via 10.30.1.11</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">PC-B.11: Default Gateway <a href="http://10.30.2.1/255.255.255.0" target="_blank">10.30.2.1/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.2.11/255.255.255.0" target="_blank">10.30.2.11/255.255.255.0</a> on physical network interface</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.3.2/255.255.255.0" target="_blank">10.30.3.2/255.255.255.0</a> on virtual tinc interface</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> Manual entry in
routing table to <a href="http://10.30.1.0/255.255.255.0" target="_blank">10.30.1.0/255.255.255.0</a> via 10.30.3.1</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">PC-B.12, PC-B.13: Default Gateway <a href="http://10.30.2.1/255.255.255.0" target="_blank">10.30.2.1/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> IP Address
<a href="http://10.30.2.12/255.255.255.0" target="_blank">10.30.2.12/255.255.255.0</a> and <a href="http://10.30.2.13/255.255.255.0" target="_blank">10.30.2.13/255.255.255.0</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> Manual entry in
routing table to <a href="http://10.30.1.0/255.255.255.0" target="_blank">10.30.1.0/255.255.255.0</a> via 10.30.2.11</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Now every PC knows where to send packets destined for both the
Internet and the other household. The PC’s hosting tinc are acting as
the virtual routers between the two sites. Note once again that various
versions of Windows have this routing function disabled.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Hope this helps you,</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Alan</span></p>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt; color: windowtext;">From:</span></b><span style="font-size: 10pt; color: windowtext;"> <a href="mailto:tinc-bounces@tinc-vpn.org" target="_blank">tinc-bounces@tinc-vpn.org</a>
[mailto:<a href="mailto:tinc-bounces@tinc-vpn.org" target="_blank">tinc-bounces@tinc-vpn.org</a>] <b>On Behalf Of </b>Andrew Savinykh<br>
<b>Sent:</b> Wednesday, October 06, 2010 18:17<br>
<b>To:</b> <a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<b>Subject:</b> Re: Windows subnets</span></p>
</div>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal">Donald,<br>
<br>
thank you, while I still have some questions, your answer is definitely a step
in the right direction.<br>
In the other reply I was asked what I'm trying to achieve. Let's consider the
following scenario (which is quite similar to the one that described in the
tinc manual).<br>
<br>
Let's assume we have two households, each has 3-5 computers in it. Both
house holds have similar network configuration:<br>
They are connected to internet with an ADSL line and a router.<br>
The computers in the local network access internet via the router.<br>
The router is configured so that one of the computers have port 665 forwarded
to be accessible outside.<br>
The external IP is changed rarely and there is dynamic DNS service (external)
in use to accommodate for the change of IP when it happens.<br>
<br>
One household has local network addresses of 192.168.1.* and the other has
10.1.1.*<br>
I'm installing tinc on one computer in each household. <br>
<br>
The goal is to let all computers in both house holds to see each other by ip
address. Also it is desired that for computer games purposes<br>
all computers appear to be on the same LAN (for broadcasts). But this is not
mandatory. (it appears that it's not possible without installing tinc on every
PC <br>
as every tinc daemon serves a subnet and two tinc daemons can't serve a part of
subnet each)<br>
<br>
All computers run different flavours of Windows, most being Windows 7.<br>
<br>
I have two ideas how to set this up, although I'm not sure if any of these two
works:<br>
<br>
IDEA1.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2,3,4 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Deafult Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a href="http://10.30.0.0/25" target="_blank">10.30.0.0/25</a><br>
<br>
Household B<br>
Gateway IP: 10.30.0.129<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.130,131,132 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.129<br>
<br>
Tinc Subnet: <a href="http://10.30.0.128/25" target="_blank">10.30.0.128/25</a><br>
<br>
<br>
IDEA2.<br>
=====<br>
Household A<br>
Gatway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a href="http://10.30.0.0/24" target="_blank">10.30.0.0/24</a><br>
<br>
Household B<br>
Gateway IP: 10.30.1.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.1.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.129<br>
<br>
Tinc Subnet: <a href="http://10.30.1.0/24" target="_blank">10.30.1.0/24</a><br>
<br>
<br>
So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the pc's won't
appear on the same LAN and their broadcasts won't reach each other.<br>
As far as I understand I need to install TAP interface on each of the
participating windows PCs, correct?<br>
What is specified in default gateway of the gateways?<br>
<br>
<br>
Thank you in advance,<br>
Andrew<br>
<br>
On 7/10/2010 4:36 a.m., Donald Pearson wrote: </p>
<p class="MsoNormal">The PCs that you want to participate need to have a route
for the VPN subnet pointing to their local VPN gateway, which would be the
local device with Tinc installed on it. </p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Theoretical configuration example.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">VPN subnet is <a href="http://10.10.10.0/24" target="_blank">10.10.10.0/24</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">At a location, one computer <a href="http://192.168.1.254/24" target="_blank">192.168.1.254/24</a>
connects to the VPN and serves as the VPN gateway. This gateway needs to
be configured for TCP/IP forwarding.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><a href="http://support.microsoft.com/kb/315236" target="_blank">http://support.microsoft.com/kb/315236</a> -
windows</p>
</div>
<div>
<p class="MsoNormal"><a href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/" target="_blank">http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/</a> -
linux</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Other computers local to the gateway need a route to the VPN
network added so they know how to get there.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">In windows. route -p add 10.10.10.0 mask
255.255.255.0 192.168.1.254</p>
</div>
<div>
<p class="MsoNormal">This will add the persistent route that remains after
reboot.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Does that answer your question?</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh <<a href="mailto:andrews@brutsoft.com" target="_blank">andrews@brutsoft.com</a>> wrote:</p>
<div>
<p class="MsoNormal">Thank you for your reply. As far as I can see there is no
point specifying subnet that consists of more than one PC in tinc config if you
are going to install tinc on every PC in the subnet anyway. Correct me if I'm
wrong.<br>
Now, assuming I'm right, there will be PCs in the subnet that don't have tinc
installed on them. How to configure these PCs so they are a part of the subnet
and participate in routing?<br>
<br>
Cheers,<br>
Andrew </p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote: </p>
</div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<div>
<div>
<p class="MsoNormal">Hi,<br>
<br>
I am not sure to understand what you mean with "joining" a subnet.<br>
<br>
But if your "local computer" need to reach the "remote
subnet" served by tinc, you can set the local IP of the local tinc server
as the default gateway, or add a route to the remote subnet via the local tinc
IP. Of course, computer located on the remote subnet need the same thing.<br>
<br>
Cédric<br>
<br>
Le 06/10/10 09:37, Andrew Savinykh a écrit : </p>
<p class="MsoNormal"> Hello all, <br>
<br>
I understand that each tinc daemon corresponds to one or more subnets that it
"owns" a subnet can be a single ip or more. <br>
Could you please tell me what do I need to do to join a computer in local
network (windows) to a subnet served by tinc? <br>
<br>
Thank you in advance, <br>
Andrew <br>
<br>
_______________________________________________ <br>
tinc mailing list <br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a> <br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a>
</p>
<p class="MsoNormal" style="margin-bottom: 12pt;"> </p>
<div>
<p class="MsoNormal">-- </p>
<p style="margin-bottom: 0.0001pt;"><b><span style="font-size: 10pt;">Cédric
Lemarchand – iXSea SAS</span></b></p>
<p style="margin-bottom: 0.0001pt;"><span style="font-size: 10pt;">Administrateur
Système & Réseaux</span></p>
<p style="margin-bottom: 0.0001pt;"><span style="font-size: 10pt; color: rgb(35, 35, 220);"><a href="http://www.ixsea.com/" target="_blank">http://www.ixsea.com/</a> - <a href="mailto:cedric.lemarchand@ixsea.com" target="_blank"><cedric.lemarchand@ixsea.com></a></span></p>
<p style="margin-bottom: 0.0001pt;"><span style="font-size: 10pt;">Tel: +33 1 30 08 8888
– GSM: +33 6 37 23 40 93</span></p>
</div>
</div>
</div>
<pre> </pre><pre>_______________________________________________</pre><pre>tinc mailing list</pre>
<div><pre><a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a></pre><pre><a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a></pre>
</div>
</blockquote>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><br>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
<pre> </pre><pre> </pre><pre>_______________________________________________</pre><pre>tinc mailing list</pre><pre><a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a></pre><pre><a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a></pre>
<p class="MsoNormal"> </p>
</div></div></div>
</div>
<br>_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br></blockquote></div><br>