<div dir="ltr"><div><div><div><div><div><div>Hi, <br></div>Thank you Guus,<br></div>I think the /16 solution is the easier to apply so I modified my tinc-up in host A to be like<br><br>#!/bin/sh<br>ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0<br><br></div>a route -a from HOST A shows:<br>Kernel IP routing table<br>Destination Gateway Genmask Flags Metric Ref Use Iface<br>0.0.0.0 178.62.128.1 0.0.0.0 UG 0 0 0 eth0<br>10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1<br>178.62.128.0 0.0.0.0 255.255.192.0 U 0 0 0 eth0<br>192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0<br>192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0<br>192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0<br><br></div><div>a route from HOST B shows:<br>Kernel IP routing table<br>Destination Gateway Genmask Flags Metric Ref Use Iface<br>0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0<br>192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0<br>192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0<br>192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br><br></div><div>a route from HOST C shows:<br>Kernel IP routing table<br>Destination Gateway Genmask Flags Metric Ref Use Iface<br>0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0<br>192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0<br>192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0<br></div><div><br></div>(don't mind the eth1 iface in HOST A as is something I won't use)<br><br></div>For the HOST B and C I decided to not use a VPN IP but a eth0 IP with a bigger subnet as you suggested and it worked<br><br></div><div>So at the moment their tinc-up are set up like this:<br><br></div><div>HOST A:<br>#!/bin/sh<br>ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0<br>route add -net <a href="http://192.168.1.0/24">192.168.1.0/24</a> dev $INTERFACE<br>route add -net <a href="http://192.168.2.0/24">192.168.2.0/24</a> dev $INTERFACE<br></div><div><br></div><div>HOST B:<br>#!/bin/sh<br>ifconfig $INTERFACE 192.168.2.10 netmask 255.255.0.0<br>route add -net <a href="http://192.168.1.0/24">192.168.1.0/24</a> dev $INTERFACE<br><br></div><div>HOST C:<br><br></div><div>#!/bin/sh<br>ifconfig $INTERFACE 192.168.1.101 netmask 255.255.0.0<br>route add -net <a href="http://192.168.2.0/24">192.168.2.0/24</a> dev $INTERFACE<br><br></div><div>The situation is:<br></div><div>From HOST A I can ping every IP of HOST B subnet<br></div><div>From HOST A I can ping only few IP on HOST C subnet 192.168.1.1 and 1.101 is Okay, but 1.200 is not. <br></div><div>From HOST B I can ping HOST A and HOST B<br></div><div><div>From HOST C I can ping only few IP on HOST B subnet 192.168.2.1, 2.8 and 2.10 are Okay but 2.2, 2.3 and 2.4 are not.<br><br></div><div>As you suggested I removed from every host file in every machine so it only contains its own Subnet so it's like<br></div><div>HOST B: Subnet = <a href="http://192.168.2.0/24">192.168.2.0/24</a><br></div><div>HOST C: Subnet = <a href="http://192.168.1.0/24">192.168.1.0/24</a><br><br></div><div>What am I doing wrong?<br></div><div>Thank for your tips<br><br></div><div>Marco<br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-01-23 12:00 GMT+01:00 <span dir="ltr"><<a href="mailto:tinc-request@tinc-vpn.org" target="_blank">tinc-request@tinc-vpn.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send tinc mailing list submissions to<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:tinc-request@tinc-vpn.org">tinc-request@tinc-vpn.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:tinc-owner@tinc-vpn.org">tinc-owner@tinc-vpn.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of tinc digest..."<br>
<br>Today's Topics:<br>
<br>
1. Help linking subnets (Marco Avoledo)<br>
2. Re: Help linking subnets (Guus Sliepen)<br>
<br><br>---------- Messaggio inoltrato ----------<br>From: Marco Avoledo <<a href="mailto:mavoledo@gmail.com">mavoledo@gmail.com</a>><br>To: <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>Cc: <br>Date: Thu, 22 Jan 2015 08:25:29 +0100<br>Subject: Help linking subnets<br><p dir="ltr">Hi, after trying for days I ended up with a working tinc configurazion of 2 subnets, now my goal is to add 2 more subnets and comunicate.<br>
I might seem dumb at this point but honestly I don't work in IT or Networking stuff, and so I dont have that deep knowledge.<br>
A little explanation of my configuration is</p>
<p dir="ltr">HOST A (VPN server)<br>
Public IP: 1.2.3.4<br>
tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
tun0 IP = 192.168.10.1</p>
<p dir="ltr">HOST B (VPN Client configured in a Raspberry Pi)<br>
eth0 NET = 192.168.2.10 255.255.255.0 gw 192.168.2.1<br>
tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
tun0 Subnet = <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a></p>
<p dir="ltr">HOST C (VPN Client configured in a Raspberry Pi)<br>
eth0 NET = 192.168.1.101 255.255.255.0 gw 192.168.1.1<br>
tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
tun0 Subnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></p>
<p dir="ltr">HOST D (VPN Client configured in Android device, just accessing VPN Network)<br></p>
<p dir="ltr">Every Host have its own tinc-up set up like:</p>
<p dir="ltr">HOST A: <br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.1 netmask 255.255.255.0<br>
route add -net <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> dev $INTERFACE<br>
route add -net <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> dev $INTERFACE<br>
route add -net <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dev $INTERFACE</p>
<p dir="ltr">HOST B:<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0</p>
<p dir="ltr">HOST C:<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.3 netmask 255.255.255.0</p>
<p dir="ltr">HOST D:<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.4 netmask 255.255.255.0<br></p>
<p dir="ltr">Every Host have its own tinc.conf set up to connect to HOST A (Except for HOST A itself obviously) VPN is using router mode.<br>
Every Host have each other's host file in proper directory, containing PUB KEY + VPN SUBNET + HOST SUBNET</p>
<p dir="ltr">For HOST A:<br>
Address = XXXX.XXXXX.XX<br>
Subnet = <a href="http://192.168.10.1/32" target="_blank">192.168.10.1/32</a></p>
<p dir="ltr">For HOST B:<br>
Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
Subnet = <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a></p>
<p dir="ltr">For HOST C:<br>
Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
Subnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></p>
<p dir="ltr">For HOST D:<br>
Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a></p>
<p dir="ltr">Every file is exactly the same on every HOST.</p>
<p dir="ltr">There are no problems when connecting, every host can connect to the server (HOST A) fine.<br>
>From HOST A I can ping Host A / Host B<br>
>From HOST B I can ping HOST A / Host B<br>
>From HOST C I can only ping myself<br>
>From HOST D I can only ping myself</p>
<p dir="ltr">After trying a lot of net add net remove and reading tons of replies to numerous questions online, after asking to irc I initially managed to work with 2 subnet seeing each others, but adding this two more definitely ruined the work.</p>
<p dir="ltr">My question is: what do I need to add in every conf/tinc-up file in order to let HOST A Access every single machine in every Subnet 192.168.1.* 192.168.2.* 192.168.3.* and eventually visa versa, what to add to every HOST B/C/D to be able to directly access every machine in every subnet as above.</p>
<p dir="ltr">HOST A route<br>
Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>
default 178.62.128.1 0.0.0.0 UG 0 0 0 eth0<br>
178.62.128.0 * 255.255.192.0 U 0 0 0 eth0<br>
192.168.1.0 * 255.255.255.0 U 0 0 0 tun0<br>
192.168.2.0 * 255.255.255.0 U 0 0 0 tun0<br>
192.168.3.0 * 255.255.255.0 U 0 0 0 tun0<br>
192.168.10.0 * 255.255.255.0 U 0 0 0 tun0</p>
<p dir="ltr">HOST B route<br>
Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0<br>
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0</p>
<p dir="ltr">HOST C route<br>
Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0<br>
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0</p>
<p dir="ltr">My bad I'm not that handy with networking stuff.<br>
Any hint is appreciated.<br>
Thanks in advance</p>
<p dir="ltr"><font color="#888888">Marco</font><br></p>
<br><br>---------- Messaggio inoltrato ----------<br>From: Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>To: <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>Cc: <br>Date: Thu, 22 Jan 2015 20:10:49 +0100<br>Subject: Re: Help linking subnets<br>On Thu, Jan 22, 2015 at 08:25:29AM +0100, Marco Avoledo wrote:<br>
<br>
> Hi, after trying for days I ended up with a working tinc configurazion of 2<br>
> subnets, now my goal is to add 2 more subnets and comunicate.<br>
[...]<br>
> HOST A (VPN server)<br>
> tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
> tun0 IP = 192.168.10.1<br>
<br>
Ok, this is fine.<br>
<br>
> HOST B (VPN Client configured in a Raspberry Pi)<br>
> eth0 NET = 192.168.2.10 255.255.255.0 gw 192.168.2.1<br>
> tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
> tun0 Subnet = <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
<br>
Ok, the problem here is the two Subnets. With a Subnet statement, you<br>
tell tinc which VPN address range(s) belong to this specific node. It<br>
looks like this node's range is just <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>. So only put that<br>
Subnet in hosts/B.<br>
<br>
> HOST C (VPN Client configured in a Raspberry Pi)<br>
> eth0 NET = 192.168.1.101 255.255.255.0 gw 192.168.1.1<br>
> tun0 Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
> tun0 Subnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>
<br>
The same here.<br>
<br>
> Every Host have its own tinc-up set up like:<br>
><br>
> HOST A:<br>
> #!/bin/sh<br>
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.255.0<br>
> route add -net <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> dev $INTERFACE<br>
> route add -net <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> dev $INTERFACE<br>
> route add -net <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dev $INTERFACE<br>
<br>
This can work, but if you add a node you have to change your tinc-up<br>
script as well. There are two ways other ways to do this. The simplest<br>
way is to just use a /16 netmask on the VPN interface:<br>
<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0<br>
<br>
This will also route traffic for <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> and so on to the VPN<br>
interface. If you don't want this for some reason, you can also create a<br>
subnet-up script in the same directory as tinc-up:<br>
<br>
#!/bin/sh<br>
route add -net $SUBNET dev $INTERFACE<br>
<br>
Whenever anothet node goes online, this script will be called for each<br>
of its Subnets and a corresponding route will be added.<br>
<br>
> HOST B:<br>
> #!/bin/sh<br>
> ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0<br>
<br>
The problem here is that it is lacking a route for the other subnets,<br>
and you giving this node's VPN interface an address from host A's<br>
Subnet. You can reuse the address you already have from the<br>
<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> Subnet on your VPN interface, if you give it a larger<br>
netmask than the one on eth0. So I recommend you change this script to:<br>
<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.2.10 netmask 255.255.255.0<br>
<br>
> HOST C:<br>
> #!/bin/sh<br>
> ifconfig $INTERFACE 192.168.10.3 netmask 255.255.255.0<br>
><br>
> HOST D:<br>
> #!/bin/sh<br>
> ifconfig $INTERFACE 192.168.10.4 netmask 255.255.255.0<br>
<br>
The same goes for these nodes.<br>
<br>
> Every Host have its own tinc.conf set up to connect to HOST A (Except for<br>
> HOST A itself obviously) VPN is using router mode.<br>
> Every Host have each other's host file in proper directory, containing PUB<br>
> KEY + VPN SUBNET + HOST SUBNET<br>
<br>
That's great.<br>
<br>
> For HOST A:<br>
> Address = XXXX.XXXXX.XX<br>
> Subnet = <a href="http://192.168.10.1/32" target="_blank">192.168.10.1/32</a><br>
<br>
Using a /32 is fine here.<br>
<br>
> For HOST B:<br>
> Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
> Subnet = <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
<br>
I'd remove the Subnet = <a href="http://192.168.10./24" target="_blank">192.168.10./24</a> line and use the script<br>
suggested above. If you really want to give this node's VPN interface an<br>
address from the <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> range, then change the Subnets to:<br>
<br>
Subnet = <a href="http://192.168.10.2/32" target="_blank">192.168.10.2/32</a><br>
Subnet = <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
<br>
And the tinc-up script to:<br>
<br>
#!/bin/sh<br>
ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0<br>
route add -net <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> dev $INTERFACE<br>
route add -net <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dev $INTERFACE<br>
<br>
Note that I don't add <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> here. If you want to use a<br>
subnet-up script in stead of these route add commands in tinc-up, then<br>
it should be:<br>
<br>
#!/bin/sh<br>
[ "$NODE" != "$NAME" ] && route add -net $SUBNET dev $INTERFACE<br>
<br>
> For HOST C:<br>
> Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
> Subnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>
<br>
The same for this nodes.<br>
<br>
> For HOST D:<br>
> Subnet = <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
<br>
This should then be Subnet = <a href="http://192.168.10.4/32" target="_blank">192.168.10.4/32</a>.<br>
<br>
To recap, make sure that the routing table is such that all packets for<br>
VPN addresses go to dev $INTERFACE. That means tinc will get them. But<br>
then tinc needs to figure out which node to send them to. It uses the<br>
Subnet statements to figure that out. So don't give two or more nodes<br>
exactly the same Subnet, otherwise tinc does not know which to send it<br>
to.<br>
<br>
Let us know if this helps.<br>
<br>
--<br>
Met vriendelijke groet / with kind regards,<br>
Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>
<br>_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br></blockquote></div><br></div>