<div dir="ltr">Thanks again, Guus.<div><br></div><div>Will try your recommendations.</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jan 16, 2017 at 11:02, Guus Sliepen (&lt;<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>&gt;) wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Jan 16, 2017 at 12:29:59PM +0000, Guillermo Bisheimer wrote:<br class="gmail_msg">
<br class="gmail_msg">
> One more thing. I can run two tinc daemons, one for each group, but I still<br class="gmail_msg">
> need to communicate clients from one group to the other.<br class="gmail_msg">
><br class="gmail_msg">
> Clients from group 2 (admin group) need to reach clients from group 1<br class="gmail_msg">
> (remote server group), but clients from group 1 must not be able to reach<br class="gmail_msg">
> each other nor the server.<br class="gmail_msg">
><br class="gmail_msg">
> If I'm not using TunnelServer and Forwarding, How can I setup the routes<br class="gmail_msg">
> between the two Tinc daemons?<br class="gmail_msg">
<br class="gmail_msg">
For group 1, set TunnelServer = yes and Forwarding = off. This prevents<br class="gmail_msg">
clients from seeing and talking to each other. Also don't use<br class="gmail_msg">
DeviceType. Now that you have two VPN interfaces on the server, one for<br class="gmail_msg">
group 1 and one for group 2, you can use the routing table and/or<br class="gmail_msg">
firewall rules to control who can reach who.<br class="gmail_msg">
<br class="gmail_msg">
You still need to block traffic from the clients to the server itself.<br class="gmail_msg">
Instead of:<br class="gmail_msg">
<br class="gmail_msg">
> sudo iptables -A INPUT -s <a href="http://10.100.0.0/17" rel="noreferrer" class="gmail_msg" target="_blank">10.100.0.0/17</a> -d <a href="http://10.100.0.1/32" rel="noreferrer" class="gmail_msg" target="_blank">10.100.0.1/32</a> -j DROP<br class="gmail_msg">
<br class="gmail_msg">
Try:<br class="gmail_msg">
<br class="gmail_msg">
sudo iptables -A INPUT -i &lt;group 1 interface&gt; -j DROP<br class="gmail_msg">
<br class="gmail_msg">
This should drop all packets from the clients. Note that the INPUT chain<br class="gmail_msg">
only applies to packets destined for the server itself, packets that are<br class="gmail_msg">
to be forwarded between group 1 and 2 go via the FORWARD chain.<br class="gmail_msg">
<br class="gmail_msg">
--<br class="gmail_msg">
Met vriendelijke groet / with kind regards,<br class="gmail_msg">
     Guus Sliepen &lt;<a href="mailto:guus@tinc-vpn.org" class="gmail_msg" target="_blank">guus@tinc-vpn.org</a>&gt;<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
tinc mailing list<br class="gmail_msg">
<a href="mailto:tinc@tinc-vpn.org" class="gmail_msg" target="_blank">tinc@tinc-vpn.org</a><br class="gmail_msg">
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" class="gmail_msg" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br class="gmail_msg">
</blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><b><i><span style="font-family:arial,sans-serif;color:rgb(31,73,125)">Ing. Guillermo Bisheimer</span></i></b></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><b><span style="font-family:arial,sans-serif;color:rgb(31,73,125)">B&amp;S Sistemas de Control y Equipamientos</span></b></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(79,129,189)">Av. de los Constituyentes 1172</span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(79,129,189)">(E3116CIX) Crespo, Entre Ríos</span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="background-color:rgb(255,255,0)"><span style="font-family:arial,sans-serif;color:rgb(79,129,189)">Tel/Fax: (</span><font color="#4f81bd" face="Arial, sans-serif">0343) 407-8990 (New number)</font></span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(79,129,189)">Mobile: (0343) 154679052</span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(31,73,125)">WEB: </span><span
style="font-size:10pt;font-family:arial,sans-serif;color:rgb(31,73,125)"><a href="http://www.bys-control.com.ar/" target="_blank">www.bys-control.com.ar</a></span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(31,73,125)">e-mail: <a href="mailto:gbisheimer@bys-control.com.ar" target="_blank">gbisheimer@bys-control.com.ar</a></span></p><p style="font-family:'helvetica neue',helvetica,arial,sans-serif;line-height:19.5px;margin:0cm 0cm 0.0001pt"><span style="font-family:arial,sans-serif;color:rgb(31,73,125)">skype: guillermo.bisheimer</span></p></div></div>
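<p>The setup Guus describes in the quoted reply (two tinc daemons on the server, group 1 with TunnelServer = yes and Forwarding = off, and iptables rules on the two VPN interfaces deciding who may reach whom), as an added example that is not code from the tinc project or from either poster. The netnames <code>group1</code>/<code>group2</code>, the interface names <code>tinc_g1</code>/<code>tinc_g2</code> and the node name <code>server</code> are assumptions made for the example; substitute your own.</p>

```shell
#!/bin/sh
# Added example, not code from the tinc project or from this thread.
# Two tinc daemons run on the server: netname "group1" (remote servers, the
# TunnelServer/Forwarding=off group) and netname "group2" (admins). The
# interface and node names below are assumptions made for this example.
G1="${G1:-tinc_g1}"          # Interface = tinc_g1 in /etc/tinc/group1/tinc.conf (assumed)
G2="${G2:-tinc_g2}"          # Interface = tinc_g2 in /etc/tinc/group2/tinc.conf (assumed)
IPT="${IPT:-echo iptables}"  # dry run by default; run with "apply" (as root) to install

# Server-side tinc.conf for group 1: the tinc daemon never relays packets
# between nodes, every client talks only to the server, and the kernel sees
# the group as one interface that iptables can match on.
write_group1_conf() {
    dir="$1"
    cat > "$dir/tinc.conf" <<EOF
Name = server
Interface = $G1
TunnelServer = yes
Forwarding = off
EOF
}

# Firewall rules for the two VPN interfaces. INPUT only sees packets addressed
# to the server itself; anything crossing from one interface to the other goes
# through FORWARD, so both chains need rules.
tinc_firewall_rules() {
    # Group-1 clients get nothing from the server itself. tinc's own control
    # and data traffic arrives on the physical interface (TCP/UDP 655 by
    # default), not on $G1, so the VPN itself keeps working.
    $IPT -A INPUT -i "$G1" -j DROP

    # Replies to flows that group 2 opened towards group 1 may come back.
    $IPT -A FORWARD -i "$G1" -o "$G2" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Admins (group 2) may open connections to remote servers (group 1).
    $IPT -A FORWARD -i "$G2" -o "$G1" -j ACCEPT

    # Group 1 may not initiate anything: not towards group 2, and not towards
    # other group-1 clients either. Forwarding = off stops the tinc daemon
    # relaying between nodes, but with ip_forward=1 the kernel would still
    # route a packet that came in on $G1 back out of $G1; this rule catches it.
    $IPT -A FORWARD -i "$G1" -j DROP
}

case "${1:-print}" in
    apply) IPT=iptables; tinc_firewall_rules ;;
    *)     tinc_firewall_rules ;;
esac
```

<p>Run without arguments it only prints the four commands; <code>apply</code> installs them. The rules are appended with <code>-A</code>, so if the distribution already has an ACCEPT in FORWARD they will never be reached; check the final order with <code>iptables -S FORWARD</code> and use <code>-I</code> instead if needed. Nothing here touches INPUT for the group 2 interface, so the admins' access to the server itself stays whatever the existing policy allows.</p>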