<div dir="ltr"><div>Thank you for taking the time to respond to my email. As of now, it is all working. I have cleaned up my host files and configuration files as well. I did have one side to route through the box. Add the rules on the other side made it work like a charm. <br></div><div><br></div><div>Aloha!</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jan 11, 2019 at 2:27 PM Naemr . <<a href="mailto:naemrr@gmail.com">naemrr@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="auto"><div>Try removing all MTU related settings from both sides. Allow tinc to learn on its own.</div><div><br></div><div>"
PMTU = 1436<br>ClampMSS = yes<br>PMTUDiscovery = yes"</div><div><br></div><div>in the config, "
Address Family = ipv4" is likely not necessary, i would recommend removing it.</div><div><br></div><div>"
Device = /dev/net/tun" should not be used, unless tinc is having issues locating the tun device.</div><div>however</div><div>" DeviceType = tun"</div><div>should be added, especialy as you have not declared an interface in the config</div><div>eg: "Interface = tun6"<br></div><div> <br></div><div><br></div><div dir="auto"><br></div><div dir="auto">Also <span style="font-family:sans-serif">Subnet = 192.168.0.10</span></div><div dir="auto"><font face="sans-serif">Is incomplete</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><span style="font-family:sans-serif">Subnet = <a href="http://192.168.0.10/32" target="_blank">192.168.0.10/32</a></span><br></div><div dir="auto"><span style="font-family:sans-serif"><br></span></div><div dir="auto"><font face="sans-serif">Same for the .15 host</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div><font face="sans-serif">A working setup of mine:</font></div><div><font face="sans-serif">tinc.conf;</font></div><div><font face="sans-serif">Name = ov1thaboxnet<br>port = 655<br>Interface = tun6<br>DeviceType = tun<br>ConnectTo = ov2thaboxnet<br>Compression = 10<br></font></div><div><font face="sans-serif"><br></font></div><div><font face="sans-serif">
<font face="sans-serif">ov1thaboxnet </font>host file;</font></div><div><font face="sans-serif">Address = xxx.xxx.xxx.xxx 655<br>Subnet = <a href="http://192.168.66.1/32" target="_blank">192.168.66.1/32</a><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div><font face="sans-serif">tinc.conf;</font></div><div><font face="sans-serif">Name = ov2thaboxnet<br>port = 655<br>
<font face="sans-serif">Interface = tun6<br>DeviceType = tun</font><br>Compression = 10<br><br></font></div><div dir="auto"><font face="sans-serif">
<font face="sans-serif">ov2thaboxnet</font> host file;</font></div><div dir="auto"><font face="sans-serif">Address = 107.161.30.244 655<br>Address = 107.161.30.244 443<br>Subnet = <a href="http://192.168.66.2/32" target="_blank">192.168.66.2/32</a><br></font></div><div dir="auto"><font face="sans-serif">
<font face="sans-serif">Subnet = <a href="http://10.111.42.0/24" target="_blank">10.111.42.0/24</a></font>
</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">IP forwarding must be enabled as well</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">sysctl -w net.ipv4.ip_forward=1</font></div><div dir="auto"><font face="sans-serif">echo 1 > /proc/sys/net/ipv4/ip_forward<br><br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">As it appears the tinc boxes are not the gateway machines for ether lan you may also need to nat lan traffic</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">iptables -A FORWARD -i
$INTERFACE
-j ACCEPT<br></font></div><div dir="auto"><font face="sans-serif">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br></font></div><div dir="auto"><font face="sans-serif">iptables -t nat -A POSTROUTING -o
eth0
-j MASQUERADE<br></font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><br></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><div class="gmail_quote" dir="auto"><div dir="ltr">On Fri, Jan 11, 2019, 3:46 PM Aaron Savage <<a href="mailto:radiosavagelists@gmail.com" target="_blank">radiosavagelists@gmail.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Aloha!</div><div><br></div><div>I am new to tinc and I like to figure out my own issues before asking but I am not sure of my next step here. I am not sure if the problem is the VPN configuration or in my network. I will try to be as through as possible.</div><div><br></div><div>I have two computers that are CentOS with the latest tinc from their respective repositories.</div><div><br></div><div>Server A is behind a Sophos XG and Server B is behind a Ubiquiti Edge Router that I have no control over (Borrowing internet from colleague at remote site). I have the 655 port UDP/TCP open and mapped to Server A. I have added static rules for devices on the Server A network to talk to the devices on the Server B network. I can ping server to server with the tinc addresses. Server A 192.168.0.10 (tinc) 10.75.70.51 (eth0). Server B 192.168.0.15(tinc) 192.168.1.10 (eth0). I can also ping devices on the 10.75.70.0 network from Server B. I can ping from the Sophos XG and a Windows Server @ 10.75.70.50 as well to Server B at 192.168.0.15 and 192.168.10. I can also ping the device @ 192.168.1.15 which is on the network eth0 of Server B. So it seems the VPN connects and I can ping across all the devices. The problem is when I try to open a webpage across the vpn. It seem it will only let me open the webpage on 10.75.70.51(Server A) from Server B. I can also ssh to from Server B to Server A so I know that tinc is working. However, any device that I can ping on the 10.75.70.X network other than Server A will not allow me to open their webpages. When I try curl it will tell me "No Route to Host". Which makes little sense because I am pinging between sites...unless I am missing something bigger in all of this.<br></div><div><br></div><div>My inital reason for wanting this connection was allow my server A to web proxy a hardware device with a web interface on the remote 192.168.1x network. I can ping the device....I just can't open the web interface. I have looked the MTU and noticed that it fell apart anything above 1408. I did try setting some MTU setting but nothing has worked so I am here to ask the experts. However, I then looked at curl and realized the problem is probably not MTU related. I appreciate any thoughts and help.<br></div><div><br></div><div>Here are my current configs:</div><div><br></div><div>Server A Conf:</div><div>Name = serverA<br>Device = /dev/net/tun<br>Address Family = ipv4<br></div><div><br></div><div>Server A host:</div><div>Address = xx.xx.xx.xx<br>Subnet = 192.168.0.10<br>Subnet = <a href="http://10.75.70.0/24" rel="noreferrer" target="_blank">10.75.70.0/24</a><br>PMTU = 1436<br>ClampMSS = yes<br>PMTUDiscovery = yes</div><div><br></div><div>Server A TincUp:</div><div>ip link set $INTERFACE up <br>ip addr add 192.168.0.10 dev $INTERFACE<br>ip route add <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> dev $INTERFACE<br>ip route add <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> dev $INTERFACE<br><br></div><div>Server B Conf:</div><div>Name = khwisnmp<br>Device = /dev/net/tun<br>Address Family = ipv4<br>ConnectTo = librenms<br></div><div><br></div><div>Server B host:</div><div>ubnet = 192.168.0.15<br>Subnet = <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a><br>PMTU = 1436<br>ClampMSS = yes<br>PMTUDiscovery = yes</div><div><br></div><div>Server B TincUP:</div><div>ip link set $INTERFACE up<br>ip addr add 192.168.0.15 dev $INTERFACE<br>ip route add <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> dev $INTERFACE<br>ip route add <a href="http://10.75.70.0/24" rel="noreferrer" target="_blank">10.75.70.0/24</a> dev $INTERFACE</div><div><br></div><div>Aloha,</div><div>Aaron<br></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" rel="noreferrer" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</blockquote></div></div></div>
</div></div></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</blockquote></div>