[[!meta title="tinc on a masquerading firewall"]]

## Example: tinc on a masquerading firewall

This example shows a setup with tinc running on a masquerading firewall, allowing the private subnet behind the firewall to access the VPN. Example firewall rules are included. They are written for iptables (Linux 2.4 firewall code), but commented so that you may apply the same kind of rules to other firewalls.

[[!toc levels=2]]

### Overview

[[!img examples/fig-on-firewall]]

The network setup is as follows:

* Internal network is 10.20.30.0/24
* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
* VPN the host wants to connect to has address range 10.20.0.0/16.

### Configuration of the firewall running tinc

    firewall# ifconfig
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              ...
    eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
              inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              ...
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3856  Metric:1
              ...
    vpn       Link encap:Point-to-Point Protocol
              inet addr:10.20.30.1  P-t-P:10.20.30.1  Mask:255.255.0.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              ...
    firewall# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
    10.20.0.0       *               255.255.0.0     U     0      0        0 vpn
    default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

    firewall# iptables -L -v
    Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy DROP 1234 packets, 123K bytes)
     pkts bytes target     prot opt in     out     source               destination
     1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
     1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
     1234  123K ACCEPT     any  --  vpn    eth0    10.20.0.0/16         10.20.30.0/24
     1234  123K ACCEPT     any  --  eth0   vpn     10.20.30.0/24        10.20.0.0/16

    Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
     pkts bytes target     prot opt in     out     source               destination

    firewall# iptables -L -v -t nat
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1234  123K MASQUERADE all  --  any    ppp0    10.20.30.0/24        anywhere

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    firewall# cat /etc/init.d/firewall
    #!/bin/sh
    echo 1 >/proc/sys/net/ipv4/ip_forward
    # Default to dropping forwarded traffic; only the rules below let packets through.
    iptables -P FORWARD DROP
    iptables -F FORWARD
    # Internal network <-> Internet over the PPP link.
    iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
    iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
    # Internal network <-> VPN; VPN traffic keeps its real addresses (no masquerading).
    iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
    iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
    # Masquerade only internal traffic leaving over the PPP link. POSTROUTING cannot
    # match on the input interface (-i), so match the internal source range instead.
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.20.30.0/24 -o ppp0

### Configuration of tinc

    firewall# cat /etc/tinc/vpn/tinc.conf
    Name = office
    ConnectTo = branch
    Interface = vpn

    firewall# cat /etc/tinc/vpn/tinc-up
    #!/bin/sh
    ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0

    firewall# ls /etc/tinc/vpn/hosts
    office branch employee_smith employee_jones ...
    firewall# cat /etc/tinc/vpn/hosts/office
    Address = 123.234.123.1
    Subnet = 10.20.30.0/24
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

    firewall# cat /etc/tinc/vpn/hosts/branch
    Address = 123.234.213.129
    Subnet = 10.20.40.0/24
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

    firewall# cat /etc/tinc/vpn/hosts/employee_smith
    Address = 200.201.202.203
    Subnet = 10.20.50.1/32
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----
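To see what the FORWARD chain from /etc/init.d/firewall above actually lets through, here is an added example (not part of this page or of tinc) that replays those four ACCEPT rules, in order and under the DROP policy, against constructed sample packets using Python's ipaddress module. The Rule representation, the sample host addresses and the 198.51.100.5 stand-in for an Internet host are this example's own assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    in_if: str
    out_if: str
    src: Optional[str] = None  # None matches any source (no -s given)
    dst: Optional[str] = None  # None matches any destination (no -d given)

# The four ACCEPT rules from /etc/init.d/firewall, in the same order.
FORWARD_RULES = [
    Rule("ppp0", "eth0", None, "10.20.30.0/24"),
    Rule("eth0", "ppp0", "10.20.30.0/24", None),
    Rule("vpn", "eth0", "10.20.0.0/16", "10.20.30.0/24"),
    Rule("eth0", "vpn", "10.20.30.0/24", "10.20.0.0/16"),
]
FORWARD_POLICY = "DROP"  # iptables -P FORWARD DROP

def _matches(rule, in_if, out_if, src, dst):
    """Interfaces must match exactly; addresses must fall inside the prefix."""
    if rule.in_if != in_if or rule.out_if != out_if:
        return False
    if rule.src and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(dst) not in ip_network(rule.dst):
        return False
    return True

def forward_verdict(in_if, out_if, src, dst):
    """First matching rule wins; with no match the chain policy applies."""
    for rule in FORWARD_RULES:
        if _matches(rule, in_if, out_if, src, dst):
            return "ACCEPT"
    return FORWARD_POLICY

# Constructed packets: (arriving interface, outgoing interface per the routing
# table above, source, destination); 198.51.100.5 stands in for the Internet.
SAMPLES = {
    "LAN host to a branch office host via the VPN": ("eth0", "vpn", "10.20.30.10", "10.20.40.7"),
    "branch office host to a LAN host": ("vpn", "eth0", "10.20.40.7", "10.20.30.10"),
    "LAN host to the Internet (masqueraded afterwards)": ("eth0", "ppp0", "10.20.30.10", "198.51.100.5"),
    "VPN peer routing to the Internet through this firewall": ("vpn", "ppp0", "10.20.40.7", "198.51.100.5"),
    "Internet host to a LAN host": ("ppp0", "eth0", "198.51.100.5", "10.20.30.10"),
    "packet on vpn with a source outside 10.20.0.0/16": ("vpn", "eth0", "192.0.2.9", "10.20.30.10"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{forward_verdict(*pkt):6} {label}")
```

No rule matches vpn to ppp0, so VPN peers cannot use this firewall as their Internet gateway, and the only masquerade rule covers internal traffic on ppp0, so VPN traffic keeps its real 10.20.x.x addresses in both directions.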