updated client side configuration with optional feature to connect an available clien...

[wiki] / examples / simple-bridging-with-dhcp-client-side.mdwn

>     [[!meta title="simple-bridging-with-dhcp-client-side"]]
>    
>     # Company:  PowerCraft Technology
>     # Author:   Copyright Jelle de Jong <jelledejong@powercraft.nl>
>     # Note:     Please send me an email if you enhanced the document
>     # Date:     2010-05-24 / 2010-07-04
>     # License:  CC-BY-SA
>     
>     # This document is free documentation; you can redistribute it and/or
>     # modify it under the terms of the Creative Commons Attribution Share
>     # Alike as published by the Creative Commons Foundation; either version
>     # 3.0 of the License, or (at your option) any later version.
>     #
>     # This document is distributed in the hope that it will be useful,
>     # but WITHOUT ANY WARRANTY; without even the implied warranty of
>     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>     # Creative Commons BY-SA License for more details.
>     #
>     # http://creativecommons.org/licenses/by-sa/
>     
>     #-----------------------------------------------------------------------
>     
>     # for commercial support contact me, part of the revenue go back to tinc
>     
>     #-----------------------------------------------------------------------
>     
>     # http://www.tinc-vpn.org/
>     # http://www.tinc-vpn.org/documentation/tinc_toc
>     
>     #-----------------------------------------------------------------------
>     
>     # this is the configuration of the roxy system
>     
>     #-----------------------------------------------------------------------
>     
>     unset LANG LANGUAGE LC_ALL
>     apt-get update; apt-get dist-upgrade
>     
>     apt-cache show tinc
>     apt-get install tinc/testing
>     
>     #-----------------------------------------------------------------------
>     
>     /etc/init.d/tinc stop
>     
>     #-----------------------------------------------------------------------
>     
>     # ls -hal /dev/net/tun
>     crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun
>     
>     # grep tinc /etc/services
>     tinc        655/tcp             # tinc control port
>     tinc        655/udp
>     
>     # getent services tinc/udp
>     tinc        655/udp
>     # getent services tinc/tcp
>     tinc        655/tcp
>     
>     cat /usr/share/doc/tinc/README.Debian
>     zcat /usr/share/doc/tinc/README.gz | less
>     zcat /usr/share/doc/tinc/NEWS.gz | less
>     cat /usr/share/doc/tinc/examples/tinc-up
>     w3m /usr/share/doc/tinc/tinc_0.html
>     
>     #-----------------------------------------------------------------------
>     
>     vim /etc/default/tinc
>     EXTRA="-d"
>     cat /etc/default/tinc
>     
>     # less /etc/init.d/tinc
>     
>     #-----------------------------------------------------------------------
>     
>     ifconfig -a
>     route -n
>     
>     #-----------------------------------------------------------------------
>     
>     # ifconfig -a
>     eth0      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6c
>               inet addr:84.245.9.246  Bcast:84.245.9.255  Mask:255.255.255.0
>               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:4302418 (4.1 MiB)  TX bytes:303100 (295.9 KiB)
>               Interrupt:10 Base address:0x1000
>     
>     eth1      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6d
>               UP BROADCAST MULTICAST  MTU:1500  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>               Interrupt:11 Base address:0x1400
>     
>     eth2      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6e
>               UP BROADCAST MULTICAST  MTU:1500  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>               Interrupt:15 Base address:0x1800
>     
>     lo        Link encap:Local Loopback
>               inet addr:127.0.0.1  Mask:255.0.0.0
>               UP LOOPBACK RUNNING  MTU:16436  Metric:1
>               RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:0
>               RX bytes:96572 (94.3 KiB)  TX bytes:96572 (94.3 KiB)
>     
>     # route -n
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     84.245.9.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
>     0.0.0.0         84.245.9.1      0.0.0.0         UG    0      0        0 eth0
>     
>     #-----------------------------------------------------------------------
>     
>     # client01 configuration
>     
>     cat /etc/tinc/nets.boot
>     echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
>     cat /etc/tinc/nets.boot
>     
>     #-----------------------------------------------------------------------
>     
>     sudo mkdir --verbose /etc/tinc/powercraft01/
>     sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
>     sudo touch /etc/tinc/powercraft01/tinc.conf
>     
>     #-----------------------------------------------------------------------
>     
>     # on server
>     cat /etc/tinc/powercraft01/hosts/server01
>     
>     # on client, copy cert data of server to client
>     sudo vim /etc/tinc/powercraft01/hosts/server01
>     
>     # on client, add on head of file
>     Address = powercraft.nl 656
>     Address = 84.245.3.195 656
>     Address = tinc-vpn.powercraft.nl 656
>     Address = powercraft.nl 655
>     Address = 84.245.3.195 655
>     Address = tinc-vpn.powercraft.nl 655
>     
>     #-----------------------------------------------------------------------
>     
>     echo 'ConnectTo = server01
>     Device = /dev/net/tun
>     Interface = tun1
>     Mode = switch
>     Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf
>     
>     sudo cat /etc/tinc/powercraft01/tinc.conf
>     sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
>     ls -hal /etc/tinc/powercraft01/tinc.conf
>     
>     echo '#!/bin/sh
>     ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up
>     
>     sudo cat /etc/tinc/powercraft01/tinc-up
>     sudo chmod 755 /etc/tinc/powercraft01/tinc-up
>     ls -hal /etc/tinc/powercraft01/tinc-up
>     
>     echo '#!/bin/sh
>     # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
>     ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up
>     
>     sudo cat /etc/tinc/powercraft01/hosts/server01-up
>     sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
>     ls -hal /etc/tinc/powercraft01/hosts/server01-up
>     
>     echo '#!/bin/sh
>     ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down
>     
>     sudo cat /etc/tinc/powercraft01/tinc-down
>     sudo chmod 755 /etc/tinc/powercraft01/tinc-down
>     ls -hal /etc/tinc/powercraft01/tinc-down
>     
>     echo '#!/bin/sh
>     ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down
>     
>     sudo cat /etc/tinc/powercraft01/hosts/server01-down
>     sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
>     ls -hal /etc/tinc/powercraft01/hosts/server01-down
>     
>     #-----------------------------------------------------------------------
>     
>     sudo rm /etc/tinc/powercraft01/rsa_key.priv
>     sudo rm /etc/tinc/powercraft01/hosts/client10
>     sudo tincd -n powercraft01 -K
>     
>     #-----------------------------------------------------------------------
>     
>     # on client add on head of file
>     sudo vim /etc/tinc/powercraft01/hosts/client01
>     Compression = 9
>     PMTU = 1492
>     PMTUDiscovery = yes
>     Port = 656
>     # Cipher = aes-128-cbc
>     
>     # on client
>     sudo cat /etc/tinc/powercraft01/hosts/client01
>     
>     # on server, copy cert data of client to server
>     vim /etc/tinc/powercraft01/hosts/client01
>     
>     #-----------------------------------------------------------------------
>     
>     # watch out when using multiple dhcp clients there can be conflicts
>    
>     echo 'interface "tun1" {
>       request subnet-mask, broadcast-address, time-offset,
>         host-name, netbios-scope, interface-mtu, ntp-servers;
>     }' | tee --append /etc/dhcp3/dhclient.conf
>     
>     cat /etc/dhcp3/dhclient.conf
>     
>     #-----------------------------------------------------------------------
>     
>     vim /etc/network/interfaces
>     
>     iface tun1 inet dhcp
>       pre-up ifconfig tun1 down || true
>       pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
>       post-up route del default dev tun1 || true
>       # pre-down /etc/init.d/munin-node stop || true
>       # post-up /etc/init.d/munin-node restart || true
>       # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
>       # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
>       # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
>       # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
>     
>     #-----------------------------------------------------------------------
>     
>     ifdown tun1; ifdown tun1
>     
>     #-----------------------------------------------------------------------
>     
>     sudo /etc/init.d/tinc stop
>     fg
>     sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
>     
>     #-----------------------------------------------------------------------
>     
>     sudo /etc/init.d/tinc start
>     
>     #-----------------------------------------------------------------------
>     
>     # tincd --version
>     tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
>     
>     #-----------------------------------------------------------------------
>     
>     tincd -n powercraft01 -kUSR2
>     tail -n 100 /var/log/syslog
>     
>     #-----------------------------------------------------------------------
>     
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  total bytes in:         830
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  total bytes out:        914
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  client01 to server01 at 84.245.3.195 port 656 options c weight 413
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  server01 to client01 at 84.245.9.246 port 655 options c weight 413
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  0:1b:21:61:af:d7#10 owner server01
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  56:fc:c2:fd:69:10#10 owner server01
>     May 24 19:43:59 roxy tinc.powercraft01[5104]:  ea:3:e7:3d:46:20#10 owner client01
>     May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
>     
>     #-----------------------------------------------------------------------
>     
>     # ifconfig -a
>     ifconfig tun1
>     route -n
>     
>     #-----------------------------------------------------------------------
>     
>     # ifconfig tun1
>     tun1      Link encap:Ethernet  HWaddr ea:03:e7:3d:46:20
>               inet addr:192.168.3.201  Bcast:192.168.3.255  Mask:255.255.255.0
>               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:27 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:500
>               RX bytes:9342 (9.1 KiB)  TX bytes:9088 (8.8 KiB)
>     
>     # route -n
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     84.245.9.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
>     192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 tun1
>     0.0.0.0         84.245.9.1      0.0.0.0         UG    0      0        0 eth0
>     
>     #-----------------------------------------------------------------------
>     
>     ping -c 2 192.168.3.1
>     ping -c 2 -M dont -s 1500 192.168.3.1
>     
>     #-----------------------------------------------------------------------
>     
>     lsof -i :655
>     lsof -i :656
>     
>     #-----------------------------------------------------------------------
>     
>     # Accept new connections for fordwarding designated from our virtual private netwerk to the local network
>     /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
>     /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT
>     
>     # Use masquerade so the outside world sees only one ip source for all outgoing trafic
>     /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE
>     
>     #-----------------------------------------------------------------------