> [[!meta title="simple-bridging-with-dhcp-client-side"]] > > # Company: PowerCraft Technology > # Author: Copyright Jelle de Jong > # Note: Please send me an email if you enhanced the document > # Date: 2010-05-24 / 2010-07-04 > # License: CC-BY-SA > > # This document is free documentation; you can redistribute it and/or > # modify it under the terms of the Creative Commons Attribution Share > # Alike as published by the Creative Commons Foundation; either version > # 3.0 of the License, or (at your option) any later version. > # > # This document is distributed in the hope that it will be useful, > # but WITHOUT ANY WARRANTY; without even the implied warranty of > # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > # Creative Commons BY-SA License for more details. > # > # http://creativecommons.org/licenses/by-sa/ > > #----------------------------------------------------------------------- > > # for commercial support contact me, part of the revenue go back to tinc > > #----------------------------------------------------------------------- > > # http://www.tinc-vpn.org/ > # http://www.tinc-vpn.org/documentation/tinc_toc > > #----------------------------------------------------------------------- > > # this is the configuration of the roxy system > > #----------------------------------------------------------------------- > > unset LANG LANGUAGE LC_ALL > apt-get update; apt-get dist-upgrade > > apt-cache show tinc > apt-get install tinc/testing > > #----------------------------------------------------------------------- > > /etc/init.d/tinc stop > > #----------------------------------------------------------------------- > > # ls -hal /dev/net/tun > crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun > > # grep tinc /etc/services > tinc 655/tcp # tinc control port > tinc 655/udp > > # getent services tinc/udp > tinc 655/udp > # getent services tinc/tcp > tinc 655/tcp > > cat /usr/share/doc/tinc/README.Debian > zcat /usr/share/doc/tinc/README.gz 
| less > zcat /usr/share/doc/tinc/NEWS.gz | less > cat /usr/share/doc/tinc/examples/tinc-up > w3m /usr/share/doc/tinc/tinc_0.html > > #----------------------------------------------------------------------- > > vim /etc/default/tinc > EXTRA="-d" > cat /etc/default/tinc > > # less /etc/init.d/tinc > > #----------------------------------------------------------------------- > > ifconfig -a > route -n > > #----------------------------------------------------------------------- > > # ifconfig -a > eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c > inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:4863 errors:0 dropped:0 overruns:0 frame:0 > TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB) > Interrupt:10 Base address:0x1000 > > eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) > Interrupt:11 Base address:0x1400 > > eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) > Interrupt:15 Base address:0x1800 > > lo Link encap:Local Loopback > inet addr:127.0.0.1 Mask:255.0.0.0 > UP LOOPBACK RUNNING MTU:16436 Metric:1 > RX packets:1200 errors:0 dropped:0 overruns:0 frame:0 > TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB) > > # route -n > Kernel IP routing table > Destination Gateway Genmask Flags Metric Ref Use Iface > 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 > 0.0.0.0 84.245.9.1 
0.0.0.0 UG 0 0 0 eth0 > > #----------------------------------------------------------------------- > > # client01 configuration > > cat /etc/tinc/nets.boot > echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot > cat /etc/tinc/nets.boot > > #----------------------------------------------------------------------- > > sudo mkdir --verbose /etc/tinc/powercraft01/ > sudo mkdir --verbose /etc/tinc/powercraft01/hosts/ > sudo touch /etc/tinc/powercraft01/tinc.conf > > #----------------------------------------------------------------------- > > # on server > cat /etc/tinc/powercraft01/hosts/server01 > > # on client, copy cert data of server to client > sudo vim /etc/tinc/powercraft01/hosts/server01 > > # on client, add on head of file > Address = powercraft.nl 656 > Address = 84.245.3.195 656 > Address = tinc-vpn.powercraft.nl 656 > Address = powercraft.nl 655 > Address = 84.245.3.195 655 > Address = tinc-vpn.powercraft.nl 655 > > #----------------------------------------------------------------------- > > echo 'ConnectTo = server01 > Device = /dev/net/tun > Interface = tun1 > Mode = switch > Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf > > sudo cat /etc/tinc/powercraft01/tinc.conf > sudo chmod 644 /etc/tinc/powercraft01/tinc.conf > ls -hal /etc/tinc/powercraft01/tinc.conf > > echo '#!/bin/sh > ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up > > sudo cat /etc/tinc/powercraft01/tinc-up > sudo chmod 755 /etc/tinc/powercraft01/tinc-up > ls -hal /etc/tinc/powercraft01/tinc-up > > echo '#!/bin/sh > # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec > ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up > > sudo cat /etc/tinc/powercraft01/hosts/server01-up > sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up > ls -hal /etc/tinc/powercraft01/hosts/server01-up > > echo '#!/bin/sh > ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down > > sudo cat /etc/tinc/powercraft01/tinc-down > sudo chmod 755 
/etc/tinc/powercraft01/tinc-down > ls -hal /etc/tinc/powercraft01/tinc-down > > echo '#!/bin/sh > ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down > > sudo cat /etc/tinc/powercraft01/hosts/server01-down > sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down > ls -hal /etc/tinc/powercraft01/hosts/server01-down > > #----------------------------------------------------------------------- > > sudo rm /etc/tinc/powercraft01/rsa_key.priv > sudo rm /etc/tinc/powercraft01/hosts/client10 > sudo tincd -n powercraft01 -K > > #----------------------------------------------------------------------- > > # on client, add at the head of the file > sudo vim /etc/tinc/powercraft01/hosts/client01 > Compression = 9 > PMTU = 1492 > PMTUDiscovery = yes > Port = 656 > # Cipher = aes-128-cbc > > # on client > sudo cat /etc/tinc/powercraft01/hosts/client01 > > # on server, copy cert data of client to server > vim /etc/tinc/powercraft01/hosts/client01 > > #----------------------------------------------------------------------- > > # watch out: when running multiple DHCP clients there can be conflicts > > echo 'interface "tun1" { > request subnet-mask, broadcast-address, time-offset, > host-name, netbios-scope, interface-mtu, ntp-servers; > }' | tee --append /etc/dhcp3/dhclient.conf > > cat /etc/dhcp3/dhclient.conf > > #----------------------------------------------------------------------- > > vim /etc/network/interfaces > > iface tun1 inet dhcp > pre-up ifconfig tun1 down || true > pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true > post-up route del default dev tun1 || true > # pre-down /etc/init.d/munin-node stop || true > # post-up /etc/init.d/munin-node restart || true > # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true > # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true > # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true > # optional # pre-down route del -net 
192.168.2.0 netmask 255.255.255.0 tun1 || true > > #----------------------------------------------------------------------- > > ifdown tun1; ifdown tun1 > > #----------------------------------------------------------------------- > > sudo /etc/init.d/tinc stop > fg > sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5 > > #----------------------------------------------------------------------- > > sudo /etc/init.d/tinc start > > #----------------------------------------------------------------------- > > # tincd --version > tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17) > > #----------------------------------------------------------------------- > > tincd -n powercraft01 -kUSR2 > tail -n 100 /var/log/syslog > > #----------------------------------------------------------------------- > > May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun: > May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830 > May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914 > May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes: > May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518) > May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416) > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes. > May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges: > May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413 > May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413 > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges. 
> May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list: > May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01 > May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01 > May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01 > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list. > > #----------------------------------------------------------------------- > > # ifconfig -a > ifconfig tun1 > route -n > > #----------------------------------------------------------------------- > > # ifconfig tun1 > tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20 > inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:27 errors:0 dropped:0 overruns:0 frame:0 > TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:500 > RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB) > > # route -n > Kernel IP routing table > Destination Gateway Genmask Flags Metric Ref Use Iface > 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 > 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1 > 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 > > #----------------------------------------------------------------------- > > ping -c 2 192.168.3.1 > ping -c 2 -M dont -s 1500 192.168.3.1 > > #----------------------------------------------------------------------- > > lsof -i :655 > lsof -i :656 > > #----------------------------------------------------------------------- > > # Accept forwarding between our virtual private network and the local network in both directions (note: without a state match these rules accept every packet, not only new connections) > /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT > /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT > > # Use masquerade so the outside world sees only one IP source for all outgoing traffic > /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump 
MASQUERADE > > #-----------------------------------------------------------------------