Tinc on OsX, partial success

Tincer tincer at btconnect.com
Mon Nov 22 16:07:09 CET 2004



I have now got the tinc daemons (on network OFFICES) on BranchB and 
BranchA talking to each other, see below for log from BranchB. For 
some troubleshooting issues relating to OS X see at the end of my 
e-mail.

However, I have not yet achieved the network connectivity/routing 
that I would like.

The aim is:
BranchB is a laptop
I would like to connect it (via tinc) to my office network, so that 
the laptop appears to be a genuine member of the Office network, like 
an extension of the office network.

I am happy if ALL traffic from and to the laptop goes through the 
tinc connection (i.e. no split routing is required, at least not for 
the moment).


Thus at the moment I am unclear which configuration to add / change. 
For specific questions see below.


Any help is appreciated.


-------------------------------------

My current configuration


BranchB
The laptop, with fixed IP, 222.222.222.3, (configured from OS X GUI 
System Preference:Network)

tinc.conf
Name = BranchB
ConnectTo = BranchA
Device = /dev/tun0

Host file
Subnet = 192.168.2.1/32
Address = 222.222.222.203
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

tinc-up
#!/bin/sh
# $INTERFACE is exported by tincd and names the tun device from tinc.conf
ifconfig $INTERFACE 192.168.2.1 192.168.2.1 netmask 255.255.0.0

BranchA
The CPU with the tinc daemon on the office network.
The office network is behind a masquerading firewall with public IP 
123.123.123.7
The tinc host has a static IP of 10.20.30.1 (configured from OS X GUI 
System Preference:Network)
The firewall is set up to forward all traffic to 123.123.123.7 to 
10.20.30.1, on port 655
Furthermore, the preexisting office network is 192.168.3.0/24
The tinc host is physically connected to this network, one physical 
ethernet interface


tinc.conf
Name = BranchA
Device = /dev/tun0

Host file
Subnet = 192.168.0.0/16
Address = 123.123.123.7
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
.....
-----END RSA PUBLIC KEY-----


tinc-up
#!/bin/sh
# $INTERFACE is exported by tincd and names the tun device from tinc.conf
ifconfig $INTERFACE 192.168.3.1 192.168.3.1 netmask 255.255.0.0


-------------------------------------
Specific questions:


The tinc daemon is running on the laptop (BranchB), and has connected 
to the daemon in the office (BranchA).

- As the laptop should route only itself through the VPN (and not 
other CPUs on 222.222.222.x), is it correct to configure the subnet in the 
BranchB host file as Subnet = 192.168.2.1/32, i.e. with a /32 mask?


- Despite the running daemons, if I open a browser on the laptop the 
browser connects through the public IP 222.222.222.3, and not through 
the VPN.
Which routing info is missing and how do I add this under OS X?


- How do I configure BranchB so that the remote laptop is part of 
the preexisting net?

-------------------------------------
Log of Branch B (the laptop)
1101125071 tinc.OFFICES[922]: tincd 1.0.3 (Nov 11 2004 05:07:05) starting, debug level 3
1101125071 tinc.OFFICES[922]: /dev/tun0 is a Generic BSD tun device
1101125071 tinc.OFFICES[922]: Executing script tinc-up
1101125071 tinc.OFFICES[922]: Script tinc-up exited with non-zero status 126
1101125071 tinc.OFFICES[922]: Listening on :: port 655
1101125071 tinc.OFFICES[922]: Listening on 0.0.0.0 port 655
1101125071 tinc.OFFICES[922]: Ready
1101125071 tinc.OFFICES[922]: Trying to connect to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Connected to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ID to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ID from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending METAKEY to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got METAKEY from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending CHALLENGE to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got CHALLENGE from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending CHAL_REPLY to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got CHAL_REPLY from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ACK to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ACK from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Connection with BranchA (123.123.123.7 port 655) activated
1101125071 tinc.OFFICES[922]: Sending ADD_SUBNET to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ADD_EDGE to everyone (BROADCAST)
1101125071 tinc.OFFICES[922]: Got ADD_SUBNET from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Forwarding ADD_SUBNET from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ADD_EDGE from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Forwarding ADD_EDGE from BranchA (123.123.123.7 port 655)
1101125133 tinc.OFFICES[922]: Sending PING to BranchA (123.123.123.7 port 655)
1101125133 tinc.OFFICES[922]: Got PONG from BranchA (123.123.123.7 port 655)
1101125224 tinc.OFFICES[922]: Got PING from BranchA (123.123.123.7 port 655)
1101125224 tinc.OFFICES[922]: Sending PONG to BranchA (123.123.123.7 port 655)
1101125316 tinc.OFFICES[922]: Sending PING to BranchA (123.123.123.7 port 655)

-------------------------------------
Hints for running the tinc binary on OS X

Attempts to run tinc 1.0.3 return "can't open library: 
/sw/lib/libdl.0.dylib  (No such file or directory, errno = 2)"

To solve this install Fink.

On the laptop (iBook G4, OS X 10.3.5) I installed version 0.7.1
Then using FinkCommander installed the binary
dlcompat-shlibs	20030629-15


On the Branch A CPU (beige G3 OS X 10.2.8) I installed 0.6.3
Then using FinkCommander installed the binaries
dlcompat	20030629-5
dlcompat-dev	20030629-5
dlcompat-shlibs	20030629-5
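Added example, not part of the original mail or of tinc itself: a small POSIX sh checker that an admin can run against a tinc 1.0 net directory before starting tincd. It is written around two things visible above: the "Script tinc-up exited with non-zero status 126" line in the BranchB log (126 is the shell's code for "found but not executable", 127 for "not found"), and the question whether the /32 Subnet in the BranchB host file covers the address tinc-up puts on the interface. The function names, the directory layout (tinc.conf, hosts/<Name> and tinc-up inside one net directory) and the sample files built in the demo are my assumptions, constructed to mirror the BranchB configuration; nothing here talks to a real tincd or touches the routing table.

```shell
#!/bin/sh
# Added example (not from the original mail): offline sanity checks for a
# tinc 1.0 net directory. Assumed layout: $NETDIR/tinc.conf,
# $NETDIR/hosts/<Name>, $NETDIR/tinc-up. Pure POSIX sh, no root needed.

# Translate the N from a "Script tinc-up exited with non-zero status N" log
# line. 126 and 127 are shell conventions, not tinc-specific codes.
explain_script_status() {
    case "$1" in
        0)   echo "script ran successfully" ;;
        126) echo "script found but not executable: chmod +x it" ;;
        127) echo "interpreter on the #! line or a command in the script was not found" ;;
        *)   echo "script ran and failed with status $1 (check its ifconfig/route commands)" ;;
    esac
}

# Report scripts in a net directory that tincd would fail to execute.
# Prints one line per problem; returns 1 if any problem was found.
check_scripts() {
    netdir=$1; rc=0
    for s in tinc-up tinc-down; do
        f="$netdir/$s"
        [ -e "$f" ] || continue
        if [ ! -x "$f" ]; then
            echo "$s: not executable (tincd would log status 126)"; rc=1
        fi
        if ! head -n 1 "$f" | grep -q '^#!'; then
            echo "$s: missing #! line"; rc=1
        fi
    done
    return $rc
}

# Dotted-quad IPv4 address to a 32-bit integer, using only shell arithmetic.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Return 0 if address $1 lies inside CIDR block $2 (e.g. 192.168.2.1 192.168.0.0/16).
in_subnet() {
    plen=${2#*/}
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Return 0 if at least one "Subnet =" line in host file $1 covers address $2,
# i.e. the address tinc-up assigns is one the other nodes will route to us.
host_subnet_covers() {
    hostfile=$1; addr=$2; found=1
    while IFS= read -r line; do
        case "$line" in
            Subnet*=*)
                net=$(echo "${line#*=}" | tr -d '[:space:]')
                echo "declared Subnet $net"
                in_subnet "$addr" "$net" && found=0
                ;;
        esac
    done < "$hostfile"
    return $found
}

# Demo on a constructed copy of the BranchB layout from the mail; tinc-up is
# deliberately left non-executable to reproduce the status-126 log line.
demo() {
    d=$(mktemp -d)
    mkdir "$d/hosts"
    printf 'Name = BranchB\nConnectTo = BranchA\nDevice = /dev/tun0\n' > "$d/tinc.conf"
    printf 'Subnet = 192.168.2.1/32\nAddress = 222.222.222.203\nTCPOnly = yes\n' > "$d/hosts/BranchB"
    printf '#!/bin/sh\nifconfig $INTERFACE 192.168.2.1 192.168.2.1 netmask 255.255.0.0\n' > "$d/tinc-up"
    echo "status 126 means: $(explain_script_status 126)"
    check_scripts "$d" || echo "=> fix: chmod +x $d/tinc-up"
    host_subnet_covers "$d/hosts/BranchB" 192.168.2.1 && echo "=> 192.168.2.1 is routed to BranchB"
    rm -rf "$d"
}

demo
```

Run it as `sh checker.sh`; point `check_scripts` and `host_subnet_covers` at a real net directory (for example /usr/local/etc/tinc/OFFICES) to check your own node. Note that the checker only confirms the host file's Subnet covers the interface address; it says nothing about what the remote side routes, so BranchA's 192.168.0.0/16 Subnet and the laptop's default route still have to be reasoned about separately.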
