Windows Routing issue

Guus Sliepen guus at tinc-vpn.org
Tue Nov 17 20:01:46 CET 2009


On Tue, Nov 17, 2009 at 10:13:33AM -0800, Robert Spraggs wrote:

> I took a break from trying to get Tinc working and have come back to it
> now with the release of 1.0.11. I have 2 Windows computers connected
> behind firewalls and everything seems to be correct, except I cannot
> seem to get any data past the server TAP interface. I can ping the
> Server TAP interface from the client, but no data will move through the
> TAP interface to the Internet. I have put my information below in hopes
> that someone can help find the answer. I know it has to be something
> simple, but I can't figure it out.

Ok, you can ping the server via the VPN, so tinc is probably working fine.

> Routing table:
> Network Destination        Netmask          Gateway       Interface  Metric
>          0.0.0.0          0.0.0.0        10.2.54.1       10.2.1.12      3
>          0.0.0.0          0.0.0.0      192.168.1.2   192.168.1.108      10
>         10.2.0.0      255.255.0.0        10.2.1.12       10.2.1.12      3
>   10.255.255.255  255.255.255.255        10.2.1.12       10.2.1.12      3
>      192.168.1.0    255.255.255.0    192.168.1.108   192.168.1.108      10
>    192.168.1.255  255.255.255.255    192.168.1.108   192.168.1.108      10
> Default Gateway:         10.2.54.1

Hmm, your default gateway is via the VPN, but I don't see a route that tells
Windows to use the real network for tinc's own connections... but since you can
connect to the server, it works somehow.

> Server:
> Firewall Internet Interface: 96.50.224.241
> Firewall LAN Interface: 192.168.2.2
> LAN: 192.168.2.115 netmask 255.255.255.0 gw 192.168.2.2
> TAP: 10.2.54.1 netmask 255.255.0.0
> 
> Address=96.50.224.241
> Subnet=10.2.54.1/32
> Subnet=0.0.0.0/0

That is all OK. The routing table is also OK. But, I think the problem is that
packets from the client, with source IP address 10.2.1.12, are forwarded by the
server to the firewall fine, and maybe the firewall even properly masquerades
the packets and sends them on to the Internet, but when a reply comes back, the
firewall does not know how to send it back to 10.2.1.12, because the firewall
itself does not know about the 10.2.0.0/16 subnet, it only knows about
192.168.2.0/24.

There are three solutions I see:

1. You configure the server to masquerade packets from the VPN that are going
   to the LAN.

2. You add a route to the firewall telling it to forward packets for
   10.2.0.0/16 to 192.168.2.155.

3. You can bridge the LAN and TAP interfaces together on the server, and let
   the client use DHCP on its TAP interface, so it gets an address in the
   192.168.2.0/24 range and sets its default gateway directly to the firewall.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
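As an added illustration that is not part of the thread, a small Python model of the firewall's routing decision described above: it shows why the reply to 10.2.1.12 can only match the default route, and how solutions 1 and 2 change that. The addresses come from the quoted configuration; the table and lookup logic are a constructed longest-prefix-match model, not the firewall's actual software.

```python
import ipaddress

# Constructed model of the firewall's routing table as described in the thread:
# it knows its own LAN, 192.168.2.0/24, plus a default route to the Internet.
# Next hop "direct" means the destination is on-link; "internet" is the uplink.
FIREWALL_ROUTES = {
    "192.168.2.0/24": "direct",
    "0.0.0.0/0": "internet",
}

CLIENT_VPN_IP = "10.2.1.12"       # client's TAP address from the quoted table
SERVER_LAN_IP = "192.168.2.115"   # server's LAN address from the quoted config


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def reply_route(routes, masquerade=False):
    """Where the firewall sends the reply to a packet the VPN client sent out.

    The reply is addressed to the source of the original packet. Solution 1
    (server masquerades VPN traffic) makes that source the server's LAN
    address; otherwise the firewall sees the raw VPN address 10.2.1.12.
    """
    reply_dst = SERVER_LAN_IP if masquerade else CLIENT_VPN_IP
    return reply_dst, lookup(routes, reply_dst)


def with_vpn_route(routes):
    """Solution 2: the firewall learns that 10.2.0.0/16 lives behind the server."""
    fixed = dict(routes)
    fixed["10.2.0.0/16"] = SERVER_LAN_IP
    return fixed


if __name__ == "__main__":
    # Broken setup: the reply to 10.2.1.12 matches only the default route and
    # is sent back towards the Internet instead of to the tinc server.
    print("no fix:     ", reply_route(FIREWALL_ROUTES))
    # Solution 1: masquerading makes the reply go to 192.168.2.115 on the LAN.
    print("masquerade: ", reply_route(FIREWALL_ROUTES, masquerade=True))
    # Solution 2: with the extra route the reply is forwarded to the server.
    print("extra route:", reply_route(with_vpn_route(FIREWALL_ROUTES)))
```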