Only reaching one machine at network

M.Farghaly m at farghaly.com
Mon Feb 8 00:43:31 CET 2010


Hello Donald,

thank you very much for your very fast reply.

This makes sense. So until now I am only connecting to the
tun-interface on the home server. And I somehow need to bridge the
tun-interface and eth0.

Another question, is this:

> IndirectData = Yes
> PMTUDiscovery = Yes

needed for this to work?

What about the client (ConnectTo) tinc-up, what is still in there?

Otherwise I will look into linux bridging to understand exactly the
command sequence you gave me for tinc-up.

Then I will give this a try.

Mansour Farghaly

On Sun, Feb 7, 2010 at 11:46 PM, Donald Pearson
<donaldwhpearson at gmail.com> wrote:
> I'm doing exactly what I think you're trying to do.
>
> You are using switched mode, so you can remove the Subnet statements.
> Otherwise, if you mean to have your VPN routed instead of switched, you need
> to remove the mode=switch statements.
>
> I recommend keeping switch mode, and removing the unnecessary Subnet
> statements.
>
> Now, you need to bridge your tun interface with your physical interface at
> home.  This will open the rest of your home network to your VPN provided all
> hosts use the same network and netmask.
>
> You say you are using Ubuntu, so you can do "apt-get install bridge-utils"
>
> You will need your tinc-up script to be something like this;
>
> #!/bin/sh
> modprobe tun
> ifconfig vpn 0.0.0.0
> ifconfig vpn up
> ifconfig eth0 0.0.0.0
> ifconfig eth0 up
>
> brctl addbr bridge
> brctl addif bridge vpn
> brctl addif bridge eth0
> ifconfig bridge 10.10.0.30 netmask 255.255.255.0
> route add default gw 10.10.0.254 bridge
> ifconfig bridge up
>
> Here's my tinc.conf.  it's *very* simple.
>
> donald at DonaldTincVM:/etc/tinc/vpn$ cat tinc.conf
> Name = Donald
> ConnectTo = Pat
> Device = /dev/net/tun
> Mode = switch
> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
>
>
> And here's my host files.
>
> donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Donald
> Address = xxxx
> Port = 8002
> IndirectData = Yes
> Compression = 0
> PMTUDiscovery = Yes
> RSA stuff.
>
> donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Pat
> Address = nixon.endoftheinternet.org
> Port = 8003
> IndirectData = Yes
> Compression = 0
> PMTUDiscovery = Yes
> RSA stuff.
>
> On Sun, Feb 7, 2010 at 5:26 PM, M.Farghaly <m at farghaly.com> wrote:
>>
>> Hi there,
>>
>> I have been using tinc for some months. I think the basic idea of
>> extending vpn to a mesh of systems via tun/tap is great. And I think
>> it is one of the usable developments compared to the much more
>> complex vpn solutions I had used in the past. Great work.
>>
>> Setting up tinc I have fought with the configuration (and with the
>> concepts) for a while as I have found no example that covers my
>> special setup until I reached this fairly minimal config below.
>>
>> The setup is as follows:
>> Home network is 10.10.0.x/24, Ubuntu Unix Server has internal IP
>> 10.10.0.30, Gateway is 10.10.0.254
>> I have a dynamic ip on this network and a masquerading firewall router.
>>
>> I am accessing home network via Ubuntu linux laptop via UMTS which
>> means dynamic IP-Address, normally also in the 10.x.y.z Range (can
>> this be a problem?).
>>
>> From the forum answers I think I can delete the entries
>> "PrivateKeyFile" as this is default, otherwise configuration is quite
>> minimal.
>>
>>
>> ======= Configuration =========
>>
>> Server Side
>> ===========
>> # cat tinc.conf
>> Name = fsvpns3f30
>> Mode = switch
>> Device = /dev/net/tun
>> AddressFamily = ipv4
>> PingInterval = 30
>> PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv
>>
>> # cat tinc-up
>> #!/bin/sh
>> ifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0
>>
>> # cat hosts/fsvpns3f30
>> Address = xyz.dyndns.org
>> Port=655
>> Compression=9
>> Subnet=10.10.0.0/16
>> TCPonly=yes
>> -----BEGIN RSA PUBLIC KEY-----
>> ...
>> -----END RSA PUBLIC KEY-----
>>
>> Client Side
>> ========
>> # cat tinc.conf
>> Name = fsvpnmf
>> Mode = switch
>> Device = /dev/net/tun
>> AddressFamily = ipv4
>> PingInterval = 30
>> ConnectTo = fsvpns3f30
>> PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv
>>
>> # cat tinc-up
>> #!/bin/sh
>> ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0
>>
>> # cat fsvpnmf
>> Port = tinc
>> Compression = 9
>> Subnet = 10.10.101.1/32
>> TCPonly=yes
>> ConnectTo = xyz.dyndns.org
>> -----BEGIN RSA PUBLIC KEY-----
>> ...
>> -----END RSA PUBLIC KEY-----
>>
>> This setup works now for a while with the restriction that I can
>> directly only reach one machine on my network. I can ssh through it to
>> reach the other machines in the network, but this is not ideal (e.g.
>> if I want to directly reach windows machines). That means from my
>> laptop I can only directly reach the 10.10.0.30/10.10.100.30 machine.
>> It looks like a routing problem. I guess I will have to add on tinc-up
>> script on both sides but in combination with the vpn device I need
>> some guidance.
>>
>> Can you see how the configuration can be enhanced to reach the whole
>> network of machines on the home network from laptops directly?
>>
>> Any suggestions are welcome.
>>
>> Mansour Farghaly
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
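A small configuration check, added here as an example (it is not tinc's code and not from the thread), that applies Donald's two points to the posted configuration: in switch mode the Subnet statements are unnecessary, and bridging the tun interface into the LAN only works when the VPN-side address uses the same network and netmask as the home LAN. The sample inputs are the server-side files quoted above; the LAN prefix 10.10.0.0/24 is taken from the description of the home network.

```python
"""Lint a tinc switch-mode + bridge setup (example code added to this
archived thread; not part of the tinc project)."""
import ipaddress
import re

def parse_kv(text):
    """Parse 'Key = Value' / 'Key=Value' lines from tinc.conf or a host file.
    Blank lines, '#' comments and the RSA key block are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=\s*(.+)", line)
        if m:
            conf.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return conf

def tinc_up_address(script):
    """Address/netmask that tinc-up assigns with 'ifconfig <if> A netmask M'."""
    m = re.search(r"ifconfig\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\S+)", script)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None

def lint(tinc_conf, host_file, tinc_up, lan):
    """Return a list of findings; 'lan' is the home LAN, e.g. '10.10.0.0/24'."""
    findings = []
    conf, host = parse_kv(tinc_conf), parse_kv(host_file)
    switched = conf.get("mode", ["router"])[0].lower() == "switch"
    if switched and "subnet" in host:
        findings.append("switch mode: Subnet statements are unnecessary: "
                        + ", ".join(host["subnet"]))
    if not switched and "subnet" not in host:
        findings.append("router mode: the host file needs a Subnet statement")
    vpn_if, lan_net = tinc_up_address(tinc_up), ipaddress.ip_network(lan)
    if switched and vpn_if is not None and vpn_if.network != lan_net:
        findings.append(f"bridged switch mode: {vpn_if} is not on the LAN "
                        f"{lan_net} (same network and netmask needed)")
    return findings

# Constructed sample: the server-side files quoted in the thread.
SERVER_CONF = "Name = fsvpns3f30\nMode = switch\nDevice = /dev/net/tun\n"
SERVER_HOST = ("Address = xyz.dyndns.org\nPort=655\nCompression=9\n"
               "Subnet=10.10.0.0/16\nTCPonly=yes\n"
               "-----BEGIN RSA PUBLIC KEY-----\n...\n-----END RSA PUBLIC KEY-----\n")
SERVER_UP = "#!/bin/sh\nifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0\n"

if __name__ == "__main__":
    for finding in lint(SERVER_CONF, SERVER_HOST, SERVER_UP, "10.10.0.0/24"):
        print("-", finding)
```

With Donald's recipe (no Subnet line, tun left at 0.0.0.0 and the address on the bridge instead) the same check returns no findings.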

