Only reaching one machine at network

Donald Pearson donaldwhpearson at gmail.com
Mon Feb 8 05:41:02 CET 2010


IndirectData = Yes  is I think a legacy statement for versions prior to
1.0.10 that allowed Tinc to function in UDP mode behind NAT.  I don't
actually think it's needed any more, but I have not scrubbed my host
configuration files yet for anything not necessary.  Guss could speak with
more authority on that.

PMTUDiscovery = Yes  is I believe still best practice to use in Switch Mode,
enabling Tinc to identify the largest Frame or Packet that can traverse
across the VPN without fragmenting.

The ConnectTo statement is in the tinc.conf file.  So you would want your
tinc.conf file on your Client host to point to the host file of your Server.

tinc-up is a script that will be executed when Tinc is launched, if it
exists.  It's not actually necessary, but it makes things a bit simpler.

If you want your Tinc server to act as a gateway for its LAN, you'll need
to bridge its Tun adapter, which talks on the VPN, with its LAN adapter.

On Sun, Feb 7, 2010 at 6:43 PM, M.Farghaly <m at farghaly.com> wrote:

> Hello Donald,
>
> thank you very much for your very fast reply.
>
> This makes sense. So until now I am only connecting to the
> tun-interface on the home server. And I somehow need to bridge the
> tun-interface and eth0.
>
> Another question, is this:
>
> > IndirectData = Yes
> > PMTUDiscovery = Yes
>
> needed for this to work?
>
> What about the client (ConnectTo) tinc-up, what is still in there ?
>
> Otherwise I will look into linux bridging to understand exactly the
> command sequence you gave me for tinc-up.
>
> Then I will give this a try.
>
> Mansour Farghaly
>
> On Sun, Feb 7, 2010 at 11:46 PM, Donald Pearson
> <donaldwhpearson at gmail.com> wrote:
> > I'm doing exactly what I think you're trying to do.
> >
> > You are using switched mode, so you can remove the Subnet statements.
> > Otherwise, if you mean to have your VPN routed instead of switched, you
> > need to remove the mode=switch statements.
> >
> > I recommend keeping switch mode, and removing the unnecessary Subnet
> > statements.
> >
> > Now, you need to bridge your tun interface with your physical interface
> > at home.  This will open the rest of your home network to your VPN
> > provided all hosts use the same network and netmask.
> >
> > You say you are using Ubuntu, so you can do "apt-get install
> > bridge-utils"
> >
> > You will need your tinc-up script to be something like this;
> >
> > #!/bin/sh
> > modprobe tun
> > ifconfig vpn 0.0.0.0
> > ifconfig vpn up
> > ifconfig eth0 0.0.0.0
> > ifconfig eth0 up
> >
> > brctl addbr bridge
> > brctl addif bridge vpn
> > brctl addif bridge eth0
> > ifconfig bridge 10.10.0.30 netmask 255.255.255.0
> > route add default gw 10.10.0.254 bridge
> > ifconfig bridge up
> >
> > Here's my tinc.conf.  it's *very* simple.
> >
> > donald at DonaldTincVM:/etc/tinc/vpn$ cat tinc.conf
> > Name = Donald
> > ConnectTo = Pat
> > Device = /dev/net/tun
> > Mode = switch
> > PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
> >
> >
> > And here's my host files.
> >
> > donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Donald
> > Address = xxxx
> > Port = 8002
> > IndirectData = Yes
> > Compression = 0
> > PMTUDiscovery = Yes
> > RSA stuff.
> >
> > donald at DonaldTincVM:/etc/tinc/vpn/hosts$ cat Pat
> > Address = nixon.endoftheinternet.org
> > Port = 8003
> > IndirectData = Yes
> > Compression = 0
> > PMTUDiscovery = Yes
> > RSA stuff.
> >
> > On Sun, Feb 7, 2010 at 5:26 PM, M.Farghaly <m at farghaly.com> wrote:
> >>
> >> Hi there,
> >>
> >> I have been using tinc for some months. I think the basic idea of
> >> extending vpn to a mesh of systems via tun/tap is great. And I think
> >> it is one of the usable developments compared to the much more
> >> complex vpn solutions I had used in the past. Great work.
> >>
> >> Setting up tinc I have fought with the configuration (and with the
> >> concepts) for a while as I have found no example that covers my
> >> special setup until I reached this fairly minimal config below.
> >>
> >> The setup is as follows:
> >> Home network is 10.10.0.x/24, Ubuntu Unix Server has internal IP
> >> 10.10.0.30, Gateway is 10.10.0.254
> >> I have a dynamic ip on this network and a masquerading firewall router.
> >>
> >> I am accessing the home network via an Ubuntu linux laptop via UMTS, which
> >> means a dynamic IP address, normally also in the 10.x.y.z range (can
> >> this be a problem?).
> >>
> >> From the forum answers I think I can delete the entries
> >> "PrivateKeyFile" as this is default, otherwise configuration is quite
> >> minimal.
> >>
> >>
> >> ======= Configuration =========
> >>
> >> Server Side
> >> ===========
> >> # cat tinc.conf
> >> Name = fsvpns3f30
> >> Mode = switch
> >> Device = /dev/net/tun
> >> AddressFamily = ipv4
> >> PingInterval = 30
> >> PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv
> >>
> >> # cat tinc-up
> >> #!/bin/sh
> >> ifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0
> >>
> >> # cat hosts/fsvpns3f30
> >> Address = xyz.dyndns.org
> >> Port=655
> >> Compression=9
> >> Subnet=10.10.0.0/16
> >> TCPonly=yes
> >> -----BEGIN RSA PUBLIC KEY-----
> >> ...
> >> -----END RSA PUBLIC KEY-----
> >>
> >> Client Side
> >> ========
> >> # cat tinc.conf
> >> Name = fsvpnmf
> >> Mode = switch
> >> Device = /dev/net/tun
> >> AddressFamily = ipv4
> >> PingInterval = 30
> >> ConnectTo = fsvpns3f30
> >> PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv
> >>
> >> # cat tinc-up
> >> #!/bin/sh
> >> ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0
> >>
> >> # cat fsvpnmf
> >> Port = tinc
> >> Compression = 9
> >> Subnet = 10.10.101.1/32
> >> TCPonly=yes
> >> ConnectTo = xyz.dyndns.org
> >> -----BEGIN RSA PUBLIC KEY-----
> >> ...
> >> -----END RSA PUBLIC KEY-----
> >>
> >> This setup works now for a while with the restriction that I can
> >> directly only reach one machine on my network. I can ssh through it to
> >> reach the other machines in the network, but this is not ideal (e.g.
> >> if I want to directly reach windows machines). That means from my
> >> laptop I can only directly reach the 10.10.0.30/10.10.100/30 machine.
> >> It looks like a routing problem. I guess I will have to add to the
> >> tinc-up script on both sides, but in combination with the vpn device I
> >> need some guidance.
> >>
> >> Can you see how the configuration can be enhanced to reach the whole
> >> network of machines on the home network from laptops directly?
> >>
> >> Any suggestions are welcome.
> >>
> >> Mansour Farghaly
> >> _______________________________________________
> >> tinc mailing list
> >> tinc at tinc-vpn.org
> >> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> >
> >
> >
> >
>
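As an added check, not part of this thread or of tinc itself: a small linter for the problems the replies above point out in the quoted client configuration (Subnet statements in switch mode, ConnectTo placed in a host file instead of tinc.conf, and a gateway tinc-up that addresses $INTERFACE directly instead of bridging it). The sample configs are constructed from the ones quoted in the thread; the gateway flag and the wording of the findings are my own assumptions.

```python
# Constructed samples modelled on the client configs quoted in this thread.
TINC_CONF = """\
Name = fsvpnmf
Mode = switch
Device = /dev/net/tun
ConnectTo = fsvpns3f30
"""
HOST_FILE = """\
Port = tinc
Compression = 9
Subnet = 10.10.101.1/32
ConnectTo = xyz.dyndns.org
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
"""
# Constructed: the server's tinc-up as quoted, which addresses the tun device directly.
TINC_UP = "#!/bin/sh\nifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0\n"

def parse_tinc(text):
    """Parse 'Key = Value' lines into a dict (keys lower-cased); skip comments and key blobs."""
    conf, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_key = True
        if in_key:                       # swallow the RSA key block
            in_key = not line.startswith("-----END")
            continue
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def lint(tinc_conf, host_file, tinc_up, gateway=False):
    """Return findings mirroring the advice in the thread; gateway=True for the LAN-side host."""
    conf, host = parse_tinc(tinc_conf), parse_tinc(host_file)
    findings = []
    if conf.get("mode", "").lower() == "switch" and "subnet" in host:
        findings.append("Subnet is unnecessary in switch mode (or drop Mode = switch to route)")
    if "connectto" in host:
        findings.append("ConnectTo belongs in tinc.conf and names a node, not a host file entry")
    if gateway and "brctl addif" not in tinc_up:
        findings.append("gateway: tinc-up must bridge the VPN device with the LAN interface "
                        "and put the LAN address on the bridge, not on $INTERFACE")
    return findings

FIXED_HOST_FILE = "Port = tinc\nCompression = 9\n"   # Subnet and ConnectTo removed
```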