Basic configuration problem
Ryan Rustong
ryan.rustong at gmail.com
Sat Sep 15 00:37:28 CEST 2012
Hello,
I have been reading through the documentation and trying to set up a very
small VPN as a test for a larger rollout that I would like to complete in
the future but cannot get this working. The configuration seems like it
should be relatively simple, so I'm most likely missing something basic but
I just cannot see what I'm doing wrong. At the moment I am trying to get
this working between 2 CentOS servers, but will eventually scale to many
more (and using IPv6). I am setting it up in a "client/server" mode as my
clients will not be opening firewall rules to allow incoming connections,
they will all connect back to my "server."
Both sides of the tunnel are behind a NAT'd address, the public IP of each
server is what I have added as the "Address" variable in the host files.
After starting tinc, I am able to see that the tun0 interface comes up and
the 192.168.0.0/16 route is added to both route tables. I added
10.18.73.0/24 to my "client" route table pointing to the tun0 interface as
a route is not being created for that (which to my understanding is my
responsibility as tinc does not take care of that). With the daemon
running attached in debug mode, I see that they two devices see each other
and immediately establish the tunnel, but I am unable to ping any of the
addresses on the remote end of the tunnel.
If I try to ping the remote tun0 interface, I receive the following output:
[root at tinc-server tinc]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
>From 192.168.1.2 icmp_seq=1 Destination Net Unknown
>From 192.168.1.2 icmp_seq=2 Destination Net Unknown
Using tcpdump on the remote server, I do not see any packets making it to
my tun0 interface.
However, if I try to ping the eth1 interface of the remote server I do not
get any output on the local server, but do see the following in a tcpdump
on the remote server:
[root at localhost tinc]# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
22:25:11.660009 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 14, length 64
22:25:11.660125 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 14, length 64
22:25:11.660167 IP 192.168.1.1 > 192.168.56.101: ICMP net 192.168.1.1
unreachable - unknown, length 92
22:25:12.658727 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 15, length 64
22:25:12.658907 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 15, length 64
22:25:12.659493 IP 192.168.1.1 > 192.168.56.101: ICMP net 192.168.1.1
unreachable - unknown, length 92
22:25:13.657558 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 16, length 64
22:25:13.657679 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 16, length 64
Here is some output from the "server" upon starting the daemon:
[root at localhost hosts]# tincd -D -d3
tincd 1.0.19 (Jul 31 2012 18:48:38) starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Connection from 2.2.2.2 port 35031
Sending ID to <unknown> (2.2.2.2 port 35031)
Got ID from <unknown> (2.2.2.2 port 35031)
Sending METAKEY to client1 (2.2.2.2 port 35031)
Got METAKEY from client1 (2.2.2.2 port 35031)
Sending CHALLENGE to client1 (2.2.2.2 port 35031)
Got CHALLENGE from client1 (2.2.2.2 port 35031)
Sending CHAL_REPLY to client1 (2.2.2.2 port 35031)
Got CHAL_REPLY from client1 (2.2.2.2 port 35031)
Sending ACK to client1 (2.2.2.2 port 35031)
Got ACK from client1 (2.2.2.2 port 35031)
Connection with client1 (2.2.2.2 port 35031) activated
Sending ADD_SUBNET to client1 (2.2.2.2 port 35031)
Sending ADD_EDGE to everyone (BROADCAST)
Got ADD_SUBNET from client1 (2.2.2.2 port 35031)
Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031)
Got ADD_SUBNET from client1 (2.2.2.2 port 35031)
Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031)
Got ADD_EDGE from client1 (2.2.2.2 port 35031)
Forwarding ADD_EDGE from client1 (2.2.2.2 port 35031)
UDP address of client1 set to 2.2.2.2 port 655
Sending ANS_KEY to client1 (2.2.2.2 port 35031)
UDP address of client1 set to 2.2.2.2 port 19446
Sending REQ_KEY to client1 (2.2.2.2 port 35031)
Sending PACKET to client1 (2.2.2.2 port 35031)
Sending PACKET to client1 (2.2.2.2 port 35031)
Got ANS_KEY from client1 (2.2.2.2 port 35031)
Got ANS_KEY from client1 (2.2.2.2 port 35031)
Got PING from client1 (2.2.2.2 port 35031)
Sending PONG to client1 (2.2.2.2 port 35031)
Sending PING to client1 (2.2.2.2 port 35031)
And the same output from the "client":
[root at localhost tinc]# tincd -D -d3
tincd 1.0.19 (Jul 31 2012 18:48:38) starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Trying to connect to server1 (1.1.1.1 port 655)
Connected to server1 (1.1.1.1 port 655)
Sending ID to server1 (1.1.1.1 port 655)
Got ID from server1 (1.1.1.1 port 655)
Sending METAKEY to server1 (1.1.1.1 port 655)
Got METAKEY from server1 (1.1.1.1 port 655)
Sending CHALLENGE to server1 (1.1.1.1 port 655)
Got CHALLENGE from server1 (1.1.1.1 port 655)
Sending CHAL_REPLY to server1 (1.1.1.1 port 655)
Got CHAL_REPLY from server1 (1.1.1.1 port 655)
Sending ACK to server1 (1.1.1.1 port 655)
Got ACK from server1 (1.1.1.1 port 655)
Connection with server1 (1.1.1.1 port 655) activated
Sending ADD_SUBNET to server1 (1.1.1.1 port 655)
Sending ADD_SUBNET to server1 (1.1.1.1 port 655)
Sending ADD_EDGE to everyone (BROADCAST)
Got ADD_SUBNET from server1 (1.1.1.1 port 655)
Forwarding ADD_SUBNET from server1 (1.1.1.1 port 655)
Got ADD_EDGE from server1 (1.1.1.1 port 655)
Forwarding ADD_EDGE from server1 (1.1.1.1 port 655)
UDP address of server1 set to 1.1.1.1 port 655
Sending ANS_KEY to server1 (1.1.1.1 port 655)
Got ANS_KEY from server1 (1.1.1.1 port 655)
Got REQ_KEY from server1 (1.1.1.1 port 655)
Sending ANS_KEY to server1 (1.1.1.1 port 655)
Got PACKET from server1 (1.1.1.1 port 655)
Got PACKET from server1 (1.1.1.1 port 655)
Sending PING to server1 (1.1.1.1 port 655)
Got PONG from server1 (1.1.1.1 port 655)
Got PING from server1 (1.1.1.1 port 655)
Sending PONG to server1 (1.1.1.1 port 655)
Got PING from server1 (1.1.1.1 port 655)
Sending PONG to server1 (1.1.1.1 port 655)
So obviously at least some of my traffic is getting through the tunnel, but
it appears that it doesn't know how to get back. Is there something that I
am missing or not understanding about how tinc works?
Below is my setup and relavant configs:
"Server" configs:
tinc.conf (CentOS 6.2):
Name = server1
Device = /dev/net/tun
tinc-up:
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:FB:F4
inet addr:10.18.73.23 Bcast:10.18.73.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:fbf4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26352 errors:0 dropped:0 overruns:0 frame:0
TX packets:18080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10267976 (9.7 MiB) TX bytes:3116783 (2.9 MiB)
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.1.1 P-t-P:192.168.1.1 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:473 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1456 (1.4 KiB) TX bytes:39732 (38.8 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
10.18.73.0 * 255.255.255.0 U 1 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 tun0
default 10.18.73.1 0.0.0.0 UG 0 0 0 eth0
"Client" configs (CentOS 6.3):
tinc.conf:
Name = client1
ConnectTo = server1
Device = /dev/net/tun
tinc-up:
ifconfig $INTERFACE 192.168.1.2 netmask 255.255.0.0
ifconfig:
eth0 Link encap:Ethernet HWaddr 08:00:27:D9:9E:5F
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fed9:9e5f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11199 errors:0 dropped:0 overruns:0 frame:0
TX packets:7632 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12593716 (12.0 MiB) TX bytes:2086945 (1.9 MiB)
eth1 Link encap:Ethernet HWaddr 08:00:27:7C:40:5D
inet addr:192.168.56.101 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe7c:405d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15975 errors:0 dropped:0 overruns:0 frame:0
TX packets:8828 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1517895 (1.4 MiB) TX bytes:880057 (859.4 KiB)
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.1.2 P-t-P:192.168.1.2 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:916 errors:0 dropped:0 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:89768 (87.6 KiB) TX bytes:38472 (37.5 KiB)
.Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
10.0.2.0 * 255.255.255.0 U 1 0 0 eth0
192.168.56.0 * 255.255.255.0 U 1 0 0 eth1
192.168.0.0 * 255.255.0.0 U 0 0 0 tun0
default 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
Common files on both hosts:
hosts/server1:
Address = 1.1.1.1
Port = 655
Subnet = 10.18.73.23/32
-----BEGIN RSA PUBLIC KEY-----
blahblahblah
-----END RSA PUBLIC KEY-----
hosts/client1:
Address = 2.2.2.2
Port = 655
Subnet = 192.168.56.101/32
Subnet = 10.0.2.15/32
-----BEGIN RSA PUBLIC KEY-----
blahblah
-----END RSA PUBLIC KEY-----
Thanks in advance for your help!
-Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20120914/190a76b7/attachment-0001.html>
More information about the tinc
mailing list