Help linking subnets

Guus Sliepen guus at tinc-vpn.org
Thu Jan 22 20:10:49 CET 2015


On Thu, Jan 22, 2015 at 08:25:29AM +0100, Marco Avoledo wrote:

> Hi, after trying for days I ended up with a working tinc configuration of 2
> subnets, now my goal is to add 2 more subnets and communicate.
[...]
> HOST A (VPN server)
> tun0 Subnet = 192.168.10.0/24
> tun0 IP    = 192.168.10.1

Ok, this is fine.

> HOST B (VPN Client configured in a Raspberry Pi)
> eth0 NET = 192.168.2.10 255.255.255.0 gw 192.168.2.1
> tun0 Subnet = 192.168.10.0/24
> tun0 Subnet = 192.168.2.0/24

Ok, the problem here is the two Subnets. With a Subnet statement, you
tell tinc which VPN address range(s) belong to this specific node. It
looks like this node's range is just 192.168.2.0/24. So only put that
Subnet in hosts/B.

> HOST C (VPN Client configured in a Raspberry Pi)
> eth0 NET = 192.168.1.101 255.255.255.0 gw 192.168.1.1
> tun0 Subnet = 192.168.10.0/24
> tun0 Subnet = 192.168.1.0/24

The same here.

> Every Host has its own tinc-up set up like:
> 
> HOST A:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.255.0
> route add -net 192.168.1.0/24 dev $INTERFACE
> route add -net 192.168.2.0/24 dev $INTERFACE
> route add -net 192.168.3.0/24 dev $INTERFACE

This can work, but if you add a node you have to change your tinc-up
script as well. There are two other ways to do this. The simplest
way is to just use a /16 netmask on the VPN interface:

#!/bin/sh
ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0

This will also route traffic for 192.168.1.0/24 and so on to the VPN
interface. If you don't want this for some reason, you can also create a
subnet-up script in the same directory as tinc-up:

#!/bin/sh
route add -net $SUBNET dev $INTERFACE

Whenever another node goes online, this script will be called for each
of its Subnets and a corresponding route will be added.

> HOST B:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0

The problem here is that it is lacking a route for the other subnets,
and you are giving this node's VPN interface an address from host A's
Subnet. You can reuse the address you already have from the
192.168.2.0/24 Subnet on your VPN interface, if you give it a larger
netmask than the one on eth0. So I recommend you change this script to:

#!/bin/sh
# /16 here: wider than the /24 on eth0, so the local LAN keeps its more
# specific eth0 route and the other 192.168.x.0/24 ranges go to the VPN.
ifconfig $INTERFACE 192.168.2.10 netmask 255.255.0.0

> HOST C:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.3 netmask 255.255.255.0
> 
> HOST D:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.4 netmask 255.255.255.0

The same goes for these nodes.

> Every Host has its own tinc.conf set up to connect to HOST A (Except for
> HOST A itself obviously) VPN is using router mode.
> Every Host has each other's host file in proper directory, containing PUB
> KEY + VPN SUBNET + HOST SUBNET

That's great.

> For HOST A:
> Address = XXXX.XXXXX.XX
> Subnet = 192.168.10.1/32

Using a /32 is fine here.

> For HOST B:
> Subnet = 192.168.10.0/24
> Subnet = 192.168.2.0/24

I'd remove the Subnet = 192.168.10.0/24 line and use the script
suggested above. If you really want to give this node's VPN interface an
address from the 192.168.10.0/24 range, then change the Subnets to:

Subnet = 192.168.10.2/32
Subnet = 192.168.2.0/24

And the tinc-up script to:

#!/bin/sh
ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0
route add -net 192.168.1.0/24 dev $INTERFACE
route add -net 192.168.3.0/24 dev $INTERFACE

Note that I don't add 192.168.2.0/24 here. If you want to use a
subnet-up script instead of these route add commands in tinc-up, then
it should be:

#!/bin/sh
[ "$NODE" != "$NAME" ] && route add -net $SUBNET dev $INTERFACE

> For HOST C:
> Subnet = 192.168.10.0/24
> Subnet = 192.168.1.0/24

The same for this node.

> For HOST D:
> Subnet = 192.168.10.0/24

This should then be Subnet = 192.168.10.4/32.

To recap, make sure that the routing table is such that all packets for
VPN addresses go to dev $INTERFACE. That means tinc will get them. But
then tinc needs to figure out which node to send them to. It uses the
Subnet statements to figure that out. So don't give two or more nodes
exactly the same Subnet, otherwise tinc does not know which to send it
to.

Let us know if this helps.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
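As an added example (not part of Guus's reply, nor a tinc tool), a small shell check for the last point in the recap: it scans a tinc hosts/ directory and reports every Subnet claimed by more than one node. It assumes hosts files use "Subnet = a.b.c.d/len" lines as in the mail; the sample directory it builds is constructed to mirror the original configuration, where B, C and D all claim 192.168.10.0/24.

```shell
#!/bin/sh
# Report Subnet statements that appear in more than one hosts/ file.
# Output: one line per duplicated subnet, "subnet<TAB>node1 node2 ...".
find_duplicate_subnets() {
    hostsdir="$1"
    for f in "$hostsdir"/*; do
        [ -f "$f" ] || continue
        node=$(basename "$f")
        # Accept "Subnet=..." and "Subnet = ..."; drop a trailing comment.
        sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" |
        while read -r subnet; do
            printf '%s %s\n' "$subnet" "$node"
        done
    done | sort | awk '
        { nodes[$1] = (nodes[$1] == "" ? $2 : nodes[$1] " " $2); count[$1]++ }
        END { for (s in count) if (count[s] > 1) printf "%s\t%s\n", s, nodes[s] }
    ' | sort
}

# Constructed sample: the hosts/ files as posted in the original question.
make_sample_hosts() {
    dir=$(mktemp -d)
    printf 'Address = vpn.example.invalid\nSubnet = 192.168.10.1/32\n' > "$dir/A"
    printf 'Subnet = 192.168.10.0/24\nSubnet = 192.168.2.0/24\n' > "$dir/B"
    printf 'Subnet = 192.168.10.0/24\nSubnet = 192.168.1.0/24\n' > "$dir/C"
    printf 'Subnet = 192.168.10.0/24\n' > "$dir/D"
    echo "$dir"
}

# Constructed sample: the same files after applying the advice in the reply
# (each node claims only its own /32 on the VPN range plus its own LAN).
make_fixed_hosts() {
    dir=$(mktemp -d)
    printf 'Address = vpn.example.invalid\nSubnet = 192.168.10.1/32\n' > "$dir/A"
    printf 'Subnet = 192.168.10.2/32\nSubnet = 192.168.2.0/24\n' > "$dir/B"
    printf 'Subnet = 192.168.10.3/32\nSubnet = 192.168.1.0/24\n' > "$dir/C"
    printf 'Subnet = 192.168.10.4/32\n' > "$dir/D"
    echo "$dir"
}

# Usage on a real installation: find_duplicate_subnets /etc/tinc/<netname>/hosts
```

An empty result means every Subnet is owned by exactly one node, which is what tinc needs to pick the destination node for a packet.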