tinc Digest, Vol 123, Issue 11

Marco Avoledo mavoledo at gmail.com
Sat Jan 24 16:11:24 CET 2015


Hi,
Thank you, Guus.
I think the /16 solution is the easiest to apply, so I modified my tinc-up on
host A to look like this:

#!/bin/sh
ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0

A route -a from HOST A shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         178.62.128.1    0.0.0.0         UG    0      0        0 eth0
10.129.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
178.62.128.0    0.0.0.0         255.255.192.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0

A route from HOST B shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

A route from HOST C shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0

(don't mind the eth1 iface on HOST A, as it is something I won't use)

For HOST B and C I decided not to use a VPN IP but an eth0 IP with a
bigger subnet, as you suggested, and it worked.

So at the moment their tinc-up are set up like this:

HOST A:
#!/bin/sh
ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0
route add -net 192.168.1.0/24 dev $INTERFACE
route add -net 192.168.2.0/24 dev $INTERFACE

HOST B:
#!/bin/sh
ifconfig $INTERFACE 192.168.2.10 netmask 255.255.0.0
route add -net 192.168.1.0/24 dev $INTERFACE

HOST C:

#!/bin/sh
ifconfig $INTERFACE 192.168.1.101 netmask 255.255.0.0
route add -net 192.168.2.0/24 dev $INTERFACE

The situation is:
From HOST A I can ping every IP on HOST B's subnet.
From HOST A I can ping only a few IPs on HOST C's subnet: 192.168.1.1 and 1.101
are okay, but 1.200 is not.
From HOST B I can ping HOST A and HOST B.
From HOST C I can ping only a few IPs on HOST B's subnet: 192.168.2.1, 2.8 and
2.10 are okay, but 2.2, 2.3 and 2.4 are not.

As you suggested, I trimmed the host files on every machine so each one only
contains its own Subnet, like this:
HOST B: Subnet = 192.168.2.0/24
HOST C: Subnet = 192.168.1.0/24

What am I doing wrong?
Thanks for your tips.

Marco


2015-01-23 12:00 GMT+01:00 <tinc-request a tinc-vpn.org>:

> Today's Topics:
>
>    1. Help linking subnets (Marco Avoledo)
>    2. Re: Help linking subnets (Guus Sliepen)
>
>
> ---------- Forwarded message ----------
> From: Marco Avoledo <mavoledo a gmail.com>
> To: tinc a tinc-vpn.org
> Cc:
> Date: Thu, 22 Jan 2015 08:25:29 +0100
> Subject: Help linking subnets
>
> Hi, after trying for days I ended up with a working tinc configuration of
> 2 subnets; now my goal is to add 2 more subnets and have them communicate.
> I might seem dumb at this point, but honestly I don't work in IT or
> networking, and so I don't have that deep knowledge.
> A little explanation of my configuration:
>
> HOST A (VPN server)
> Public IP: 1.2.3.4
> tun0 Subnet = 192.168.10.0/24
> tun0 IP    = 192.168.10.1
>
> HOST B (VPN Client configured in a Raspberry Pi)
> eth0 NET = 192.168.2.10 255.255.255.0 gw 192.168.2.1
> tun0 Subnet = 192.168.10.0/24
> tun0 Subnet = 192.168.2.0/24
>
> HOST C (VPN Client configured in a Raspberry Pi)
> eth0 NET = 192.168.1.101 255.255.255.0 gw 192.168.1.1
> tun0 Subnet = 192.168.10.0/24
> tun0 Subnet = 192.168.1.0/24
>
> HOST D (VPN Client configured in Android device, just accessing VPN
> Network)
>
> Every Host has its own tinc-up set up like:
>
> HOST A:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.255.0
> route add -net 192.168.1.0/24 dev $INTERFACE
> route add -net 192.168.2.0/24 dev $INTERFACE
> route add -net 192.168.3.0/24 dev $INTERFACE
>
> HOST B:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0
>
> HOST C:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.3 netmask 255.255.255.0
>
> HOST D:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.4 netmask 255.255.255.0
>
> Every Host has its own tinc.conf set up to connect to HOST A (except for
> HOST A itself, obviously). The VPN is using router mode.
> Every Host has every other host's file in the proper directory, containing PUB
> KEY + VPN SUBNET + HOST SUBNET
>
> For HOST A:
> Address = XXXX.XXXXX.XX
> Subnet = 192.168.10.1/32
>
> For HOST B:
> Subnet = 192.168.10.0/24
> Subnet = 192.168.2.0/24
>
> For HOST C:
> Subnet = 192.168.10.0/24
> Subnet = 192.168.1.0/24
>
> For HOST D:
> Subnet = 192.168.10.0/24
>
> Every file is exactly the same on every HOST.
>
> There are no problems when connecting, every host can connect to the
> server (HOST A) fine.
> From HOST A I can ping Host A / Host B
> From HOST B I can ping HOST A / Host B
> From HOST C I can only ping myself
> From HOST D I can only ping myself
>
> After trying a lot of net add / net remove and reading tons of replies to
> numerous questions online, and after asking on IRC, I initially managed to get
> 2 subnets seeing each other, but adding these two more definitely
> ruined the work.
>
> My question is: what do I need to add in every conf/tinc-up file in order
> to let HOST A access every single machine in every subnet 192.168.1.*,
> 192.168.2.*, 192.168.3.* and eventually vice versa, and what to add to every
> HOST B/C/D to be able to directly access every machine in every subnet as
> above.
>
> HOST A route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         178.62.128.1    0.0.0.0         UG    0      0        0 eth0
> 178.62.128.0    *               255.255.192.0   U     0      0        0 eth0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 tun0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 tun0
> 192.168.3.0     *               255.255.255.0   U     0      0        0 tun0
> 192.168.10.0    *               255.255.255.0   U     0      0        0 tun0
>
> HOST B route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
>
> HOST C route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
>
> My bad, I'm not that handy with networking stuff.
> Any hint is appreciated.
> Thanks in advance
>
> Marco
>
>
> ---------- Forwarded message ----------
> From: Guus Sliepen <guus a tinc-vpn.org>
> To: tinc a tinc-vpn.org
> Cc:
> Date: Thu, 22 Jan 2015 20:10:49 +0100
> Subject: Re: Help linking subnets
> On Thu, Jan 22, 2015 at 08:25:29AM +0100, Marco Avoledo wrote:
>
> > Hi, after trying for days I ended up with a working tinc configuration of 2
> > subnets, now my goal is to add 2 more subnets and communicate.
> [...]
> > HOST A (VPN server)
> > tun0 Subnet = 192.168.10.0/24
> > tun0 IP    = 192.168.10.1
>
> Ok, this is fine.
>
> > HOST B (VPN Client configured in a Raspberry Pi)
> > eth0 NET = 192.168.2.10 255.255.255.0 gw 192.168.2.1
> > tun0 Subnet = 192.168.10.0/24
> > tun0 Subnet = 192.168.2.0/24
>
> Ok, the problem here is the two Subnets. With a Subnet statement, you
> tell tinc which VPN address range(s) belong to this specific node. It
> looks like this node's range is just 192.168.2.0/24. So only put that
> Subnet in hosts/B.
>
> > HOST C (VPN Client configured in a Raspberry Pi)
> > eth0 NET = 192.168.1.101 255.255.255.0 gw 192.168.1.1
> > tun0 Subnet = 192.168.10.0/24
> > tun0 Subnet = 192.168.1.0/24
>
> The same here.
>
> > Every Host have its own tinc-up set up like:
> >
> > HOST A:
> > #!/bin/sh
> > ifconfig $INTERFACE 192.168.10.1 netmask 255.255.255.0
> > route add -net 192.168.1.0/24 dev $INTERFACE
> > route add -net 192.168.2.0/24 dev $INTERFACE
> > route add -net 192.168.3.0/24 dev $INTERFACE
>
> This can work, but if you add a node you have to change your tinc-up
> script as well. There are two other ways to do this. The simplest
> way is to just use a /16 netmask on the VPN interface:
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0
>
> This will also route traffic for 192.168.1.0/24 and so on to the VPN
> interface. If you don't want this for some reason, you can also create a
> subnet-up script in the same directory as tinc-up:
>
> #!/bin/sh
> route add -net $SUBNET dev $INTERFACE
>
> Whenever another node goes online, this script will be called for each
> of its Subnets and a corresponding route will be added.
>
> > HOST B:
> > #!/bin/sh
> > ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0
>
> The problem here is that it is lacking a route for the other subnets,
> and you are giving this node's VPN interface an address from host A's
> Subnet. You can reuse the address you already have from the
> 192.168.2.0/24 Subnet on your VPN interface, if you give it a larger
> netmask than the one on eth0. So I recommend you change this script to:
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.2.10 netmask 255.255.0.0
>
> > HOST C:
> > #!/bin/sh
> > ifconfig $INTERFACE 192.168.10.3 netmask 255.255.255.0
> >
> > HOST D:
> > #!/bin/sh
> > ifconfig $INTERFACE 192.168.10.4 netmask 255.255.255.0
>
> The same goes for these nodes.
>
> > Every Host have its own tinc.conf set up to connect to HOST A (Except for
> > HOST A itself obviously) VPN is using router mode.
> > Every Host have each other's host file in proper directory, containing
> PUB
> > KEY + VPN SUBNET + HOST SUBNET
>
> That's great.
>
> > For HOST A:
> > Address = XXXX.XXXXX.XX
> > Subnet = 192.168.10.1/32
>
> Using a /32 is fine here.
>
> > For HOST B:
> > Subnet = 192.168.10.0/24
> > Subnet = 192.168.2.0/24
>
> I'd remove the Subnet = 192.168.10.0/24 line and use the script
> suggested above. If you really want to give this node's VPN interface an
> address from the 192.168.10.0/24 range, then change the Subnets to:
>
> Subnet = 192.168.10.2/32
> Subnet = 192.168.2.0/24
>
> And the tinc-up script to:
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.2 netmask 255.255.255.0
> route add -net 192.168.1.0/24 dev $INTERFACE
> route add -net 192.168.3.0/24 dev $INTERFACE
>
> Note that I don't add 192.168.2.0/24 here. If you want to use a
> subnet-up script instead of these route add commands in tinc-up, then
> it should be:
>
> #!/bin/sh
> [ "$NODE" != "$NAME" ] && route add -net $SUBNET dev $INTERFACE
>
> > For HOST C:
> > Subnet = 192.168.10.0/24
> > Subnet = 192.168.1.0/24
>
> The same for this node.
>
> > For HOST D:
> > Subnet = 192.168.10.0/24
>
> This should then be Subnet = 192.168.10.4/32.
>
> To recap, make sure that the routing table is such that all packets for
> VPN addresses go to dev $INTERFACE. That means tinc will get them. But
> then tinc needs to figure out which node to send them to. It uses the
> Subnet statements to figure that out. So don't give two or more nodes
> exactly the same Subnet, otherwise tinc does not know which to send it
> to.
>
> Let us know if this helps.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus a tinc-vpn.org>
>
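To make Guus's recap concrete, the following is an added example (not from the thread and not tinc's own code) that models tinc's router-mode Subnet lookup over the hosts files quoted above: it flags Subnets claimed by more than one node, which is exactly the ambiguity Guus warns about, and resolves a destination address to the node owning the most specific matching Subnet. The hosts files are constructed from the "before" and "after" versions in the thread; tinc's Subnet weights are deliberately not modelled.

```python
import ipaddress

# Constructed hosts/ files modelled on the thread. "Before": B, C and D all claim
# Subnet = 192.168.10.0/24. "After": each node lists only its own range.
HOSTS_BEFORE = {
    "A": "Address = XXXX.XXXXX.XX\nSubnet = 192.168.10.1/32\n",
    "B": "Subnet = 192.168.10.0/24\nSubnet = 192.168.2.0/24\n",
    "C": "Subnet = 192.168.10.0/24\nSubnet = 192.168.1.0/24\n",
    "D": "Subnet = 192.168.10.0/24\n",
}
HOSTS_AFTER = {
    "A": "Address = XXXX.XXXXX.XX\nSubnet = 192.168.10.1/32\n",
    "B": "Subnet = 192.168.2.0/24\n",
    "C": "Subnet = 192.168.1.0/24\n",
}


def parse_subnets(hosts):
    """Return [(network, node)] from the 'Subnet =' lines of each hosts/<node> file."""
    table = []
    for node, text in hosts.items():
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "Subnet":
                table.append((ipaddress.ip_network(value.strip(), strict=False), node))
    return table


def duplicate_subnets(hosts):
    """Subnets claimed by more than one node: tinc cannot pick a destination for them."""
    owners = {}
    for net, node in parse_subnets(hosts):
        owners.setdefault(net, set()).add(node)
    return {str(net): sorted(nodes) for net, nodes in owners.items() if len(nodes) > 1}


def route_to_node(hosts, dst):
    """Model of the router-mode lookup: the most specific Subnet containing dst wins.

    Returns None when no Subnet matches (the packet is dropped at tinc) and
    raises when several nodes tie on the winning prefix length.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net, node) for net, node in parse_subnets(hosts) if addr in net]
    if not matches:
        return None
    best = max(net.prefixlen for net, _ in matches)
    winners = sorted({node for net, node in matches if net.prefixlen == best})
    if len(winners) > 1:
        raise ValueError(f"{dst} matches a /{best} Subnet on several nodes: {winners}")
    return winners[0]
```

With the "before" files, 192.168.10.4 is claimed by B, C and D at the same prefix length and the lookup is ambiguous; with the "after" files, 192.168.1.200 resolves to C and 192.168.10.1 still resolves to A because its /32 is more specific than any /24.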