tinc Digest, Vol 123, Issue 11

Guus Sliepen guus at tinc-vpn.org
Sat Jan 24 16:51:44 CET 2015


On Sat, Jan 24, 2015 at 04:11:24PM +0100, Marco Avoledo wrote:

> I think the /16 solution is the easier to apply so I modified my tinc-up in
> host A to be like
> 
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0

Ok.

> So at the moment their tinc-up are set up like this:
> 
> HOST A:
> #!/bin/sh
> ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0
> route add -net 192.168.1.0/24 dev $INTERFACE
> route add -net 192.168.2.0/24 dev $INTERFACE

You don't need those route add -net ... statements anymore, since the
ifconfig with netmask 255.255.0.0 will already have added a route to the
kernel's routing table that covers those /24 subnets.

> The situation is:
> From HOST A I can ping every IP of HOST B's subnet.
> From HOST A I can ping only a few IPs on HOST C's subnet: 192.168.1.1 and 1.101
> are okay, but 1.200 is not.
> From HOST B I can ping HOST A and HOST B.
> From HOST C I can ping only a few IPs on HOST B's subnet: 192.168.2.1, 2.8 and
> 2.10 are okay, but 2.2, 2.3 and 2.4 are not.

I suspect packets from host A and B will be sent to other hosts on C's
LAN just fine; it's the return packets that are the problem. You have to
ensure that hosts on C's LAN know that they should send packets for host
A or B to host C. There are several ways to do this:

1) Add routes to every node on C's LAN to send packets for the VPN
address range to C.

2) Add a route on the gateway of C's LAN to redirect packets for the VPN
address range to C.

3) Run tinc on C's gateway instead.

4) Set up NAT on host C such that packets from the VPN to its LAN are
masqueraded.

Options 1 and 2 require you to change settings on other hosts on C's
LAN. Option 3 is the nicest option, but this assumes you can actually
install tinc on the gateway device. Option 4 only requires changes on
host C, but the drawback is that this only allows VPN hosts to initiate
connections to hosts on C's LAN, not the other way around.

I assume there is a similar problem on host B. But it's also strange
that you can in fact reach 192.168.1.1, 192.168.2.1 and 192.168.2.8...

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
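As an added example (not code from the thread or from the tinc project) of option 4 above, here is a combined tinc-up/tinc-down script for host C that masquerades VPN-originated traffic towards C's LAN, so LAN hosts answer C directly and need no route for the VPN range. Everything beyond the /16 netmask and the 192.168.1.0/24 and 192.168.2.0/24 subnets is an assumption: C's LAN interface is taken to be eth0, C's own VPN address to be 192.168.1.250, the remote sources to masquerade to be host A's VPN range and host B's LAN, and iptables with the conntrack match to be installed. A DRY_RUN=1 mode prints the commands instead of executing them so the rules can be inspected before use.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project): tinc-up/tinc-down
# for host C implementing "masquerade VPN -> LAN" (option 4 in the reply).
# Assumed values, override via the environment:
#   LAN_IF      C's LAN-side interface
#   VPN_ADDR    C's address on the VPN interface (inside the /16)
#   REMOTE_NETS sources that must reach C's LAN: A's VPN range, B's LAN
# tinc exports $INTERFACE when it runs tinc-up and tinc-down.

LAN_IF="${LAN_IF:-eth0}"
VPN_ADDR="${VPN_ADDR:-192.168.1.250}"
VPN_MASK="${VPN_MASK:-255.255.0.0}"                 # the /16 used in the thread
REMOTE_NETS="${REMOTE_NETS:-192.168.10.0/24 192.168.2.0/24}"
DRY_RUN="${DRY_RUN:-0}"                             # 1: print commands, don't run them

# Execute a command, or echo it when DRY_RUN=1 (lets the rules be reviewed offline).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install (-A) or delete (-D) the rules for one VPN interface.
nat_rules() {
    op="$1"
    ifc="$2"
    for net in $REMOTE_NETS; do
        # Rewrite the source of VPN->LAN packets to C's LAN address; replies
        # then go to C without any VPN route on the LAN hosts or gateway.
        run iptables -t nat "$op" POSTROUTING -s "$net" -o "$LAN_IF" -j MASQUERADE
        # Forward only flows initiated from the VPN side (matters when the
        # FORWARD policy is DROP); LAN hosts cannot initiate towards the VPN.
        run iptables "$op" FORWARD -i "$ifc" -o "$LAN_IF" -s "$net" -j ACCEPT
    done
    # Let the LAN's replies to those flows back through.
    run iptables "$op" FORWARD -i "$LAN_IF" -o "$ifc" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# tinc-up: address the VPN interface with the /16 netmask (this already
# covers the /24 subnets, so no separate route add is needed), enable
# forwarding and add the NAT rules.
vpn_up() {
    run ifconfig "$1" "$VPN_ADDR" netmask "$VPN_MASK"
    run sysctl -q -w net.ipv4.ip_forward=1
    nat_rules -A "$1"
}

# tinc-down: remove the rules again; the interface goes away with tinc.
vpn_down() {
    nat_rules -D "$1"
}

# tinc invokes the script as .../tinc-up or .../tinc-down, so one file can
# be symlinked under both names. Under any other name nothing is executed.
case "${0##*/}" in
    tinc-up)   vpn_up "$INTERFACE" ;;
    tinc-down) vpn_down "$INTERFACE" ;;
esac
```

Host C's tinc host file keeps its Subnet = 192.168.1.0/24 line; the script only changes what C does with packets it forwards. Because the source address is rewritten, this gives exactly the one-way behaviour described above: VPN hosts can open connections to C's LAN, but LAN hosts still have no path to A or B unless one of options 1 to 3 is used as well.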