Example: proxy ARP as an alternative to bridging
If one wants to have a remote node appear to be on a local LAN (i.e., having an IP address inside the local LAN’s subnet), one can set up a bridge at the local node, as described in the bridging example. However, setting up a bridge is rather complex, and if one only needs unicast IP traffic to work, and broadcast or non-IP traffic is not a requirement, one can use the proxy ARP features of the operating system instead.
Since we only use unicast IP traffic, proxy ARP works with both router and switch mode.
The network setup is as follows:
- Office LAN, the LAN on interface eth0 uses the range 192.168.1.0/24. The office node uses the address 192.168.1.2.
- Road warrior, using the address 192.168.1.123.
Configuration of tinc at the office
host# cat /etc/tinc/vpn/tinc.conf
Name = office
#Optional:
#Mode = switch

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255
route add 192.168.1.123 dev $INTERFACE
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp

host# ls /etc/tinc/vpn/hosts
office roadwarrior ...

host# cat /etc/tinc/vpn/hosts/office
Address = 220.127.116.11
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

host# cat /etc/tinc/vpn/hosts/roadwarrior
Subnet = 192.168.1.123
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
Configuration of tinc at the road warrior
host# cat /etc/tinc/vpn/tinc.conf
Name = roadwarrior
#Optional:
#Mode = switch

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0
The host config files are, of course, identical to those on the office node.
Automatically adding routes
In the above configuration, the tinc-up script of the office node has a route to the road warrior's address hardcoded. To have tinc automatically add the necessary routes, remove the route add command from the tinc-up script, and instead add this subnet-up script:

host# cat /etc/tinc/vpn/subnet-up
#!/bin/sh
[ "$NAME" = "$NODE" ] && exit 0
ip route replace $SUBNET dev $INTERFACE
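The subnet-up script above installs a route for whatever $SUBNET tinc hands it. The following script, an added example that is not part of the tinc documentation, is a stricter variant for the office node: it only installs host routes for single addresses inside the office LAN (assumed here to be 192.168.1.0/24, as in the setup above), ignores any other announcement, and, when installed as both subnet-up and subnet-down, removes the route again when the peer goes away. The function name route_action and the OFFICE_LAN_PREFIX variable are this example's own; NAME, NODE, SUBNET and INTERFACE are the variables tinc exports to these scripts.

```shell
#!/bin/sh
# Added example (not from the tinc documentation): a shared subnet-up /
# subnet-down script for the office node that proxies only single addresses
# inside the office LAN. Assumption: the office LAN is 192.168.1.0/24.
OFFICE_LAN_PREFIX="192.168.1."

# route_action ACTION NAME NODE SUBNET INTERFACE
# Prints the ip(8) command to run, or nothing if the announcement must be
# ignored. It does not touch the routing table itself, so it can be tested
# without root.
route_action() {
    action=$1 name=$2 node=$3 subnet=$4 iface=$5
    # Our own Subnet announcement: nothing to route.
    [ "$name" = "$node" ] && return 0
    # Accept a bare address or an explicit /32; reject any other prefix length.
    case "$subnet" in
        */32) subnet=${subnet%/32} ;;
        */*)  echo "ignoring $subnet from $node: not a single host" >&2; return 1 ;;
    esac
    # Only addresses inside the office LAN can be proxied with proxy ARP.
    case "$subnet" in
        "$OFFICE_LAN_PREFIX"*) ;;
        *) echo "ignoring $subnet from $node: outside office LAN" >&2; return 1 ;;
    esac
    case "$action" in
        up)   echo "ip route replace $subnet dev $iface" ;;
        down) echo "ip route del $subnet dev $iface" ;;
        *)    return 1 ;;
    esac
}

# When tinc runs this file as subnet-up or subnet-down, act on the decision.
case "$(basename "$0")" in
    subnet-up)
        cmd=$(route_action up "$NAME" "$NODE" "$SUBNET" "$INTERFACE") && [ -n "$cmd" ] && $cmd ;;
    subnet-down)
        cmd=$(route_action down "$NAME" "$NODE" "$SUBNET" "$INTERFACE") && [ -n "$cmd" ] && $cmd ;;
esac
```

Install it once as /etc/tinc/vpn/subnet-up and symlink subnet-down to it; with the road warrior's host file announcing Subnet = 192.168.1.123 the script issues ip route replace 192.168.1.123 dev $INTERFACE, while an announcement such as 192.168.1.0/24 or 10.0.0.0/8 is logged and skipped.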