1 > [[!meta title="simple-bridging-with-dhcp-client-side"]]
3 > # Company: PowerCraft Technology
4 > # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
5 > # Note: Please send me an email if you have enhanced this document
6 > # Date: 2010-05-24 / 2010-07-04
9 > # This document is free documentation; you can redistribute it and/or
10 > # modify it under the terms of the Creative Commons Attribution Share
11 > # Alike as published by the Creative Commons Foundation; either version
12 > # 3.0 of the License, or (at your option) any later version.
14 > # This document is distributed in the hope that it will be useful,
15 > # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 > # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 > # Creative Commons BY-SA License for more details.
19 > # http://creativecommons.org/licenses/by-sa/
21 > #-----------------------------------------------------------------------
23 > # for commercial support contact me; part of the revenue goes back to tinc
25 > #-----------------------------------------------------------------------
27 > # http://www.tinc-vpn.org/
28 > # http://www.tinc-vpn.org/documentation/tinc_toc
30 > #-----------------------------------------------------------------------
32 > # this is the configuration of the roxy system
34 > #-----------------------------------------------------------------------
36 > unset LANG LANGUAGE LC_ALL
37 > apt-get update; apt-get dist-upgrade
40 > apt-get install tinc/testing
42 > #-----------------------------------------------------------------------
44 > /etc/init.d/tinc stop
46 > #-----------------------------------------------------------------------
48 > # ls -hal /dev/net/tun
49 > crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun
51 > # grep tinc /etc/services
52 > tinc 655/tcp # tinc control port
55 > # getent services tinc/udp
57 > # getent services tinc/tcp
60 > cat /usr/share/doc/tinc/README.Debian
61 > zcat /usr/share/doc/tinc/README.gz | less
62 > zcat /usr/share/doc/tinc/NEWS.gz | less
63 > cat /usr/share/doc/tinc/examples/tinc-up
64 > w3m /usr/share/doc/tinc/tinc_0.html
66 > #-----------------------------------------------------------------------
68 > vim /etc/default/tinc
70 > cat /etc/default/tinc
72 > # less /etc/init.d/tinc
74 > #-----------------------------------------------------------------------
79 > #-----------------------------------------------------------------------
82 > eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c
83 > inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0
84 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
85 > RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
86 > TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
87 > collisions:0 txqueuelen:1000
88 > RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB)
89 > Interrupt:10 Base address:0x1000
91 > eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d
92 > UP BROADCAST MULTICAST MTU:1500 Metric:1
93 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
94 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
95 > collisions:0 txqueuelen:1000
96 > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
97 > Interrupt:11 Base address:0x1400
99 > eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e
100 > UP BROADCAST MULTICAST MTU:1500 Metric:1
101 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
102 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
103 > collisions:0 txqueuelen:1000
104 > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
105 > Interrupt:15 Base address:0x1800
107 > lo Link encap:Local Loopback
108 > inet addr:127.0.0.1 Mask:255.0.0.0
109 > UP LOOPBACK RUNNING MTU:16436 Metric:1
110 > RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
111 > TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
112 > collisions:0 txqueuelen:0
113 > RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB)
116 > Kernel IP routing table
117 > Destination Gateway Genmask Flags Metric Ref Use Iface
118 > 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
119 > 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
121 > #-----------------------------------------------------------------------
123 > # client01 configuration
125 > cat /etc/tinc/nets.boot
126 > echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
127 > cat /etc/tinc/nets.boot
129 > #-----------------------------------------------------------------------
131 > sudo mkdir --verbose /etc/tinc/powercraft01/
132 > sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
133 > sudo touch /etc/tinc/powercraft01/tinc.conf
135 > #-----------------------------------------------------------------------
138 > cat /etc/tinc/powercraft01/hosts/server01
140 > # on the client, copy the server's cert data to the client (into the host file below)
141 > sudo vim /etc/tinc/powercraft01/hosts/server01
143 > # on the client, add the following lines at the head of the file
144 > Address = powercraft.nl 656
145 > Address = 84.245.3.195 656
146 > Address = tinc-vpn.powercraft.nl 656
147 > Address = powercraft.nl 655
148 > Address = 84.245.3.195 655
149 > Address = tinc-vpn.powercraft.nl 655
151 > #-----------------------------------------------------------------------
153 > echo 'ConnectTo = server01
154 > Device = /dev/net/tun
157 > Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf
159 > sudo cat /etc/tinc/powercraft01/tinc.conf
160 > sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
161 > ls -hal /etc/tinc/powercraft01/tinc.conf
164 > ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up
166 > sudo cat /etc/tinc/powercraft01/tinc-up
167 > sudo chmod 755 /etc/tinc/powercraft01/tinc-up
168 > ls -hal /etc/tinc/powercraft01/tinc-up
171 > # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
172 > ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up
174 > sudo cat /etc/tinc/powercraft01/hosts/server01-up
175 > sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
176 > ls -hal /etc/tinc/powercraft01/hosts/server01-up
179 > ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down
181 > sudo cat /etc/tinc/powercraft01/tinc-down
182 > sudo chmod 755 /etc/tinc/powercraft01/tinc-down
183 > ls -hal /etc/tinc/powercraft01/tinc-down
186 > ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down
188 > sudo cat /etc/tinc/powercraft01/hosts/server01-down
189 > sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
190 > ls -hal /etc/tinc/powercraft01/hosts/server01-down
192 > #-----------------------------------------------------------------------
194 > sudo rm /etc/tinc/powercraft01/rsa_key.priv
195 > sudo rm /etc/tinc/powercraft01/hosts/client10
196 > sudo tincd -n powercraft01 -K
198 > #-----------------------------------------------------------------------
200 > # on the client, add the following lines at the head of the file
201 > sudo vim /etc/tinc/powercraft01/hosts/client01
204 > PMTUDiscovery = yes
206 > # Cipher = aes-128-cbc
209 > sudo cat /etc/tinc/powercraft01/hosts/client01
211 > # on the server, copy the client's cert data to the server (into the host file below)
212 > vim /etc/tinc/powercraft01/hosts/client01
214 > #-----------------------------------------------------------------------
216 > # watch out: when running multiple dhcp clients on one host there can be conflicts between them
218 > echo 'interface "tun1" {
219 > request subnet-mask, broadcast-address, time-offset,
220 > host-name, netbios-scope, interface-mtu, ntp-servers;
221 > }' | tee --append /etc/dhcp3/dhclient.conf
223 > cat /etc/dhcp3/dhclient.conf
225 > #-----------------------------------------------------------------------
227 > vim /etc/network/interfaces
229 > iface tun1 inet dhcp
230 > pre-up ifconfig tun1 down || true
231 > pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
232 > post-up route del default dev tun1 || true
233 > # pre-down /etc/init.d/munin-node stop || true
234 > # post-up /etc/init.d/munin-node restart || true
235 > # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
236 > # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
237 > # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
238 > # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
240 > #-----------------------------------------------------------------------
242 > ifdown tun1; ifdown tun1
244 > #-----------------------------------------------------------------------
246 > sudo /etc/init.d/tinc stop
248 > sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
250 > #-----------------------------------------------------------------------
252 > sudo /etc/init.d/tinc start
254 > #-----------------------------------------------------------------------
257 > tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
259 > #-----------------------------------------------------------------------
261 > tincd -n powercraft01 -kUSR2
262 > tail -n 100 /var/log/syslog
264 > #-----------------------------------------------------------------------
266 > May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
267 > May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830
268 > May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914
269 > May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
270 > May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
271 > May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
272 > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
273 > May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
274 > May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413
275 > May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413
276 > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
277 > May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
278 > May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01
279 > May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01
280 > May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01
281 > May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
283 > #-----------------------------------------------------------------------
289 > #-----------------------------------------------------------------------
292 > tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20
293 > inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0
294 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
295 > RX packets:27 errors:0 dropped:0 overruns:0 frame:0
296 > TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
297 > collisions:0 txqueuelen:500
298 > RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB)
301 > Kernel IP routing table
302 > Destination Gateway Genmask Flags Metric Ref Use Iface
303 > 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
304 > 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
305 > 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
307 > #-----------------------------------------------------------------------
309 > ping -c 2 192.168.3.1
310 > ping -c 2 -M dont -s 1500 192.168.3.1
312 > #-----------------------------------------------------------------------
317 > #-----------------------------------------------------------------------
319 > # Accept forwarding between our virtual private network and the local network, in both directions; note that these two rules carry no connection-state match, so every packet crossing between the two interfaces is accepted
320 > /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
321 > /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT
323 > # Use masquerade so the outside world sees only one IP source for all outgoing traffic (local-network sources are rewritten to the address of the VPN interface)
324 > /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE
326 > #-----------------------------------------------------------------------