in order to route packets. With these mode tinc can be used to act as a bridge
between two or more Ethernet segments.
+Bridging allows all nodes in the VPN to share the same subnet. However, if
+this is the only reason for bridging, and you do not need to tunnel broadcast
+or non-IP packets, you can alternatively use [[proxy ARP|examples/proxy-arp]]
+instead of bridging.
+
### Overview
The network setup is as follows:
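Review bot: The added paragraph after "between two or more Ethernet segments." points readers to proxy ARP but never says what they gain by avoiding bridging. The text already implies that a bridged setup tunnels broadcast and non-IP packets between all segments, so state that directly as the trade-off. "alternatively" and "instead of bridging" say the same thing twice, so one of them can go. The unchanged line above still reads "With these mode", which is worth correcting to "With this mode" in the same edit.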
192.168.0.0/16). This is no different from the configuration that would be
required if tinc was replaced with an actual switch or hub.
-> host# brctl addbr bridge
-> host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
->
-> host# ifconfig eth1 0.0.0.0
-> host# brctl addif bridge eth1
-> host# ifconfig eth1 up
->
-> After starting tinc:
->
-> host# brctl show
-> bridge name bridge id STP enabled interfaces
-> bridge 8000.005004003002 yes eth1
-> vpn
->
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
->
-> vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
-> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
+ host# brctl addbr bridge
+ host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
+
+ host# ifconfig eth1 0.0.0.0
+ host# brctl addif bridge eth1
+ host# ifconfig eth1 up
+
+ After starting tinc:
+
+ host# brctl show
+ bridge name bridge id STP enabled interfaces
+ bridge 8000.005004003002 yes eth1
+ vpn
+
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+
+ vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
+ default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
### Configuration of tinc
tinc maintains an ARP cache to determine whether any received packet should be
forwarded to the remote tinc instance.
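Review bot: In the interface setup block above, the narration line "After starting tinc:" was converted with the same prefix as the commands around it, so it will render as part of the code block rather than as prose. Suggest ending the first block after `ifconfig eth1 up`, putting "After starting tinc:" at paragraph level, and starting a second block at `brctl show`. Since this change only re-marks the lines, it would also be a good moment to separate commands typed at `host#` from their output, which currently run together in one block.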
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = segment1
-> Mode = switch
-> ConnectTo = segment2
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 0.0.0.0
-> brctl addif bridge $INTERFACE
-> ifconfig $INTERFACE up
->
-> host# ls /etc/tinc/vpn/hosts
-> segment1 segment2 ...
->
-> host# cat /etc/tinc/vpn/hosts/segment1
-> Address = 123.234.123.42
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/segment2
-> Address = 200.201.202.203
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = segment1
+ Mode = switch
+ ConnectTo = segment2
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif bridge $INTERFACE
+ ifconfig $INTERFACE up
+
+ host# ls /etc/tinc/vpn/hosts
+ segment1 segment2 ...
+
+ host# cat /etc/tinc/vpn/hosts/segment1
+ Address = 123.234.123.42
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/segment2
+ Address = 200.201.202.203
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Additional Configuration
If you want to be able to filter packets on your bridge interface, you will
need to a kernel with [ebtables](http://ebtables.sourceforge.net/) support.
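Review bot: The tinc-up script in the configuration block above expands $INTERFACE unquoted on all three command lines, and nothing stops the script if `brctl addif bridge $INTERFACE` fails, so `ifconfig $INTERFACE up` still runs on an interface that never joined the bridge. Because readers copy this script verbatim, suggest `ifconfig "$INTERFACE" 0.0.0.0`, `brctl addif bridge "$INTERFACE"` and `ifconfig "$INTERFACE" up`, with `set -e` under the `#!/bin/sh` line. As with the earlier block, the `host# cat ...` prompts and the file contents share one block; a short label per file would make it clearer what belongs in tinc.conf, tinc-up and each hosts file.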
More information For more information on Linux bridging, see the [bridge-utils
-homepage](http://www.linuxfoundation.org/en/Net:Bridge).
+homepage](http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge).
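Review bot: The sentence that carries the updated link still begins "More information For more information on Linux bridging", and the sentence before it reads "you will need to a kernel with", which is missing a verb. Since this edit already touches the paragraph, drop the duplicated "More information" and change the earlier phrase to "you will need a kernel with". The link text "bridge-utils homepage" is also split across two lines at the hyphen, which makes the diff harder to read than keeping the link on one line.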