in order to route packets. With these mode tinc can be used to act as a bridge
between two or more Ethernet segments.
+Bridging allows all nodes in the VPN to share the same subnet. However, if
+this is the only reason for bridging, and you do not need to tunnel broadcast
+or non-IP packets, you can alternatively use [[proxy ARP|examples/proxy-arp]]
+instead of bridging.
+
### Overview
The network setup is as follows:
192.168.0.0/16). This is no different from the configuration that would be
required if tinc was replaced with an actual switch or hub.
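Review bot: the new paragraph should spell out the trade-off it is steering readers around: bridging joins the two Ethernet segments into one broadcast domain, so every broadcast and multicast frame (ARP, DHCP, mDNS, NetBIOS) on either side now crosses the tunnel, and every host on the remote segment becomes a layer-2 neighbour of every local host; proxy ARP avoids both. Two context lines also need attention: "With these mode tinc can be used" should read "With this mode tinc can be used", and the Overview paragraph starts with "192.168.0.0/16). This is no different", a closing parenthesis with no opening sentence, which suggests the network diagram that followed "The network setup is as follows:" is not in the file this diff was taken from and should be restored.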
-> host# brctl addbr bridge
-> host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
->
-> host# ifconfig eth1 0.0.0.0
-> host# brctl addif bridge eth1
-> host# ifconfig eth1 up
->
-> After starting tinc:
->
-> host# brctl show
-> bridge name bridge id STP enabled interfaces
-> bridge 8000.005004003002 yes eth1
-> vpn
->
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
->
-> vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
-> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
+ host# brctl addbr bridge
+ host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
+
+ host# ifconfig eth1 0.0.0.0
+ host# brctl addif bridge eth1
+ host# ifconfig eth1 up
+
+ After starting tinc:
+
+ host# brctl show
+ bridge name bridge id STP enabled interfaces
+ bridge 8000.005004003002 yes eth1
+ vpn
+
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+
+ vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
+ default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
### Configuration of tinc
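Review bot: the `brctl show` output reports "STP enabled yes" but none of the commands above turn it on; current kernels create bridges with STP off, so either add `brctl stp bridge on` before "After starting tinc:" or change the sample output to "no". Enabling it is not free: the vpn port spends the listening and learning states (15 s each by default) blocking after tinc-up adds it, and BPDUs are sent across the tunnel; it only pays off when a second layer-2 path between the segments could form a loop. As a style point, `brctl` and `ifconfig` are unmaintained on modern distributions; the same setup with iproute2 is `ip link add name bridge type bridge`, `ip link set dev eth1 master bridge`, `ip addr add 192.168.10.20/16 dev bridge`, and `bridge link show` replaces `brctl show`.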
-Note that switch' and hub' mode do not utilize the Subnet variable in the host
+Note that switch and hub mode do not utilize the Subnet variable in the host
files. Instead, any packet received by the bridge interface will be passed to
the TUN/TAP device for processing. If your tinc instance is running in hub
mode, all packets are forwarded to the remote tinc instance. In switch mode,
tinc maintains an ARP cache to determine whether any received packet should be
forwarded to the remote tinc instance.
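Review bot: the context sentence "tinc maintains an ARP cache to determine whether any received packet should be forwarded" is wrong and should be corrected in the same change: in switch mode tinc learns the source MAC address of each frame it sees, like a learning switch, and forwards by destination MAC; frames to an unknown or broadcast/multicast destination are flooded to all nodes. ARP is never consulted. Two smaller points in the same paragraph: "any packet received by the bridge interface will be passed to the TUN/TAP device" only holds for frames whose destination MAC was learned on the vpn port or is unknown/broadcast, and "forwarded to the remote tinc instance" in hub mode means all other nodes, not just one, once a third node joins. The stray quote characters in "switch' and hub'" are removed correctly.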
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = segment1
-> Device = /dev/tun
-> Mode = switch
-> ConnectTo = segment2
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig vpn 0.0.0.0
-> brctl addif bridge vpn
-> ifconfig vpn up
->
-> host# ls /etc/tinc/vpn/hosts
-> segment1 segment2 ...
->
-> host# cat /etc/tinc/vpn/hosts/segment1
-> Address = 123.234.123.42
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/segment2
-> Address = 200.201.202.203
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = segment1
+ Mode = switch
+ ConnectTo = segment2
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif bridge $INTERFACE
+ ifconfig $INTERFACE up
+
+ host# ls /etc/tinc/vpn/hosts
+ segment1 segment2 ...
+
+ host# cat /etc/tinc/vpn/hosts/segment1
+ Address = 123.234.123.42
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/segment2
+ Address = 200.201.202.203
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Additional Configuration
If you want to be able to filter packets on your bridge interface, you will
need to a kernel with [ebtables](http://ebtables.sourceforge.net/) support.
More information For more information on Linux bridging, see the [bridge-utils
-homepage](http://www.linuxfoundation.org/en/Net:Bridge).
+homepage](http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge).
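Review bot: the new tinc-up script silently does nothing useful if the bridge does not exist yet, which is the normal case when tincd starts from an init script before whatever created `bridge`; `brctl addif bridge $INTERFACE` fails, the script has no `set -e`, and the tap interface comes up unbridged with no error visible to the reader. Either create the bridge in the script (`brctl addbr bridge 2>/dev/null` before the addif, or with iproute2 `ip link set dev "$INTERFACE" master bridge up`) or say in the text that the bridge must be created first. Switching from the hard-coded `vpn` to `$INTERFACE` is the right fix, since tinc sets that variable for tinc-up. Dropping `Device = /dev/tun` is also correct for Linux, where tinc's default is /dev/net/tun and switch mode uses it as a tap device. In the Additional Configuration context: "you will need to a kernel" is missing "have", and "More information For more information on Linux bridging" repeats itself. The replaced Linux Foundation URL has since moved again, to https://wiki.linuxfoundation.org/networking/bridge, and the ebtables pointer would be better served by naming nftables' bridge family, which is the maintained way to filter on a bridge today.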