tinc vs. ipchains masquerading

Lars Kellogg-Stedman lars at larsshack.org
Sun Mar 3 19:25:08 CET 2002


Howdy,

I tried tackling this on irc with Ivo, but I suspect that irc may really
not be the best medium for technical discussions, so I'll reprise it here.

I am trying to duplicate the "tinc from behind a masquerading firewall"
example from the tinc web site:

  (home)       <--> (masquerading firewall) <--> (office)
  192.168.1.21      192.168.1.1/1.2.3.4          4.3.2.1

I've encountered some sticky bits to which I was hoping someone here could
offer a solution.  The symptom is messages similar to the following in the
logs on the "office" side of the connection:

  Received UDP packet on port 655 from unknown source 1.2.3.4:63791

Which is, of course, true.  One end of the vpn is behind a masquerading
firewall, so outbound packets from my house get rewritten at the firewall.
I haven't yet figured out a way around this problem.

The example (and Ivo) suggest the use of the ipmasqadm 'portfw' module,
but this would appear to only help for inbound connections -- e.g.,
forwarding connections to 1.2.3.4:655 to 192.168.1.21:655.  In fact, if I
were to initiate the connection from (home), this would appear to be
completely unnecessary, but for the sake of matching the online example
I'll leave it for now.

I may be missing something terribly obvious here, but I'm not sure how to
fix the source port of outbound packets while still allowing the firewall
to masquerade connections.

In the hope that someone on this list can set me straight I've included
details of my configuration below:

(1) The firewall is currently running a very permissive configuration
    that boils down to:

      ipchains -A forward -s 192.168.1.0/24 -j MASQ
      ipmasqadm portfw -a -P tcp -L 1.2.3.4 655 -R 192.168.1.21 655
      ipmasqadm portfw -a -P udp -L 1.2.3.4 655 -R 192.168.1.21 655

    Where 1.2.3.4 is the externally visible address of the firewall.

(2) I am initiating the connection from the "office" side of things (which
    for this example has the IP address 4.3.2.1).  That
    is, /etc/tinc/vpn/tinc.conf contains:

      At the office:

        tinc.conf:

          Device = /dev/net/tun
          Name = atwork
          PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv
          ConnectTo = athome

        tinc-up:

          ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
          ifconfig $INTERFACE inet 10.0.0.1 netmask 255.0.0.0 -arp

      At my house:

        tinc.conf:

          Device = /dev/misc/net/tun
          Name = athome
          PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv

        tinc-up:

          ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
          ifconfig $INTERFACE inet 10.1.0.1 netmask 255.0.0.0 -arp

    hosts/athome contains:

      address = 1.2.3.4
      subnet = 10.1.0.0/16

    hosts/atwork contains:

      Address = 4.3.2.1
      Subnet = 10.0.0.1/32

Thanks in advance,

-- Lars

-- 
Lars Kellogg-Stedman <lars at larsshack.org>

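The mechanism behind the "unknown source" line in the post above, as an added
illustration that is not part of the original message and not code from tinc:
a small model of an ipchains-style masquerading firewall (MASQ rewriting the
source port of outbound UDP, plus a portfw rule that only rewrites the
destination of inbound packets) next to a daemon that identifies a UDP peer by
the (address, port) pair in its host file.  The addresses, the port 655 and the
observed port 63791 come from the post; the host table, the start of the port
pool, the by-address fallback lookup and the exact order of packets are
constructed here and are not known from the post.

```python
"""Why a masqueraded peer shows up as an "unknown source".

Constructed model, not tinc code.  It reproduces the log line quoted in the
post from the configuration the post describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Masquerader:
    """Minimal model of 'ipchains ... -j MASQ' plus 'ipmasqadm portfw'."""
    external_ip: str
    next_port: int = 63791        # constructed start of the masquerade port pool
    flows: Dict[Endpoint, int] = field(default_factory=dict)   # inside src -> external port
    portfw: Dict[int, Endpoint] = field(default_factory=dict)  # external port -> inside dst

    def add_portfw(self, local_port: int, remote: Endpoint) -> None:
        self.portfw[local_port] = remote

    def outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of an outbound packet.  The external port is
        allocated from the pool on first use, whatever the inside port was."""
        if src not in self.flows:
            self.flows[src] = self.next_port
            self.next_port += 1
        return (self.external_ip, self.flows[src])

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Deliver an inbound packet: a reply to a masqueraded flow, or a
        portfw hit.  Anything else is dropped (None).  Note that portfw only
        changes the destination of inbound packets; it never fixes the source
        port of outbound ones."""
        if dst[0] != self.external_ip:
            return None
        for inside_src, ext_port in self.flows.items():
            if ext_port == dst[1]:
                return inside_src
        return self.portfw.get(dst[1])


def lookup_peer(hosts: Dict[str, Endpoint], src: Endpoint) -> Optional[str]:
    """Strict match on (address, port), which is what the quoted log line implies."""
    for name, ep in hosts.items():
        if ep == src:
            return name
    return None


def lookup_peer_by_address(hosts: Dict[str, Endpoint], src: Endpoint) -> Optional[str]:
    """Hypothetical relaxed match that ignores the source port.  Shown only to
    make clear what a fix would have to tolerate; this is not what tinc does."""
    for name, (addr, _port) in hosts.items():
        if addr == src[0]:
            return name
    return None


def receive(hosts: Dict[str, Endpoint], listen_port: int, src: Endpoint,
            strict: bool = True) -> str:
    """Return the log line the receiving daemon would emit for a UDP packet."""
    name = (lookup_peer if strict else lookup_peer_by_address)(hosts, src)
    if name is None:
        return f"Received UDP packet on port {listen_port} from unknown source {src[0]}:{src[1]}"
    return f"Received UDP packet on port {listen_port} from {name}"


def simulate() -> List[str]:
    """Office sends to 1.2.3.4:655 (handled by portfw); the home daemon then
    sends UDP out through MASQ.  Returns the office daemon's log lines for
    that outbound packet, strict lookup first, relaxed lookup second."""
    fw = Masquerader(external_ip="1.2.3.4")
    fw.add_portfw(655, ("192.168.1.21", 655))
    office_hosts = {"athome": ("1.2.3.4", 655)}  # from hosts/athome in the post

    delivered_to = fw.inbound(("1.2.3.4", 655))           # portfw: reaches the home box
    as_seen_by_office = fw.outbound(("192.168.1.21", 655))  # MASQ: fresh source port
    assert delivered_to == ("192.168.1.21", 655)
    return [
        receive(office_hosts, 655, as_seen_by_office, strict=True),
        receive(office_hosts, 655, as_seen_by_office, strict=False),
    ]


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The strict lookup yields exactly the line quoted in the post, and the model
shows why the portfw rules cannot help: they act on the destination of
inbound packets, while the mismatch is in the source port that MASQ picks for
outbound ones.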

Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/