tinc vs. ipchains masquerading
Lars Kellogg-Stedman
lars at larsshack.org
Sun Mar 3 19:25:08 CET 2002
Howdy,
I tried tackling this on irc with Ivo, but I suspect that irc may really
not be the best medium for technical discussions, so I'll reprise it here.
I am trying to duplicate the "tinc from behind a masquerading firewall"
example from the tinc web site:
   (home)    <-->  (masquerading firewall)  <-->   (office)
192.168.1.21        192.168.1.1/1.2.3.4             4.3.2.1
I've encountered some sticky bits to which I was hoping someone here could
offer a solution. The symptom is messages similar to the following in the
logs on the "office" side of the connection:
Received UDP packet on port 655 from unknown source 1.2.3.4:63791
Which is, of course, true. One end of the vpn is behind a masquerading
firewall, so outbound packets from my house get rewritten at the firewall.
I haven't yet figured out a way around this problem.
The example (and Ivo) suggests the use of the ipmasqadm 'portfw' module,
but this would appear to only help for inbound connections -- e.g.,
forwarding connections to 1.2.3.4:655 to 192.168.1.21:655. In fact, if I
were to initiate the connection from (home), this would appear to be
completely unnecessary, but for the sake of matching the online example
I'll leave it for now.
I may be missing something terribly obvious here, but I'm not sure how to
fix the source port of outbound packets while still allowing the firewall
to masquerade connections.
In the hope that someone on this list can set me straight I've included
details of my configuration below:
(1) The firewall is currently running a very permissive configuration
that boils down to:
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipmasqadm portfw -a -P tcp -L 1.2.3.4 655 -R 192.168.1.21 655
ipmasqadm portfw -a -P udp -L 1.2.3.4 655 -R 192.168.1.21 655
Where 1.2.3.4 is the externally visible address of the firewall.
(2) I am initiating the connection from the "office" side of things (which
for this example has the IP address 4.3.2.1). That
is, /etc/tinc/vpn/tinc.conf contains:
At the office:
tinc.conf:
Device = /dev/net/tun
Name = atwork
PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv
ConnectTo = athome
tinc-up:
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE inet 10.0.0.1 netmask 255.0.0.0 -arp
At my house:
tinc.conf:
Device = /dev/misc/net/tun
Name = athome
PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv
tinc-up:
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE inet 10.1.0.1 netmask 255.0.0.0 -arp
hosts/athome contains:
address = 1.2.3.4
subnet = 10.1.0.0/16
hosts/atwork contains:
Address = 4.3.2.1
Subnet = 10.0.0.1/32
Thanks in advance,
-- Lars
--
Lars Kellogg-Stedman <lars at larsshack.org>
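A small diagnostic for the symptom described in this post, added here as an example and not part of the original message or of tinc itself: it reads the hosts/ files quoted above, then classifies "unknown source" log lines by whether the source IP matches a configured Address but the source port was rewritten (the masquerading case) or the IP is not known at all. The hosts file contents, log lines and port 655 are taken from the post; the function and variable names are assumptions.

```python
import re

# Constructed sample: the hosts/ files quoted in the post. tinc matches
# configuration keys case-insensitively, so "address" and "Address" are the same.
HOSTS_FILES = {
    "athome": "address = 1.2.3.4\nsubnet = 10.1.0.0/16\n",
    "atwork": "Address = 4.3.2.1\nSubnet = 10.0.0.1/32\n",
}
TINC_PORT = 655  # default tinc port, as used in the post

LOG_RE = re.compile(
    r"Received UDP packet on port (\d+) from unknown source "
    r"(\d+(?:\.\d+){3}):(\d+)"
)

def parse_hosts(files):
    """Map each tinc host name to the Address from its hosts/ file (or None)."""
    addrs = {}
    for name, text in files.items():
        addrs[name] = None
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip().lower() == "address":
                addrs[name] = value.strip()
    return addrs

def classify(line, addrs, port=TINC_PORT):
    """Return (host, verdict) for an 'unknown source' log line, else None.

    masqueraded     : IP belongs to a known host, but the source port differs
                      from the tinc port, so a NAT rewrote it on the way out.
    config-mismatch : IP and port both match a host, so the receiving side is
                      probably missing or misreading that hosts/ file.
    unknown         : IP matches no configured Address at all.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    src_ip, src_port = m.group(2), int(m.group(3))
    for name, addr in addrs.items():
        if addr == src_ip:
            return (name, "masqueraded" if src_port != port else "config-mismatch")
    return (None, "unknown")

def report(lines, addrs):
    """Classify every matching log line; non-matching lines are skipped."""
    return [r for r in (classify(l, addrs) for l in lines) if r is not None]
```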
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/