Problems getting tinc running
Jason
jason+tinclist at truedesign.com
Tue Feb 17 00:18:05 CET 2004
On Mon, 16 Feb 2004, Russell Horn wrote:
> So, my question (if I still have any question points left) is given my
> network configurations, how should I be configuring tinc to connect the
> two and get data to flow?
>
> Do I make a new subnet altogether for the VPN? If so, can anyone point
> me in the direction of how to get data to flow between the networks?
>
> The office is 10.0.0.3 on network 10.0.0.0/24 with an external IP of
> 1.2.3.4
> Home is 192.168.0.1 on network 192.168.0.0/24 with an external IP of
> 5.6.7.8
>
> Both external IPs are boxes running tinc and also running NAT for the
> internal networks.
My answer will probably differ a little from Guus's answer since he
generally prefers router mode over switch mode, but I prefer to setup a new
subnet, say a /24, that all of the vpn servers share. I use tinc's switch
mode so that I don't have to tell tinc about all of the various ips and
subnets that i will be sending through the VPN. So basically it works just
like if you had a big ethernet switch in the sky with an extra ethernet card
in each "vpn server" and a really really long cat5 cable going from each
server box to the switch in the sky. Then do your ip routing normally.
So in your situation, this vpn switched subnet might be 10.100.0.0/24 with
the office router being 10.100.0.1 on that subnet and the home router being
10.100.0.2 on that subnet. now just setup normal routing: enable ip
forwarding in the kernels and use route add to tell the kernels how to reach
the other subnets. if you have a larger network, you could even use routing
protocols to auto-update all of the kernel routing tables. but in your
case with just 2 networks, do something like this:
on home box:
# route add -net 10.0.0.0/24 gw 10.100.0.1
on work box:
# route add -net 192.168.0.0/24 gw 10.100.0.2
(tinc-up would be a good place for those)
note that in switch mode, each interface in ur network needs its own mac
addr. for my linux tinc boxes, i use the convention fe:fd:0:0:0:n where n is
the same as the last digit of the ip of that box on the vpn subnet. on my
windows boxes, i let the tun driver use the pseudorandom mac addr that it
comes up with automatically.
this also lets you do interesting things like if you want your connections
from your home boxes to a particular ip on the internet to go out to the
internet from your work's ISP instead of your home ISP, just route that ip
to 10.100.0.1 on your home box and it will get NATted by your work router
instead of your home router. also, since your vpn is at the ethernet mac
level, you can also use other routable protocols other than IP if you ever
need to (IPX/SPX for example).
Have fun. tinc and vpns in general can be really fun.
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
More information about the Tinc
mailing list