internal & external networks
Guus Sliepen
guus at sliepen.eu.org
Wed Oct 20 15:18:29 CEST 2004
On Wed, Oct 20, 2004 at 07:51:57AM -0500, Lonnie Cumberland wrote:
> I have been reading over the documentation and need to find out how Tinc
> behaves regarding the VPN and hosts as I will have to distinct
> situtations to address in our system.
>
> 1. Which is a web server for example that will service both the VPN
> connections and also standard Internet connections.
> 2. Servers that will only service VPN connections.
>
> What I mean is this. In a few other solutions that I have been
> investigating, you can handle #2 above because the vpn software will
> allow you to route ALL packets on all ports on a host through the VPN.
> This way, that machine is not even seen by the rest of the world while
> it is connected to the VPN.
This can be done with tinc in the following way: have a tinc "server"
with a known IP address that type #2 machines can connect to. Those #2
machines should have something like this in their tinc-up script:
#!/bin/sh
route add <IP address of tinc server> gw <default gateway> via <outgoing interface>
route del default
ifconfig $INTERFACE <VPN IP address and netmask>
The first route command makes sure that the server can still be reached
via the Internet, the second route command removes the route that tells
the machine that normally all packets should go straight via the Internet.
This way, machines are connected to the VPN and cannot contact or be
contacted by hosts outside the VPN.
If you want to allow type #2 machines to contact hosts on the Internet
via the VPN (for example, you let the server NAT traffic from the VPN to
the Internet), you can do that by adding "Subnet = 0.0.0.0/0" to the
servers host config file, and add this line to the other machines'
tinc-up script:
route add default dev $INTERFACE
> On the other hand, you can also set up a host to handle #1 above by not
> forcing all ports and packets from a host into the vpn by changing the
> configuration a little on this type of host.
This is the easy case, no route commands in tinc-up.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://brouwer.uvt.nl/pipermail/tinc/attachments/20041020/52797a75/attachment.pgp
More information about the tinc
mailing list