A VPN is switched mode
Marijn Vriens
marijn at metronomo.cl
Sun Jun 26 18:40:43 CEST 2005
Hi all,
I have been using tinc successfully for a while now.
However, I need to do something different from my normal setup, and I am
getting the feeling I am doing something obviously wrong.
What I want to do is hook up 5 distant Linux routers into one bigger
network. Since I need to transmit both unicast and multicast traffic,
the VPN network has to be in "Mode = switch" [Assumption 1].
I would like to use a logical dedicated sub-net where each host on the
VPN is a router for its own network, like so:
(ASCII diagrams forever! :D )

A \
B - VPN - D
C /     \ E

The VPN network has IP 192.168.20.0/24. This way I can think of
the VPN as a virtual switch that each of the routers is plugged into.
Let's reduce the number of networks to 2, for brevity's sake.
And for example the private network behind router A is 192.168.10.0/24
and B is 192.168.12.0/24
etc.
--- NETWORK A : router Koe
# cat /etc/tinc/secnet/tinc.conf
Name = koe
Device = /dev/tun
ConnectTo = jupiter
ConnectTo = proto3
PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv
AddressFamily = ipv4
Mode = switch
# cat /etc/tinc/secnet/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.20.1 netmask 255.255.255.0
--- NETWORK B : router Jupiter
$ cat /etc/tinc/secnet/tinc.conf
Name = jupiter
Device = /dev/tun
PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv
ConnectTo = proto3
ConnectTo = koe
Mode = switch
$ cat /etc/tinc/secnet/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.20.2 netmask 255.255.255.0
The public keys of all the points are on all the routers and set up
like:
# cat /etc/tinc/secnet/hosts/jupiter
Address = some.public.host
Subnet = 192.168.20.2/32
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
# cat /etc/tinc/secnet/hosts/koe
Address = someother.public.host
subnet = 192.168.20.1/32
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
As commented, I need to put the network in switched mode (need to run
multicast protocols over the VPN), and when I do that, some of the hosts
stop talking to each other. And some other connections only work when
the other host first pings. As far as I can see, it's a problem of the
arp-table not getting set up correctly. Notice that it is /some/ of the
hosts; others have no problems.
This is the reason I have TCPOnly, since it was my hope that somehow the
firewalling rules were dumping incoming UDP packets that contain the ARP
since they are the first contact between 2 servers. But it seems to make
little difference.
I'm sort of at a loss as to what could be causing these problems. Doing
tcpdumps on the external interfaces and "tincd -d5" shows that the
traffic is really hitting the tincds but the VPN interface doesn't pass
it on.
What I think I am doing wrong is setting the "Subnet = 192.168.20.2/32".
However changing it to 192.168.20.0/24 doesn't solve the problem.
Can anybody give me a hint about what the correct setup should be?
Kind Regards,
Marijn.
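One way to check a set of configurations like the ones in this post for the inconsistencies that leave only some hosts talking to each other, as an added example that is not part of the original message and not tinc's own code: a small Python parser for tinc's "Key = value" files (tinc.conf and hosts/*) plus a cross-node check. The node names, host-file names and values are taken from the post; the proto3 node's tinc.conf, its host file and the public-key placeholders are constructed here (the post shows no configuration for proto3), and the expectation that every node runs the same Mode is the checker's own assumption about a healthy tinc network.

```python
"""Consistency checker for the tinc configuration of a small switched VPN.

Added example for this post; it is not tinc's own code and not the poster's.
It parses tinc's "Key = value" files (keys are case-insensitive, '#' starts
a comment, ConnectTo and Subnet may repeat, a host file ends with a PEM
public-key block) and reports the mismatches that make a multi-node VPN
work for only some of the hosts.  The sample configs below are modelled on
the post; the proto3 node and its host file are constructed (the post shows
no config for it), and the key blocks are placeholders.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_tinc_file(text):
    """Return (variables, has_public_key) for one tinc.conf or hosts/* file.

    variables maps the lower-cased key to the list of values seen, in order.
    Parsing stops at the first PEM header, where key material begins.
    """
    variables = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            return variables, "RSA PUBLIC KEY" in line
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            variables.setdefault(m.group(1).lower(), []).append(m.group(2))
    return variables, False


def check_network(nodes):
    """Cross-check every node's tinc.conf against the host files it carries.

    nodes: {node_name: {"conf": <tinc.conf text>, "hosts": {name: text}}}
    Returns a list of findings; an empty list means nothing looked wrong.
    """
    findings, modes = [], defaultdict(list)
    for name, node in nodes.items():
        conf, _ = parse_tinc_file(node["conf"])
        # Name must match the node's own host file, which peers look up by name
        if conf.get("name", [None])[-1] != name:
            findings.append(f"{name}: Name is {conf.get('name')}, expected {name}")
        # tinc defaults to router mode when Mode is absent
        modes[conf.get("mode", ["router"])[-1].lower()].append(name)
        for peer in conf.get("connectto", []):
            hostfile = node["hosts"].get(peer)
            if hostfile is None:
                findings.append(f"{name}: ConnectTo = {peer} but hosts/{peer} is missing")
                continue
            peer_vars, has_key = parse_tinc_file(hostfile)
            if "address" not in peer_vars:
                findings.append(f"{name}: hosts/{peer} has no Address, so {name} cannot connect out to it")
            if not has_key:
                findings.append(f"{name}: hosts/{peer} has no RSA public key")
    # tinc routes on IP subnets in router mode and on learned MAC addresses in
    # switch mode, so (assumption) every node in one VPN must run the same Mode
    if len(modes) > 1:
        desc = "; ".join(f"{m} on {', '.join(n)}" for m, n in sorted(modes.items()))
        findings.insert(0, "Mode mismatch: " + desc)
    return findings


# --- constructed sample, modelled on the post (not the poster's real files) ---
HOSTS = {
    "jupiter": "Address = some.public.host\nSubnet = 192.168.20.2/32\nTCPOnly = yes\n"
               "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n",
    "koe": "Address = someother.public.host\nsubnet = 192.168.20.1/32\nTCPOnly = yes\n"
           "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n",
    # constructed third node: no Address line, so nobody can ConnectTo it
    "proto3": "Subnet = 192.168.20.3/32\nTCPOnly = yes\n"
              "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n",
}
NODES = {
    "koe": {"conf": "Name = koe\nDevice = /dev/tun\nConnectTo = jupiter\nConnectTo = proto3\n"
                    "PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv\nAddressFamily = ipv4\n"
                    "Mode = switch\n", "hosts": HOSTS},
    "jupiter": {"conf": "Name = jupiter\nDevice = /dev/tun\n"
                        "PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv\nConnectTo = proto3\n"
                        "ConnectTo = koe\nMode = switch\n", "hosts": HOSTS},
    # constructed: Mode line forgotten, so proto3 silently runs in router mode
    "proto3": {"conf": "Name = proto3\nDevice = /dev/tun\n"
                       "PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv\n", "hosts": HOSTS},
}

if __name__ == "__main__":
    for finding in check_network(NODES) or ["no inconsistencies found"]:
        print(finding)
```

Run against the constructed sample it reports the node left in router mode and the host file that lacks an Address; feeding it the real /etc/tinc/<netname>/tinc.conf and hosts/* files from each router (read into the same dict shape) gives the same checks for a live setup. The parser deliberately stops at the PEM header, so key material is never interpreted as configuration.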