tinc and wireless mesh

Szili Dávid tileo at sch.bme.hu
Wed Jul 30 08:49:57 CEST 2008


Hello!

I'm trying to make a wireless mesh network with the b.a.t.m.a.n. protocol, 
and I would like to secure the wireless links with tinc. My test network 
consists of 2 wireless routers with OpenWRT Kamikaze firmware, and the network 
topology is the following:

|CLIENT|eth0: 192.168.1.180|
             |
           <-->
             |
|eth0: 192.168.1.1|MESH-NODE|ath0: 192.168.5.54|
                                      |
                                    <~~>
                                      |
|ath0: 192.168.5.51|GW|eth1: 192.168.1.51| <--> |INTERNET|
       |eth0: 192.168.2.50|
                 |
                 v
       |eth0: 192.168.2.135|
            |SERVER|

My aim is to protect only the wireless links (the two routers) and the 
server with the VPN, but not the client node which connects to the 
mesh-node by UTP. So far, I've made a VPN link with the 2 routers and the 
server, and with the mesh-node's tinc-up script, all traffic from the 
mesh-node is going through the VPN, but the client can't reach the 
internet (as I saw from tinc's logs, the traffic goes to the 
gateway, but then stops).

I'm attaching my configuration, please, take a look at it, and tell me 
what's missing.

Regards,
David

PS: The ifconfig and route output was taken before the tinc VPN was up.

Configuration:

-------
server:
-------

root@server:/etc/tinc/vpn# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1d:7d:71:45:bd 
          inet addr:192.168.2.135  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:7dff:fe71:45bd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:94657 errors:0 dropped:202613106 overruns:0 frame:0
          TX packets:84621 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28777000 (27.4 MB)  TX bytes:10903255 (10.3 MB)
          Interrupt:221 Base address:0x6000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2710 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2710 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:106545 (104.0 KB)  TX bytes:106545 (104.0 KB)

root@server:/etc/tinc/vpn/hosts# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

root@server:/etc/tinc/vpn# cat tinc.conf
Name = server
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/server_priv.key
#ConnectTo = gw

root@server:/etc/tinc/vpn# cat tinc-up
#!/bin/sh

ifconfig $INTERFACE 192.168.11.1 netmask 255.255.255.0

----
gw:
----

root@GW:/etc/tinc/vpn# ifconfig
ath0      Link encap:Ethernet  HWaddr 00:1D:0F:B1:73:38 
          inet addr:192.168.5.51  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2251862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:573308 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2644318856 (2.4 GiB)  TX bytes:55110670 (52.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:0D:B9:13:A7:FC 
          inet addr:192.168.1.51  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:10 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0D:B9:13:A7:FD 
          inet addr:192.168.2.50  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4219579 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4378485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2363009463 (2.2 GiB)  TX bytes:1904172856 (1.7 GiB)
          Interrupt:12 Base address:0x6000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:323618 (316.0 KiB)  TX bytes:323618 (316.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:104.255.255.254  P-t-P:104.255.255.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 00-1D-0F-B1-73-38-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52168663 errors:0 dropped:14124 overruns:0 frame:966104
          TX packets:20197711 errors:5370 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:395
          RX bytes:574939056 (548.3 MiB)  TX bytes:3661444004 (3.4 GiB)
          Interrupt:9

root@GW:/etc/tinc/vpn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.54    0.0.0.0         255.255.255.255 UH    0      0        0 ath0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1

root@GW:/etc/tinc/vpn# cat tinc.conf
Name = gw
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/gw_priv.key
ConnectTo = server

root@GW:/etc/tinc/vpn# cat tinc-up
#!/bin/sh

ifconfig $INTERFACE 192.168.11.2 netmask 255.255.255.0

-----------
meshnode:
-----------

root@meshnode:/etc/tinc/vpn# ifconfig
ath0      Link encap:Ethernet  HWaddr 00:1D:0F:B1:91:1F 
          inet addr:192.168.5.54  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9708 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3364524 (3.2 MiB)  TX bytes:723743 (706.7 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0D:B9:13:86:68 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:287 errors:0 dropped:0 overruns:0 frame:0
          TX packets:181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85004 (83.0 KiB)  TX bytes:47965 (46.8 KiB)
          Interrupt:10 Base address:0x6000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 00-1D-0F-B1-91-1F-0A-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48680 errors:0 dropped:0 overruns:0 frame:876
          TX packets:9973 errors:33 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:195
          RX bytes:3991092 (3.8 MiB)  TX bytes:963341 (940.7 KiB)
          Interrupt:9

root@meshnode:/etc/tinc/vpn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.51    0.0.0.0         255.255.255.255 UH    0      0        0 ath0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.5.51    0.0.0.0         UG    0      0        0 ath0

root@meshnode:/etc/tinc/vpn# cat tinc.conf
Name = meshnode
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/meshnode_priv.key
ConnectTo = gw

root@meshnode:/etc/tinc/vpn# cat tinc-up
#!/bin/sh

ifconfig $INTERFACE 192.168.11.3 netmask 255.255.255.0
route add default gw 192.168.11.2 $INTERFACE
route del default gw 192.168.5.51 ath0

------
client:
------

OS: Windows XP
IP: 192.168.1.180
Gateway: 192.168.1.1
Netmask: 255.255.255.0

-------------
/hosts files:
-------------

root@server:/etc/tinc/vpn/hosts# cat server
Address = 192.168.2.135

Subnet = 192.168.11.1/32

Compression = 9

IndirectData = yes

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

root@server:/etc/tinc/vpn/hosts# cat gw
Address = 192.168.5.51

Subnet = 192.168.11.2/32

Compression = 9

IndirectData = yes

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

root@server:/etc/tinc/vpn/hosts# cat meshnode
Address = 192.168.5.54

Subnet = 192.168.11.3/32

Compression = 9

IndirectData = yes

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

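Added example, not part of the original post and not tinc's own code: a small route-table simulator that shows which interface and next hop each router picks for the addresses in the message once the posted tinc-up scripts have run. The two route tables are the ones posted above for GW and meshnode; the post-tinc-up tables are reconstructed from the tinc-up scripts (ifconfig on tap0 adds the connected 192.168.11.0/24 route, and the meshnode script swaps the default route). The Internet address 198.51.100.10 is a constructed placeholder and the helper names are my own. The lookup is a plain longest-prefix match with metric and table-order tie-breaking, not a model of every kernel routing rule (no policy routing, no source-address selection).

```python
import ipaddress

# Route tables copied from the `route -n` output posted above (taken before
# tinc was started).
GW_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.54    0.0.0.0         255.255.255.255 UH    0      0        0 ath0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1
"""

MESHNODE_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.51    0.0.0.0         255.255.255.255 UH    0      0        0 ath0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.5.51    0.0.0.0         UG    0      0        0 ath0
"""

CLIENT = "192.168.1.180"        # the Windows XP client from the post
INTERNET = "198.51.100.10"      # constructed placeholder for "some Internet host"


def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface, metric) tuples.
    gateway is None for directly connected routes (0.0.0.0 in the table)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = f[:8]
        net = ipaddress.IPv4Network((dest, mask))
        routes.append((net, None if gw == "0.0.0.0" else gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Ties go to the lower metric, then to table
    order. Returns (iface, gateway) or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def apply_tinc_up(routes, tap_addr, vpn_gw=None, old_default=None):
    """Reproduce what the posted tinc-up scripts do to a route table:
    `ifconfig tap0 <addr> netmask 255.255.255.0` adds the connected
    192.168.11.0/24 route, and on the meshnode the script then adds a
    default route via the VPN and deletes the old one via ath0."""
    new = list(routes)
    tap_net = ipaddress.IPv4Network((tap_addr, "255.255.255.0"), strict=False)
    new.append((tap_net, None, "tap0", 0))
    if vpn_gw is not None:
        new.append((ipaddress.IPv4Network("0.0.0.0/0"), vpn_gw, "tap0", 0))
        new = [r for r in new if not (r[0].prefixlen == 0 and r[1] == old_default)]
    return new


def forwarding_decisions():
    """Next hop each router picks after tinc-up, for the addresses in the post."""
    gw = apply_tinc_up(parse_routes(GW_ROUTES), "192.168.11.2")
    mesh = apply_tinc_up(parse_routes(MESHNODE_ROUTES), "192.168.11.3",
                         vpn_gw="192.168.11.2", old_default="192.168.5.51")
    return {
        "meshnode -> internet": lookup(mesh, INTERNET),
        "meshnode -> client":   lookup(mesh, CLIENT),
        "gw -> internet":       lookup(gw, INTERNET),
        "gw -> meshnode (vpn)": lookup(gw, "192.168.11.3"),
        "gw -> client":         lookup(gw, CLIENT),
    }


if __name__ == "__main__":
    for path, (iface, gw) in forwarding_decisions().items():
        hop = f"via {gw}" if gw else "directly connected"
        print(f"{path:22s} {iface:5s} {hop}")
```

Running it shows the meshnode sending Internet-bound traffic into tap0 towards 192.168.11.2, as the post describes, while GW resolves the client's address 192.168.1.180 to its own directly connected 192.168.1.0/24 on eth0 (the interface whose ifconfig output above shows no RUNNING flag and zero packets) rather than back through tap0, because nothing in the posted tables or tinc-up scripts gives GW a route to 192.168.1.0/24 via the VPN. Whether that is the actual cause of the stall is something to confirm on the boxes, for instance with tcpdump on GW's eth0 and tap0; the script only makes the route choice explicit.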