Windows subnets

Alan S. Lawee info at polygration.com
Thu Oct 7 00:52:07 CEST 2010


In order for you to configure this, you have to set up explicit routes, and
the computers in each location that are hosting the tinc application must be
able to route packets.

 

A little more explanation is in order. As you are referring to the nodes as
PCs, I am assuming that you are using the MS Windows operating system. Some
versions (e.g. Windows 2000) are able to function as routers out of the box,
others cannot function as routers, and yet others require some advanced
configuration. (Linux or other x-based systems can all function as routers.)

 

Computers on LAN A are configured to use the broadband router as a default
gateway in order to access the Internet.  However, in order to accomplish
the configuration you are looking for, you will have to set up a manual
route on each of the computers on LAN A which will instruct them to go to
the computer running tinc in order to reach the nodes on LAN B.  The reverse
will be true for the computers on LAN B.

 

Your IDEA1 will not work because the subnet masks do not define distinct
networks.  IDEA2 has the same problem because the tinc subnet is not
distinct from the other 2.

 

So, to follow your example IDEA2, we have in household A, LAN A: 10.30.1.x
and 3 PC’s: PC-A.11, PC-A.12 & PC-A.13, plus a router: R-A.1;  in household
B, LAN B: 10.30.2.x, we have a similar configuration, PC-B.11, PC-B.12,
PC-B.13 and R-B.1;  the tinc application is hosted on each of PC-A.11 and
PC-B.11 and will use the subnet 10.30.3.x.

 

As an example, the IP configurations are as follows:

 

PC-A.11:
    Default Gateway:  10.30.1.1/255.255.255.0
    IP Address:       10.30.1.11/255.255.255.0 on physical network interface
    IP Address:       10.30.3.1/255.255.255.0 on virtual tinc interface
    Manual entry in routing table to 10.30.2.0/255.255.255.0 via 10.30.3.2

PC-A.12, PC-A.13:
    Default Gateway:  10.30.1.1/255.255.255.0
    IP Address:       10.30.1.12/255.255.255.0 and 10.30.1.13/255.255.255.0
    Manual entry in routing table to 10.30.2.0/255.255.255.0 via 10.30.1.11

PC-B.11:
    Default Gateway:  10.30.2.1/255.255.255.0
    IP Address:       10.30.2.11/255.255.255.0 on physical network interface
    IP Address:       10.30.3.2/255.255.255.0 on virtual tinc interface
    Manual entry in routing table to 10.30.1.0/255.255.255.0 via 10.30.3.1

PC-B.12, PC-B.13:
    Default Gateway:  10.30.2.1/255.255.255.0
    IP Address:       10.30.2.12/255.255.255.0 and 10.30.2.13/255.255.255.0
    Manual entry in routing table to 10.30.1.0/255.255.255.0 via 10.30.2.11

 

Now every PC knows where to send packets destined for both the Internet and
the other household.  The PC’s hosting tinc are acting as the virtual
routers between the two sites.  Note once again that various versions of
Windows have this routing function disabled.

 

Hope this helps you,

Alan
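
Added example, not part of the original message: a Python check of the addressing plan above. It confirms the three networks are distinct, builds the Windows `route -p add` line for each PC, and shows why IDEA1 from the quoted question fails with mask 255.255.255.0. The function and variable names are hypothetical.

```python
import ipaddress
from itertools import combinations

M = "255.255.255.0"  # every mask in the thread is 255.255.255.0

def connected_net(addr, mask=M):
    """Network a PC treats as directly reachable, from its IP address and mask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def overlaps(named_nets):
    """Pairs of names whose networks overlap, i.e. are not distinct."""
    return [(a, b) for (a, na), (b, nb) in combinations(named_nets.items(), 2)
            if na.overlaps(nb)]

def route_cmd(addrs, dest, via):
    """Windows 'route -p add' line for one PC; raises if the route cannot work."""
    nets = [connected_net(a) for a in addrs]
    if any(n.overlaps(dest) for n in nets):
        raise ValueError(f"{dest} looks on-link, so packets never go to {via}")
    if not any(ipaddress.ip_address(via) in n for n in nets):
        raise ValueError(f"next hop {via} is not directly reachable")
    return f"route -p add {dest.network_address} mask {dest.netmask} {via}"

# Addressing taken from the message above.
LAN_A, LAN_B, TINC = (connected_net(a) for a in ("10.30.1.11", "10.30.2.11", "10.30.3.1"))
PLAN = {  # PC: (its own addresses, destination network, next hop)
    "PC-A.11": (["10.30.1.11", "10.30.3.1"], LAN_B, "10.30.3.2"),
    "PC-A.12": (["10.30.1.12"], LAN_B, "10.30.1.11"),
    "PC-A.13": (["10.30.1.13"], LAN_B, "10.30.1.11"),
    "PC-B.11": (["10.30.2.11", "10.30.3.2"], LAN_A, "10.30.3.1"),
    "PC-B.12": (["10.30.2.12"], LAN_A, "10.30.2.11"),
    "PC-B.13": (["10.30.2.13"], LAN_A, "10.30.2.11"),
}

def plan_commands():
    """Route command for every PC in the plan; raises on the first bad route."""
    return {pc: route_cmd(*spec) for pc, spec in PLAN.items()}

def idea1_conflicts():
    """IDEA1 from the quoted question: both gateways in 10.30.0.x, same mask."""
    return overlaps({"Household A": connected_net("10.30.0.1"),
                     "Household B": connected_net("10.30.0.129")})

if __name__ == "__main__":
    print("plan overlaps:", overlaps({"LAN A": LAN_A, "LAN B": LAN_B, "tinc": TINC}))
    for pc, cmd in plan_commands().items():
        print(f"{pc}: {cmd}")
    print("IDEA1 overlaps:", idea1_conflicts())
```
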

From: tinc-bounces at tinc-vpn.org [mailto:tinc-bounces at tinc-vpn.org] On Behalf
Of Andrew Savinykh
Sent: Wednesday, October 06, 2010 18:17
To: tinc at tinc-vpn.org
Subject: Re: Windows subnets

 

Donald,

thank you, while I still have some questions, your answer is definitely a
step in the right direction.
In the other reply I was asked what I'm trying to achieve. Let's consider
the following scenario (which is quite similar to the one described in
the tinc manual).

Let's assume we have two households, each has 3-5 computers in it.  Both
households have similar network configuration:
They are connected to internet with an ADSL line and a router.
The computers in the local network access internet via the router.
The router is configured so that one of the computers has port 665
forwarded to be accessible outside.
The external IP is changed rarely and there is dynamic DNS service
(external) in use to accommodate for the change of IP when it happens.

One household has local network addresses of 192.168.1.* and the other has
10.1.1.*
I'm installing tinc on one computer in each household. 

The goal is to let all computers in both households see each other by IP
address. Also it is desired that for computer games purposes
all computers appear to be on the same LAN (for broadcasts). But this is not
mandatory. (It appears that it's not possible without installing tinc on
every PC, as every tinc daemon serves a subnet and two tinc daemons can't
serve a part of a subnet each.)

All computers run different flavours of Windows, most being Windows 7.

I have two ideas how to set this up, although I'm not sure if any of these
two works:

IDEA1.
=====
Household A
Gateway IP: 10.30.0.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway: ????

Other PCs IP: 10.30.0.2,3,4 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.1

Tinc Subnet: 10.30.0.0/25

Household B
Gateway IP: 10.30.0.129
Gateway Mask: 255.255.255.0
Gateway Default Gateway: ????

Other PCs IP: 10.30.0.130,131,132 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.129

Tinc Subnet: 10.30.0.128/25


IDEA2.
=====
Household A
Gateway IP: 10.30.0.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway: ????

Other PCs IP: 10.30.0.2-255 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.1

Tinc Subnet: 10.30.0.0/24

Household B
Gateway IP: 10.30.1.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway: ????

Other PCs IP: 10.30.1.2-255 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.129

Tinc Subnet: 10.30.1.0/24


So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the PCs
won't appear on the same LAN and their broadcasts won't reach each other.
As far as I understand I need to install a TAP interface on each of the
participating Windows PCs, correct?
What is specified in default gateway of the gateways?


Thank you in advance,
Andrew

On 7/10/2010 4:36 a.m., Donald Pearson wrote: 

The PCs that you want to participate need to have a route for the VPN subnet
pointing to their local VPN gateway, which would be the local device with
Tinc installed on it. 

 

Theoretical configuration example.

 

VPN subnet is 10.10.10.0/24

 

At a location, one computer 192.168.1.254/24 connects to the VPN and serves
as the VPN gateway.  This gateway needs to be configured for TCP/IP
forwarding.

 

http://support.microsoft.com/kb/315236 - windows

http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ -
linux

 

Other computers local to the gateway need a route to the VPN network added
so they know how to get there.

 

In Windows:

    route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254

This will add the persistent route that remains after reboot.

 

Does that answer your question?

 

On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh <andrews at brutsoft.com>
wrote:

Thank you for your reply. As far as I can see there is no point specifying
a subnet that consists of more than one PC in the tinc config if you are
going to install tinc on every PC in the subnet anyway. Correct me if I'm wrong.
Now, assuming I'm right, there will be PCs in the subnet that don't have
tinc installed on them. How to configure these PCs so they are a part of the
subnet and participate in routing?

Cheers,
Andrew 



On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote: 

Hi,

I am not sure I understand what you mean by "joining" a subnet.

But if your "local computer" needs to reach the "remote subnet" served by
tinc, you can set the local IP of the local tinc server as the default
gateway, or add a route to the remote subnet via the local tinc IP. Of
course, computers located on the remote subnet need the same thing.

Cédric

On 06/10/10 09:37, Andrew Savinykh wrote:

 Hello all, 

I understand that each tinc daemon corresponds to one or more subnets that
it "owns"; a subnet can be a single IP or more.
Could you please tell me what I need to do to join a computer in local
network (Windows) to a subnet served by tinc?

Thank you in advance, 
Andrew 

_______________________________________________ 
tinc mailing list 
tinc at tinc-vpn.org 
http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc 

 

-- 

Cédric Lemarchand – iXSea SAS

System & Network Administrator

http://www.ixsea.com/ - cedric.lemarchand at ixsea.com

Tel: +33 1 30 08 8888 – GSM: +33 6 37 23 40 93

 