Windows subnets
Donald Pearson
donaldwhpearson at gmail.com
Thu Oct 7 03:14:57 CEST 2010
Sure it's possible, you just need to assign each node a new IP in the
10.30.1.0/24 network. It's not part of the Tinc configuration, it's part of
the network configuration of each computer.
All Tinc is doing, is creating a layer 2 path for them to reach each other.
Yes broadcasts will traverse the VPN. It literally is virtual ethernet over
the internet. :)
On Wed, Oct 6, 2010 at 9:04 PM, Andrew Savinykh <andrews at brutsoft.com>wrote:
> Donald, thank you for this.
>
> Do i read you right that to be able to receive broadcasts across LANs I
> have to use the address space that I already have and make sure that this
> space is the same for both LANs?
>
> What I'm trying to do is to define a *completely new subnet* that will act
> as the common LAN foR both LAN A and LAN B.
>
> To re-iterate:
> I have one router that is 10.1.1.1 and gives out DHCP 10.1.1.* and the
> other router 192.168.0.1 that gives out DHCP 192.168.0.*.
> I would like to leave these address spaces alone and define a new on
> 10.30.1.* that computer from both networks can participate in effectively
> forming a new virtual LAN.
>
> Is this possible with tinc? I know this possible with other software, I'm
> just having hard time figuring out if this is something I can configure tinc
> to do.
>
> Andrew
>
>
>
>
> On 7/10/2010 1:13 p.m., Donald Pearson wrote:
>
> Sorry you're right. I was looking at the IP address schema where all nodes
> would use the 10.30.0.0/24 network.
>
> There's no need to install tap adapters on the other devices. You have
> basically 2 realistic options if you want the LAN function
>
> You can specify multiple IP addresses for a single interface, even in
> Windows. You'll find this under the TCP/IP properties of the network
> adapter. And clicking on the Advanced button on the page where you can set
> a static IP or designate DHCP.
>
> A 2nd option would be to re-ip one of your locations so that they all use
> the same subnet natively.
>
> Bridging the tap adapter allows your network frames received by your
> physical interface to reach the TAP adapter and therefore traverse the VPN.
> This enables later 2 connectivity, the same way a real switch does. Virtual
> Ethernet over the Internet is how I like to describe it. This is how I have
> my VPN configured personally.
>
> Without the bridge, a frame that is received at the physical interface has
> the frame stripped off and the packet inspected. Now we're talking layer
> 3. If the packet is destined for a network on the other side of the VPN,
> your Tinc node frames the packet back up with a new frame, and sends it over
> the VPN. This act of stripping the frame, reading the packet for the
> network destination, and applying a new frame to get it there is what
> Routing is. Without the bridge in place, your Tinc node is literally
> routing between the physical interface and the tap interface. With the
> bridge, you're creating a layer 2 pathway so the frames can shoot across
> directly. Of course this means both sides need to be on the same subnet
> which you obviously already know.
>
> Be warned that this configuration comes with it's drawbacks. DHCP will
> traverse your VPN. I had location A computers getting addresses from
> location B which makes for some really inefficient internet traffic.
>
> Regards,
> Donald
> On Wed, Oct 6, 2010 at 7:57 PM, Andrew Savinykh <andrews at brutsoft.com>wrote:
>
>> Donald, thank you for the explanation.
>>
>> I understand the part about the switch mode and absence of subnet in
>> tinc.config.
>> However, could you please explain what bridging the tap adapter will
>> achieve and what kind of ip address will be used on tinc nodes and in the
>> rest of the network.
>>
>> In my example one household has local network addresses of 192.168.1.* and
>> the other has 10.1.1.*
>> If we don't install tap interfaces on other PC's this means that the other
>> PCs won't have another ip address.
>> I understand that bridging is going to solve this somehow, but I still
>> don't see how broadcast from 10.1.1.7 can reach 192.168.1.5 in the other
>> LAN.
>>
>> In short I don't understand how bridging to adapters work. I'll try to
>> google this topic to get a better understanding, meanwhile, could you please
>> explain
>> how this applies to our tinc configuration case.
>>
>> Also can you briefly describe what we achieve by setting PMTUDiscovery =
>> Yes. I read the description in manual but it didn't tell me much.
>>
>> Thank you again for all your help,
>> Andrew
>>
>>
>>
>>
>> On 7/10/2010 11:40 a.m., Donald Pearson wrote:
>>
>> Oh okay. Yes you can make it appear as a single LAN. Your Tinc nodes
>> will behave as bridges instead of routers (or gateways as you put it).
>>
>> Your tinc nodes will have the same subnet mask and default router as all
>> your other devices at that location.
>>
>> You will need to run the add-tap script only on the tinc nodes on each
>> side.
>>
>> You will then need to bridge the tap adapter to the local area connection
>> on the tinc nodes on each side.
>>
>> This will create a bridge network object under your network connections.
>> This bridge will have the IP configuration you illustrated.
>>
>> You have the right idea in segregating the IP distribution while still
>> using the 255.255.255.0 subnet mask.
>>
>> One both nodes are up and connected, and the interfaces have been bridged
>> on the Tinc nodes for each location, you will have a virtual LAN between the
>> two locations.
>>
>> Your Tinc configuration will be Switch mode. This means no Subnet
>> configurations are required in your tinc.conf
>>
>> Your tinc.conf will be something like
>>
>> Name = NodeA
>> ConnectTo = NodeB
>> Interface = <something>
>> Mode = switch
>> PrivateKeyFile = <path to the rsa_key.priv>
>>
>> Host files will be something like
>> For the host file named "NodeA"
>>
>> Address = <host.dyndns.org>
>> PMTUDiscovery = Yes
>>
>> --Begin RSA etc. etc.--
>>
>>
>> On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh <andrews at brutsoft.com>wrote:
>>
>>> Donald,
>>>
>>> thank you, while I still have some questions, your answer is definitely a
>>> step in the right direction.
>>> In the other reply I was asked what I'm trying to achieve. Let's consider
>>> the following scenario (which is quite similar to the one that described in
>>> the tinc manual).
>>>
>>> Let's assume we have two households, each has 3-5 computers in it. Both
>>> house holds have similar network configuration:
>>> They are connected to internet with an ADSL line and a router.
>>> The computers in the local network access internet via the router.
>>> The router is configured so that one of the computers have port 665
>>> forwarded to be accessible outside.
>>> The external IP is changed rarely and there is dynamic DNS service
>>> (external) in use to accommodate for the change of IP when it happens.
>>>
>>> One household has local network addresses of 192.168.1.* and the other
>>> has 10.1.1.*
>>> I'm installing tinc on one computer in each household.
>>>
>>> The goal is to let all computers in both house holds to see each other by
>>> ip address. Also it is desired that for computer games purposes
>>> all computers appear to be on the same LAN (for broadcasts). But this is
>>> not mandatory. (it appears that it's not possible without installing tinc on
>>> every PC
>>> as every tinc daemon serves a subnet and two tinc daemons can't serve a
>>> part of subnet each)
>>>
>>> All computers run different flavours of Windows, most being Windows 7.
>>>
>>> I have two ideas how to set this up, although I'm not sure if any of
>>> these two works:
>>>
>>> IDEA1.
>>> =====
>>> Household A
>>> Gateway IP: 10.30.0.1
>>> Gateway Mask: 255.255.255.0
>>> Gateway Default Gateway: ????
>>>
>>> Other PCs IP: 10.30.0.2,3,4 etc
>>> Other PCs Mask: 255.255.255.0
>>> Other PCs Deafult Gateway: 10.30.0.1
>>>
>>> Tinc Subnet: 10.30.0.0/25
>>>
>>> Household B
>>> Gateway IP: 10.30.0.129
>>> Gateway Mask: 255.255.255.0
>>> Gateway Default Gateway: ????
>>>
>>> Other PCs IP: 10.30.0.130,131,132 etc
>>> Other PCs Mask: 255.255.255.0
>>> Other PCs Default Gateway: 10.30.0.129
>>>
>>> Tinc Subnet: 10.30.0.128/25
>>>
>>>
>>> IDEA2.
>>> =====
>>> Household A
>>> Gatway IP: 10.30.0.1
>>> Gateway Mask: 255.255.255.0
>>> Gateway Default Gateway: ????
>>>
>>> Other PCs IP: 10.30.0.2-255 etc
>>> Other PCs Mask: 255.255.255.0
>>> Other PCs Default Gateway: 10.30.0.1
>>>
>>> Tinc Subnet: 10.30.0.0/24
>>>
>>> Household B
>>> Gateway IP: 10.30.1.1
>>> Gateway Mask: 255.255.255.0
>>> Gateway Default Gateway: ????
>>>
>>> Other PCs IP: 10.30.1.2-255 etc
>>> Other PCs Mask: 255.255.255.0
>>> Other PCs Default Gateway: 10.30.0.129
>>>
>>> Tinc Subnet: 10.30.1.0/24
>>>
>>>
>>> So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the pc's
>>> won't appear on the same LAN and their broadcasts won't reach each other.
>>> As far as I understand I need to install TAP interface on each of the
>>> participating windows PCs, correct?
>>> What is specified in default gateway of the gateways?
>>>
>>>
>>>
>>> Thank you in advance,
>>> Andrew
>>>
>>> On 7/10/2010 4:36 a.m., Donald Pearson wrote:
>>>
>>> The PCs that you want to participate need to have a route for the VPN
>>> subnet pointing to their local VPN gateway, which would be the local device
>>> with Tinc installed on it.
>>>
>>> Theoretical configuration example.
>>>
>>> VPN subnet is 10.10.10.0/24
>>>
>>> At a location, one computer 192.168.1.254/24 connects to the VPN and
>>> serves as the VPN gateway. This gateway needs to be configured for TCP/IP
>>> forwarding.
>>>
>>> http://support.microsoft.com/kb/315236 - windows
>>> http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ -
>>> linux
>>>
>>> Other computers local to the gateway need a route to the VPN network
>>> added so they know how to get there.
>>>
>>> In windows. route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254
>>> This will add the persistent route that remains after reboot.
>>>
>>> Does that answer your question?
>>>
>>> On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh <andrews at brutsoft.com>wrote:
>>>
>>>> Thank you for your reply. As far as I can see there is no point
>>>> specifying subnet that consists of more than one PC in tinc config if you
>>>> are going to install tinc on every PC in the subnet anyway. Correct me if
>>>> I'm wrong.
>>>> Now, assuming I'm right, there will be PCs in the subnet that don't have
>>>> tinc installed on them. How to configure these PCs so they are a part of the
>>>> subnet and participate in routing?
>>>>
>>>> Cheers,
>>>> Andrew
>>>>
>>>>
>>>> On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am not sure to understand what you mean with "joining" a subnet.
>>>>
>>>> But if your "local computer" need to reach the "remote subnet" served by
>>>> tinc, you can set the local IP of the local tinc server as the default
>>>> gateway, or add a route to the remote subnet via the local tinc IP. Of
>>>> course, computer located on the remote subnet need the same thing.
>>>>
>>>> Cédric
>>>>
>>>> Le 06/10/10 09:37, Andrew Savinykh a écrit :
>>>>
>>>> Hello all,
>>>>
>>>> I understand that each tinc daemon corresponds to one or more subnets
>>>> that it "owns" a subnet can be a single ip or more.
>>>> Could you please tell me what do I need to do to join a computer in
>>>> local network (windows) to a subnet served by tinc?
>>>>
>>>> Thank you in advance,
>>>> Andrew
>>>>
>>>>
>>
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>>
>
> _______________________________________________
> tinc mailing listtinc at tinc-vpn.orghttp://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20101006/a6ef70a7/attachment-0001.htm>
More information about the tinc
mailing list