tinc started from /etc/network/interfaces and not from /etc/tinc/nets.boot
Guus Sliepen
guus at tinc-vpn.org
Fri Jan 10 11:35:00 CET 2014
On Fri, Jan 10, 2014 at 11:16:46AM +0100, Phooraalai wrote:
> > I guess because the init job was there first. Support for
> > /etc/network/interfaces came later.
>
> Would you accept a small tutorial for the website where I explain how to
> duplicate my setup through /etc/network/interfaces once I finish ?
Sure! It would be nice if you can write that tutorial in MarkDown or
MultiMarkDown format, but HTML is fine as well.
> > Why did you use converted tinc-up/down scripts at all? You can put everything
> > that is in those inside /etc/network/interfaces.
>
> I use the converted tinc-up and tinc-down to build some iptables rules
> and then tear them down again. Also I use them to log to syslog that a
> vpn connection has been established or terminated. How would I do that
> with /etc/network/interfaces ?
Just by adding the commands from those scripts as post-up and post-down
statements in your /etc/network/interfaces file. For example:
iface VPN inet static
    address 192.168.100.1
    netmask 255.255.255.0
    post-up logger VPN up
    post-up iptables ...
    post-down iptables ...
    tinc_net VPN
    tinc_chroot yes
    tinc_mlock yes
    tinc_user tincvpn
Otherwise, you have part of the configuration in /etc/network/interfaces, part
in your converted up/down scripts. Wouldn't it be nicer to have all that in one
place? Another option is to use the regular tinc-up and -down scripts to do all
the network configuration, but still be able to use ifup/ifdown to start and
stop tinc:
iface VPN inet manual
    tinc_net VPN
    tinc_chroot yes
    tinc_mlock yes
    tinc_user tincvpn
That way your VPN also works correctly if you decide to start tinc by hand or
using nets.boot.
> >> Is this what the host options StrictSubnets = yes and
> >> TunnelServer = yes are about ?
> >
> > Those options can indeed be used to limit which nodes can talk to which
> > other nodes. There is also IndirectData, DirectData and Forwarding.
>
> I could not see a DirectData option in the tinc 1.0 man page for
> tinc.conf or in the PDF for 1.0 or 1.1 on the tinc website. Is there a
> difference between IndirectData <=> DirectData ?
Sorry, I meant DirectOnly instead of DirectData.
> So if I set StrictSubnets = yes, then the tinc vpn daemon will only talk
> to the machine for which it has host files present in
> /etc/tinc/VPN/hosts/, correct ?
Not exactly; as it says in the manual, it will only look at Subnet definitions
in its local host configuration files. It can still use hosts for which you
don't have a host file for forwarding in case the destination host is not
directly reachable.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
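The approach Guus describes above, moving the iptables rules and the syslog message out of the converted tinc-up/tinc-down scripts into post-up/post-down, as an added example that is not from this thread or the tinc project: one script invoked from the stanza as `post-up /usr/local/sbin/vpn-fw up` and `post-down /usr/local/sbin/vpn-fw down`. The install path, the VPN subnet and the rule set are assumptions; the script also goes a step beyond the mail by checking for an existing rule before appending it, so a repeated ifup does not stack duplicates.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the tinc project: one
# script that replaces a converted tinc-up/tinc-down pair and is called from
# the /etc/network/interfaces stanza (path, subnet and rule set are assumed):
#   post-up   /usr/local/sbin/vpn-fw up
#   post-down /usr/local/sbin/vpn-fw down
# ifupdown exports IFACE to post-up/post-down hooks; "VPN" is the fallback.
VPN_IF="${IFACE:-VPN}"
VPN_NET="${VPN_NET:-192.168.100.0/24}"   # assumed VPN subnet
IPTABLES="${IPTABLES:-iptables}"         # set to "echo iptables" for a dry run

# Rule specifications for the VPN interface, one per line, without -A/-D so
# the same list serves both installation and removal.
vpn_rules() {
    printf '%s\n' \
        "INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT" \
        "INPUT -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "INPUT -i $VPN_IF -j DROP"
}

# Print the iptables commands for "up" or "down". On "up" a rule is appended
# only if the check (-C) says it is absent, so a repeated ifup does not stack
# duplicates; "down" deletes in reverse order so the DROP goes first.
vpn_commands() {
    case "$1" in
        up)   vpn_rules | while read -r r; do
                  echo "$IPTABLES -C $r 2>/dev/null || $IPTABLES -A $r"
              done ;;
        down) vpn_rules | sed '1!G;h;$!d' | while read -r r; do
                  echo "$IPTABLES -D $r"
              done ;;
        *)    echo "usage: $0 up|down" >&2; return 2 ;;
    esac
}

# Run the commands, then record the transition in syslog the way the
# converted tinc-up/tinc-down scripts did with logger.
vpn_apply() {
    vpn_commands "$1" | sh -e || return 1
    command -v logger >/dev/null 2>&1 && logger -t vpn-fw "$VPN_IF $1 ($VPN_NET)"
    return 0
}

case "${1:-}" in up|down) vpn_apply "$1" ;; esac
```

Setting `IPTABLES="echo iptables"` in the environment prints the commands instead of running them, which is a convenient way to review the rule set before wiring the script into the stanza.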