Behavior like -R and -L SSH

Guus Sliepen guus at tinc-vpn.org
Tue Aug 29 20:43:33 CEST 2017


On Mon, Aug 28, 2017 at 10:48:56PM -0400, Rafael Wolf wrote:

> I wanted a TINC tunnel like this, where I have a server on the Internet
> with a public IPv4 address as my TINC server.  Then I can have clients
> connect to it and see each other except that the client at a customer
> site would allow me to route behind it so I could see hosts on site beyond
> my device on premise.
[...]
> Internal Devices <-- Customer Site with a rasperry pi --> Internet -->
> Public Server <-- Laptop, PC, whatever
> 
> Server with public IPv4 address:
[...]
> /etc/tinc/devtun/tinc-up
> 
>   #!/bin/sh
>   ifconfig $INTERFACE 192.168.2.1/29
>   route add -net 192.168.0.0/24 gw 192.168.2.1 dev $INTERFACE

The route statement is correct. However, "gw 192.168.2.1" does not do
anything when tinc is in router mode. You can leave it out.

> /etc/tinc/devtun/hosts/devtun
>   TunnelServer = yes
>   Address = 10.0.10.3
>   Subnet = 192.168.2.1/32
> 
>   -----BEGIN RSA PUBLIC KEY-----
>   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>   -----END RSA PUBLIC KEY-----
> 
>   * Note that I also tried putting in another "Subnet" for the 192.168.0.0
> but it
>     didn't seem to do anything.

You should only put in Subnet statements for those address ranges that
belong to that node itself. It seems like 192.168.0.0/24 is the address
range for the internal devices at the customer site, so this does not
belong to devtun.

> Client config (rasperry pi at the client site):
[...]
> /etc/tinc/tinc-up
> 
>   #!/bin/sh
>   ifconfig $INTERFACE 192.168.2.2/29
>   # This route breaks networking!  Definitely don't use this!
>   # route add -net 192.168.0.0/24 gw 192.168.2.2 dev $INTERFACE

You should indeed not add this route. If 192.168.0.0/24 belongs to the
internal network, then adding a route for 192.168.0.0/24 to the VPN
interface will ensure demo can no longer talk to its internal network.

> /etc/tinc/demo/hosts/demo
> 
>   TunnelServer = yes
>   Address = 67.219.201.3
>   Subnet = 192.168.2.2/32
>   Subnet = 192.168.0.0/24
>   Mode = router
> 
>   -----BEGIN RSA PUBLIC KEY-----
>   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>   -----END RSA PUBLIC KEY-----
[...]
> Got ADD_SUBNET from demo (75.134.104.213 port 54059): 10 3d2ef9c2 demo
> 192.168.2.2/32#10
> Ignoring unauthorized ADD_SUBNET from demo (75.134.104.213 port 54059):
> 192.168.2.2/32#10
[...]
> Both server and client can ping each other.
> 
> So...why would I be getting that "unauthorized subnet" from the demo site?

Because you are using the TunnelServer option, which implicitly also
enables the StrictSubnets option. Try it without TunnelServer = yes.

> Once I iron out the subnet issue how can I "route" from the server or other
> clients connected to the server beyond the client (which is my pi)?

Your configuration looks correct to me, as long as you remove the
TunnelServer option.

> OH and also...when I have the client config files like this on each host:
> 
> server has:
>   devtun <-- what I actually fire up with tincd to "listen"
>   demo
> 
> client has:
>   devtun
>   demo <-- what I actually fire up with tincd to "connect"
> 
> ...does the client really care what the "devtun" config file has in it
> besides the authentication key?

Yes, if you use TunnelServer = yes then it will also use the Subnets
from that file, and will not allow devtun use any other Subnet.
Otherwise, no.

> ...does the server really care what the "demo" config file has in it
> besides the autnetication key?

Yes, it also reads the Subnets because TunnelServer = yes, and it reads
the Address statement so it knows how to connect to demo.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170829/9ecf2504/attachment.sig>


More information about the tinc mailing list