Route certain trafic via a tinc node that is not directly connected.
Etienne Dechamps
etienne at edechamps.fr
Wed Apr 11 21:20:36 CEST 2018
On 11 April 2018 at 11:30, Hans de Groot <hansg at dandy.nl> wrote:
> Hello again :)
>
> Thank you all for your reply's. Below are the config files of the 3 hosts.
> I use tinc in router mode. I do not have a kernel mode config lines
> anywhere so tinc must be using the default settings here.
>
> I added the ipaddressx to subnets on hostc and this works. Traffic to
> that ip is now routed via hostc.
> But since this ipaddressx address changes often I need to resolve it
> automaticaly and change the iptable rules that mark the packets. I was
> really hoping to have to do this at one location (at hosta) and not update
> the subnets on hostc. (and I also would like to understand how this works
> with tinc)
>
> If I use the old route command I can tell it to route traffic for a
> certain ip to a certain gateway. (without tinc)
> ie: route add -host 192.168.0.16 gw 10.0.0.1 eth0
> I always assumed packets were specifically send to 10.0.0.1 if packets
> with destination 192.168.0.16 arrived on this his host.
> But Guus says the VIA option has no effect.
>
No, the "via" option doesn't have any effect, because it only has effect at
layer 2, e.g. on an Ethernet network. tinc running in router mode is a
layer 3 (IP) network, not a layer 2 (Ethernet) network.
When you use that option on a layer 2 network such as Ethernet, the "via"
option determines which layer 2 host (i.e. which MAC address, after ARP
resolution) the packet will go to. In "router mode" tinc there are no MAC
addresses, and tinc decides where to send packets based on destination IP
address, not the kernel.
> So is there a way to send packets to a specific gateway ip using ip
> route?
>
If you change the tinc mode to "switch", then your tinc VPN will behave
just like a physical Ethernet network, and the "via" option will work just
like it does on a real network. But note that setting that option comes
with a long list of consequences and is quite a radical, breaking change.
(Also keep in mind that all nodes on your network need to use the same
mode.)
> I do have a subnet 0.0.0.0 at hostb so that is probably why traffic goes
> out via hostb when I do not have the specific subnet/ip at hostc
>
Yes, that explains it. If one of your nodes has a 0.0.0.0 subnet then it
means tinc will send traffic to that node by default if no other subnets
match the destination IP address on the packet. Which is what happened with
"ipaddressx".
An alternative solution to your problem, besides going one layer down,
would be to go one layer up: you could set up a "tunnel within the tunnel",
i.e. hosta could establish a tunnel to hostc *on top of* the tinc VPN.
Then, if you want certain packets to go through hostc, you can just send
them through that tunnel and you're done. I am actually using such a
solution for a special purpose on my own tinc network right now. The
simplest solution for the tunnel is to use IP/IP, which has minimal
overhead and is easy to understand and troubleshoot. I contributed some
code to tinc that provides better support for that use case:
https://github.com/gsliepen/tinc/pull/166
> Regards
>
> Hans de Groot
>
>
> configs at hosta
> tinc.conf
> Name = hosta
> Device =/dev/net/tun
> Hostnames = No
> connectto = hostb
> Mode = Router
> KeyExpire = 3600
> PingInterval = 10
> PingTimeout = 15
> PrivateKeyFile = /etc/tinc/tincnet/rsa_key.priv
> ProcessPriority = high
> PMTUDiscovery = yes
>
> tinc-up
> #!/bin/bash
> ifconfig $INTERFACE 192.168.230.21 netmask 255.255.255.0
> route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
> ip route add default via 192.168.230.160 dev tincnet table hostc
> ip rule add from 0.0.0.0/0 fwmark 1 table hostc
>
>
> hosta
> Address = x.x.x.x
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 110
> Subnet = 192.168.230.21/32
> TCPonly = yes
>
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
> hostb
> Address = x.x.x.x
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 110
> Subnet = 192.168.230.1/32
> Subnet = 0.0.0.0/0
> TCPonly = yes
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
> -------------------------------------------------
> configs at hostb
> tinc.conf
> AddressFamily = ipv4
> Name = hostb
> Device =/dev/net/tun
> Hostnames = No
> Mode = Router
> KeyExpire = 3600
> PingInterval = 30
> PingTimeout = 60
> PrivateKeyFile = /usr/local/etc/tinc/tincnet/rsa_key.priv
> ProcessPriority = high
> PMTUDiscovery = yes
>
> tinc-up
> #!/bin/bash
> ifconfig $INTERFACE 192.168.230.1 netmask 255.255.255.0
> route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
> ip route add default via 192.168.230.160 dev tincnet table hostc
> ip rule add from 0.0.0.0/0 fwmark 1 table hostc
>
> hostb
> Address = x.x.x.x
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 110
> Subnet = 192.168.230.1/32
> Subnet = 0.0.0.0/0
> TCPonly = No
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
> hostc
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 655
> Subnet = 192.168.230.160/32
> Subnet = 10.100.1.241/32
> TCPonly = Yes
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
> -----------------------------------------------------------
> config at hostc
> tinc.conf
> AddressFamily = ipv4
> Name = hostc
> ConnectTo = hostb
> Interface = tincnet
> Hostnames = No
> Mode = Router
> KeyExpire = 3600
> PingInterval = 10
> PingTimeout = 10
>
> tinc-up
> #!/bin/bash
> ifconfig $INTERFACE 192.168.230.160 netmask 255.255.255.0
>
> hostb
> Address = x.x.x.x
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 110
> Subnet = 192.168.230.1/32
> Subnet = 0.0.0.0/0
> TCPonly = Yes
>
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
>
> hostc
> Address = x.x.x.x
> Cipher = blowfish
> Compression = 0
> Digest = sha1
> IndirectData = Yes
> Port = 655
> Subnet = 192.168.230.160/32
> Subnet = 10.100.2.2/32
> Subnet = 10.100.1.236/32
> TCPonly = Yes
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
>
>
>
>
>
>
>
> On 4/10/2018 11:18 PM, Guus Sliepen wrote:
>
> On Tue, Apr 10, 2018 at 03:36:08PM +0200, Hans de Groot wrote:
>
>
> hosta <--> hostb <--> hostc
>
> Hosta and hostc are not directly connected via tinc. But both are conncted
> via hostb (I called my network tincnet). This works fine I can ssh from
> hosta to hostc and vice versa without any problems.
>
> hostc is in a whitelisted iprange at some service provider.
>
> I need hosta to talk to a certain ip (lets call it ipaddressx) via hostc.
>
> I added the iptables mangle rule to mark all traffic to ipaddressx at port
> 700.
>
> -A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK
> --set-mark 0x1
>
> I added:
> ip route add default via iphostc dev tincnet table hostc
> ip rule add from 0.0.0.0/0 fwmark 1 table hostc
>
> If you are running tinc in router mode (which is the default), then the
> "via iphostc" option does not have any effect. The packets will go to
> dev tincnet, but there is nothing in the header of IP packets that
> contains the address of the gateway.
>
> Also, if you are using router mode, then you must inform tinc about
> which peer to send packets with destination address ipaddressx to. So
> you can add "Subnet = ipaddressx/" to hostc's hosts/hostc. But tinc only
> routes on address, not on ports.
>
>
> Now when I try this:
>
> traceroute -T -n ipaddressx -p 700
>
> The route goes via the ip of hostb and not via the ip of hostc as I would
> have expected.
>
> There are two possibilities for this: one is that tinc thinks the
> packets with destination address ipaddressx should go to hostb (because
> of what is in the Subnet statements), the other is that hosta and hostc
> cannot directly communicate with each other, and traffic is routed via
> hostb, and you have Forwarding = kernel in your tinc.conf. The latter
> will force the packets to be sent to the tun interface on hostb, and if
> you don't have any rules on hostb to send packets for ipaddressx port
> 700 to hostc, they will not be forwarded the way you want.
>
>
> A weird thing is when I try the add route with any ip in the tincnet subnet
> the route gets added even if that ip is not in use and all traffic still
> goes via the ip of hostb.
> ie: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table
> hostc
>
> Again, in router mode, the "via ..." option has no effect at all.
>
>
> Is it tincd at hostb that intercepts the traffic actually meant for hostc
> and thinks it's meant for hostb and rewrites stuff automaticaly? Or am I
> missing something in the ip route / ip rules part?
>
> Tinc itself does not rewrite anything.
>
>
> But I really would like to understand how to do this via mangle/fwmark and
> ip route / ip rule way.
>
> It would help if you could show us your tinc.conf from hostb, and all
> hosts/* files, so we can check how you configured tinc exactly.
>
>
>
>
> _______________________________________________
> tinc mailing listtinc at tinc-vpn.orghttps://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20180411/49bd4589/attachment-0001.html>
More information about the tinc
mailing list