IndirectData = Yes is I think a legacy statement for versions prior to 1.0.10 that allowed Tinc to function in UDP mode behind NAT. I don't actually think it's needed any more, but I have not scrubbed my host configuration files yet for anything not necessary. Guus could speak with more authority on that.<br>
<br>PMTUDiscovery = Yes is I believe still best practice to use in Switch Mode, enabling Tinc to identify the largest Frame or Packet that can traverse across the VPN without fragmenting.<br><br>The ConnectTo statement is in the tinc.conf file. So you would want your tinc.conf file on your Client host to point to the host file of your Server.<br>
<br>tinc-up is a script that will be executed when Tinc is launched, if it exists. It's not actually necessary, but it makes things a bit simpler.<br><br>If you want your Tinc server to act as a gateway for its LAN, you'll need to bridge its Tun adapter, which talks on the VPN, with its LAN adapter.<br>
<br><div class="gmail_quote">On Sun, Feb 7, 2010 at 6:43 PM, M.Farghaly <span dir="ltr"><<a href="mailto:m@farghaly.com">m@farghaly.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello Donald,<br>
<br>
thank you very much for your very fast reply.<br>
<br>
This makes sense. So until now I am only connecting to the<br>
tun-interface on the home server. And I somehow need to bridge the<br>
tun-interface and eth0.<br>
<br>
Another question, is this :<br>
<br>
> IndirectData = Yes<br>
> PMTUDiscovery = Yes<br>
<br>
needed for this to work ?<br>
<br>
What about the client (ConnectTo) tinc-up, what is still in there ?<br>
<br>
Otherwise I will look into linux bridging to understand exactly the<br>
command sequence you gave me for tinc-up.<br>
<br>
Then I will give this a try.<br>
<br>
Mansour Farghaly<br>
<div><div></div><div class="h5"><br>
On Sun, Feb 7, 2010 at 11:46 PM, Donald Pearson<br>
<<a href="mailto:donaldwhpearson@gmail.com">donaldwhpearson@gmail.com</a>> wrote:<br>
> I'm doing exactly what I think you're trying to do.<br>
><br>
> You are using switched mode, so you can remove the Subnet statements.<br>
> Otherwise, if you mean to have your VPN routed instead of switched, you need<br>
> to remove the mode=switch statements.<br>
><br>
> I recommend keeping switch mode, and removing the unnecessary Subnet<br>
> statements.<br>
><br>
> Now, you need to bridge your tun interface with your physical interface at<br>
> home. This will open the rest of your home network to your VPN provided all<br>
> hosts use the same network and netmask.<br>
><br>
> You say you are using Ubuntu, so you can do "apt-get install bridge-utils"<br>
><br>
> You will need your tinc-up script to be something like this;<br>
><br>
> #!/bin/sh<br>
> modprobe tun<br>
> ifconfig vpn 0.0.0.0<br>
> ifconfig vpn up<br>
> ifconfig eth0 0.0.0.0<br>
> ifconfig eth0 up<br>
><br>
> brctl addbr bridge<br>
> brctl addif bridge vpn<br>
> brctl addif bridge eth0<br>
> ifconfig bridge 10.10.0.30 netmask 255.255.255.0<br>
> route add default gw 10.10.0.254 bridge<br>
> ifconfig bridge up<br>
><br>
> Here's my tinc.conf. it's *very* simple.<br>
><br>
> donald@DonaldTincVM:/etc/tinc/vpn$ cat tinc.conf<br>
> Name = Donald<br>
> ConnectTo = Pat<br>
> Device = /dev/net/tun<br>
> Mode = switch<br>
> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv<br>
><br>
><br>
> And here's my host files.<br>
><br>
> donald@DonaldTincVM:/etc/tinc/vpn/hosts$ cat Donald<br>
> Address = xxxx<br>
> Port = 8002<br>
> IndirectData = Yes<br>
> Compression = 0<br>
> PMTUDiscovery = Yes<br>
> RSA stuff.<br>
><br>
> donald@DonaldTincVM:/etc/tinc/vpn/hosts$ cat Pat<br>
> Address = <a href="http://nixon.endoftheinternet.org" target="_blank">nixon.endoftheinternet.org</a><br>
> Port = 8003<br>
> IndirectData = Yes<br>
> Compression = 0<br>
> PMTUDiscovery = Yes<br>
> RSA stuff.<br>
><br>
> On Sun, Feb 7, 2010 at 5:26 PM, M.Farghaly <<a href="mailto:m@farghaly.com">m@farghaly.com</a>> wrote:<br>
>><br>
>> Hi there,<br>
>><br>
>> I have been using tinc for some months. I think the basic idea of<br>
>> extending vpn to a mesh of systems via tun/tap is great. And I think<br>
>> it is one of the usable developments compared to the much more<br>
>> complex vpn solutions I had used in the past. Great work.<br>
>><br>
>> Setting up tinc I have fought with the configuration (and with the<br>
>> concepts) for a while as I have found no example that covers my<br>
>> special setup until I reached this fairly minimal config below.<br>
>><br>
>> The setup is as follows:<br>
>> Home network is 10.10.0.x/24, Ubuntu Unix Server has internal IP<br>
>> 10.10.0.30, Gateway is 10.10.0.254<br>
>> I have a dynamic ip on this network and a masquerading firewall router.<br>
>><br>
>> I am accessing home network via Ubuntu linux laptop via UMTS which<br>
>> means dynamic IP-Address, normally also in the 10.x.y.z Range (can<br>
>> this be a problem ?).<br>
>><br>
>> From the forum answers I think I can delete the entries<br>
>> "PrivateKeyFile" as this is default, otherwise configuration is quite<br>
>> minimal.<br>
>><br>
>><br>
>> ======= Configuration =========<br>
>><br>
>> Server Side<br>
>> ===========<br>
>> # cat tinc.conf<br>
>> Name = fsvpns3f30<br>
>> Mode = switch<br>
>> Device = /dev/net/tun<br>
>> AddressFamily = ipv4<br>
>> PingInterval = 30<br>
>> PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv<br>
>><br>
>> # cat tinc-up<br>
>> #!/bin/sh<br>
>> ifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0<br>
>><br>
>> # cat hosts/fsvpns3f30<br>
>> Address = <a href="http://xyz.dyndns.org" target="_blank">xyz.dyndns.org</a><br>
>> Port=655<br>
>> Compression=9<br>
>> Subnet=<a href="http://10.10.0.0/16" target="_blank">10.10.0.0/16</a><br>
>> TCPonly=yes<br>
>> -----BEGIN RSA PUBLIC KEY-----<br>
>> ...<br>
>> -----END RSA PUBLIC KEY-----<br>
>><br>
>> Client Side<br>
>> ========<br>
>> # cat tinc.conf<br>
>> Name = fsvpnmf<br>
>> Mode = switch<br>
>> Device = /dev/net/tun<br>
>> AddressFamily = ipv4<br>
>> PingInterval = 30<br>
>> ConnectTo = fsvpns3f30<br>
>> PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv<br>
>><br>
>> # cat tinc-up<br>
>> #!/bin/sh<br>
>> ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0<br>
>><br>
>> # cat fsvpnmf<br>
>> Port = tinc<br>
>> Compression = 9<br>
>> Subnet = <a href="http://10.10.101.1/32" target="_blank">10.10.101.1/32</a><br>
>> TCPonly=yes<br>
>> ConnectTo = <a href="http://xyz.dyndns.org" target="_blank">xyz.dyndns.org</a><br>
>> -----BEGIN RSA PUBLIC KEY-----<br>
>> ...<br>
>> -----END RSA PUBLIC KEY-----<br>
>><br>
>> This setup works now for a while with the restriction that I can<br>
>> directly only reach one machine on my network. I can ssh through it to<br>
>> reach the other machines in the network, but this is not ideal (e.g.<br>
>> if I want to directly reach windows machines). That means from my<br>
>> laptop I can only directly reach the <a href="http://10.10.0.30/10.10.100/30" target="_blank">10.10.0.30/10.10.100/30</a> machine.<br>
>> It looks like a routing problem. I guess I will have to add on tinc-up<br>
>> script on both sides but in combination with the vpn device I need<br>
>> some guidance.<br>
>><br>
>> Can you see how the configuration can be enhanced to reach the whole<br>
>> network of machines on the home network from laptops directly ?<br>
>><br>
>> Any suggestions are welcome.<br>
>><br>
>> Mansour Farghaly<br>
>> _______________________________________________<br>
>> tinc mailing list<br>
>> <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
>> <a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
><br>
><br>
><br>
><br>
</div></div></blockquote></div><br>
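As an added example, not part of the thread above and not tinc's own code: a small Python linter that applies the advice given in the replies to the client-side configuration Mansour posted. It assumes tinc's `Key = Value` file syntax with case-insensitive keys and flags the points the replies raise: a `ConnectTo` placed in a host file instead of tinc.conf, `Subnet` lines left in under `Mode = switch`, a `ConnectTo` target whose host file has no `Address`, and a tinc-up address whose netmask does not match the home LAN (Donald's "same network and netmask" condition). The sample configuration strings are transcribed from the thread and the LAN prefix 10.10.0.0/24 is taken from Mansour's description; both are constructed test input, and the function and message names are this example's own.<br>

```python
"""Static checks for a tinc switch-mode configuration (added example)."""
import ipaddress
import re

# Constructed sample input: the client-side files transcribed from the thread.
CLIENT_TINC_CONF = """\
Name = fsvpnmf
Mode = switch
Device = /dev/net/tun
AddressFamily = ipv4
PingInterval = 30
ConnectTo = fsvpns3f30
PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv
"""

CLIENT_HOSTS = {
    "fsvpnmf": """\
Port = tinc
Compression = 9
Subnet = 10.10.101.1/32
TCPonly=yes
ConnectTo = xyz.dyndns.org
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
""",
    "fsvpns3f30": """\
Address = xyz.dyndns.org
Port=655
Compression=9
Subnet=10.10.0.0/16
TCPonly=yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
""",
}

CLIENT_TINC_UP = """\
#!/bin/sh
ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0
"""

HOME_LAN = "10.10.0.0/24"  # home network as described in the thread

IFCONFIG_RE = re.compile(r"ifconfig\s+\$INTERFACE\s+(\S+)\s+netmask\s+(\S+)")


def parse_tinc(text):
    """Return [(key, value)] for 'Key = Value' lines. Keys are lowercased
    because tinc treats them case-insensitively; parsing stops at the
    RSA public key block, which carries no settings."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            break
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def lookup(entries, key):
    """All values for a key, in file order (tinc allows repeats)."""
    return [v for k, v in entries if k == key]


def lint(tinc_conf, hosts, tinc_up, lan_cidr):
    """Return a list of human-readable findings; an empty list means clean.
    hosts maps host-file name -> file text, as under /etc/tinc/<net>/hosts."""
    conf = parse_tinc(tinc_conf)
    findings = []
    mode = (lookup(conf, "mode") or ["router"])[0].lower()
    names = lookup(conf, "name")
    if not names:
        findings.append("tinc.conf: Name is required")
    elif names[0] not in hosts:
        findings.append(f"tinc.conf: Name = {names[0]} but hosts/{names[0]} is missing")
    # ConnectTo in tinc.conf must name a host file, and that file needs an
    # Address so the daemon knows where to connect.
    for peer in lookup(conf, "connectto"):
        if peer not in hosts:
            findings.append(f"tinc.conf: ConnectTo = {peer} but hosts/{peer} is missing")
        elif not lookup(parse_tinc(hosts[peer]), "address"):
            findings.append(f"hosts/{peer}: ConnectTo target has no Address line")
    for hname, htext in hosts.items():
        hconf = parse_tinc(htext)
        if mode == "switch":
            for subnet in lookup(hconf, "subnet"):
                findings.append(f"hosts/{hname}: Subnet = {subnet} is not needed in switch mode")
        for target in lookup(hconf, "connectto"):
            findings.append(f"hosts/{hname}: ConnectTo = {target} belongs in tinc.conf, not a host file")
    # In switch mode every node is on one broadcast domain, so the VPN
    # address must sit in the same network, with the same netmask, as the LAN.
    lan = ipaddress.ip_network(lan_cidr)
    for addr, mask in IFCONFIG_RE.findall(tinc_up):
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        if iface.network != lan:
            findings.append(f"tinc-up: {addr} netmask {mask} is on {iface.network}, not the LAN {lan}")
    return findings


def clean_host_file(text):
    """Return the host file with the lines the replies say to drop removed
    (Subnet under switch mode, ConnectTo); the RSA key block is kept verbatim."""
    kept, in_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_key = True
        if not in_key and "=" in line:
            if line.partition("=")[0].strip().lower() in ("subnet", "connectto"):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in lint(CLIENT_TINC_CONF, CLIENT_HOSTS, CLIENT_TINC_UP, HOME_LAN):
        print(finding)
```

Run as a script it prints four findings for the posted client config. The checks are static and touch no interfaces, so they can be run against a copy of the tinc directory before the daemon is restarted. When bridging the tun device into eth0 as in Donald's tinc-up, keep his own caveat in mind: the whole home LAN becomes reachable from every VPN peer, so the set of host files (the public keys tinc will accept) is what decides who gets LAN access, and a peer's host file should only be installed after its key has been checked.<br>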