<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Awesome! Now I think I finally understand how to do this. Thank you
very much. (Just to confirm, I need to assign the new additional IP
on the physical adapter for each non-tinc PC and on the tap adapter for
the tinc gateway PCs, right?)<br>
<br>
Andrew.<br>
<br>
<blockquote cite="mid:4CAD21E0.1020501@brutsoft.com" type="cite"> On
7/10/2010 2:14 p.m., Donald Pearson wrote:
<blockquote
cite="mid:AANLkTi=_rSo3rtOpv6OgQfY-7XQDqBw1KNnWv2Fqk+Da@mail.gmail.com"
type="cite">Sure it's possible, you just need to assign each
node a new IP in the 10.30.1.0/24 network. It's not
part of the Tinc configuration, it's part of the network
configuration of each computer.<br>
<br>
All Tinc is doing is creating a layer 2 path for them to reach
each other. Yes, broadcasts will traverse the VPN. It literally
is virtual ethernet over the internet. :)<br>
<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 9:04 PM, Andrew
Savinykh <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:andrews@brutsoft.com">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald, thank you for
this. <br>
<br>
Do i read you right that to be able to receive broadcasts
across LANs I have to use the address space that I already
have and make sure that this space is the same for both
LANs?<br>
<br>
What I'm trying to do is to define a *completely new
subnet* that will act as the common LAN for both LAN A and
LAN B.<br>
<br>
To re-iterate:<br>
I have one router that is 10.1.1.1 and gives out DHCP
10.1.1.* and the other router 192.168.0.1 that gives out
DHCP 192.168.0.*. <br>
I would like to leave these address spaces alone and
define a new one on 10.30.1.* that computers from both networks
can participate in, effectively forming a new virtual LAN.<br>
<br>
Is this possible with tinc? I know this is possible with
other software, I'm just having a hard time figuring out if
this is something I can configure tinc to do.<br>
<font color="#888888"> <br>
Andrew</font>
<div>
<div class="h5"><br>
<br>
<br>
<br>
On 7/10/2010 1:13 p.m., Donald Pearson wrote:
<blockquote type="cite">Sorry you're right. I was
looking at the IP address schema where all nodes
would use the 10.30.0.0/24
network.<br>
<br>
There's no need to install tap adapters on the other
devices. You have basically 2 realistic options if
you want the LAN function.<br>
<br>
You can specify multiple IP addresses for a single
interface, even in Windows. You'll find this under
the TCP/IP properties of the network adapter, by
clicking on the Advanced button on the page where
you can set a static IP or designate DHCP.<br>
<br>
A 2nd option would be to re-IP one of your locations
so that they all use the same subnet natively.<br>
<br>
Bridging the tap adapter allows your network frames
received by your physical interface to reach the TAP
adapter and therefore traverse the VPN. This
enables layer 2 connectivity, the same way a real
switch does. Virtual Ethernet over the Internet is
how I like to describe it. This is how I have my
VPN configured personally.<br>
<br>
Without the bridge, a frame that is received at the
physical interface has the frame stripped off and
the packet inspected. Now we're talking layer 3.
If the packet is destined for a network on the other
side of the VPN, your Tinc node frames the packet
back up with a new frame, and sends it over the
VPN. This act of stripping the frame, reading the
packet for the network destination, and applying a
new frame to get it there is what Routing is.
Without the bridge in place, your Tinc node is
literally routing between the physical interface and
the tap interface. With the bridge, you're creating
a layer 2 pathway so the frames can shoot across
directly. Of course this means both sides need to
be on the same subnet which you obviously already
know.<br>
<br>
Be warned that this configuration comes with its
drawbacks. DHCP will traverse your VPN. I had
location A computers getting addresses from location
B which makes for some really inefficient internet
traffic.<br>
<br>
Regards,<br>
Donald<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 7:57
PM, Andrew Savinykh <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald,
thank you for the explanation.<br>
<br>
I understand the part about the switch mode
and absence of subnet in tinc.config.<br>
However, could you please explain what
bridging the tap adapter will achieve and what
kind of ip address will be used on tinc nodes
and in the rest of the network.<br>
<br>
In my example one household has local network
addresses of 192.168.1.* and the other has
10.1.1.*<br>
If we don't install tap interfaces on other
PC's this means that the other PCs won't have
another ip address.<br>
I understand that bridging is going to solve
this somehow, but I still don't see how
broadcast from 10.1.1.7 can reach 192.168.1.5
in the other LAN.<br>
<br>
In short I don't understand how bridging two
adapters works. I'll try to google this topic
to get a better understanding, meanwhile,
could you please explain<br>
how this applies to our tinc configuration
case.<br>
<br>
Also can you briefly describe what we achieve
by setting PMTUDiscovery = Yes. I read the
description in manual but it didn't tell me
much.<br>
<br>
Thank you again for all your help,<br>
<font color="#888888"> Andrew</font>
<div>
<div><br>
<br>
<br>
<br>
On 7/10/2010 11:40 a.m., Donald Pearson
wrote:
<blockquote type="cite">Oh okay. Yes you
can make it appear as a single LAN.
Your Tinc nodes will behave as bridges
instead of routers (or gateways as you
put it).<br>
<br>
Your tinc nodes will have the same
subnet mask and default router as all
your other devices at that location.<br>
<br>
You will need to run the add-tap script
only on the tinc nodes on each side.<br>
<br>
You will then need to bridge the tap
adapter to the local area connection on
the tinc nodes on each side.<br>
<br>
This will create a bridge network object
under your network connections. This
bridge will have the IP configuration
you illustrated.<br>
<br>
You have the right idea in segregating
the IP distribution while still using
the 255.255.255.0 subnet mask.<br>
<br>
Once both nodes are up and connected, and
the interfaces have been bridged on the
Tinc nodes for each location, you will
have a virtual LAN between the two
locations.<br>
<br>
Your Tinc configuration will be Switch
mode. This means no Subnet
configurations are required in your
tinc.conf<br>
<br>
Your tinc.conf will be something like<br>
<br>
Name = NodeA<br>
ConnectTo = NodeB<br>
Interface = &lt;something&gt;<br>
Mode = switch<br>
PrivateKeyFile = &lt;path to the rsa_key.priv&gt;<br>
<br>
Host files will be something like<br>
For the host file named "NodeA"<br>
<br>
Address = &lt;host.dyndns.org&gt;<br>
PMTUDiscovery = Yes<br>
<br>
--Begin RSA etc. etc.--<br>
<br>
<br>
<div class="gmail_quote">On Wed, Oct 6,
2010 at 6:17 PM, Andrew Savinykh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff"
text="#000000"> Donald,<br>
<br>
thank you, while I still have some
questions, your answer is
definitely a step in the right
direction.<br>
In the other reply I was asked
what I'm trying to achieve. Let's
consider the following scenario
(which is quite similar to the one
that described in the tinc
manual).<br>
<br>
Let's assume we have two
households, each has 3-5 computers
in it. Both households have
similar network configuration:<br>
They are connected to internet
with an ADSL line and a router.<br>
The computers in the local network
access internet via the router.<br>
The router is configured so that
one of the computers has port 665
forwarded to be accessible
outside.<br>
The external IP is changed rarely
and there is dynamic DNS service
(external) in use to accommodate
for the change of IP when it
happens.<br>
<br>
One household has local network
addresses of 192.168.1.* and the
other has 10.1.1.*<br>
I'm installing tinc on one
computer in each household. <br>
<br>
The goal is to let all computers
in both households see each
other by IP address. Also it is
desired that for computer games
purposes<br>
all computers appear to be on the
same LAN (for broadcasts). But
this is not mandatory. (it appears
that it's not possible without
installing tinc on every PC <br>
as every tinc daemon serves a
subnet and two tinc daemons can't
serve a part of subnet each)<br>
<br>
All computers run different
flavours of Windows, most being
Windows 7.<br>
<br>
I have two ideas how to set this
up, although I'm not sure if any
of these two works:<br>
<br>
IDEA1.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2,3,4 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.1<br>
<br>
Tinc Subnet: 10.30.0.0/25<br>
<br>
Household B<br>
Gateway IP: 10.30.0.129<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.130,131,132
etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.129<br>
<br>
Tinc Subnet: 10.30.0.128/25<br>
<br>
<br>
IDEA2.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.1<br>
<br>
Tinc Subnet: 10.30.0.0/24<br>
<br>
Household B<br>
Gateway IP: 10.30.1.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.1.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.129<br>
<br>
Tinc Subnet: 10.30.1.0/24<br>
<br>
<br>
So IDEA 1 probably won't work at
all. Will it? And with IDEA 2 the
pc's won't appear on the same LAN
and their broadcasts won't reach
each other.<br>
As far as I understand I need to
install TAP interface on each of
the participating windows PCs,
correct?<br>
What is specified as the default
gateway of the gateways?
<div><br>
<br>
<br>
Thank you in advance,<br>
Andrew<br>
<br>
</div>
<div>
<div> On 7/10/2010 4:36 a.m.,
Donald Pearson wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>The PCs that you want to
participate need to have a
route for the VPN subnet
pointing to their local VPN
gateway, which would be the
local device with Tinc
installed on it.
<div><br>
</div>
<div>Theoretical
configuration example.</div>
<div><br>
</div>
<div>VPN subnet is 10.10.10.0/24</div>
<div><br>
</div>
<div>At a location, one
computer 192.168.1.254/24
connects to the VPN and
serves as the VPN gateway.
This gateway needs to be
configured for TCP/IP
forwarding.</div>
<div><br>
</div>
<div><a
moz-do-not-send="true"
href="http://support.microsoft.com/kb/315236"
target="_blank">http://support.microsoft.com/kb/315236</a> -
windows</div>
<div><a
moz-do-not-send="true"
href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/"
target="_blank">http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/</a> -
linux</div>
<div><br>
</div>
<div>Other computers local
to the gateway need a
route to the VPN network
added so they know how to
get there.</div>
<div><br>
</div>
<div>In Windows: <code>route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254</code></div>
<div>This will add the
persistent route that
remains after reboot.</div>
<div><br>
</div>
<div>Does that answer your
question?</div>
<div><br>
<div class="gmail_quote">On
Wed, Oct 6, 2010 at 6:41
AM, Andrew Savinykh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com" target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt
0pt 0.8ex;
border-left: 1px solid
rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff"
text="#000000">
Thank you for your
reply. As far as I
can see there is no
point specifying a
subnet that consists
of more than one PC
in the tinc config if
you are going to
install tinc on
every PC in the
subnet anyway.
Correct me if I'm
wrong.<br>
Now, assuming I'm
right, there will be
PCs in the subnet
that don't have tinc
installed on them.
How to configure
these PCs so they
are a part of the
subnet and
participate in
routing?<br>
<br>
Cheers,<br>
Andrew
<div>
<div><br>
<br>
On 6/10/2010
10:13 p.m.,
Cédric
Lemarchand
wrote: </div>
</div>
<blockquote
type="cite">
<div>
<div> Hi,<br>
<br>
I am not sure
I understand
what you mean
with "joining"
a subnet.<br>
<br>
But if your
"local
computer" needs
to reach the
"remote
subnet" served
by tinc, you
can set the
local IP of
the local tinc
server as the
default
gateway, or
add a route to
the remote
subnet via the
local tinc IP.
Of course,
computers
located on the
remote subnet
need the same
thing.<br>
<br>
Cédric<br>
<br>
On 06/10/10
09:37, Andrew
Savinykh
wrote:
<blockquote
type="cite"> Hello
all, <br>
<br>
I understand
that each tinc
daemon
corresponds to
one or more
subnets that
it "owns"; a
subnet can be
a single IP or
more. <br>
Could you
please tell me
what do I need
to do to join
a computer in
local network
(windows) to a
subnet served
by tinc? <br>
<br>
Thank you in
advance, <br>
Andrew <br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
tinc mailing list<br>
<a moz-do-not-send="true"
href="mailto:tinc@tinc-vpn.org"
target="_blank">tinc@tinc-vpn.org</a><br>
<a moz-do-not-send="true"
href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</blockquote>
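<p>The three designs argued over in this thread (router mode with a static route on every PC, switch mode with the tap bridged into each LAN, and Andrew's IDEA1 with a /24 mask laid over two /25 halves), worked through as an added example; this is not code from the thread or from tinc itself. It is a small Python model of on-link versus routed delivery. The host names (gw-a, gw-b, pc-a, pc-b, router-b), the segment labels and the per-host addresses are constructed for illustration; the VPN subnets 10.10.10.0/24 and 10.30.1.0/24 and the 10.30.0.0/25 and 10.30.0.128/25 split are the ones the messages use; the tinc tunnel itself is modelled only as one more segment named vpn, not as tinc's protocol. It shows what the messages assert but never trace: a route for the VPN subnet alone reaches the gateways' VPN addresses, not the PCs behind them; with the bridge, a second 10.30.1.x address puts every PC on-link with every other, and a layer-2 broadcast from house A (a DHCP DISCOVER included) arrives at house B's router; and IDEA1 fails because a /24 mask makes pc-a ARP for 10.30.0.130 on its own wire instead of handing the packet to its gateway.</p>

```python
"""Added example, not code from the tinc thread or from tinc itself: a model of
the designs discussed above. Hosts, segment labels and per-host addresses are
constructed for illustration; the VPN subnets are the thread's own."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ifaces: list                                # [(segment, "addr/prefix")]
    routes: dict = field(default_factory=dict)  # {"net/prefix": "next hop"}
    forwards: bool = False                      # IP forwarding on (gateway)


@dataclass
class Network:
    hosts: list
    bridged: frozenset = frozenset()  # segments joined by a switch-mode bridge

    def host(self, name):
        return next(h for h in self.hosts if h.name == name)

    def _ifaces(self, h):
        return [(seg, ipaddress.ip_interface(a)) for seg, a in h.ifaces]

    def _same_l2(self, a, b):
        return a == b or (a in self.bridged and b in self.bridged)

    def _owner(self, ip):  # (host, segment) of the interface holding ip
        for h in self.hosts:
            for seg, i in self._ifaces(h):
                if i.ip == ip:
                    return h, seg
        return None

    def on_link(self, src, dst_ip):
        """True/False if dst_ip is in a connected subnet of src (ARP is answered
        only when both share a layer-2 path); None if src must use a route."""
        for seg, i in self._ifaces(src):
            if dst_ip in i.network:
                hit = self._owner(dst_ip)
                return hit is not None and self._same_l2(seg, hit[1])
        return None

    def reach(self, src, dst, hops=0):
        """Can src deliver a unicast packet to the address dst?"""
        dst_ip = ipaddress.ip_address(dst)
        on = self.on_link(src, dst_ip)
        if on is not None or hops > 8:
            return bool(on)
        # longest-prefix match; the next hop must be on-link and must forward
        for net, via in sorted(src.routes.items(), key=lambda kv: -ipaddress.ip_network(kv[0]).prefixlen):
            if dst_ip in ipaddress.ip_network(net):
                via_ip = ipaddress.ip_address(via)
                hit = self._owner(via_ip)
                if hit and hit[0].forwards and self.on_link(src, via_ip):
                    return self.reach(hit[0], dst, hops + 1)
                return False
        return False

    def broadcast_reaches(self, src):
        """Hosts that see a layer-2 broadcast from src (DHCP, LAN game discovery)."""
        segs = {seg for seg, _ in src.ifaces}
        return sorted(h.name for h in self.hosts if h is not src and
                      any(self._same_l2(s, t) for s in segs for t, _ in h.ifaces))


def routed_design():
    """Router mode: each PC gets a static route to 10.10.10.0/24 via its local
    gateway (route -p add ...) and the gateways forward; tunnel = segment vpn."""
    return Network([
        Host("gw-a", [("lan-a", "192.168.1.254/24"), ("vpn", "10.10.10.1/24")], forwards=True),
        Host("gw-b", [("lan-b", "10.1.1.254/24"), ("vpn", "10.10.10.2/24")], forwards=True),
        Host("pc-a", [("lan-a", "192.168.1.5/24")], {"10.10.10.0/24": "192.168.1.254"}),
        Host("pc-b", [("lan-b", "10.1.1.7/24")], {"10.10.10.0/24": "10.1.1.254"})])


def switched_design():
    """Mode = switch, tap bridged into each LAN, every PC with a second address
    in 10.30.1.0/24: the two LANs become one broadcast domain."""
    return Network([
        Host("router-b", [("lan-b", "10.1.1.1/24")]),   # house B's DHCP server
        Host("gw-a", [("lan-a", "192.168.1.254/24"), ("lan-a", "10.30.1.1/24")]),
        Host("gw-b", [("lan-b", "10.1.1.254/24"), ("lan-b", "10.30.1.129/24")]),
        Host("pc-a", [("lan-a", "192.168.1.5/24"), ("lan-a", "10.30.1.5/24")]),
        Host("pc-b", [("lan-b", "10.1.1.7/24"), ("lan-b", "10.30.1.135/24")])],
        bridged=frozenset({"lan-a", "lan-b"}))


def idea1_design(prefix=24):
    """IDEA1: 10.30.0.0/25 at house A, 10.30.0.128/25 at house B, router mode,
    every host configured with a /prefix mask (the thread's plan uses /24)."""
    m = f"/{prefix}"
    return Network([
        Host("gw-a", [("lan-a", "10.30.0.1" + m), ("vpn", "10.10.10.1/24")],
             {"10.30.0.128/25": "10.10.10.2"}, forwards=True),
        Host("gw-b", [("lan-b", "10.30.0.129" + m), ("vpn", "10.10.10.2/24")],
             {"10.30.0.0/25": "10.10.10.1"}, forwards=True),
        Host("pc-a", [("lan-a", "10.30.0.2" + m)], {"0.0.0.0/0": "10.30.0.1"}),
        Host("pc-b", [("lan-b", "10.30.0.130" + m)], {"0.0.0.0/0": "10.30.0.129"})])


if __name__ == "__main__":
    net = switched_design()
    print(net.reach(net.host("pc-a"), "10.30.1.135"), net.broadcast_reaches(net.host("pc-a")))
```

<p>Running the file prints the switched-mode result for pc-a: it reaches pc-b's 10.30.1.135 directly, and its broadcasts are seen by gw-a, gw-b, pc-b and router-b, which is exactly the cross-site DHCP effect Donald warns about. In the routed model, giving pc-a a route for 10.1.1.0/24 via gw-a and gw-a a route for the same prefix via gw-b's VPN address makes pc-b reachable; in a real router-mode tinc setup gw-a's half of that corresponds to a Subnet = 10.1.1.0/24 line in gw-b's host file plus a kernel route for that prefix through gw-a's tinc interface, and gw-a must forward (the KB article linked above covers Windows). Changing idea1_design(24) to idea1_design(25) is the one thing that makes IDEA1 work: the PCs' mask has to match the /25 that the tinc Subnet declares, otherwise the PC never consults its default route.</p>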
<br>
</body>
</html>