<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Awesome! Now I think I finally understand how to do this. Thank you
very much. (Just to confirm, I need to assign the new additional IP
on the physical adapter for each non-tinc PC and on the tap adapter for the
tinc gateway PCs, right?)<br>
<br>
Andrew.<br>
<br>
On 7/10/2010 2:14 p.m., Donald Pearson wrote:
<blockquote
cite="mid:AANLkTi=_rSo3rtOpv6OgQfY-7XQDqBw1KNnWv2Fqk+Da@mail.gmail.com"
type="cite">Sure, it's possible; you just need to assign each node
a new IP in the 10.30.1.0/24 network. It's not
part of the Tinc configuration, it's part of the network
configuration of each computer.<br>
<br>
All Tinc is doing is creating a layer 2 path for them to reach
each other. Yes, broadcasts will traverse the VPN. It literally
is virtual ethernet over the internet. :)<br>
<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 9:04 PM, Andrew
Savinykh <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:andrews@brutsoft.com">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald, thank you for
this. <br>
<br>
Do I read you right that to be able to receive broadcasts
across LANs I have to use the address space that I already
have and make sure that this space is the same for both
LANs?<br>
<br>
What I'm trying to do is to define a *completely new subnet*
that will act as the common LAN for both LAN A and LAN B.<br>
<br>
To re-iterate:<br>
I have one router that is 10.1.1.1 and gives out DHCP
10.1.1.* and the other router 192.168.0.1 that gives out
DHCP 192.168.0.*. <br>
I would like to leave these address spaces alone and define
a new one on 10.30.1.* that computers from both networks can
participate in, effectively forming a new virtual LAN.<br>
<br>
Is this possible with tinc? I know this is possible with other
software, I'm just having a hard time figuring out if this is
something I can configure tinc to do.<br>
<font color="#888888"> <br>
Andrew</font>
<div>
<div class="h5"><br>
<br>
<br>
<br>
On 7/10/2010 1:13 p.m., Donald Pearson wrote:
<blockquote type="cite">Sorry, you're right. I was
looking at the IP address schema where all nodes would
use the 10.30.0.0/24
network.<br>
<br>
There's no need to install tap adapters on the other
devices. You have basically 2 realistic options if
you want the LAN function.<br>
<br>
You can specify multiple IP addresses for a single
interface, even in Windows. You'll find this under
the TCP/IP properties of the network adapter, by
clicking on the Advanced button on the page where you
can set a static IP or designate DHCP.<br>
<br>
A 2nd option would be to re-ip one of your locations
so that they all use the same subnet natively.<br>
<br>
Bridging the tap adapter allows your network frames
received by your physical interface to reach the TAP
adapter and therefore traverse the VPN. This enables
layer 2 connectivity, the same way a real switch
does. Virtual Ethernet over the Internet is how I
like to describe it. This is how I have my VPN
configured personally.<br>
<br>
Without the bridge, a frame that is received at the
physical interface has the frame stripped off and the
packet inspected. Now we're talking layer 3. If the
packet is destined for a network on the other side of
the VPN, your Tinc node frames the packet back up with
a new frame, and sends it over the VPN. This act of
stripping the frame, reading the packet for the
network destination, and applying a new frame to get
it there is what Routing is. Without the bridge in
place, your Tinc node is literally routing between the
physical interface and the tap interface. With the
bridge, you're creating a layer 2 pathway so the
frames can shoot across directly. Of course this
means both sides need to be on the same subnet which
you obviously already know.<br>
<br>
Be warned that this configuration comes with its
drawbacks. DHCP will traverse your VPN. I had
location A computers getting addresses from location B,
which makes for some really inefficient internet
traffic.<br>
<br>
Regards,<br>
Donald<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 7:57
PM, Andrew Savinykh <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald,
thank you for the explanation.<br>
<br>
I understand the part about the switch mode and
absence of subnet in tinc.config.<br>
However, could you please explain what bridging
the tap adapter will achieve and what kind of ip
address will be used on tinc nodes and in the
rest of the network.<br>
<br>
In my example one household has local network
addresses of 192.168.1.* and the other has
10.1.1.*<br>
If we don't install tap interfaces on other PCs
this means that the other PCs won't have another
IP address.<br>
I understand that bridging is going to solve
this somehow, but I still don't see how a
broadcast from 10.1.1.7 can reach 192.168.1.5 in
the other LAN.<br>
<br>
In short, I don't understand how bridging two
adapters works. I'll try to google this topic to
get a better understanding; meanwhile, could you
please explain<br>
how this applies to our tinc configuration case.<br>
<br>
Also can you briefly describe what we achieve by
setting PMTUDiscovery = Yes. I read the
description in manual but it didn't tell me
much.<br>
<br>
Thank you again for all your help,<br>
<font color="#888888"> Andrew</font>
<div>
<div><br>
<br>
<br>
<br>
On 7/10/2010 11:40 a.m., Donald Pearson
wrote:
<blockquote type="cite">Oh okay. Yes you
can make it appear as a single LAN. Your
Tinc nodes will behave as bridges instead
of routers (or gateways as you put it).<br>
<br>
Your tinc nodes will have the same subnet
mask and default router as all your other
devices at that location.<br>
<br>
You will need to run the add-tap script
only on the tinc nodes on each side.<br>
<br>
You will then need to bridge the tap
adapter to the local area connection on
the tinc nodes on each side.<br>
<br>
This will create a bridge network object
under your network connections. This
bridge will have the IP configuration you
illustrated.<br>
<br>
You have the right idea in segregating the
IP distribution while still using the
255.255.255.0 subnet mask.<br>
<br>
Once both nodes are up and connected, and
the interfaces have been bridged on the
Tinc nodes for each location, you will
have a virtual LAN between the two
locations.<br>
<br>
Your Tinc configuration will be Switch
mode. This means no Subnet
configurations are required in your
tinc.conf<br>
<br>
Your tinc.conf will be something like<br>
<br>
Name = NodeA<br>
ConnectTo = NodeB<br>
Interface = <something><br>
Mode = switch<br>
PrivateKeyFile = <path to the
rsa_key.priv><br>
<br>
Host files will be something like<br>
For the host file named "NodeA"<br>
<br>
Address = <<a moz-do-not-send="true"
href="http://host.dyndns.org"
target="_blank">host.dyndns.org</a>><br>
PMTUDiscovery = Yes<br>
<br>
--Begin RSA etc. etc.--<br>
<br>
<br>
<div class="gmail_quote">On Wed, Oct 6,
2010 at 6:17 PM, Andrew Savinykh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Donald,<br>
<br>
thank you, while I still have some
questions, your answer is definitely
a step in the right direction.<br>
In the other reply I was asked what
I'm trying to achieve. Let's
consider the following scenario
(which is quite similar to the one
described in the tinc manual).<br>
<br>
Let's assume we have two households,
each has 3-5 computers in it. Both
households have similar network
configuration:<br>
They are connected to internet with
an ADSL line and a router.<br>
The computers in the local network
access internet via the router.<br>
The router is configured so that one
of the computers has port 665
forwarded to be accessible from outside.<br>
The external IP is changed rarely
and there is dynamic DNS service
(external) in use to accommodate for
the change of IP when it happens.<br>
<br>
One household has local network
addresses of 192.168.1.* and the
other has 10.1.1.*<br>
I'm installing tinc on one computer
in each household. <br>
<br>
The goal is to let all computers in
both households see each other
by IP address. Also it is desired
that for computer gaming purposes<br>
all computers appear to be on the
same LAN (for broadcasts). But this
is not mandatory. (It appears that
it's not possible without installing
tinc on every PC, <br>
as every tinc daemon serves a subnet
and two tinc daemons can't serve a
part of a subnet each.)<br>
<br>
All computers run different flavours
of Windows, most being Windows 7.<br>
<br>
I have two ideas how to set this up,
although I'm not sure if any of
these two works:<br>
<br>
IDEA1.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2,3,4 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a
moz-do-not-send="true"
href="http://10.30.0.0/25"
target="_blank">10.30.0.0/25</a><br>
<br>
Household B<br>
Gateway IP: 10.30.0.129<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.130,131,132
etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.129<br>
<br>
Tinc Subnet: <a
moz-do-not-send="true"
href="http://10.30.0.128/25"
target="_blank">10.30.0.128/25</a><br>
<br>
<br>
IDEA2.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a
moz-do-not-send="true"
href="http://10.30.0.0/24"
target="_blank">10.30.0.0/24</a><br>
<br>
Household B<br>
Gateway IP: 10.30.1.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.1.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway:
10.30.0.129<br>
<br>
Tinc Subnet: <a
moz-do-not-send="true"
href="http://10.30.1.0/24"
target="_blank">10.30.1.0/24</a><br>
<br>
<br>
So IDEA 1 probably won't work at
all. Will it? And with IDEA 2 the
pc's won't appear on the same LAN
and their broadcasts won't reach
each other.<br>
As far as I understand I need to
install TAP interface on each of the
participating windows PCs, correct?<br>
What is specified in default gateway
of the gateways?
<div><br>
<br>
<br>
Thank you in advance,<br>
Andrew<br>
<br>
</div>
<div>
<div> On 7/10/2010 4:36 a.m.,
Donald Pearson wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>The PCs that you want to
participate need to have a
route for the VPN subnet
pointing to their local VPN
gateway, which would be the
local device with Tinc
installed on it.
<div><br>
</div>
<div>Theoretical configuration
example.</div>
<div><br>
</div>
<div>VPN subnet is <a
moz-do-not-send="true"
href="http://10.10.10.0/24"
target="_blank">10.10.10.0/24</a></div>
<div><br>
</div>
<div>At a location, one
computer <a
moz-do-not-send="true"
href="http://192.168.1.254/24"
target="_blank">192.168.1.254/24</a>
connects to the VPN and
serves as the VPN gateway.
This gateway needs to be
configured for TCP/IP
forwarding.</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://support.microsoft.com/kb/315236" target="_blank">http://support.microsoft.com/kb/315236</a> -
windows</div>
<div><a moz-do-not-send="true"
href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/"
target="_blank">http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/</a> -
linux</div>
<div><br>
</div>
<div>Other computers local to
the gateway need a route to
the VPN network added so
they know how to get there.</div>
<div><br>
</div>
<div>In Windows: <code>route -p
add 10.10.10.0 mask
255.255.255.0 192.168.1.254</code></div>
<div>This will add the
persistent route that
remains after reboot.</div>
<div><br>
</div>
<div>Does that answer your
question?</div>
<div><br>
<div class="gmail_quote">On
Wed, Oct 6, 2010 at 6:41
AM, Andrew Savinykh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com" target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt
0pt 0.8ex; border-left:
1px solid rgb(204, 204,
204); padding-left:
1ex;">
<div bgcolor="#ffffff"
text="#000000"> Thank
you for your reply. As
far as I can see there
is no point specifying
a subnet that consists
of more than one PC in
the tinc config if you are
going to install tinc
on every PC in the
subnet anyway. Correct
me if I'm wrong.<br>
Now, assuming I'm
right, there will be
PCs in the subnet that
don't have tinc
installed on them. How
to configure these PCs
so they are a part of
the subnet and
participate in
routing?<br>
<br>
Cheers,<br>
Andrew
<div>
<div><br>
<br>
On 6/10/2010 10:13
p.m., Cédric
Lemarchand wrote:
</div>
</div>
<blockquote
type="cite">
<div>
<div> Hi,<br>
<br>
I am not sure I understand
what you mean by
"joining" a subnet.<br>
<br>
But if your "local computer"
needs to reach the "remote
subnet" served by tinc,
you can set the local IP
of the local tinc server
as the default gateway,
or add a route to the
remote subnet via the
local tinc IP. Of course,
computers located on the
remote subnet need the
same thing.<br>
<br>
Cédric<br>
<br>
On 06/10/10 09:37,
Andrew Savinykh
wrote:
<blockquote
type="cite"> Hello
all, <br>
<br>
I understand
that each tinc
daemon
corresponds to
one or more
subnets that
it "owns"; a
subnet can be
a single IP or
more. <br>
Could you
please tell me
what do I need
to do to join
a computer in
local network
(windows) to a
subnet served
by tinc? <br>
<br>
Thank you in
advance, <br>
Andrew <br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
tinc mailing list<br>
<a moz-do-not-send="true"
href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a moz-do-not-send="true"
href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
tinc mailing list<br>
<a moz-do-not-send="true" href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a moz-do-not-send="true"
href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
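The routed-versus-bridged distinction that runs through the thread above, as an added example that is not part of the original messages and not code from tinc itself. It models Andrew's two addressing plans (IDEA1: both halves of 10.30.0.0/24 behind a 255.255.255.0 mask; IDEA2: 10.30.0.0/24 at one site and 10.30.1.0/24 at the other) under Donald's two deployment styles, routed mode with TCP/IP forwarding on the tinc gateway and a route on every other PC, versus switch mode with the tap adapter bridged to the LAN, and reports whether a PC at one site can reach a PC at the other, whether broadcasts cross the VPN, and whether the bridged setup lets one site's DHCP server lease to the other site. The <code>Host</code> and <code>Plan</code> names, the site labels, the reason strings and the sample addresses are assumptions made for the example; the Windows <code>route -p add</code> form is the one from Donald's message, and the Linux equivalent is standard iproute2 syntax.<br>
<br>
```python
# Added example for the tinc list thread above; not code from tinc or the posters.
# Models routed mode (tinc gateway forwards between LAN and tap, other PCs carry
# a route) versus switch mode with the tap adapter bridged to the LAN, and shows
# why IDEA1 fails when routed and why broadcasts only cross a bridged VPN.
# Host/Plan field names, site labels and reason strings are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str    # e.g. "10.30.0.130"
    mask: str  # dotted mask as typed into Windows, e.g. "255.255.255.0"
    site: str  # "A" or "B"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}").network


@dataclass(frozen=True)
class Plan:
    mode: str                    # tinc.conf "Mode = router" or "Mode = switch"
    bridged: bool = False        # tap adapter bridged to the LAN on the tinc gateway
    ip_forwarding: bool = False  # TCP/IP forwarding enabled on the tinc gateway
    client_routes: bool = False  # non-tinc PCs have a route to the VPN subnet
    dhcp_sites: frozenset = frozenset()  # sites whose router hands out DHCP


def on_link(src: Host, dst: Host) -> bool:
    """True when src's own mask makes dst look directly attached, so src ARPs for it."""
    return ipaddress.ip_address(dst.ip) in src.network


def reachable(src: Host, dst: Host, plan: Plan) -> tuple[bool, str]:
    """Whether unicast from src to dst works under the plan, and why."""
    if src.site == dst.site:
        return True, "same physical LAN"
    if on_link(src, dst):
        # Looks local to the sender, so no gateway is consulted: only a layer 2
        # path (switch mode with the tap bridged into the LAN) carries the frame.
        if plan.mode == "switch" and plan.bridged:
            return True, "layer 2 path over the bridged tap adapter"
        return False, "dst looks on-link but no layer 2 path exists; ARP goes unanswered"
    # Off-link: the sender needs a route, and the gateway it names must forward.
    if not plan.client_routes:
        return False, "sender has no route to the VPN subnet"
    if not plan.ip_forwarding:
        return False, "tinc gateway does not forward between LAN and tap"
    return True, "routed via the local tinc gateway"


def broadcasts_cross(plan: Plan) -> bool:
    """Broadcast frames traverse the VPN only when it is a layer 2 bridge."""
    return plan.mode == "switch" and plan.bridged


def dhcp_leaks(plan: Plan) -> bool:
    """Two DHCP servers in one bridged broadcast domain: PCs may lease from the far site."""
    return broadcasts_cross(plan) and len(plan.dhcp_sites) > 1


def client_route_command(vpn_subnet: str, gateway_ip: str, os: str) -> str:
    """Persistent route a non-tinc PC needs in routed mode (Windows form as in the thread)."""
    net = ipaddress.ip_network(vpn_subnet)
    if os == "windows":
        return f"route -p add {net.network_address} mask {net.netmask} {gateway_ip}"
    return f"ip route add {net} via {gateway_ip}"  # Linux iproute2 equivalent


if __name__ == "__main__":
    routed = Plan("router", ip_forwarding=True, client_routes=True)
    bridged = Plan("switch", bridged=True, dhcp_sites=frozenset({"A", "B"}))
    idea1 = (Host("pcA", "10.30.0.2", "255.255.255.0", "A"),
             Host("pcB", "10.30.0.130", "255.255.255.0", "B"))
    idea2 = (Host("pcA", "10.30.0.2", "255.255.255.0", "A"),
             Host("pcB", "10.30.1.2", "255.255.255.0", "B"))
    for label, pair in (("IDEA1", idea1), ("IDEA2", idea2)):
        for plan in (routed, bridged):
            ok, why = reachable(*pair, plan)
            print(f"{label} {plan.mode:6} reachable={ok!s:5} broadcasts_cross="
                  f"{broadcasts_cross(plan)!s:5} dhcp_leaks={dhcp_leaks(plan)!s:5} {why}")
    print(client_route_command("10.10.10.0/24", "192.168.1.254", "windows"))
```
<br>
Running it shows the point Donald made in two different replies: with a 255.255.255.0 mask the IDEA1 hosts consider each other on-link, so routed mode never gets a chance to forward and only the bridged switch-mode plan connects them; the IDEA2 hosts are on different subnets, so they connect in routed mode once every PC has the route and the gateway forwards, but their broadcasts stay at home. The <code>dhcp_leaks</code> check is the drawback he warns about: once the tap is bridged, both routers' DHCP offers land in one broadcast domain.<br>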
</body>
</html>