<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    Awesome! Now I think I finally understand how to do this. Thank you
    very much. (Just to confirm, I need to assign the new additional IP
    on the physical adapter for each non-tinc PC and on the tap adapter for tinc
    gateway PCs, right?)<br>
    <br>
    Andrew.<br>
    <br>
    On 7/10/2010 2:14 p.m., Donald Pearson wrote:
    <blockquote
      cite="mid:AANLkTi=_rSo3rtOpv6OgQfY-7XQDqBw1KNnWv2Fqk+Da@mail.gmail.com"
      type="cite">Sure it's possible, you just need to assign each node
      a new IP in the <a moz-do-not-send="true"
        href="http://10.30.1.0/24">10.30.1.0/24</a> network.&nbsp; It's not
      part of the Tinc configuration, it's part of the network
      configuration of each computer.<br>
      <br>
      All Tinc is doing is creating a layer 2 path for them to reach
      each other.&nbsp; Yes, broadcasts will traverse the VPN.&nbsp; It literally
      is virtual ethernet over the internet.&nbsp; :)<br>
      <br>
      <div class="gmail_quote">On Wed, Oct 6, 2010 at 9:04 PM, Andrew
        Savinykh <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:andrews@brutsoft.com">andrews@brutsoft.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div bgcolor="#ffffff" text="#000000"> Donald, thank you for
            this. <br>
            <br>
            Do i read you right that to be able to receive broadcasts
            across LANs I have to use the address space that I already
            have and make sure that this space is the same for both
            LANs?<br>
            <br>
            What I'm trying to do is to define a *completely new subnet*
            that will act as the common LAN for both LAN A and LAN B.<br>
            <br>
            To re-iterate:<br>
            I have one router that is 10.1.1.1 and gives out DHCP
            10.1.1.* and the other router 192.168.0.1 that gives out
            DHCP 192.168.0.*. <br>
            I would like to leave these address spaces alone and define
            a new one on 10.30.1.* that computers from both networks can
            participate in, effectively forming a new virtual LAN.<br>
            <br>
            Is this possible with tinc? I know this is possible with other
            software, I'm just having a hard time figuring out if this is
            something I can configure tinc to do.<br>
            <font color="#888888"> <br>
              Andrew</font>
            <div>
              <div class="h5"><br>
                <br>
                <br>
                <br>
                On 7/10/2010 1:13 p.m., Donald Pearson wrote:
                <blockquote type="cite">Sorry you're right.&nbsp; I was
                  looking at the IP address schema where all nodes would
                  use the <a moz-do-not-send="true"
                    href="http://10.30.0.0/24" target="_blank">10.30.0.0/24</a>
                  network.<br>
                  <br>
                  There's no need to install tap adapters on the other
                  devices.&nbsp; You have basically 2 realistic options if
                  you want the LAN function.<br>
                  <br>
                  You can specify multiple IP addresses for a single
                  interface, even in Windows.&nbsp; You'll find this under
                  the TCP/IP properties of the network adapter.&nbsp; And
                  clicking on the Advanced button on the page where you
                  can set a static IP or designate DHCP.<br>
                  <br>
                  A 2nd option would be to re-ip one of your locations
                  so that they all use the same subnet natively.<br>
                  <br>
                  Bridging the tap adapter allows your network frames
                  received by your physical interface to reach the TAP
                  adapter and therefore traverse the VPN.&nbsp; This enables
                  layer 2 connectivity, the same way a real switch
                  does.&nbsp; Virtual Ethernet over the Internet is how I
                  like to describe it.&nbsp; This is how I have my VPN
                  configured personally.<br>
                  <br>
                  Without the bridge, a frame that is received at the
                  physical interface has the frame stripped off and the
                  packet inspected.&nbsp; Now we're talking layer 3.&nbsp; If the
                  packet is destined for a network on the other side of
                  the VPN, your Tinc node frames the packet back up with
                  a new frame, and sends it over the VPN.&nbsp;&nbsp; This act of
                  stripping the frame, reading the packet for the
                  network destination, and applying a new frame to get
                  it there is what Routing is.&nbsp; Without the bridge in
                  place, your Tinc node is literally routing between the
                  physical interface and the tap interface.&nbsp; With the
                  bridge, you're creating a layer 2 pathway so the
                  frames can shoot across directly.&nbsp; Of course this
                  means both sides need to be on the same subnet which
                  you obviously already know.<br>
                  <br>
                  Be warned that this configuration comes with its
                  drawbacks.&nbsp; DHCP will traverse your VPN.&nbsp; I had
                  location A computers getting addresses from location B
                  which makes for some really inefficient internet
                  traffic.<br>
                  <br>
                  Regards,<br>
                  Donald<br>
                  <div class="gmail_quote">On Wed, Oct 6, 2010 at 7:57
                    PM, Andrew Savinykh <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:andrews@brutsoft.com"
                        target="_blank">andrews@brutsoft.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin: 0pt
                      0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
                      204, 204); padding-left: 1ex;">
                      <div bgcolor="#ffffff" text="#000000"> Donald,
                        thank you for the explanation.<br>
                        <br>
                        I understand the part about the switch mode and
                        absence of subnet in tinc.config.<br>
                        However, could you please explain what bridging
                        the tap adapter will achieve and what kind of ip
                        address will be used on tinc nodes and in the
                        rest of the network.<br>
                        <br>
                        In my example one household has local network
                        addresses of 192.168.1.* and the other has
                        10.1.1.*<br>
                        If we don't install tap interfaces on other PCs
                        this means that the other PCs won't have another
                        ip address.<br>
                        I understand that bridging is going to solve
                        this somehow, but I still don't see how
                        broadcast from 10.1.1.7 can reach 192.168.1.5 in
                        the other LAN.<br>
                        <br>
                        In short I don't understand how bridging to
                        adapters works. I'll try to google this topic to
                        get a better understanding; meanwhile, could you
                        please explain<br>
                        how this applies to our tinc configuration case.<br>
                        <br>
                        Also can you briefly describe what we achieve by
                        setting PMTUDiscovery = Yes. I read the
                        description in manual but it didn't tell me
                        much.<br>
                        <br>
                        Thank you again for all your help,<br>
                        <font color="#888888"> Andrew</font>
                        <div>
                          <div><br>
                            <br>
                            <br>
                            <br>
                            On 7/10/2010 11:40 a.m., Donald Pearson
                            wrote:
                            <blockquote type="cite">Oh okay.&nbsp; Yes you
                              can make it appear as a single LAN.&nbsp; Your
                              Tinc nodes will behave as bridges instead
                              of routers (or gateways as you put it).<br>
                              <br>
                              Your tinc nodes will have the same subnet
                              mask and default router as all your other
                              devices at that location.<br>
                              <br>
                              You will need to run the add-tap script
                              only on the tinc nodes on each side.<br>
                              <br>
                              You will then need to bridge the tap
                              adapter to the local area connection on
                              the tinc nodes on each side.<br>
                              <br>
                              This will create a bridge network object
                              under your network connections.&nbsp; This
                              bridge will have the IP configuration you
                              illustrated.<br>
                              <br>
                              You have the right idea in segregating the
                              IP distribution while still using the
                              255.255.255.0 subnet mask.<br>
                              <br>
                              Once both nodes are up and connected, and
                              the interfaces have been bridged on the
                              Tinc nodes for each location, you will
                              have a virtual LAN between the two
                              locations.<br>
                              <br>
                              Your Tinc configuration will be Switch
                              mode.&nbsp;&nbsp; This means no Subnet
                              configurations are required in your
                              tinc.conf.<br>
                              <br>
                              Your tinc.conf will be something like<br>
                              <br>
                              Name = NodeA<br>
                              ConnectTo = NodeB<br>
                              Interface = &lt;something&gt;<br>
                              Mode = switch<br>
                              PrivateKeyFile = &lt;path to the
                              rsa_key.priv&gt;<br>
                              <br>
                              Host files will be something like<br>
                              For the host file named "NodeA"<br>
                              <br>
                              Address = &lt;<a moz-do-not-send="true"
                                href="http://host.dyndns.org"
                                target="_blank">host.dyndns.org</a>&gt;<br>
                              PMTUDiscovery = Yes<br>
                              <br>
                              --Begin RSA etc. etc.--<br>
                              <br>
                              <br>
                              <div class="gmail_quote">On Wed, Oct 6,
                                2010 at 6:17 PM, Andrew Savinykh <span
                                  dir="ltr">&lt;<a
                                    moz-do-not-send="true"
                                    href="mailto:andrews@brutsoft.com"
                                    target="_blank">andrews@brutsoft.com</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin: 0pt 0pt 0pt 0.8ex;
                                  border-left: 1px solid rgb(204, 204,
                                  204); padding-left: 1ex;">
                                  <div bgcolor="#ffffff" text="#000000">
                                    Donald,<br>
                                    <br>
                                    thank you, while I still have some
                                    questions, your answer is definitely
                                    a step in the right direction.<br>
                                    In the other reply I was asked what
                                    I'm trying to achieve. Let's
                                    consider the following scenario
                                    (which is quite similar to the one
                                    described in the tinc manual).<br>
                                    <br>
                                    Let's assume we have two households,
                                    each has 3-5 computers in it.&nbsp; Both
                                    households have a similar network
                                    configuration:<br>
                                    They are connected to internet with
                                    an ADSL line and a router.<br>
                                    The computers in the local network
                                    access internet via the router.<br>
                                    The router is configured so that one
                                    of the computers has port 665
                                    forwarded to be accessible outside.<br>
                                    The external IP is changed rarely
                                    and there is dynamic DNS service
                                    (external) in use to accommodate for
                                    the change of IP when it happens.<br>
                                    <br>
                                    One household has local network
                                    addresses of 192.168.1.* and the
                                    other has 10.1.1.*<br>
                                    I'm installing tinc on one computer
                                    in each household. <br>
                                    <br>
                                    The goal is to let all computers in
                                    both households see each other
                                    by ip address. Also it is desired
                                    that for computer games purposes<br>
                                    all computers appear to be on the
                                    same LAN (for broadcasts). But this
                                    is not mandatory. (it appears that
                                    it's not possible without installing
                                    tinc on every PC <br>
                                    as every tinc daemon serves a subnet
                                    and two tinc daemons can't serve a
                                    part of subnet each)<br>
                                    <br>
                                    All computers run different flavours
                                    of Windows, most being Windows 7.<br>
                                    <br>
                                    I have two ideas how to set this up,
                                    although I'm not sure if any of
                                    these two works:<br>
                                    <br>
                                    IDEA1.<br>
                                    =====<br>
                                    Household A<br>
                                    Gateway IP: 10.30.0.1<br>
                                    Gateway Mask: 255.255.255.0<br>
                                    Gateway Default Gateway: ????<br>
                                    <br>
                                    Other PCs IP: 10.30.0.2,3,4 etc<br>
                                    Other PCs Mask: 255.255.255.0<br>
                                    Other PCs Default Gateway: 10.30.0.1<br>
                                    <br>
                                    Tinc Subnet: <a
                                      moz-do-not-send="true"
                                      href="http://10.30.0.0/25"
                                      target="_blank">10.30.0.0/25</a><br>
                                    <br>
                                    Household B<br>
                                    Gateway IP: 10.30.0.129<br>
                                    Gateway Mask: 255.255.255.0<br>
                                    Gateway Default Gateway: ????<br>
                                    <br>
                                    Other PCs IP: 10.30.0.130,131,132
                                    etc<br>
                                    Other PCs Mask: 255.255.255.0<br>
                                    Other PCs Default Gateway:
                                    10.30.0.129<br>
                                    <br>
                                    Tinc Subnet: <a
                                      moz-do-not-send="true"
                                      href="http://10.30.0.128/25"
                                      target="_blank">10.30.0.128/25</a><br>
                                    <br>
                                    <br>
                                    IDEA2.<br>
                                    =====<br>
                                    Household A<br>
                                    Gateway IP: 10.30.0.1<br>
                                    Gateway Mask: 255.255.255.0<br>
                                    Gateway Default Gateway: ????<br>
                                    <br>
                                    Other PCs IP: 10.30.0.2-255 etc<br>
                                    Other PCs Mask: 255.255.255.0<br>
                                    Other PCs Default Gateway: 10.30.0.1<br>
                                    <br>
                                    Tinc Subnet: <a
                                      moz-do-not-send="true"
                                      href="http://10.30.0.0/24"
                                      target="_blank">10.30.0.0/24</a><br>
                                    <br>
                                    Household B<br>
                                    Gateway IP: 10.30.1.1<br>
                                    Gateway Mask: 255.255.255.0<br>
                                    Gateway Default Gateway: ????<br>
                                    <br>
                                    Other PCs IP: 10.30.1.2-255 etc<br>
                                    Other PCs Mask: 255.255.255.0<br>
                                    Other PCs Default Gateway:
                                    10.30.0.129<br>
                                    <br>
                                    Tinc Subnet: <a
                                      moz-do-not-send="true"
                                      href="http://10.30.1.0/24"
                                      target="_blank">10.30.1.0/24</a><br>
                                    <br>
                                    <br>
                                    So IDEA 1 probably won't work at
                                    all. Will it? And with IDEA 2 the
                                    pc's won't appear on the same LAN
                                    and their broadcasts won't reach
                                    each other.<br>
                                    As far as I understand I need to
                                    install TAP interface on each of the
                                    participating windows PCs, correct?<br>
                                    What is specified in default gateway
                                    of the gateways?
                                    <div><br>
                                      <br>
                                      <br>
                                      Thank you in advance,<br>
                                      Andrew<br>
                                      <br>
                                    </div>
                                    <div>
                                      <div> On 7/10/2010 4:36 a.m.,
                                        Donald Pearson wrote: </div>
                                    </div>
                                    <blockquote type="cite">
                                      <div>
                                        <div>The PCs that you want to
                                          participate need to have a
                                          route for the VPN subnet
                                          pointing to their local VPN
                                          gateway, which would be the
                                          local device with Tinc
                                          installed on it.
                                          <div><br>
                                          </div>
                                          <div>Theoretical configuration
                                            example.</div>
                                          <div><br>
                                          </div>
                                          <div>VPN subnet is <a
                                              moz-do-not-send="true"
                                              href="http://10.10.10.0/24"
                                              target="_blank">10.10.10.0/24</a></div>
                                          <div><br>
                                          </div>
                                          <div>At a location, one
                                            computer <a
                                              moz-do-not-send="true"
                                              href="http://192.168.1.254/24"
                                              target="_blank">192.168.1.254/24</a>
                                            connects to the VPN and
                                            serves as the VPN gateway.
                                            &nbsp;This gateway needs to be
                                            configured for TCP/IP
                                            forwarding.</div>
                                          <div><br>
                                          </div>
                                          <div><a moz-do-not-send="true"
                                              href="http://support.microsoft.com/kb/315236"
                                              target="_blank">http://support.microsoft.com/kb/315236</a>&nbsp;-
                                            windows</div>
                                          <div><a moz-do-not-send="true"
                                              href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/"
                                              target="_blank">http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/</a>&nbsp;-
                                            linux</div>
                                          <div><br>
                                          </div>
                                          <div>Other computers local to
                                            the gateway need a route to
                                            the VPN network added so
                                            they know how to get there.</div>
                                          <div><br>
                                          </div>
                                          <div>In Windows: &nbsp; route -p
                                            add 10.10.10.0 mask
                                            255.255.255.0 192.168.1.254</div>
                                          <div>This will add the
                                            persistent route that
                                            remains after reboot.</div>
                                          <div><br>
                                          </div>
                                          <div>Does that answer your
                                            question?</div>
                                          <div><br>
                                            <div class="gmail_quote">On
                                              Wed, Oct 6, 2010 at 6:41
                                              AM, Andrew Savinykh <span
                                                dir="ltr">&lt;<a
                                                  moz-do-not-send="true"
href="mailto:andrews@brutsoft.com" target="_blank">andrews@brutsoft.com</a>&gt;</span>
                                              wrote:<br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin: 0pt 0pt
                                                0pt 0.8ex; border-left:
                                                1px solid rgb(204, 204,
                                                204); padding-left:
                                                1ex;">
                                                <div bgcolor="#ffffff"
                                                  text="#000000"> Thank
                                                  you for your reply. As
                                                  far as I can see there
                                                  is no point specifying
                                                  subnet that consists
                                                  of more than one PC in
                                                  tinc config if you are
                                                  going to install tinc
                                                  on every PC in the
                                                  subnet anyway. Correct
                                                  me if I'm wrong.<br>
                                                  Now, assuming I'm
                                                  right, there will be
                                                  PCs in the subnet that
                                                  don't have tinc
                                                  installed on them. How
                                                  to configure these PCs
                                                  so they are a part of
                                                  the subnet and
                                                  participate in
                                                  routing?<br>
                                                  <br>
                                                  Cheers,<br>
                                                  Andrew
                                                  <div>
                                                    <div><br>
                                                      <br>
                                                      On 6/10/2010 10:13
                                                      p.m., C&eacute;dric
                                                      Lemarchand wrote:
                                                    </div>
                                                  </div>
                                                  <blockquote
                                                    type="cite">
                                                    <div>
                                                      <div> Hi,<br>
                                                        <br>
                                                        I am not sure to
                                                        understand what
                                                        you mean with
                                                        "joining" a
                                                        subnet.<br>
                                                        <br>
                                                        But if your
                                                        "local computer"
                                                        need to reach
                                                        the "remote
                                                        subnet" served
                                                        by tinc, you can
                                                        set the local IP
                                                        of the local
                                                        tinc server as
                                                        the default
                                                        gateway, or add
                                                        a route to the
                                                        remote subnet
                                                        via the local
                                                        tinc IP. Of
                                                        course, computer
                                                        located on the
                                                        remote subnet
                                                        need the same
                                                        thing.<br>
                                                        <br>
                                                        C&eacute;dric<br>
                                                        <br>
                                                        On 06/10/10
                                                        09:37, Andrew
                                                        Savinykh
                                                        wrote:
                                                        <blockquote
                                                          type="cite">&nbsp;Hello
                                                          all, <br>
                                                          <br>
                                                          I understand
                                                          that each tinc
                                                          daemon
                                                          corresponds to
                                                          one or more
                                                          subnets that
                                                          it "owns"; a
                                                          subnet can be
                                                          a single ip or
                                                          more. <br>
                                                          Could you
                                                          please tell me
                                                          what do I need
                                                          to do to join
                                                          a computer in
                                                          local network
                                                          (windows) to a
                                                          subnet served
                                                          by tinc? <br>
                                                          <br>
                                                          Thank you in
                                                          advance, <br>
                                                          Andrew <br>
                                                        </blockquote>
                                                      </div>
                                                    </div>
                                                  </blockquote>
                                                </div>
                                              </blockquote>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                </blockquote>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                      <br>
                      _______________________________________________<br>
                      tinc mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
                      <a moz-do-not-send="true"
                        href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
                        target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </blockquote>
                <br>
              </div>
            </div>
          </div>
          <br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
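<p>The following is an added example, not code from the tinc project or from either poster. It models the two addressing plans Andrew laid out (IDEA1 with one /24 split into two tinc /25 subnets, IDEA2 with a /24 per household) under the two tinc setups Donald describes: a node that routes between its physical and tap interfaces, and a node whose tap adapter is bridged to the LAN in switch mode. Addresses are the ones quoted in the thread; the host names and the household B gateway 10.30.1.1 in IDEA2 are constructed.</p>

```python
"""Reachability model for the routed vs. bridged tinc setups in the thread.
Added example; addresses from the thread, host names constructed."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


class Host:
    def __init__(self, name, site, iface, gateway=None, tinc=False):
        self.name, self.site, self.tinc = name, site, tinc
        self.iface = IPv4Interface(iface)            # e.g. "10.30.0.2/24"
        self.gateway = IPv4Address(gateway) if gateway else None

    @property
    def addr(self):
        return self.iface.ip

    def next_hop(self, dst):
        """Ordinary end-host forwarding decision: ARP for on-link destinations,
        hand everything else to the default gateway (None = no route at all)."""
        dst = IPv4Address(dst)
        return dst if dst in self.iface.network else self.gateway


class Lan:
    """Two households joined by tinc.
    mode='router': the tinc node strips the Ethernet frame and forwards IP
    packets according to the Subnet= each side announces.
    mode='switch': the tap adapter is bridged to the LAN, so both households
    form one Ethernet segment and broadcasts (ARP, DHCP, game discovery) cross."""

    def __init__(self, mode, hosts, subnets=None):
        assert mode in ("router", "switch")
        self.mode, self.hosts = mode, {h.addr: h for h in hosts}
        self.subnets = {s: IPv4Network(n) for s, n in (subnets or {}).items()}

    def vpn_site_for(self, addr):
        return next((s for s, n in self.subnets.items() if addr in n), None)

    def one_way(self, src, dst):
        """Can a unicast packet from host `src` reach address `dst`?"""
        dst = IPv4Address(dst)
        hop, target = src.next_hop(dst), self.hosts.get(dst)
        if hop is None or target is None:
            return False
        if hop == dst:                       # on-link: only an ARP broadcast finds it
            return self.mode == "switch" or target.site == src.site
        gw = self.hosts.get(hop)             # off-link: hand it to the gateway
        if gw is None or gw.site != src.site or hop not in src.iface.network:
            return False                     # gateway itself unreachable on this LAN
        if self.mode == "switch" or not gw.tinc:
            return False                     # a bridge does not route for 10.30.x
        remote = self.vpn_site_for(dst)      # which side announces Subnet= for dst?
        return remote not in (None, src.site) and target.site == remote

    def reaches(self, src, dst):
        """Two-way reachability: the reply has to find its way back as well."""
        target = self.hosts.get(IPv4Address(dst))
        return target is not None and self.one_way(src, dst) \
            and self.one_way(target, src.addr)

    def broadcast_reaches(self, src):
        """Names of hosts that see a broadcast frame sent by `src`."""
        return {h.name for h in self.hosts.values()
                if h is not src and (self.mode == "switch" or h.site == src.site)}

    def plan_problems(self):
        """Sanity check: every host's default gateway must be on-link for it."""
        return [f"{h.name}: gateway {h.gateway} not in {h.iface.network}"
                for h in self.hosts.values()
                if h.gateway is not None and h.gateway not in h.iface.network]


# IDEA1: one /24 for everybody, tinc Subnet= split into two /25 (from the thread).
idea1_hosts = [
    Host("gwA", "A", "10.30.0.1/24", tinc=True),
    Host("pcA", "A", "10.30.0.2/24", gateway="10.30.0.1"),
    Host("gwB", "B", "10.30.0.129/24", tinc=True),
    Host("pcB", "B", "10.30.0.130/24", gateway="10.30.0.129"),
]
IDEA1_SUBNETS = {"A": "10.30.0.0/25", "B": "10.30.0.128/25"}

# IDEA2: a separate /24 per household.  Household B's gateway 10.30.1.1 is an
# assumption made here so that the plan is self-consistent.
idea2_hosts = [
    Host("gwA", "A", "10.30.0.1/24", tinc=True),
    Host("pcA", "A", "10.30.0.2/24", gateway="10.30.0.1"),
    Host("gwB", "B", "10.30.1.1/24", tinc=True),
    Host("pcB", "B", "10.30.1.2/24", gateway="10.30.1.1"),
]
IDEA2_SUBNETS = {"A": "10.30.0.0/24", "B": "10.30.1.0/24"}


def evaluate(mode, hosts, subnets):
    """Summarise what a PC in household A gets towards a PC in household B."""
    lan = Lan(mode, hosts, subnets)
    pc_a, pc_b = hosts[1], hosts[3]
    return {"unicast": lan.reaches(pc_a, pc_b.addr),
            "broadcast_crosses": pc_b.name in lan.broadcast_reaches(pc_a),
            "problems": lan.plan_problems()}


if __name__ == "__main__":
    for mode in ("router", "switch"):
        print("IDEA1", mode, evaluate(mode, idea1_hosts, IDEA1_SUBNETS))
        print("IDEA2", mode, evaluate(mode, idea2_hosts, IDEA2_SUBNETS))
```

<p>Run stand-alone it shows why IDEA1 only works once the tap adapters are bridged (the /24 mask makes every peer look on-link, so nothing is ever sent to the tinc gateway), and why IDEA2 routes but never carries broadcasts across.</p>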
  </body>
</html>