<div dir="ltr">A routing solution works at layer 3 and therefore won't use bridging which is at layer 2.<div><br></div><div>For routing, all clients on the <a href="http://172.16.254.0/24">172.16.254.0/24</a> (assuming /24) network network will need to have a route added to use 172.16.253.102 as the next hop to reach the remote <a href="http://192.168.99.0/24">192.168.99.0/24</a> network.</div>
<div><br></div><div>Similarly, all clients on the <a href="http://192.168.99.0/24">192.168.99.0/24</a> will need to have routes to use 192.168.99.4 as the next hop to reach the <a href="http://172.16.254.0/24">172.16.254.0/24</a> network.</div>
<div><br></div><div>Alternatively, on each side's gateway, you can add a route there to direct the traffic. If you do this, an example path your traffic would take would be something like this</div><div><br></div><div>
172.16.253.100 pings 192.168.99.100.</div><div>172.16.253.100 -> 172.16.253.1 (assuming default gw is .1) -> 172.16.253.102 (because you set the route in the gw to send all <a href="http://192.168.99.0/24">192.168.99.0/24</a> traffic to .102) -> 10.10.10.103 (packet moves from lan to vpn subnet and moves over vpn to remote tinc box) -> 192.168.99.100 ( remote tinc moves packet from vpn subnet to remote lan subnet).</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Mar 19, 2014 at 3:23 PM, Aaron Anderson <span dir="ltr"><<a href="mailto:anderson.aaron@gmail.com" target="_blank">anderson.aaron@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So we're all on the same page, here's what I want: (will need to be in<br>
fixed width font)<br>
<br>
-[client (10.10.10.102) and<br>
(172.16.253.102)]--[router]-[internet]-------[router]-[tincserver<br>
(10.10.10.103) and (192.168.99.4)]<br>
<br>
-[other box (192.168.99.5)]<br>
<br>
-[other box (192.168.99.6)]<br>
<br>
<br>
<br>
Where 192.168.99.x and 172.16.253.x are the local non-tinc subnets and<br>
10.10.10.x are tinc addresses.<br>
<br>
<br>
>From "client" i want to be about to access the "other boxes" through<br>
"tincserver" - I'm aware there will be routes for this, I'm fully<br>
capable of dealing with those.<br>
<br>
How should I set up the bridge on "tincserver" ?<br>
<br>
On Wed, Mar 19, 2014 at 3:09 PM, Donald Pearson<br>
<div class="HOEnZb"><div class="h5"><<a href="mailto:donaldwhpearson@gmail.com">donaldwhpearson@gmail.com</a>> wrote:<br>
> By the way, if you create a layer 2 vpn using bridging like this, I suggest<br>
> installing ebtables on your tinc box so that you can put in some layer 2<br>
> firewall rules. An interesting result when you don't do this is DHCP<br>
> traversing the VPN. Much to my surprise I've seen hosts on one site receive<br>
> DHCP from a site across the VPN, ultimately using the remote router as its<br>
> gateway.<br>
> You would think the local server would be faster and always win, but that's<br>
> not always the case.<br>
><br>
><br>
> On Wed, Mar 19, 2014 at 3:03 PM, Donald Pearson <<a href="mailto:donaldwhpearson@gmail.com">donaldwhpearson@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Well you use brctl to bridge the virtual adapter (interface) to a real<br>
>> physical interface, and that's represented by an additional virtual<br>
>> interface which is the bridge itself. That bridge is what you configure<br>
>> with an IP on your LAN statically or via DHCP.<br>
>><br>
>> If you do all this ahead of time you don't even need a tinc-up script.<br>
>><br>
>> If you want the bridge to be built up when tinc connects it would look<br>
>> something like this. Do the inverse for a tinc-down<br>
>><br>
>> tinc.conf<br>
>> Name = Alpha<br>
>> ConnectTo = Beta<br>
>> ConnectTo = Charlie<br>
>> Device = /dev/net/tun<br>
>> Mode = switch<br>
>> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv<br>
>> #<br>
>> #<br>
>><br>
>> Tinc-up<br>
>> #!/bin/sh<br>
>> modprobe tun<br>
>> ifconfig vpn 0.0.0.0<br>
>> ifconfig vpn up<br>
>> ifconfig eth1 0.0.0.0<br>
>> ifconfig eth1 up<br>
>><br>
>> brctl addbr bridge<br>
>> brctl addif bridge vpn<br>
>> brctl addif bridge eth1<br>
>> ifconfig bridge 10.10.0.1 netmask 255.255.0.0<br>
>> route add default gw 10.10.0.254 bridge<br>
>> ifconfig bridge up<br>
>><br>
>><br>
>><br>
>><br>
>> On Wed, Mar 19, 2014 at 2:44 PM, Aaron Anderson <<a href="mailto:anderson.aaron@gmail.com">anderson.aaron@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> Does connecting to that machine get you access to other machines on<br>
>>> the network? That's what I'm having trouble with. I want to connect to<br>
>>> machines that do not have tinc installed.<br>
>>><br>
>>> On Wed, Mar 19, 2014 at 2:30 PM, vmlinux <<a href="mailto:vmlinux@charter.net">vmlinux@charter.net</a>> wrote:<br>
>>> > Aaron Anderson said on 03/19/2014 01:23 PM:<br>
>>> >> I do already have those installed. I was really hoping for someone who<br>
>>> >> had some already working configs or examples.<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc.conf<br>
>>> > Name = mynode<br>
>>> > AddressFamily = ipv4<br>
>>> > interface = tinc0<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc-up<br>
>>> > #!/bin/bash<br>
>>> > ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc-down<br>
>>> > #!/bin/bash<br>
>>> > ifconfig $INTERFACE down<br>
>>> ><br>
>>> > # tincd -n myvpn<br>
>>> ><br>
>>> > _______________________________________________<br>
>>> > tinc mailing list<br>
>>> > <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
>>> > <a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
>>> _______________________________________________<br>
>>> tinc mailing list<br>
>>> <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
>>> <a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
>><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> tinc mailing list<br>
> <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
> <a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
><br>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</div></div></blockquote></div><br></div>