<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi :)<br>
<br>
An example of this could be the following (I'm using tinc 1.0, so
these files may vary):<br>
Name = servera<br>
ConnectTo = serverb<br>
Device = /dev/net/tun<br>
Mode = switch<br>
(The inverse on serverb)<br>
<br>
tinc-up<br>
#server a<br>
ifconfig $INTERFACE up<br>
ifconfig $INTERFACE 10.10.10.102 netmask 255.255.255.0<br>
route add -net 192.168.99.0/24 gw 10.10.10.103<br>
<br>
#server b<br>
ifconfig $INTERFACE up<br>
ifconfig $INTERFACE 10.10.10.103 netmask 255.255.255.0<br>
route add -net 172.16.253.0/24 gw 10.10.10.102<br>
tinc-down is just the same as usual.<br>
<br>
Given that you deal with pointing the traffic at these boxes, this
should work.<br>
This can still be improved by configuring tinc in routing mode (I
think..)<br>
<br>
On 19.03.2014 20:35, Donald Pearson wrote:<br>
</div>
<blockquote
cite="mid:CAC=t97CDL_Jsa1YZ-dxndOKn3TumWThRrYimJ3tNgcQvZdMB5w@mail.gmail.com"
type="cite">
<div dir="ltr">A routing solution works at layer 3 and therefore
won't use bridging which is at layer 2.
<div><br>
</div>
<div>For routing, all clients on the <a moz-do-not-send="true"
href="http://172.16.254.0/24">172.16.254.0/24</a> (assuming
/24) network will need to have a route added to use
172.16.253.102 as the next hop to reach the remote <a
moz-do-not-send="true" href="http://192.168.99.0/24">192.168.99.0/24</a>
network.</div>
<div><br>
</div>
<div>Similarly, all clients on the <a moz-do-not-send="true"
href="http://192.168.99.0/24">192.168.99.0/24</a> will need
to have routes to use 192.168.99.4 as the next hop to reach
the <a moz-do-not-send="true" href="http://172.16.254.0/24">172.16.254.0/24</a>
network.</div>
<div><br>
</div>
<div>Alternatively, on each side's gateway, you can add a route
there to direct the traffic. If you do this, an example path
your traffic would take would be something like this</div>
<div><br>
</div>
<div>
172.16.253.100 pings 192.168.99.100.</div>
<div>172.16.253.100 -> 172.16.253.1 (assuming default gw is
.1) -> 172.16.253.102 (because you set the route in the gw
to send all <a moz-do-not-send="true"
href="http://192.168.99.0/24">192.168.99.0/24</a> traffic to
.102) -> 10.10.10.103 (packet moves from lan to vpn subnet
and moves over vpn to remote tinc box) -> 192.168.99.100 (
remote tinc moves packet from vpn subnet to remote lan
subnet).</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Mar 19, 2014 at 3:23 PM, Aaron
Anderson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:anderson.aaron@gmail.com" target="_blank">anderson.aaron@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">So we're
all on the same page, here's what I want: (will need to be
in<br>
fixed width font)<br>
<br>
-[client (10.10.10.102) and<br>
(172.16.253.102)]--[router]-[internet]-------[router]-[tincserver<br>
(10.10.10.103) and (192.168.99.4)]<br>
<br>
-[other box (192.168.99.5)]<br>
<br>
-[other box (192.168.99.6)]<br>
<br>
<br>
<br>
Where 192.168.99.x and 172.16.253.x are the local non-tinc
subnets and<br>
10.10.10.x are tinc addresses.<br>
<br>
<br>
From "client" I want to be able to access the "other
boxes" through<br>
"tincserver" - I'm aware there will be routes for this, I'm
fully<br>
capable of dealing with those.<br>
<br>
How should I set up the bridge on "tincserver" ?<br>
<br>
On Wed, Mar 19, 2014 at 3:09 PM, Donald Pearson<br>
<div class="HOEnZb">
<div class="h5"><<a moz-do-not-send="true"
href="mailto:donaldwhpearson@gmail.com">donaldwhpearson@gmail.com</a>>
wrote:<br>
> By the way, if you create a layer 2 vpn using
bridging like this, I suggest<br>
> installing ebtables on your tinc box so that you
can put in some layer 2<br>
> firewall rules. An interesting result when you
don't do this is DHCP<br>
> traversing the VPN. Much to my surprise I've seen
hosts on one site receive<br>
> DHCP from a site across the VPN, ultimately using
the remote router as its<br>
> gateway.<br>
> You would think the local server would be faster
and always win, but that's<br>
> not always the case.<br>
><br>
><br>
> On Wed, Mar 19, 2014 at 3:03 PM, Donald Pearson
<<a moz-do-not-send="true"
href="mailto:donaldwhpearson@gmail.com">donaldwhpearson@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Well you use brctl to bridge the virtual
adapter (interface) to a real<br>
>> physical interface, and that's represented by
an additional virtual<br>
>> interface which is the bridge itself. That
bridge is what you configure<br>
>> with an IP on your LAN statically or via DHCP.<br>
>><br>
>> If you do all this ahead of time you don't even
need a tinc-up script.<br>
>><br>
>> If you want the bridge to be built up when tinc
connects it would look<br>
>> something like this. Do the inverse for a
tinc-down<br>
>><br>
>> tinc.conf<br>
>> Name = Alpha<br>
>> ConnectTo = Beta<br>
>> ConnectTo = Charlie<br>
>> Device = /dev/net/tun<br>
>> Mode = switch<br>
>> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv<br>
>> #<br>
>> #<br>
>><br>
>> Tinc-up<br>
>> #!/bin/sh<br>
>> modprobe tun<br>
>> ifconfig vpn 0.0.0.0<br>
>> ifconfig vpn up<br>
>> ifconfig eth1 0.0.0.0<br>
>> ifconfig eth1 up<br>
>><br>
>> brctl addbr bridge<br>
>> brctl addif bridge vpn<br>
>> brctl addif bridge eth1<br>
>> ifconfig bridge 10.10.0.1 netmask 255.255.0.0<br>
>> route add default gw 10.10.0.254 bridge<br>
>> ifconfig bridge up<br>
>><br>
>><br>
>><br>
>><br>
>> On Wed, Mar 19, 2014 at 2:44 PM, Aaron Anderson
<<a moz-do-not-send="true"
href="mailto:anderson.aaron@gmail.com">anderson.aaron@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> Does connecting to that machine get you
access to other machines on<br>
>>> the network? That's what I'm having trouble
with. I want to connect to<br>
>>> machines that do not have tinc installed.<br>
>>><br>
>>> On Wed, Mar 19, 2014 at 2:30 PM, vmlinux
<<a moz-do-not-send="true"
href="mailto:vmlinux@charter.net">vmlinux@charter.net</a>>
wrote:<br>
>>> > Aaron Anderson said on 03/19/2014
01:23 PM:<br>
>>> >> I do already have those installed.
I was really hoping for someone who<br>
>>> >> had some already working configs
or examples.<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc.conf<br>
>>> > Name = mynode<br>
>>> > AddressFamily = ipv4<br>
>>> > interface = tinc0<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc-up<br>
>>> > #!/bin/bash<br>
>>> > ifconfig $INTERFACE 10.10.10.1 netmask
255.255.255.0<br>
>>> ><br>
>>> > # /etc/tinc/myvpn/tinc-down<br>
>>> > #!/bin/bash<br>
>>> > ifconfig $INTERFACE down<br>
>>> ><br>
>>> > # tincd -n myvpn<br>
>>> ><br>
>>> >
_______________________________________________<br>
>>> > tinc mailing list<br>
>>> > <a moz-do-not-send="true"
href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
>>> > <a moz-do-not-send="true"
href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
>><br>
>><br>
><br>
><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
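The layer-3 path Donald walks through above (LAN host to LAN gateway, to the local tinc box, over the VPN to the remote tinc box, then to the remote host) as an added example that is not part of this thread: it models the two tinc-up scripts and the gateway route from the messages as per-node routing tables with longest-prefix matching, traces the hops in both directions, and shows the lookup failure when the gateway route is missing. The hosts .100 on each LAN, the gateway 172.16.253.1 and the node names are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: node -> (its addresses, routing table).
# Route entries are (prefix, next_hop); "direct" means the prefix is on-link.
# Hosts .100, the LAN gateway 172.16.253.1 and the node names are assumptions.
NODES = {
    "host-a":  (["172.16.253.100"],
                [("172.16.253.0/24", "direct"), ("0.0.0.0/0", "172.16.253.1")]),
    "gw-a":    (["172.16.253.1"],          # LAN router with the route added on it
                [("172.16.253.0/24", "direct"), ("192.168.99.0/24", "172.16.253.102")]),
    "servera": (["172.16.253.102", "10.10.10.102"],   # tinc-up on server a
                [("172.16.253.0/24", "direct"), ("10.10.10.0/24", "direct"),
                 ("192.168.99.0/24", "10.10.10.103")]),
    "serverb": (["10.10.10.103", "192.168.99.4"],     # tinc-up on server b
                [("10.10.10.0/24", "direct"), ("192.168.99.0/24", "direct"),
                 ("172.16.253.0/24", "10.10.10.102")]),
    "host-b":  (["192.168.99.100"],        # client-side route, the other option
                [("192.168.99.0/24", "direct"), ("172.16.253.0/24", "192.168.99.4")]),
}

def lookup(table, dst):
    """Longest-prefix match: returns a next-hop address, "direct", or None."""
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(src, dst, nodes=NODES, max_hops=16):
    """Addresses the packet is handed to, source first, destination last.
    Raises LookupError at the first node that has no route for dst."""
    owner = {a: n for n, (addrs, _) in nodes.items() for a in addrs}
    path, node = [src], owner[src]
    for _ in range(max_hops):
        hop = lookup(nodes[node][1], dst)
        if hop is None:
            raise LookupError(f"{node} has no route to {dst}")
        if hop == "direct":          # on-link: deliver to the destination itself
            return path + [dst]
        path.append(hop)
        node = owner[hop]            # the box that owns the next-hop address
    raise RuntimeError("routing loop")

def without_route(nodes, name, prefix):
    """Copy of the topology with one route dropped, to show what breaks."""
    return {n: (a, [r for r in t if n != name or r[0] != prefix])
            for n, (a, t) in nodes.items()}

if __name__ == "__main__":
    print(" -> ".join(trace("172.16.253.100", "192.168.99.100")))
```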
<br>
</body>
</html>