<div dir="ltr">Thanks for the answer Guus,<div><br></div><div>One more thing. I can run two tinc daemons, one for each group, but I still need clients from one group to communicate with the other.</div><div><br></div><div>Clients from group 2 (admin group) need to reach clients from group 1 (remote server group), but clients from group 1 must not be able to reach each other nor the server.</div><div><br></div><div>If I'm not using TunnelServer and Forwarding, how can I set up the routes between the two Tinc daemons?</div><div><br></div><div>Thanks!</div></div><br><div class="gmail_quote"><div dir="ltr">On Sun, 15 Jan 2017 at 11:29, Ramesh (<<a href="mailto:nramesh1@gmail.com">nramesh1@gmail.com</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg">Thanks, but I was able to make it work based on some suggestion on the Tomato Shibby forums.</div><div class="gmail_extra gmail_msg"><br clear="all" class="gmail_msg"><div class="gmail_msg"><div class="m_-294083759455260088gmail_signature gmail_msg" data-smartmail="gmail_signature">Regards</div></div></div><div class="gmail_extra gmail_msg"><div class="gmail_msg"><div class="m_-294083759455260088gmail_signature gmail_msg" data-smartmail="gmail_signature"><br class="gmail_msg">Ramesh</div></div></div><div class="gmail_extra gmail_msg">
<br class="gmail_msg"><div class="gmail_quote gmail_msg">On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <span dir="ltr" class="gmail_msg"><<a href="mailto:guus@tinc-vpn.org" class="gmail_msg" target="_blank">guus@tinc-vpn.org</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="gmail_msg">On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:<br class="gmail_msg">
<br class="gmail_msg">
> I've set up a Tinc VPN for a bunch of nodes divided into two groups:<br class="gmail_msg">
><br class="gmail_msg">
> Group 1:<br class="gmail_msg">
> IP Range 10.100.0.2 to 10.100.127.255<br class="gmail_msg">
><br class="gmail_msg">
> Group 2:<br class="gmail_msg">
> IP Range 10.100.128.1 to 10.100.255.255<br class="gmail_msg">
><br class="gmail_msg">
> Server IP: 10.100.0.1<br class="gmail_msg">
<br class="gmail_msg">
</span>I would recommend running two tinc daemons on the server, one for each<br class="gmail_msg">
group. That way, you don't have to use TunnelServer and Forwarding =<br class="gmail_msg">
kernel.<br class="gmail_msg">
<span class="gmail_msg"><br class="gmail_msg">
> The problem is that I also need to isolate clients from group 1 from<br class="gmail_msg">
> reaching the server, but found no way to do that yet.<br class="gmail_msg">
<br class="gmail_msg">
</span>If you use two tinc daemons, then for group 1 you can add<br class="gmail_msg">
"DeviceType = dummy" to the server's tinc.conf. That way the server<br class="gmail_msg">
doesn't create a tun/tap interface at all, so it cannot send or receive<br class="gmail_msg">
packets for that group.<br class="gmail_msg">
<span class="gmail_msg"><br class="gmail_msg">
> Tried with<br class="gmail_msg">
><br class="gmail_msg">
> sudo iptables -D INPUT -s <a href="http://10.100.0.0/17" rel="noreferrer" class="gmail_msg" target="_blank">10.100.0.0/17</a> -d <a href="http://10.100.0.1/32" rel="noreferrer" class="gmail_msg" target="_blank">10.100.0.1/32</a> -j DROP<br class="gmail_msg">
><br class="gmail_msg">
> but this only works for blocking ping; it doesn't stop curl or anything<br class="gmail_msg">
> else.<br class="gmail_msg">
<br class="gmail_msg">
</span>That command works better with -A instead of -D. It should then drop<br class="gmail_msg">
everything, not just ping packets, unless there is another rule earlier<br class="gmail_msg">
in the INPUT chain that explicitly allows that traffic.<br class="gmail_msg">
<span class="m_-294083759455260088HOEnZb gmail_msg"><font color="#888888" class="gmail_msg"><br class="gmail_msg">
--<br class="gmail_msg">
Met vriendelijke groet / with kind regards,<br class="gmail_msg">
Guus Sliepen <<a href="mailto:guus@tinc-vpn.org" class="gmail_msg" target="_blank">guus@tinc-vpn.org</a>><br class="gmail_msg">
</font></span><br class="gmail_msg">_______________________________________________<br class="gmail_msg">
tinc mailing list<br class="gmail_msg">
<a href="mailto:tinc@tinc-vpn.org" class="gmail_msg" target="_blank">tinc@tinc-vpn.org</a><br class="gmail_msg">
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" class="gmail_msg" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br class="gmail_msg">
<br class="gmail_msg"></blockquote></div><br class="gmail_msg"></div>
</blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><p><b><i>Ing. Guillermo Bisheimer</i></b></p><p><b>B&amp;S Sistemas de Control y Equipamientos</b></p><p>Av. de los Constituyentes 1172</p><p>(E3116CIX) Crespo, Entre Ríos</p><p>Tel/Fax: (0343) 407-8990 (new number)</p><p>Mobile: (0343) 154679052</p><p>WEB: <a href="http://www.bys-control.com.ar/" target="_blank">www.bys-control.com.ar</a></p><p>e-mail: <a href="mailto:gbisheimer@bys-control.com.ar" target="_blank">gbisheimer@bys-control.com.ar</a></p><p>skype: guillermo.bisheimer</p></div></div>
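<p>Editor's added example, not part of the thread above and not tinc or netfilter code: a small Python model of how the INPUT chain evaluates the rule Guus discusses. It shows three things the replies state in prose: that <code>-D</code> only deletes and so leaves the chain unchanged, that <code>-A</code> appends a rule that drops group 1 traffic to the server while leaving group 2 alone, and that an earlier ACCEPT rule in the chain shadows a later DROP, which an insert at position 1 (<code>-I INPUT 1</code>) avoids. The client addresses, the "allow all VPN traffic" ACCEPT rule and the first-match model itself are assumptions for illustration; real netfilter also has connection tracking and other match types that this model leaves out.</p>

```python
"""Model of iptables chain evaluation (added example; not tinc or netfilter code).

Rules are matched first-to-last; the first matching rule decides the verdict,
otherwise the chain policy applies. Only source/destination CIDR matching is
modelled, which is all the rule in the thread uses.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR, e.g. "10.100.0.0/17"
    dst: str      # destination CIDR, e.g. "10.100.0.1/32"
    target: str   # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:   # iptables -I CHAIN [rulenum] ...
        self.rules.insert(rulenum - 1, rule)

    def delete(self, rule: Rule) -> None:        # iptables -D CHAIN ...
        # Deleting a rule that is not present is an error; the chain is untouched.
        if rule not in self.rules:
            raise LookupError("no matching rule exists in that chain")
        self.rules.remove(rule)

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        for rule in self.rules:              # first match wins
            if rule.matches(src_ip, dst_ip):
                return rule.target
        return self.policy


# Addresses from the thread (server) and constructed sample clients in each group.
SERVER = "10.100.0.1"
GROUP1_CLIENT = "10.100.5.5"      # inside 10.100.0.0/17 (group 1, remote servers)
GROUP2_ADMIN = "10.100.200.7"     # inside 10.100.128.0/17 (group 2, admins)

# The rule from the thread: drop group 1 -> server.
DROP_GROUP1_TO_SERVER = Rule("10.100.0.0/17", "10.100.0.1/32", "DROP")


def scenario_delete_only() -> str:
    """The command as originally typed (-D) on a chain that has no such rule."""
    chain = Chain()
    try:
        chain.delete(DROP_GROUP1_TO_SERVER)
    except LookupError:
        pass                                  # nothing added, nothing removed
    return chain.verdict(GROUP1_CLIENT, SERVER)   # still ACCEPT: the chain is unchanged


def scenario_append() -> tuple:
    """Guus's suggestion: -A instead of -D, on an otherwise empty INPUT chain."""
    chain = Chain()
    chain.append(DROP_GROUP1_TO_SERVER)
    return (chain.verdict(GROUP1_CLIENT, SERVER),   # DROP
            chain.verdict(GROUP2_ADMIN, SERVER))    # ACCEPT: group 2 is outside /17


def scenario_shadowed_by_earlier_accept() -> tuple:
    """Guus's caveat: an earlier ACCEPT for the VPN range shadows an appended DROP."""
    chain = Chain()
    # Hypothetical pre-existing rule: accept everything from the whole VPN /16.
    chain.append(Rule("10.100.0.0/16", "0.0.0.0/0", "ACCEPT"))
    chain.append(DROP_GROUP1_TO_SERVER)
    shadowed = chain.verdict(GROUP1_CLIENT, SERVER)   # ACCEPT: DROP never reached
    # Remedy: put the DROP ahead of the ACCEPT (iptables -I INPUT 1 ...).
    chain.delete(DROP_GROUP1_TO_SERVER)
    chain.insert(DROP_GROUP1_TO_SERVER, 1)
    fixed = chain.verdict(GROUP1_CLIENT, SERVER)      # DROP
    return shadowed, fixed


if __name__ == "__main__":
    print("delete only:", scenario_delete_only())
    print("append:", scenario_append())
    print("shadowed / inserted first:", scenario_shadowed_by_earlier_accept())
```

<p>On a real host the equivalent check is to list the chain with rule numbers (<code>iptables -L INPUT -n --line-numbers</code>) and confirm that the DROP sits before any ACCEPT that also matches group 1's source range.</p>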