<div dir="auto">I'm using the recommended config for the pfS package which suggests using the LAN IP as the tunnel IP and a mask that covers the entire VPN. It just seems like an odd setup to me. <div dir="auto"><br></div><div dir="auto">I did some testing and assigned a unique address to the TUN, and that seemed to work fine as well. (Even when the same IP and mask was used for the TUN on both routers.)</div><div dir="auto"><br></div><div dir="auto"><br><br><div data-smartmail="gmail_signature" dir="auto"><br>__<br>Corey</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 29, 2018, 5:05 PM Lars Kruse <<a href="mailto:lists@sumpfralle.de">lists@sumpfralle.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Corey,<br>
<br>
<br>
Am Wed, 29 Aug 2018 16:33:30 -0400<br>
schrieb Corey Boyle <<a href="mailto:coreybrett@gmail.com" target="_blank" rel="noreferrer">coreybrett@gmail.com</a>>:<br>
<br>
> I just found that the VPN Netmask option in the pfSense tinc GUI is<br>
> related to the "netmask" option in /usr/local/etc/tinc/tinc-up<br>
> <br>
> ifconfig $INTERFACE 192.168.117.1 netmask 255.255.0.0<br>
> <br>
> What exactly is this line doing? Is it assigning the address that my<br>
> lan adapter has to the tunnel interface as well?<br>
<br>
Above you see the environment variable "INTERFACE". It is described in<br>
"man tinc.conf".<br>
The command above assigns an IP address to the network interface provided<br>
by the tinc daemon.<br>
In your forum thread you mentioned, that <a href="http://192.168.117.0/24" rel="noreferrer noreferrer" target="_blank">192.168.117.0/24</a> is the address range<br>
of your LAN interface. Thus the "ifconfig" line above is probably a mistake,<br>
since you will end up with two network interfaces using the same address range.<br>
This is not impossible, but most likely not your goal :)<br>
<br>
Instead you probably want to pick an address range for the tinc network<br>
interface. Each node should have one IP in this network. This IP needs to be<br>
mentioned in two places for each node:<br>
* as a Subnet line in the node's host file ("Subnet = w.x.y.z/32")<br>
(make sure that all host files are in sync in order to reduce confusion)<br>
* as part of an "ifconfig" command (see above) in "tinc-up"<br>
<br>
Maybe you could also get away without assigning an IP address to the tinc<br>
interface at all, but this would surely make debugging harder.<br>
<br>
Afterwards you will be able to ping the other tinc nodes and direct traffic<br>
over this interface.<br>
<br>
Have fun investigating!<br>
Cheers,<br>
Lars<br>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank" rel="noreferrer">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</blockquote></div>