Example: proxy ARP as an alternative to bridging
If one wants a remote node to appear to be on a local LAN (i.e., to have an IP address inside the local LAN's subnet), one can set up a bridge at the local node, as described in the bridging example. Setting up a bridge is rather involved, however. If only unicast IP traffic needs to work, and broadcast or non-IP traffic is not a requirement, the proxy ARP feature of the operating system can be used instead: the local node answers ARP requests on the LAN on behalf of the remote node and forwards the packets over the VPN, so nothing else on the LAN needs to know that the address is actually reached through a tunnel.
Since only unicast IP traffic is used, proxy ARP works with both router and switch mode.
Overview
The network setup is as follows:
- Office LAN, the LAN on interface eth0 uses the range 192.168.1.0/24. The office node uses the address 192.168.1.2.
- Road warrior, using the address 192.168.1.123.
Configuration of tinc at the office
host# cat /etc/tinc/vpn/tinc.conf
Name = office
#Optional:
#Mode = switch
host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
# A /32 netmask: the VPN interface has no on-link subnet of its own,
# so every VPN peer needs an explicit host route.
ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255
route add 192.168.1.123 dev $INTERFACE
# Answer ARP for 192.168.1.123 on the LAN, and for LAN hosts on the VPN side.
# Linux only proxies ARP for addresses it routes out another interface, and
# only when forwarding is enabled, so net.ipv4.ip_forward must be 1 as well
# (it has to be anyway, since this node forwards between eth0 and the VPN).
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
host# ls /etc/tinc/vpn/hosts
office roadwarrior ...
host# cat /etc/tinc/vpn/hosts/office
Address = 123.234.123.42
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
host# cat /etc/tinc/vpn/hosts/roadwarrior
Subnet = 192.168.1.123
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
Configuration of tinc at the road warrior
host# cat /etc/tinc/vpn/tinc.conf
Name = roadwarrior
ConnectTo = office
#Optional:
#Mode = switch
host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
# A /24 netmask: LAN hosts look on-link to the road warrior, so its ARP
# requests for them go through the tunnel and are answered by the office
# node's proxy ARP.
ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0
The host config files are, of course, identical to those on the office node.
Automatically adding routes
In the above configuration, the tinc-up script of the office node has a route to the road warrior's address hardcoded. To have tinc add the necessary routes automatically, remove the route add command from the tinc-up script and instead add this subnet-up script, which tinc runs for every Subnet that becomes reachable, with the owning node's name in $NODE and the prefix in $SUBNET:
host# cat /etc/tinc/vpn/subnet-up
#!/bin/sh
# Our own Subnet lines (here the whole 192.168.1.0/24) must not become
# routes into the tunnel.
[ "$NAME" = "$NODE" ] && exit 0
ip route replace $SUBNET dev $INTERFACE
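A subnet-up script that installs a route for whatever arrives in $SUBNET trusts every peer's Subnet lines. Unless StrictSubnets = yes is set in tinc.conf, tinc also uses Subnets learned from other nodes that are not present in the local host config files, so a compromised or misconfigured road warrior could announce 192.168.1.0/24 or 0.0.0.0/0 and have the office node route the LAN (or everything) into the tunnel, and the plain script above has no subnet-down counterpart, so routes for nodes that went away are never removed. The following is an added example, not a script from the tinc manual or distribution: one file that can be installed as both subnet-up and subnet-down, accepts only prefixes strictly inside the office LAN, and can be exercised without root. NAME, NODE, SUBNET and INTERFACE are the variables tinc provides; ALLOWED_PREFIX, DRY_RUN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not tinc's own code: a hardened subnet-up/subnet-down handler
# for the proxy ARP setup above.  Assumed: every address reachable through this
# VPN lies inside ALLOWED_PREFIX; a Subnet announced outside it is refused.
#
# tinc exports NAME, NODE, SUBNET and INTERFACE to subnet-up/subnet-down.
# DRY_RUN and ALLOWED_PREFIX are names introduced here so the decision logic
# can be run without root and without a running tincd.

ALLOWED_PREFIX="${ALLOWED_PREFIX:-192.168.1.0/24}"

# Dotted quad -> integer. Fails on anything that is not exactly four octets.
ip4_to_int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Canonicalise "a.b.c.d" or "a.b.c.d/len" to "network/len".  A bare address
# (single-host Subnet) is treated as /32; host bits are cleared so that
# comparing two prefixes for equality is meaningful.
norm_prefix() {
    addr="${1%/*}"; plen="${1#*/}"
    [ "$plen" = "$1" ] && plen=32
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=$(ip4_to_int "$addr") || return 1
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
    echo "$(int_to_ip4 $(( n & mask )))/$plen"
}

# True when canonical prefix $1 lies entirely inside canonical prefix $2.
prefix_within() {
    in_len="${1#*/}"; out_len="${2#*/}"
    [ "$in_len" -ge "$out_len" ] || return 1
    [ "$out_len" -eq 0 ] && return 0
    in_net=$(ip4_to_int "${1%/*}"); out_net=$(ip4_to_int "${2%/*}")
    omask=$(( (4294967295 << (32 - out_len)) & 4294967295 ))
    [ $(( in_net & omask )) -eq "$out_net" ]
}

# Handle one subnet event: action (up|down), NAME, NODE, SUBNET, INTERFACE.
# Prints the ip(8) command it decided on and runs it unless DRY_RUN=1.
# Returns 0 when a route was handled, 2 when the event was ignored (our own
# Subnet lines), 1 when the announced subnet was refused.
route_action() {
    action="$1"; name="$2"; node="$3"; subnet="$4"; iface="$5"
    [ "$name" = "$node" ] && return 2
    pfx=$(norm_prefix "$subnet") || { echo "refused: malformed Subnet '$subnet' from $node" >&2; return 1; }
    allowed=$(norm_prefix "$ALLOWED_PREFIX") || return 1
    # Without StrictSubnets a peer can announce any Subnet it likes; never let
    # one claim the whole LAN, a default route, or a range outside the VPN.
    if [ "$pfx" = "$allowed" ] || ! prefix_within "$pfx" "$allowed"; then
        echo "refused: $node announced $subnet, not within $ALLOWED_PREFIX" >&2
        return 1
    fi
    case "$action" in
        up)   cmd="ip route replace $pfx dev $iface" ;;
        down) cmd="ip route del $pfx dev $iface" ;;
        *)    return 1 ;;
    esac
    echo "$cmd"
    [ "${DRY_RUN:-0}" = 1 ] || $cmd
}

# Entry point when invoked by tincd: derive the action from the script name,
# so the same file can be installed as subnet-up and as subnet-down.
if [ -n "$SUBNET" ]; then
    case "$0" in *subnet-down) act=down ;; *) act=up ;; esac
    route_action "$act" "$NAME" "$NODE" "$SUBNET" "$INTERFACE"
fi
```

Install the file under both names (a symlink subnet-down -> subnet-up works) and it replaces the hardcoded route add in tinc-up. Refusing a prefix here only keeps it out of the kernel routing table; the announcement itself is still accepted by tincd, so StrictSubnets = yes in tinc.conf remains the first line of defence and this script the second.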