[[!meta title="tinc on a masquerading firewall"]]

## Example: tinc on a masquerading firewall

This example shows a setup with tinc running on a masquerading
firewall, allowing the private subnet behind the firewall to access
the VPN. Example firewall rules are included. They are written for
iptables (the Linux 2.4 firewall code), but commented so that you can
apply the same kind of rules to other firewalls.

[[!img examples/fig-on-firewall]]

The network setup is as follows:

* The internal network is 10.20.30.0/24.
* The firewall's IP is 123.234.123.1 on the outside and 10.20.30.1/24 on the inside.
* The VPN the host wants to connect to has the address range 10.20.0.0/16.
### Configuration of the firewall running tinc

Interfaces of the firewall, as shown by `ifconfig`:

    ppp0      Link encap:Point-to-Point Protocol
              inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

    eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
              inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
              UP BROADCAST RUNNING  MTU:1500  Metric:1

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3856  Metric:1

    vpn       Link encap:Point-to-Point Protocol
              inet addr:10.20.30.1  P-t-P:10.20.30.1  Mask:255.255.0.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

Routing table of the firewall:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
    10.20.0.0       *               255.255.0.0     U     0      0        0 vpn
    default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

Firewall rules as installed:

    firewall# iptables -L -v
    Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy DROP 1234 packets, 123K bytes)
     pkts bytes target     prot opt in     out     source               destination
     1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
     1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
     1234  123K ACCEPT     any  --  vpn    eth0    10.20.0.0/16         10.20.30.0/24
     1234  123K ACCEPT     any  --  eth0   vpn     10.20.30.0/24        10.20.0.0/16

    Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
     pkts bytes target     prot opt in     out     source               destination

    firewall# iptables -L -v -t nat
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1234  123K MASQUERADE all  --  any    ppp0    10.20.30.0/24        anywhere

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

The script that installs these rules:

    firewall# cat /etc/init.d/firewall
    #!/bin/sh
    echo 1 >/proc/sys/net/ipv4/ip_forward

    # Default deny; flush first so that re-running the script does not duplicate rules.
    iptables -F FORWARD
    iptables -P FORWARD DROP

    # Internal network <-> Internet (replies are de-masqueraded before they reach FORWARD).
    iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
    iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
    # Internal network <-> VPN; only sources inside the VPN range are accepted from vpn.
    iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
    iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16

    # Masquerade only internal traffic leaving on ppp0. POSTROUTING has no input
    # interface (iptables rejects -i there), so match on the source range instead.
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.20.30.0/24 -o ppp0
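As an added illustration that is not part of the tinc documentation, the following Python script parses the FORWARD chain in the `iptables -L -v` format shown above and replays a few constructed packets through it with the kernel's first-match semantics, so that you can check what the rules permit before relying on them. The listing, addresses and interface names are those of this example network; the script assumes numeric addresses in the listing (no hostname resolution).

```python
import ipaddress
import re
from collections import namedtuple

# Constructed input: the FORWARD chain as `iptables -L -v` prints it for the
# rules in this example (the packet counters are placeholders).
FORWARD_LISTING = """\
Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
 1234  123K ACCEPT     any  --  vpn    eth0    10.20.0.0/16         10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   vpn     10.20.30.0/24        10.20.0.0/16
"""

Rule = namedtuple("Rule", "target in_if out_if src dst")

def _net(word):
    # iptables prints "anywhere" (0.0.0.0/0 with -n) for an unrestricted address.
    return ipaddress.ip_network("0.0.0.0/0" if word == "anywhere" else word)

def parse_chain(listing):
    """Parse one chain of `iptables -L -v` output into (policy, [Rule])."""
    lines = listing.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column headers
        f = line.split()    # pkts bytes target prot opt in out source destination
        rules.append(Rule(f[2], f[5], f[6], _net(f[7]), _net(f[8])))
    return policy, rules

def _if_match(rule_if, pkt_if):
    return rule_if in ("any", "*", pkt_if)  # "any" / "*": no interface restriction

def verdict(listing, in_if, out_if, src, dst):
    """First matching rule wins, as in the kernel; otherwise the chain policy."""
    policy, rules = parse_chain(listing)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_if_match(r.in_if, in_if) and _if_match(r.out_if, out_if)
                and s in r.src and d in r.dst):
            return r.target
    return policy

if __name__ == "__main__":
    # Office host to the branch subnet: accepted. A packet arriving on vpn with
    # a source outside 10.20.0.0/16, and a VPN peer trying to use the office's
    # Internet uplink via ppp0, both fall through to the DROP policy.
    print(verdict(FORWARD_LISTING, "eth0", "vpn", "10.20.30.5", "10.20.40.7"))
    print(verdict(FORWARD_LISTING, "vpn", "eth0", "192.168.1.1", "10.20.30.5"))
    print(verdict(FORWARD_LISTING, "vpn", "ppp0", "10.20.40.7", "198.51.100.9"))
```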
### Configuration of tinc

    firewall# cat /etc/tinc/vpn/tinc.conf

    firewall# cat /etc/tinc/vpn/tinc-up
    #!/bin/sh
    # $INTERFACE is set by tincd to the name of the virtual network interface.
    ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0

    firewall# ls /etc/tinc/vpn/hosts
    office branch employee_smith employee_jones ...

    firewall# cat /etc/tinc/vpn/hosts/office
    Address = 123.234.123.1
    Subnet = 10.20.30.0/24
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----

    firewall# cat /etc/tinc/vpn/hosts/branch
    Address = 123.234.213.129
    Subnet = 10.20.40.0/24
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----

    firewall# cat /etc/tinc/vpn/hosts/employee_smith
    Address = 200.201.202.203
    Subnet = 10.20.50.1/32
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----