X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;ds=inline;f=examples%2Fbridging.mdwn;fp=examples%2Fbridging.mdwn;h=ca5e6ec85b016607db18c9440ca42798f665ef25;hb=7c74a57cd95cfc0358fdd5980d9170ea16751dfb;hp=0000000000000000000000000000000000000000;hpb=f980b3945271b51a8a200c44b8d3e7d61d086bab;p=wiki diff --git a/examples/bridging.mdwn b/examples/bridging.mdwn new file mode 100644 index 0000000..ca5e6ec --- /dev/null +++ b/examples/bridging.mdwn 
@@ -0,0 +1,130 @@ +[[!meta title="bridging Ethernet segments using tinc under Linux"]] + +## Example: bridging Ethernet segments using tinc under Linux + +Normally, in the default router mode, tinc will only tunnel IPv4 and IPv6 +unicast packets. However, since 1.0pre5 there is an option to let the tinc +daemon act as a switch or a hub (using the Mode configuration variable). This +mode is necessary for tinc to pass non-IP based protocols (NetBEUI, AppleTalk, +IPX, etcetera), and to allow broadcast-based functionality in some applications +(Windows 'Network Neighborhood' without a WINS server, among others) to be +usable on a VPN created with tinc. + +In switch and hub mode, broadcast packets are broadcast to other daemons and +(in switch mode) MAC addresses are dynamically learned from other tinc daemons +in order to route packets. With these mode tinc can be used to act as a bridge +between two or more Ethernet segments. + +### Overview + +The network setup is as follows: + +* Internal network, on both sides, is 192.168.0.0/16 +* The host's own IP address on the internal network is 192.168.10.20 + +The gateway of each segment has an external interface, eth0, and an internal +interface eth1. Furthermore a bridge interface will be created with name +"bridge", and the internal interface will be made a slave of this bridge. The +virtual network interface used by tinc will also be a slave. Configuration of +the kernel In addition to the standard kernel configuration described in the +Configuring the kernel section of the manual, a bridge device needs to be added +to your kernel configuration. + +To add the bridge device to the Linux 2.4.0 and higher kernels, select the +option under 'Networking options' called 802.1d Ethernet Bridging. You may +either compile this option as a module or build it into the kernel. 
+Configuration of the interfaces Switch and hub modes require that both sides of +a tinc VPN be contained within the same subnet (in this example, the subnet is +192.168.0.0/16). This is no different from the configuration that would be +required if tinc was replaced with an actual switch or hub. + +> host# brctl addbr bridge +> host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0 +> +> host# ifconfig eth1 0.0.0.0 +> host# brctl addif bridge eth1 +> host# ifconfig eth1 up +> +> After starting tinc: +> +> host# brctl show +> bridge name bridge id STP enabled interfaces +> bridge 8000.005004003002 yes eth1 +> vpn +> +> host# ifconfig +> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 +> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0 +> UP BROADCAST RUNNING MTU:1500 Metric:1 +> ... +> +> eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55 +> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 +> ... +> +> lo Link encap:Local Loopback +> inet addr:127.0.0.1 Mask:255.0.0.0 +> UP LOOPBACK RUNNING MTU:3856 Metric:1 +> ... +> +> bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55 +> inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0 +> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 +> +> vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55 +> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 +> ... +> +> host# route +> Kernel IP routing table +> Destination Gateway Genmask Flags Metric Ref Use Iface +> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0 +> 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge +> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0 + +### Configuration of tinc + +Note that switch' and hub' mode do not utilize the Subnet variable in the host +files. Instead, any packet received by the bridge interface will be passed to +the TUN/TAP device for processing. If your tinc instance is running in hub +mode, all packets are forwarded to the remote tinc instance. 
In switch mode, +tinc maintains an ARP cache to determine whether any received packet should be +forwarded to the remote tinc instance. + +> host# cat /etc/tinc/vpn/tinc.conf +> Name = segment1 +> Device = /dev/tun +> Mode = switch +> ConnectTo = segment2 +> +> host# cat /etc/tinc/vpn/tinc-up +> #!/bin/sh +> +> ifconfig vpn 0.0.0.0 +> brctl addif bridge vpn +> ifconfig vpn up +> +> host# ls /etc/tinc/vpn/hosts +> segment1 segment2 ... +> +> host# cat /etc/tinc/vpn/hosts/segment1 +> Address = 123.234.123.42 +> -----BEGIN RSA PUBLIC KEY----- +> ... +> -----END RSA PUBLIC KEY----- +> +> host# cat /etc/tinc/vpn/hosts/segment2 +> Address = 200.201.202.203 +> -----BEGIN RSA PUBLIC KEY----- +> ... +> -----END RSA PUBLIC KEY----- + +### Additional Configuration + +If the Ethernet interface added to the bridge was used for the default route, +you will need to re-add the default route. + +If you want to be able to filter packets on your bridge interface, you will +need to a kernel with [ebtables](http://ebtables.sourceforge.net/) support. +More information For more information on Linux bridging, see the [bridge-utils +homepage](http://www.linuxfoundation.org/en/Net:Bridge).
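Review bot: the "Configuration of tinc" paragraph says that in switch mode tinc "maintains an ARP cache" to decide which packets to forward, but the introduction earlier in the same file describes the mechanism correctly as "MAC addresses are dynamically learned from other tinc daemons"; what tinc keeps is a learned MAC forwarding table, not an ARP cache, so please reword the later sentence to match the earlier one. Three sub-headings have also lost their markup and run straight into the following paragraph: "Configuration of the kernel", "Configuration of the interfaces" and "More information" each need their own `### ` line like the other sub-headings in the file. Small wording fixes in the same hunk: "With these mode tinc can be used" should read "With these modes", the phrase "switch' and hub' mode" has stray quote characters, and "you will need to a kernel with ebtables support" is missing the word "use". Finally, it would help readers to state in the Overview that once eth1 and vpn are both slaves of the bridge the two segments form a single layer-2 broadcast domain reachable through the tunnel, which is why the ebtables remark under "Additional Configuration" deserves to be presented as a recommended step rather than an aside.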