[[!meta title="proxy ARP as an alternative to bridging"]]

## Example: proxy ARP as an alternative to bridging

If one wants to have a remote node appear to be on a local LAN (i.e., having an IP address inside the local LAN's subnet), one can set up a bridge at the local node, as described in the [[bridging example|examples/bridging]]. However, setting up a bridge is rather complex, and if one only needs unicast IP traffic to work, and broadcast or non-IP traffic is not a requirement, one can use the [proxy ARP](http://en.wikipedia.org/wiki/Proxy_ARP) features of the operating system instead. Since we only use unicast IP traffic, proxy ARP works with both router and switch mode.

### Overview

The network setup is as follows:

* Office LAN, the LAN on interface eth0 uses the range 192.168.1.0/24. The office node uses the address 192.168.1.2.
* Road warrior, using the address 192.168.1.123.

### Configuration of tinc at the office

> host# cat /etc/tinc/vpn/tinc.conf
> Name = office
> #Optional:
> #Mode = switch
>
> host# cat /etc/tinc/vpn/tinc-up
> #!/bin/sh
>
> ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255
> route add 192.168.1.123 dev $INTERFACE
> echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
> echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
>
> host# ls /etc/tinc/vpn/hosts
> office roadwarrior ...
>
> host# cat /etc/tinc/vpn/hosts/office
> Address = 123.234.123.42
> Subnet = 192.168.1.0/24
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----
>
> host# cat /etc/tinc/vpn/hosts/roadwarrior
> Subnet = 192.168.1.123
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----

### Configuration of tinc at the road warrior

> host# cat /etc/tinc/vpn/tinc.conf
> Name = roadwarrior
> #Optional:
> #Mode = switch
>
> host# cat /etc/tinc/vpn/tinc-up
> #!/bin/sh
>
> ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0

The host config files are, of course, identical to those on the office node.

### Automatically adding routes

In the above configuration, the `tinc-up` script of the office node has a route to the roadwarrior's address hardcoded. To have tinc automatically add the necessary routes, remove the `route add` command from the `tinc-up` script, and instead add this `subnet-up` script:

> host# cat /etc/tinc/vpn/subnet-up
> #!/bin/sh
> [ "$NAME" = "$NODE" ] && exit 0
> ip route replace $SUBNET dev $INTERFACE
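
The `subnet-up` script above routes whatever `$SUBNET` it is handed, and with `proxy_arp` enabled on eth0 the office node then answers LAN ARP requests for that range. The variant below is an added example, not part of the tinc documentation: it installs only single-host routes inside 192.168.1.0/24 and refuses the office node's own address; `LAN_PREFIX`, `PROTECTED`, `allowed_host_route` and the `tinc-subnet-up` log tag are assumed names.

```shell
#!/bin/sh
# Added example, not from the tinc documentation: a stricter subnet-up for
# the office node. LAN_PREFIX and PROTECTED are assumptions that restate this
# page's addressing; allowed_host_route is a hypothetical helper name.
LAN_PREFIX="192.168.1"     # office LAN 192.168.1.0/24 on eth0
PROTECTED="192.168.1.2"    # space-separated LAN addresses never to re-route
                           # (the office node; add gateway, DNS, ... here)

# Return 0 only if $1 is a single IPv4 host ("a.b.c.d" or "a.b.c.d/32")
# inside the office LAN and not on the PROTECTED list.
allowed_host_route() {
    addr=${1%/32}                          # tolerate an explicit /32
    case $addr in
        */*|*[!0-9.]*) return 1 ;;         # other prefix lengths, non-IPv4 text
    esac
    case $addr in
        "$LAN_PREFIX".*) host=${addr#"$LAN_PREFIX".} ;;
        *) return 1 ;;                     # outside 192.168.1.0/24
    esac
    case $host in
        ''|*.*|????*|0*) return 1 ;;       # exactly one octet, no leading zero
    esac
    [ "$host" -le 254 ] || return 1        # excludes broadcast .255
    for p in $PROTECTED; do
        [ "$addr" != "$p" ] || return 1
    done
    return 0
}

# tinc exports NAME, NODE, SUBNET and INTERFACE when it runs subnet-up.
if [ -n "${SUBNET:-}" ] && [ "${NAME:-}" != "${NODE:-}" ]; then
    if allowed_host_route "$SUBNET"; then
        ip route replace "${SUBNET%/32}" dev "$INTERFACE"
    else
        logger -t tinc-subnet-up "refused route $SUBNET for node ${NODE:-?}"
    fi
fi
```

Refused announcements are written to syslog under the `tinc-subnet-up` tag, so an unexpected `Subnet` in a host file shows up there instead of in the routing table.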