[[!meta title="simple-bridging-with-dhcp-client-side"]] # Company: PowerCraft Technology # Author: Copyright Jelle de Jong # Note: Please send me an email if you enhanced the document # Date: 2010-05-24 / 2010-07-04 # License: CC-BY-SA # This document is free documentation; you can redistribute it and/or # modify it under the terms of the Creative Commons Attribution Share # Alike as published by the Creative Commons Foundation; either version # 3.0 of the License, or (at your option) any later version. # # This document is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Creative Commons BY-SA License for more details. # # https://creativecommons.org/licenses/by-sa/ #----------------------------------------------------------------------- # for commercial support contact me, part of the revenue go back to tinc #----------------------------------------------------------------------- # https://www.tinc-vpn.org/ # https://www.tinc-vpn.org/documentation/tinc_toc #----------------------------------------------------------------------- # this is the configuration of the roxy system #----------------------------------------------------------------------- unset LANG LANGUAGE LC_ALL apt-get update; apt-get dist-upgrade apt-cache show tinc apt-get install tinc/testing #----------------------------------------------------------------------- /etc/init.d/tinc stop #----------------------------------------------------------------------- # ls -hal /dev/net/tun crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun # grep tinc /etc/services tinc 655/tcp # tinc control port tinc 655/udp # getent services tinc/udp tinc 655/udp # getent services tinc/tcp tinc 655/tcp cat /usr/share/doc/tinc/README.Debian zcat /usr/share/doc/tinc/README.gz | less zcat /usr/share/doc/tinc/NEWS.gz | less cat /usr/share/doc/tinc/examples/tinc-up w3m 
/usr/share/doc/tinc/tinc_0.html #----------------------------------------------------------------------- vim /etc/default/tinc EXTRA="-d" cat /etc/default/tinc # less /etc/init.d/tinc #----------------------------------------------------------------------- ifconfig -a route -n #----------------------------------------------------------------------- # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4863 errors:0 dropped:0 overruns:0 frame:0 TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB) Interrupt:10 Base address:0x1000 eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Interrupt:11 Base address:0x1400 eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Interrupt:15 Base address:0x1800 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1200 errors:0 dropped:0 overruns:0 frame:0 TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB) # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 #----------------------------------------------------------------------- # client01 configuration cat /etc/tinc/nets.boot echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot cat 
/etc/tinc/nets.boot #----------------------------------------------------------------------- sudo mkdir --verbose /etc/tinc/powercraft01/ sudo mkdir --verbose /etc/tinc/powercraft01/hosts/ sudo touch /etc/tinc/powercraft01/tinc.conf #----------------------------------------------------------------------- # on server cat /etc/tinc/powercraft01/hosts/server01 # on client, copy cert data of server to client sudo vim /etc/tinc/powercraft01/hosts/server01 # on client, add on head of file Address = powercraft.nl 656 Address = 84.245.3.195 656 Address = tinc-vpn.powercraft.nl 656 Address = powercraft.nl 655 Address = 84.245.3.195 655 Address = tinc-vpn.powercraft.nl 655 #----------------------------------------------------------------------- echo 'ConnectTo = server01 Device = /dev/net/tun Interface = tun1 Mode = switch Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf sudo cat /etc/tinc/powercraft01/tinc.conf sudo chmod 644 /etc/tinc/powercraft01/tinc.conf ls -hal /etc/tinc/powercraft01/tinc.conf echo '#!/bin/sh ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up sudo cat /etc/tinc/powercraft01/tinc-up sudo chmod 755 /etc/tinc/powercraft01/tinc-up ls -hal /etc/tinc/powercraft01/tinc-up echo '#!/bin/sh # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up sudo cat /etc/tinc/powercraft01/hosts/server01-up sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up ls -hal /etc/tinc/powercraft01/hosts/server01-up echo '#!/bin/sh ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down sudo cat /etc/tinc/powercraft01/tinc-down sudo chmod 755 /etc/tinc/powercraft01/tinc-down ls -hal /etc/tinc/powercraft01/tinc-down echo '#!/bin/sh ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down sudo cat /etc/tinc/powercraft01/hosts/server01-down sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down ls -hal /etc/tinc/powercraft01/hosts/server01-down 
#-----------------------------------------------------------------------
# Fresh identity for this node.  Remove any leftover private key and the
# stale hosts/client10 entry (presumably left from the system this
# configuration was copied from) before generating: two nodes must never
# share a key pair.
sudo rm /etc/tinc/powercraft01/rsa_key.priv
sudo rm /etc/tinc/powercraft01/hosts/client10
# -K writes the private key to rsa_key.priv (keep it root-only) and
# appends the public key to hosts/client01, the Name from tinc.conf.
sudo tincd -n powercraft01 -K
#-----------------------------------------------------------------------
# hosts/client01 is this node's own host file; it is handed to the peers
# and (per the tinc manual) the options in a host file describe packets
# sent *to* that node.
# on client add on head of file
sudo vim /etc/tinc/powercraft01/hosts/client01
Compression = 9
PMTU = 1492
PMTUDiscovery = yes
# NOTE(review): with Port = 656 this node should listen on 656, yet the
# edge dump later on this page shows server01 reaching client01 on port
# 655 and /etc/services only defines 655 -- confirm which port is really
# open with the lsof calls at the end of the page.
Port = 656
# With Cipher left commented out tinc 1.0's defaults apply: the syslog
# dump below reports "cipher 91 digest 64 maclength 4", the OpenSSL NIDs
# for bf-cbc and sha1 with the HMAC truncated to 4 bytes.  To harden,
# set Cipher, Digest and MACLength explicitly (e.g. aes-256-cbc, sha256,
# 16) rather than relying on the defaults.
# Cipher = aes-128-cbc
# on client
sudo cat /etc/tinc/powercraft01/hosts/client01
# on server, copy the client's host file (its public key) to the server
# -- over an authenticated channel, as for hosts/server01 above.
vim /etc/tinc/powercraft01/hosts/client01
#-----------------------------------------------------------------------
# Per-interface dhclient stanza for tun1.  The request list does not
# include routers or domain-name-servers, so the lease from the remote
# DHCP server is less likely to replace this host's default route or
# resolver (the post-up below removes a default route regardless).
# This section runs as root; from a user shell the tee needs sudo.
# watch out when using multiple dhcp clients there can be conflicts
# (one dhclient per interface, all sharing /etc/dhcp3/dhclient.conf and
# the lease database)
echo 'interface "tun1" { request subnet-mask, broadcast-address, time-offset, host-name, netbios-scope, interface-mtu, ntp-servers; }' | tee --append /etc/dhcp3/dhclient.conf
cat /etc/dhcp3/dhclient.conf
#-----------------------------------------------------------------------
# /etc/network/interfaces stanza used by "ifup tun1" from server01-up.
# pre-up: a MAC can only be changed while the interface is down.  Pinning
#   it gives a stable DHCP lease across tincd restarts (the kernel gives
#   a new tap device a random MAC); the value must be unique on the
#   bridged segment.
# post-up: drop the default route the lease may have installed, so
#   Internet traffic -- including the tinc connection to server01 itself,
#   which must not be routed through the tunnel -- stays on eth0.
vim /etc/network/interfaces
iface tun1 inet dhcp
pre-up ifconfig tun1 down || true
pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
post-up route del default dev tun1 || true
# pre-down /etc/init.d/munin-node stop || true
# post-up /etc/init.d/munin-node restart || true
# optional extras: proxy ARP and a static route for a LAN behind this
# client (192.168.2.0/24) -- none of them are active in this setup.
# optional
# post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
# optional
# post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
# optional
# post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
# optional
# pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
#-----------------------------------------------------------------------
# Take tun1 down (run twice; presumably to clear a stale ifupdown state
# entry -- the original page does not explain it).
ifdown tun1; ifdown tun1
#-----------------------------------------------------------------------
# First run tincd in the foreground with debug level 5 to watch the key
# exchange and DHCP come up.  This is very verbose -- use it only while
# troubleshooting.  "fg" resumes a previously suspended tincd, if any.
sudo /etc/init.d/tinc stop
fg
sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
#-----------------------------------------------------------------------
# Then start it the normal way through the init script.
sudo /etc/init.d/tinc start
#-----------------------------------------------------------------------
# tincd --version
tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
#-----------------------------------------------------------------------
# -kUSR2 sends SIGUSR2 to the running daemon, which dumps its statistics
# and its node, edge and subnet tables to syslog (shown below).
tincd -n powercraft01 -kUSR2
tail -n 100 /var/log/syslog
#-----------------------------------------------------------------------
# Reading the dump:
# - server01 "cipher 91 digest 64 maclength 4": OpenSSL NIDs for bf-cbc
#   and sha1 plus a 4-byte truncated HMAC, i.e. tinc 1.0's defaults --
#   this page sets no Cipher/Digest/MACLength in either host file.
#   "compression 9" and "pmtu 1416" follow from Compression = 9 and
#   PMTUDiscovery = yes in hosts/client01.
# - Edges: client01 reaches server01 on 656, server01 reaches client01
#   on 655 (compare Port = 656 in hosts/client01).
# - Subnet list: in switch mode these are MAC addresses learned from
#   traffic (#10 is the weight), not configured Subnet lines; nothing in
#   this dump pins a MAC to a node, so a misbehaving peer could claim
#   another node's MAC.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830
May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914
May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
#-----------------------------------------------------------------------
# ifconfig -a
ifconfig tun1
route -n
#-----------------------------------------------------------------------
# After the lease: tun1 got 192.168.3.201/24 from the remote DHCP server.
# NOTE(review): the MAC shown here (ea:03:e7:3d:46:20, also in the tinc
# subnet list above) is not the 9a:f6:50:3b:c0:48 that the interfaces
# pre-up sets -- either this output predates that stanza or the hw ether
# change is not taking effect.  Verify: with a random MAC per tincd start
# the node gets a different lease each time.
# tun1's MTU of 1500 is above the 1416 tinc measured for the path, so
# larger frames depend on tinc's PMTU handling (the -s 1500 ping below
# exercises exactly that).
# ifconfig tun1
tun1      Link encap:Ethernet  HWaddr ea:03:e7:3d:46:20
          inet addr:192.168.3.201  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:9342 (9.1 KiB)  TX bytes:9088 (8.8 KiB)

# Only 192.168.3.0/24 is routed over tun1; the default route stayed on
# eth0, as the post-up route del in the interfaces stanza intends.
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
84.245.9.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 tun1
0.0.0.0         84.245.9.1      0.0.0.0         UG    0      0        0 eth0
#-----------------------------------------------------------------------
# Reachability of the remote gateway, then a 1500-byte payload with
# fragmentation allowed (-M dont) to check that oversized packets
# survive the tunnel.
ping -c 2 192.168.3.1
ping -c 2 -M dont -s 1500 192.168.3.1
#-----------------------------------------------------------------------
# Confirm which process is bound to the tinc ports (see the Port = 656
# vs 655 question in the host-file section).
lsof -i :655
lsof -i :656
#-----------------------------------------------------------------------
# Forwarding between the VPN and a local LAN behind this client.
# VPN01 and LAN01 are not defined anywhere on this page: set VPN01=tun1
# and LAN01 to the LAN-side interface before running these.  Forwarding
# also needs net.ipv4.ip_forward=1, which is not shown here.
# Both rules accept *new* connections in both directions with no state
# tracking, so every host on the VPN segment can open connections to
# every LAN host.  If only LAN-initiated sessions are wanted, restrict
# the first rule with --match state --state ESTABLISHED,RELATED.  The
# rules are appended, so they sit behind whatever is already in FORWARD.
# Accept new connections for forwarding designated from our virtual private network to the local network
/sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT
# Use masquerade so the outside world sees only one ip source for all outgoing traffic
# (LAN hosts appear on the VPN as tun1's DHCP address, 192.168.3.201 above)
/sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE
#-----------------------------------------------------------------------