[[!meta title="simple-bridging-with-dhcp-server-side"]] # Company: PowerCraft Technology # Author: Copyright Jelle de Jong # Note: Please send me an email if you have enhanced the document # Date: 2010-05-24 / 2010-07-04 # License: CC-BY-SA # This document is free documentation; you can redistribute it and/or # modify it under the terms of the Creative Commons Attribution Share # Alike as published by the Creative Commons Foundation; either version # 3.0 of the License, or (at your option) any later version. # # This document is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Creative Commons BY-SA License for more details. # # https://creativecommons.org/licenses/by-sa/ #----------------------------------------------------------------------- # for commercial support contact me, part of the revenue goes back to tinc #----------------------------------------------------------------------- # https://www.tinc-vpn.org/ # https://www.tinc-vpn.org/examples/bridging # https://www.tinc-vpn.org/documentation/tinc_toc #----------------------------------------------------------------------- # <@guus> Well all the tinc daemons together act like a single switch # <@guus> And each node in the VPN is connected to a port of that switch # <@guus> And if you bridge the VPN interface with eth0, then it's like you plug a cable in a port of your eth0 LAN and the other end of that cable into the tinc switch #----------------------------------------------------------------------- unset LANG LANGUAGE LC_ALL apt-get update; apt-get dist-upgrade apt-cache show tinc apt-get install tinc apt-get install bridge-utils #----------------------------------------------------------------------- /etc/init.d/tinc stop #----------------------------------------------------------------------- # ls -hal /dev/net/tun crw-rw-rw- 1 root root 10, 200 May 20 20:07 /dev/net/tun # grep tinc 
/etc/services tinc 655/tcp # tinc control port tinc 655/udp cat /usr/share/doc/tinc/README.Debian zcat /usr/share/doc/tinc/README.gz | less zcat /usr/share/doc/tinc/NEWS.gz | less cat /usr/share/doc/tinc/examples/tinc-up w3m /usr/share/doc/tinc/tinc_0.html cat /etc/default/tinc less /etc/init.d/tinc #----------------------------------------------------------------------- vim /etc/default/tinc EXTRA="-d" cat /etc/default/tinc #----------------------------------------------------------------------- cat /etc/tinc/nets.boot echo 'powercraft01' | tee --append /etc/tinc/nets.boot cat /etc/tinc/nets.boot #----------------------------------------------------------------------- ls -hal /etc/tinc/scallab01/ mkdir --verbose /etc/tinc/powercraft01/ mkdir --verbose /etc/tinc/powercraft01/hosts/ touch /etc/tinc/powercraft01/tinc.conf #----------------------------------------------------------------------- vim /etc/network/interfaces # tinc-vpn: dhcp bridge auto br0 iface br0 inet static address 192.168.3.1 netmask 255.255.255.0 # pre-up /sbin/ifconfig eth2 hw ether 00:1b:21:61:af:d7 # pre-up /sbin/ifconfig eth2 0.0.0.0 # bridge_ports eth2 bridge_ports tun1 bridge_maxwait 1 bridge_fd 2.5 post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp # optional cat /etc/network/interfaces #----------------------------------------------------------------------- echo 'interface "br0" { request subnet-mask, broadcast-address, time-offset, host-name, netbios-scope, interface-mtu, ntp-servers; }' | tee --append /etc/dhcp3/dhclient.conf cat /etc/dhcp3/dhclient.conf #----------------------------------------------------------------------- vim /etc/dhcp3/dhcpd.conf subnet 192.168.3.0 netmask 255.255.255.0 { range 192.168.3.200 192.168.3.240; option routers 192.168.3.1; option domain-name-servers 192.168.3.1; } #----------------------------------------------------------------------- ifdown br0 ifup br0 #----------------------------------------------------------------------- vim 
/etc/default/dhcp3-server INTERFACES="vlan2 eth0 br0" # add the br0 to the correct location /etc/init.d/dhcp3-server restart ps aux | grep dhcp tail -n 400 -f /var/log/syslog #----------------------------------------------------------------------- ifconfig br0 route -n brctl show #----------------------------------------------------------------------- # ifconfig br0 br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0 inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2568 (2.5 KB) TX bytes:1536 (1.5 KB) # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1 # brctl show bridge name bridge id STP enabled interfaces br0 8000.000000000000 no #----------------------------------------------------------------------- echo 'AddressFamily = ipv4 Device = /dev/net/tun Interface = tun1 Mode = switch Name = server01' | tee /etc/tinc/powercraft01/tinc.conf cat /etc/tinc/powercraft01/tinc.conf chmod 640 /etc/tinc/powercraft01/tinc.conf ls -hal /etc/tinc/powercraft01/tinc.conf echo '#!/bin/sh ifconfig $INTERFACE 0.0.0.0 route add -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet brctl addif br0 $INTERFACE' | tee /etc/tinc/powercraft01/tinc-up cat /etc/tinc/powercraft01/tinc-up chmod 750 /etc/tinc/powercraft01/tinc-up ls -hal /etc/tinc/powercraft01/tinc-up echo '#!/bin/sh brctl delif br0 $INTERFACE route del -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet ifconfig $INTERFACE down' | tee /etc/tinc/powercraft01/tinc-down cat 
/etc/tinc/powercraft01/tinc-down chmod 750 /etc/tinc/powercraft01/tinc-down ls -hal /etc/tinc/powercraft01/tinc-down #----------------------------------------------------------------------- # fresh key pair: removing the old private key and host file and regenerating with -K invalidates the previous public key, so any peer that already has a copy of hosts/server01 needs the newly generated one rm /etc/tinc/powercraft01/rsa_key.priv rm /etc/tinc/powercraft01/hosts/server01 tincd -n powercraft01 -K #----------------------------------------------------------------------- getent services | grep 656 #----------------------------------------------------------------------- vim /etc/tinc/powercraft01/hosts/server01 # add at the head of the file Compression = 9 PMTU = 1492 PMTUDiscovery = yes Port = 656 cat /etc/tinc/powercraft01/hosts/server01 #----------------------------------------------------------------------- /etc/init.d/tinc stop fg /usr/sbin/tincd --net powercraft01 --no-detach --debug=5 #----------------------------------------------------------------------- /etc/init.d/tinc restart tail --line=500 --follow /var/log/syslog #----------------------------------------------------------------------- ifconfig br0 ifconfig tun1 route -n brctl show br0 brctl showmacs br0 #----------------------------------------------------------------------- # ifconfig br0 br0 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8 inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0 inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:17 errors:0 dropped:0 overruns:0 frame:0 TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3328 (3.3 KB) TX bytes:2408 (2.4 KB) # ifconfig tun1 tun1 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8 inet6 addr: fe80::1ceb:95ff:fec3:4d8/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:2627 (2.6 KB) TX bytes:1340 (1.3 KB) # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.3.0 
0.0.0.0 255.255.255.0 U 0 0 0 br0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1 # brctl show br0 bridge name bridge id STP enabled interfaces br0 8000.1eeb95c304d8 no tun1 # brctl showmacs br0 port no mac addr is local? ageing timer 1 1e:eb:95:c3:04:d8 yes 0.00 1 86:03:27:21:2e:60 no 44.19 #----------------------------------------------------------------------- ps aux | grep tincd tincd -n powercraft01 -kUSR2 tail -n 100 /var/log/syslog #----------------------------------------------------------------------- May 24 17:29:31 ashley tinc.powercraft01[11557]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun: May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes in: 468 May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes out: 0 May 24 17:29:31 ashley tinc.powercraft01[11557]: Nodes: May 24 17:29:31 ashley tinc.powercraft01[11557]: server01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options 4 status 0018 nexthop server01 via server01 pmtu 1518 (min 0 max 1518) May 24 17:29:31 ashley tinc.powercraft01[11557]: End of nodes. May 24 17:29:31 ashley tinc.powercraft01[11557]: Edges: May 24 17:29:31 ashley tinc.powercraft01[11557]: End of edges. May 24 17:29:31 ashley tinc.powercraft01[11557]: Subnet list: May 24 17:29:31 ashley tinc.powercraft01[11557]: a2:63:0:96:a:c8#10 owner server01 May 24 17:29:31 ashley tinc.powercraft01[11557]: End of subnet list. 
#----------------------------------------------------------------------- tcpdump -n -i br0 broadcast tcpdump -n -i tun0 broadcast #----------------------------------------------------------------------- tcpdump -n -e -i br0 icmp tcpdump -A -p -n -i br0 port 80 tcpdump -A -p -n -i br0 tcpdump -i br0 host 84.245.3.195 -l #----------------------------------------------------------------------- cat /var/lib/dhcp3/dhcpd.leases #----------------------------------------------------------------------- # optional: forward from the VPN bridge to the LAN only for one explicit source/destination pair; the commented-out rule below it would instead accept every host on the bridge export LAN01=vlan2 export VPN02=br0 # /sbin/iptables --append FORWARD --in-interface br0 --out-interface vlan2 --jump ACCEPT /sbin/iptables --append FORWARD --in-interface ${VPN02} --source 192.168.3.150 --destination 192.168.2.206 --out-interface ${LAN01} --jump ACCEPT #-----------------------------------------------------------------------