Tinc clients behind a NAT, tunnels get unstable
Marcus Schopen
lists at localguru.de
Sat Sep 26 12:20:23 CEST 2015
On Friday, 25.09.2015, 22:45 +0200, Marcus Schopen wrote:
> Hi Guus,
>
> On Friday, 25.09.2015, 17:46 +0200, Marcus Schopen wrote:
> > Hmmm ... I've tried "LocalDiscovery = yes"
> > in /etc/tinc/mytunnel/tinc.conf already, but that didn't help. Config on
> > client A is:
> >
> > ---------------
> > Name = clienta
> > AddressFamily = ipv4
> > Interface = tun0
> > ConnectTo = host
> > PingInterval = 30
> > LocalDiscovery = yes
> > ---------------
>
> I think I figured the problem out. The clients behind the local NAT
> connect to the host and all traffic is running through the host, which is
> working as a NAT itself for accessing the internet (internet
> proxy/gateway).
>
> On each client this script is executed, when starting the tunnel
> connection to the host:
>
> ---------
> #!/bin/sh
>
> VPN_GATEWAY=10.20.0.1
> # next hop and device of the current default route, e.g. "via 192.168.1.1 dev eth0"
> ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
>
> # keep the tinc host itself reachable via the original gateway, not via the tunnel
> ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
> ip route add $VPN_GATEWAY dev $INTERFACE
> # two /1 routes are more specific than the default route, so they take precedence
> ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
> ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
> ---------
>
> If I disable the above routing rules, the clients behind the NAT can talk
> directly to each other. But how do I have to configure the ip route
> rule so that all "internet" traffic is going through the external tinc
> host and at the same time the tinc clients behind the NAT talk directly? On
> the local eth0 interface each client can ping or connect to services at
> each other client in the local network. What did I miss to configure
> here?
The problem seems to be the routing rule, which I took from the "redirecting
the default gateway to a host on the VPN" Howto [1]:
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
Without this route, the clients can reach each other. Hmmm ...
The last problem seems to be the local UFW firewall on the clients, which
seems to block the broadcast for LocalDiscovery = yes. Need to check the
logs here.
Ciao!
Marcus
[1] http://www.tinc-vpn.org/examples/redirect-gateway/
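As an added example (not part of the mailing list thread and not tinc's own code), the following Python script simulates the kernel's longest-prefix-match lookup over the routing table that the tinc-up script above produces. The LAN (192.168.1.0/24 on eth0, gateway 192.168.1.1), the tinc host's public address (203.0.113.10, standing in for $REMOTEADDRESS) and the NAT's public address (198.51.100.7) are constructed placeholders. It shows why the tinc host stays reachable via eth0, why LAN peers on 192.168.1.0/24 are still reached directly, and why a peer address learned through the tinc host (the NAT's public address) is pushed into the tunnel, which is the situation the 128.0.0.0/1 route discussion above is about.

```python
#!/usr/bin/env python3
"""Simulate longest-prefix-match routing on a tinc client behind a NAT."""
import ipaddress

# Constructed sample values; none of these addresses come from the thread.
TINC_HOST_PUBLIC = "203.0.113.10"   # placeholder for $REMOTEADDRESS
NAT_PUBLIC = "198.51.100.7"         # the address the tinc host sees for every LAN client
VPN_GATEWAY = "10.20.0.1"           # same value as in the tinc-up script
LAN_GATEWAY = "via 192.168.1.1 dev eth0"   # what ORIGINAL_GATEWAY would expand to


def build_routes(remote_address=TINC_HOST_PUBLIC, upper_half=True):
    """Routing table after tinc-up: (prefix, next hop) in the order the script adds them.

    upper_half=False drops the 128.0.0.0/1 route, reproducing the experiment
    described in the reply above.
    """
    routes = [
        ("0.0.0.0/0", LAN_GATEWAY),                     # original default route
        ("192.168.1.0/24", "dev eth0"),                 # connected LAN route
        (f"{remote_address}/32", LAN_GATEWAY),          # ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
        (f"{VPN_GATEWAY}/32", "dev tun0"),              # ip route add $VPN_GATEWAY dev $INTERFACE
        ("0.0.0.0/1", f"via {VPN_GATEWAY} dev tun0"),   # lower half of the address space
    ]
    if upper_half:
        routes.append(("128.0.0.0/1", f"via {VPN_GATEWAY} dev tun0"))
    return routes


def lookup(dst, routes):
    """Longest-prefix match: the most specific matching prefix wins, as in the kernel."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def where_does_it_go(dst, upper_half=True):
    """Convenience wrapper: next hop for dst with the full or reduced table."""
    return lookup(dst, build_routes(upper_half=upper_half))


if __name__ == "__main__":
    for dst, label in [
        (TINC_HOST_PUBLIC, "tinc host (public)"),
        ("192.168.1.20", "LAN peer (local address)"),
        (NAT_PUBLIC, "LAN peer as seen by the tinc host"),
        ("8.8.8.8", "arbitrary internet host"),
    ]:
        print(f"{label:34} {dst:15} -> {where_does_it_go(dst)}")
    print("without 128.0.0.0/1:")
    print(f"{'LAN peer as seen by the tinc host':34} {NAT_PUBLIC:15} -> "
          f"{where_does_it_go(NAT_PUBLIC, upper_half=False)}")
```

The simulation makes the trade-off visible: with both /1 routes every address except the tinc host and the connected LAN goes into the tunnel, so two clients behind the same NAT can only reach each other directly if they learn each other's LAN address some other way, which is what LocalDiscovery's broadcast on the local network provides; that broadcast arrives on tinc's UDP port (655 by default) from a LAN source address, so a host firewall such as UFW has to permit it.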