Sorry to trouble you all - I'm having some trouble getting tincd up and
running - I suspect I'm having problems with subnets. Any help would
really be appreciated!
At the moment I'm trying to get two linux boxes, both of which are
running as NAT routers for their respective networks to talk. My goal is
to allow staff to connect to the corporate network from their laptops
using dial up.
The office network is on 10.0.0.0/24 The box that's running the vpn has
an internal IP of 10.0.0.3 and an external IP of 1.2.3.4
The home network uses 192.168.0.0/24 The box on it running tinc has an
internal IP of 192.168.0.1 and an external IP of 5.6.7.8
I'm trying to make the vpn server have an IP of 10.0.1.1 and the client
have 10.0.1.10
I think I'm making a little progress - at least on the client I'm seeing
/dev/net/tun is a Linux tun/tap device
Executing script tinc-up
Process 2293 (tinc-up) exited with non-zero status 4
Node home (MYSELF) became reachable
For network interfaces I have on the client:
vpn Link encap:Ethernet HWaddr 00:FF:30:E2:C7:E8
inet addr:10.0.1.10 Bcast:10.255.255.255 Mask:255.255.255.0
and on the server:
vpn Link encap:Point-to-Point Protocol
inet addr:10.0.1.1 P-t-P:10.0.1.1 Mask:255.255.0.0
On the office server I have:
tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.1.1 netmask 255.255.0.0
route add -host 10.0.1.1 dev $INTERFACE
route add -net 10.0.1.0 netmask 255.255.0.0 gw 10.0.1.1
tinc.conf
Name = hqvpn
Device = /dev/net/tun
ConnectTo = home
PrivateKeyFile=/etc/tinc/rsa_key.priv
hosts/hqvpn
Compression = 9
Address = 1.2.3.4
Subnet = 10.0.0.0/24
public key.
hosts/home
Address = 5.6.7.8
Subnet = 10.0.1.10/32
public key.
At home I have:
tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.1.10 netmask 255.255.255.0
route add -host 10.0.1.10 dev $INTERFACE
route add -net 10.0.1.0 netmask 255.255.0.0 gw 10.0.1.10
tinc.conf
Name = home
Device = /dev/net/tun
#ConnectTo = russell
ConnectTo = hqvpn
PrivateKeyFile=/etc/tinc/vpn/rsa_key.priv
hosts/hqvpn
Address = 1.2.3.4
Subnet = 10.0.0.0/24
Compression=9
-----BEGIN RSA PUBLIC KEY-----
hosts/home
Address = 5.6.7.8
Subnet = 10.0.1.10/32
-----BEGIN RSA PUBLIC KEY-----
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
> I'm trying to make the vpn server have an IP of 10.0.1.1 and the client
> have 10.0.1.10
If that really is what you want, then:
> On the office server I have:
>
> tinc-up
> #!/bin/sh
> ifconfig $INTERFACE 10.0.1.1 netmask 255.255.0.0
> route add -host 10.0.1.1 dev $INTERFACE
> route add -net 10.0.1.0 netmask 255.255.0.0 gw 10.0.1.1
The tinc-up script should just contain:
#!/bin/sh
ifconfig $INTERFACE 10.0.1.1 netmask 255.255.255.0
> hosts/hqvpn
> Compression = 9
> Address = 1.2.3.4
> Subnet = 10.0.0.0/24
> public key.
Subnet should be 10.0.1.1/32
> At home I have:
>
> tinc-up
> #!/bin/sh
> ifconfig $INTERFACE 10.0.1.10 netmask 255.255.255.0
> route add -host 10.0.1.10 dev $INTERFACE
> route add -net 10.0.1.0 netmask 255.255.0.0 gw 10.0.1.10
That should be:
#!/bin/sh
ifconfig $INTERFACE 10.0.1.10 netmask 255.255.255.0
> hosts/home
> Address = 5.6.7.8
> Subnet = 10.0.1.10/32
> -----BEGIN RSA PUBLIC KEY-----
That one is correct.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <gu...@sliepen.eu.org>
Thanks for the help here. I've come to learn that "If that's really what
you want" usually means "well here's how to do that, but it isn't going
to do what you think" or something similar.
So, I've done lots of reading over the weekend, upgraded kernels and
torn out hair. Nonetheless, I've made progress, my two configurations
can, at last, connect to one another - I just don't have any data
flowing between the networks.
So, my question (if I still have any question points left) is given my
network configurations, how should I be configuring tinc to connect the
two and get data to flow?
Do I make a new subnet altogether for the VPN? If so, can anyone point
me in the direction of how to get data to flow between the networks?
The office is 10.0.0.3 on network 10.0.0.0/24 with an external IP of
1.2.3.4
Home is 192.168.0.1 on network 192.168.0.0/24 with an external IP of
5.6.7.8
Both external IPs are boxes running tinc and also running NAT for the
internal networks.
I'm happy to do more reading if anyone has any pointers. I've been
through the manual however and would really like to see this work.
Very many thanks!
Russell
> So, my question (if I still have any question points left) is given my
> network configurations, how should I be configuring tinc to connect the
> two and get data to flow?
>
> Do I make a new subnet altogether for the VPN? If so, can anyone point
> me in the direction of how to get data to flow between the networks?
>
> The office is 10.0.0.3 on network 10.0.0.0/24 with an external IP of
> 1.2.3.4
> Home is 192.168.0.1 on network 192.168.0.0/24 with an external IP of
> 5.6.7.8
>
> Both external IPs are boxes running tinc and also running NAT for the
> internal networks.
My answer will probably differ a little from Guus's answer since he
generally prefers router mode over switch mode, but I prefer to set up a new
subnet, say a /24, that all of the vpn servers share. I use tinc's switch
mode so that I don't have to tell tinc about all of the various IPs and
subnets that I will be sending through the VPN. So basically it works just
like if you had a big ethernet switch in the sky with an extra ethernet card
in each "vpn server" and a really really long cat5 cable going from each
server box to the switch in the sky. Then do your IP routing normally.
So in your situation, this vpn switched subnet might be 10.100.0.0/24 with
the office router being 10.100.0.1 on that subnet and the home router being
10.100.0.2 on that subnet. Now just set up normal routing: enable IP
forwarding in the kernels and use route add to tell the kernels how to reach
the other subnets. If you have a larger network, you could even use routing
protocols to auto-update all of the kernel routing tables. But in your
case with just 2 networks, do something like this:
on home box:
# route add -net 10.0.0.0/24 gw 10.100.0.1
on work box:
# route add -net 192.168.0.0/24 gw 10.100.0.2
(tinc-up would be a good place for those)
Note that in switch mode, each interface in your network needs its own MAC
addr. For my Linux tinc boxes, I use the convention fe:fd:0:0:0:n where n is
the same as the last digit of the IP of that box on the vpn subnet. On my
Windows boxes, I let the tun driver use the pseudorandom MAC addr that it
comes up with automatically.
This also lets you do interesting things like if you want your connections
from your home boxes to a particular IP on the internet to go out to the
internet from your work's ISP instead of your home ISP, just route that IP
to 10.100.0.1 on your home box and it will get NATted by your work router
instead of your home router. Also, since your vpn is at the ethernet MAC
level, you can also use routable protocols other than IP if you ever
need to (IPX/SPX for example).
Have fun. tinc and vpns in general can be really fun.
> So, my question (if I still have any question points left) is given my
> network configurations, how should I be configuring tinc to connect the
> two and get data to flow?
>
> Do I make a new subnet altogether for the VPN? If so, can anyone point
> me in the direction of how to get data to flow between the networks?
You can, but you can also use the subnets you are already using.
> The office is 10.0.0.3 on network 10.0.0.0/24 with an external IP of
> 1.2.3.4
In that case, you should put "Address = 1.2.3.4" and "Subnet =
10.0.0.0/24" in hosts/office.
> Home is 192.168.0.1 on network 192.168.0.0/24 with an external IP of
> 5.6.7.8
And "Address = 5.6.7.8" and "Subnet = 192.168.0.0/24" in hosts/home.
As for routing in between them, it works just like routing between real
network cards. So in office's tinc-up you should put something like:
#!/bin/sh
ifconfig $INTERFACE 10.0.0.3 netmask 255.255.255.0
route add -net 192.168.0.0 netmask 255.255.255.0 dev $INTERFACE
And home's tinc-up is completely analogous.
> I'm happy to do more reading if anyone has any pointers. I've been
> through the manual however and would really like to see this work.
If you have masquerading firewalls, you should either try to let them
forward tinc's traffic (http://tinc.nl.linux.org/examples/) or use
"TCPOnly = yes" (see manual) to let tinc tunnel everything over TCP.
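A small consistency checker for the router-mode layout Guus describes above, added here as an example and not code from the thread or from tinc itself: it reads each node's hosts file and tinc-up and reports when the address tinc-up puts on the tun interface lies outside that node's own Subnet lines (the mismatch in the original hqvpn files, where Subnet was 10.0.0.0/24 but the interface got 10.0.1.1) or when two nodes advertise overlapping Subnets. The file contents are constructed samples following Guus's reply; the hosts/office name and the PLACEHOLDER key are assumptions.

```python
import ipaddress

# Constructed sample files for the two-site, router-mode layout Guus describes:
# each node's tun interface gets its LAN address and the hosts file advertises that LAN.
HOSTS = {
    "office": "Address = 1.2.3.4\nSubnet = 10.0.0.0/24\n"
              "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n",
    "home": "Address = 5.6.7.8\nSubnet = 192.168.0.0/24\n"
            "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n",
}
TINC_UP = {
    "office": "#!/bin/sh\nifconfig $INTERFACE 10.0.0.3 netmask 255.255.255.0\n"
              "route add -net 192.168.0.0 netmask 255.255.255.0 dev $INTERFACE\n",
    "home": "#!/bin/sh\nifconfig $INTERFACE 192.168.0.1 netmask 255.255.255.0\n"
            "route add -net 10.0.0.0 netmask 255.255.255.0 dev $INTERFACE\n",
}

def declared_subnets(text):
    """Subnet lines of a hosts/<name> file as ip_network objects; the key block is skipped."""
    subnets, in_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----"):                  # BEGIN/END RSA PUBLIC KEY markers
            in_key = line.startswith("-----BEGIN")
        elif not in_key and line.partition("=")[0].strip() == "Subnet":
            subnets.append(ipaddress.ip_network(line.partition("=")[2].strip(), strict=False))
    return subnets

def interface_address(tinc_up):
    """Address that tinc-up assigns to $INTERFACE (ifconfig ADDR netmask MASK form)."""
    for line in tinc_up.splitlines():
        words = line.split()
        if words[:2] == ["ifconfig", "$INTERFACE"] and "netmask" in words:
            return ipaddress.ip_interface(f"{words[2]}/{words[words.index('netmask') + 1]}")
    raise ValueError("tinc-up has no 'ifconfig $INTERFACE ... netmask ...' line")

def check_mesh(hosts, tinc_ups):
    """Problems that stop router-mode forwarding; an empty list means the files agree."""
    problems, declared = [], []
    for name, text in hosts.items():
        subnets, addr = declared_subnets(text), interface_address(tinc_ups[name])
        if not any(addr.ip in net for net in subnets):       # the poster's hqvpn mistake
            problems.append(f"{name}: tun address {addr.ip} lies outside its Subnet lines {[str(n) for n in subnets]}")
        for net in subnets:
            for other, onet in declared:                     # two nodes claiming the same space
                if net.overlaps(onet):
                    problems.append(f"{name}: Subnet {net} overlaps {onet} declared by {other}")
            declared.append((name, net))
    return problems
```

Run `check_mesh(HOSTS, TINC_UP)` before starting tincd on both ends; anything it lists is traffic that tinc in router mode has no Subnet to deliver to.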
> My answer will probably differ a little from Guus's answer since he
> generally prefers router mode over switch mode, but I prefer to setup a new
Yes :)
> note that in switch mode, each interface in ur network needs its own mac
> addr. for my linux tinc boxes, i use the convention fe:fd:0:0:0:n where n is
> the same as the last digit of the ip of that box on the vpn subnet. on my
> windows boxes, i let the tun driver use the pseudorandom mac addr that it
> comes up with automatically.
Linux's tun/tap driver also assigns random MAC addresses, only the old
ethertap driver had a fixed one.