Re: linking non-neighboring networks together?
Sure. Pick a new unused private network such as 10.255.255.0/24 for your vpn.

On Mar 15, 2015 3:34 AM, Patrick C <patrick...@gmail.com> wrote:
> I am trying to determine the best way to link different private networks together, similar to the branch office example given online. However, in my case, the private networks are split up. For example, I would like to connect subnets such as:
>
>     10.30.0.0/16
>     172.23.0.0/16
>     10.90.50.0/24
>     192.168.3.0/24
>
> How does this affect my tinc-up files? What subnet mask do I give the tinc interface? Can this work?
>
> --
> patrick correa
> patrick...@gmail.com

___
tinc mailing list
tinc@tinc-vpn.org
http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
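One way to put that advice into practice, as an added example (not code from the list or from the tinc project): the four site subnets from the question are checked against the suggested 10.255.255.0/24 transit network for overlap, and the tinc-up and host-file lines one site would get in router mode are rendered. The node names, the ip(8) commands in the generated script and the per-node address assignment are my assumptions.

```python
"""Check a candidate tinc transit network against the site LANs and render
the router-mode tinc-up / host-file lines for one site.

Constructed example: the LANs are the ones from the question, the transit
network is the one suggested in the reply; node names are made up."""
import ipaddress

# Site LANs from the question, keyed by constructed node names.
SITES = {
    "siteA": "10.30.0.0/16",
    "siteB": "172.23.0.0/16",
    "siteC": "10.90.50.0/24",
    "siteD": "192.168.3.0/24",
}

# Transit network suggested in the reply: every node gets one address in it.
TRANSIT = "10.255.255.0/24"


def check_transit(transit, sites):
    """Return the list of reasons a transit network is NOT safe to use.

    An empty list means it is private, large enough for all nodes and does
    not overlap any site LAN (an overlap would make part of a LAN
    unreachable, because the kernel prefers the on-link interface route)."""
    net = ipaddress.ip_network(transit, strict=True)
    problems = []
    if not net.is_private:
        problems.append(f"{net} is not a private range")
    # Network and broadcast addresses are not usable for nodes.
    if net.num_addresses - 2 < len(sites):
        problems.append(f"{net} has fewer than {len(sites)} usable addresses")
    for name, cidr in sites.items():
        lan = ipaddress.ip_network(cidr)
        if net.overlaps(lan):
            problems.append(f"{net} overlaps the LAN of {name} ({lan})")
    return problems


def transit_address(node, transit, sites):
    """Deterministic transit address: the n-th node (sorted by name) gets the
    n-th usable host address, so every site derives the same mapping."""
    net = ipaddress.ip_network(transit)
    index = sorted(sites).index(node)
    host = list(net.hosts())[index]
    return ipaddress.ip_interface(f"{host}/{net.prefixlen}")


def render_tinc_up(node, transit, sites):
    """tinc-up for `node`: address the VPN interface inside the transit
    network and route every other site's LAN into it. $INTERFACE is the
    variable tinc exports to tinc-up; the ip(8) commands are an assumption."""
    addr = transit_address(node, transit, sites)
    lines = [
        "#!/bin/sh",
        f"ip addr add {addr} dev $INTERFACE",
        "ip link set $INTERFACE up",
    ]
    for name in sorted(sites):
        if name != node:
            lines.append(f"ip route add {sites[name]} dev $INTERFACE")
    return "\n".join(lines) + "\n"


def render_host_subnets(node, transit, sites):
    """Subnet = lines for hosts/<node>: its transit address as a /32 plus the
    LAN it forwards for, so other nodes send those prefixes to this node."""
    addr = transit_address(node, transit, sites)
    return [f"Subnet = {addr.ip}/32", f"Subnet = {sites[node]}"]


if __name__ == "__main__":
    for problem in check_transit(TRANSIT, SITES) or ["transit network OK"]:
        print(problem)
    print(render_tinc_up("siteC", TRANSIT, SITES))
    print("\n".join(render_host_subnets("siteC", TRANSIT, SITES)))
```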
Re: Current state of Tinc 1.1?
Is there a specific capability you are looking for or concern you have? No doubt Guus can give details on the differences but if you're wondering if 1.0 will work for you we may be able to help with some more information.

Regards,
Donald

On Sun, Dec 21, 2014 at 7:42 PM, Alexander Ypema <alexanderyp...@gmail.com> wrote:
> So as probably any Tinc user, I noticed there are two versions: 1.0 and 1.1. On the website it is explained that 1.1 is the stepping stone for 2.0 and that it has a lot of neat features *planned*. However, in the repositories, one usually finds version 1.0, and since I'm someone who prefers having everything run through repositories instead of manually updated, I want to know if it's worth it, if it's actually in a usable state, and if any of the 'planned' features are implemented.
>
> In short, does anyone know what the current state of Tinc 1.1 is? Is it recommended to use it at all, or stay with 1.0 as provided in most distro repositories?
>
> I'm also asking this question over here: http://serverfault.com/questions/654053/current-state-of-tinc-1-1 , someone suggested there I'd poke the mailing list :) Feel free to answer the question there if you think it's more appropriate.
>
> Met vriendelijke groet / Kind regards,
> Alexander Ypema
Re: Linux box as network gateway
Well you use brctl to bridge the virtual adapter (interface) to a real physical interface, and that's represented by an additional virtual interface which is the bridge itself. That bridge is what you configure with an IP on your LAN statically or via DHCP. If you do all this ahead of time you don't even need a tinc-up script. If you want the bridge to be built up when tinc connects it would look something like this. Do the inverse for a tinc-down.

tinc.conf:

    Name = Alpha
    ConnectTo = Beta
    ConnectTo = Charlie
    Device = /dev/net/tun
    Mode = switch
    PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

tinc-up:

    #!/bin/sh
    modprobe tun
    ifconfig vpn 0.0.0.0
    ifconfig vpn up
    ifconfig eth1 0.0.0.0
    ifconfig eth1 up
    brctl addbr bridge
    brctl addif bridge vpn
    brctl addif bridge eth1
    ifconfig bridge 10.10.0.1 netmask 255.255.0.0
    route add default gw 10.10.0.254 bridge
    ifconfig bridge up

On Wed, Mar 19, 2014 at 2:44 PM, Aaron Anderson <anderson.aa...@gmail.com> wrote:
> Does connecting to that machine get you access to other machines on the network? That's what I'm having trouble with. I want to connect to machines that do not have tinc installed.
>
> On Wed, Mar 19, 2014 at 2:30 PM, vmlinux <vmli...@charter.net> wrote:
>> Aaron Anderson said on 03/19/2014 01:23 PM:
>>> I do already have those installed. I was really hoping for someone who had some already working configs or examples.
>>
>>     # /etc/tinc/myvpn/tinc.conf
>>     Name = mynode
>>     AddressFamily = ipv4
>>     interface = tinc0
>>
>>     # /etc/tinc/myvpn/tinc-up
>>     #!/bin/bash
>>     ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0
>>
>>     # /etc/tinc/myvpn/tinc-down
>>     #!/bin/bash
>>     ifconfig $INTERFACE down
>>
>>     # tincd -n myvpn
Re: Linux box as network gateway
By the way, if you create a layer 2 vpn using bridging like this, I suggest installing ebtables on your tinc box so that you can put in some layer 2 firewall rules. An interesting result when you don't do this is DHCP traversing the VPN. Much to my surprise I've seen hosts on one site receive DHCP from a site across the VPN, ultimately using the remote router as its gateway. You would think the local server would be faster and always win, but that's not always the case.

On Wed, Mar 19, 2014 at 3:03 PM, Donald Pearson <donaldwhpear...@gmail.com> wrote:
> [...]
Re: Network pause issue.
Matt,

I see. I suppose if that's right there's something I'm overlooking but it seems not quite right to me. I'll try to elaborate.

The BranchA host file, that all other nodes receive, states a 10.1.0.0/16 network, stating that 10.1.x.x lives at BranchA and that routing is required to reach it (because router mode is the default mode when no mode is specified). BranchA actually configures its virtual adapter as 10.1.54.1/8, claiming that all of 10.x.x.x is LAN, therefore reachable without any routing.

The same story goes for all other branches. They have host files stating that some 10.N.x.x/16 network is over there and requires routing to reach, then they configure their local virtual adapter with 10.x.x.x/8 which is in conflict with the above and states that 10.N.x.x is within local broadcast range.

There may be some reason I'm missing why this configuration is correct despite what looks like a contradiction. Somehow it's working anyway with most of your nodes. However I would try changing each node's tinc-up netmask to match its corresponding host file and see how that goes.

On Mon, Jan 27, 2014 at 10:50 AM, Matthew Tolle <m...@night.com> wrote:
> Hi Donald,
>
> I was following the example provided here: http://www.tinc-vpn.org/documentation-1.1/Example-configuration.html#Example-configuration
>
> Is there a better way to do it?
>
> -Matt
>
> On Jan 25, 2014, at 8:54 AM, Donald Pearson <donaldwhpear...@gmail.com> wrote:
>> I admit it's been a long time since I've used tinc so I'm pretty rusty, but your config does seem a little odd to me. You are in router mode, and defining /16 networks for each location, but then bringing up the tinc interface for something with a /8. From the perspective of that interface then every 10.x.x.x address is a peer on a LAN that can be reached via switching, not routing. Maybe that has nothing to do with it though, and it is curious that only one endpoint is impacted. Does your vpn not work if you use a /16 in your tinc-up script?
>> On Tue, Jan 21, 2014 at 10:59 AM, Matthew Tolle <m...@night.com> wrote:
>>> [...]
Re: Network pause issue.
Raul,

It probably is, it just seems odd on the surface. You make a good point though, in that config the traffic will definitely go to the virtual interface at which point tinc can pick it up and magic it to the right destination.

On Mon, Jan 27, 2014 at 12:20 PM, Raul Dias <r...@dias.com.br> wrote:
> Matt, just a wild guess. I had problems in the past with badly configured IPv6 support and too large MTUs (unrelated).
>
> -rsd
>
> 2014-01-21 Matthew Tolle <m...@night.com>
>> [...]
Re: Network pause issue.
I admit it's been a long time since I've used tinc so I'm pretty rusty, but your config does seem a little odd to me. You are in router mode, and defining /16 networks for each location, but then bringing up the tinc interface for something with a /8. From the perspective of that interface then every 10.x.x.x address is a peer on a LAN that can be reached via switching, not routing. Maybe that has nothing to do with it though, and it is curious that only one endpoint is impacted. Does your vpn not work if you use a /16 in your tinc-up script?

On Tue, Jan 21, 2014 at 10:59 AM, Matthew Tolle <m...@night.com> wrote:
> Hi Donald,
>
> Thanks for the idea. I didn't even think about MAC conflicts. I checked all the servers that participate in the tinc network and they are different. The tunnel links all look like this:
>
>     home      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>
> Those links are POINTOPOINT connections so I think that's ok. I don't think I need to make up and set a MAC address for each of those, do I? I'll poke around and check the other servers at the node2 site to see if there are any conflicts there.. but I doubt there are.
>
> -Matt
>
> On Jan 21, 2014, at 7:05 AM, Donald Pearson <donaldwhpear...@gmail.com> wrote:
>> My 1st guess would be IP or MAC address conflicts.
>>
>> On Tue, Jan 21, 2014 at 1:07 AM, Matthew Tolle <m...@night.com> wrote:
>>> [...]
Re: Network pause issue.
My 1st guess would be IP or MAC address conflicts.

On Tue, Jan 21, 2014 at 1:07 AM, Matthew Tolle <m...@night.com> wrote:
> Howdy Folks,
>
> I've got a 5 node setup here. My server home is the primary server that all other servers connect to. The configs on all the servers look like this:
>
>     # cat /etc/tinc/home/hosts/node1
>     Subnet = 10.2.0.0/16
>     Address = 192.168.2.1
>     RSA KEY
>
>     # cat /etc/tinc/home/hosts/node2
>     Subnet = 10.3.0.0/16
>     Address = 192.168.3.1
>     RSA KEY
>
> Etc. All the hosts are setup the same.
>
>     # /sbin/tinc -n home dump subnets
>     10.1.0.0/16 owner home
>     10.2.0.0/16 owner node1
>     10.3.0.0/16 owner node2
>     10.4.0.0/16 owner node3
>     10.5.0.0/16 owner node4
>
>     # cat /etc/tinc/home/tinc-up
>     ifconfig $INTERFACE 10.2.0.10 netmask 255.0.0.0
>     ifconfig $INTERFACE up
>
>     # cat tinc.conf
>     Name = node1
>     ConnectTo = home
>     Mode = router
>     AddressFamily = ipv4
>     PingInterval = 600
>     PingTimeout = 15
>
> 4 out of 5 nodes work just fine. Node 2 however has issues. It does work fine for 5-30m and then pauses my connection to it. It's still up. I can't ping it over the pause time with 0% packet loss. Any TCP connection over the link just pauses for a while. The odd thing is it doesn't timeout. In an SSH session to the box over the tinc link I'll type ps -ef and 10m later I'll get the response. SSH should timeout way before then so I'm not sure what's going on. It's not like that all the time. I get maybe 15-30m when it's working just fine and then 10m of network pause.
>
> While my SSH session is paused I can see that the app on the server is talking to my primary node over the tunnel. That seems odd. The app on the node side seems happy and can reach everything it needs to. No sign of issue there. It only seems to be an issue over the tinc tunnel. It kind of feels like maybe something is routing the IP space in a different direction for a period of time and then it comes back. If that were the case my TCP ssh connection would timeout well before the connection returns to life. Has anyone seen anything like this?
>
> I've poked at a bunch of things to try and pinpoint the issue. So far no love. The routing table looks fine and the same on all of them:
>
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 eth0
>     10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 home
>     192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>
> Nothing else in node2's area uses 10. space. Any ideas I would appreciate it.
>
> Thanks,
> -Matt
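A consistency check, added here and not part of the thread or of tinc, over the `dump subnets` output and the tinc-up line quoted above: it reports which remote Subnets the interface's own network already routes into the tinc device and which would need an explicit route, and it flags a host-file Subnet that does not contain the node's interface address. It makes explicit what the replies work out by hand: with the /8 every remote /16 is already inside the interface route, while with a /16 matching the host file each remote /16 would need its own route. Function names and the partial-overlap warning are my own.

```python
"""Compare a node's tinc-up netmask with the Subnets advertised in
`tinc -n <net> dump subnets` (router mode).

Constructed example: the dump output and the ifconfig line are the ones
quoted in the thread; node names come from that output."""
import ipaddress
import re

# Output of `tinc -n home dump subnets` as quoted in the thread.
DUMP_SUBNETS = """\
10.1.0.0/16 owner home
10.2.0.0/16 owner node1
10.3.0.0/16 owner node2
10.4.0.0/16 owner node3
10.5.0.0/16 owner node4
"""

# The tinc-up line from the thread (a /8 on a node that advertises a /16).
TINC_UP_LINE = "ifconfig $INTERFACE 10.2.0.10 netmask 255.0.0.0"

_IFCONFIG_RE = re.compile(
    r"ifconfig\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\d+\.\d+\.\d+\.\d+)"
)


def parse_dump_subnets(text):
    """Map each advertised Subnet to the node that owns it."""
    owners = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+owner\s+(\S+)", line.strip())
        if m:
            owners[ipaddress.ip_network(m.group(1))] = m.group(2)
    return owners


def parse_tinc_up(script):
    """Return the address/netmask set by an ifconfig-style tinc-up as an
    IPv4Interface; its .network is the route the kernel installs on-link."""
    m = _IFCONFIG_RE.search(script)
    if not m:
        raise ValueError("no 'ifconfig <if> <addr> netmask <mask>' line found")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def check_node(node, dump_text, tinc_up_script):
    """Classify every remote Subnet relative to this node's interface route.

    covered:     entirely inside the interface network, so the kernel already
                 hands that traffic to tinc (what the /8 in the thread does)
    needs_route: outside it; without an explicit route the packets never
                 reach the tinc interface and the Subnet is unreachable
    warnings:    partial overlaps, and an own Subnet that does not contain
                 the interface address (host file and tinc-up disagree)
    """
    owners = parse_dump_subnets(dump_text)
    iface = parse_tinc_up(tinc_up_script)
    on_link = iface.network
    covered, needs_route, warnings = [], [], []
    for net, owner in owners.items():
        if owner == node:
            if iface.ip not in net:
                warnings.append(
                    f"{node} advertises {net} but its interface address "
                    f"{iface.ip} is outside it"
                )
            continue
        if net.subnet_of(on_link):
            covered.append(str(net))
        elif net.overlaps(on_link):
            warnings.append(f"{net} ({owner}) only partly overlaps {on_link}")
            needs_route.append(str(net))
        else:
            needs_route.append(str(net))
    return {
        "interface": str(iface),
        "covered": sorted(covered),
        "needs_route": sorted(needs_route),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Compare the /8 from the thread with the /16 Donald suggested trying.
    for mask in ("255.0.0.0", "255.255.0.0"):
        line = f"ifconfig $INTERFACE 10.2.0.10 netmask {mask}"
        print(check_node("node1", DUMP_SUBNETS, line))
```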
Re: 10th anniversary of tinc 1.0
Congrats Guus and thank you!

On Sun, Aug 4, 2013 at 12:17 PM, Raul Dias <r...@dias.com.br> wrote:
> Congratulations! I have no words to express what I would have done if it wasn't for tinc. Thank you Guus!
>
> 2013/8/4 Guus Sliepen <g...@tinc-vpn.org>
>> Hello everyone,
>>
>> Today is exactly 10 years ago that tinc 1.0 was released. I would have hoped to celebrate this by releasing 1.0.22 and 1.1pre8 today, but this will instead happen in one week.
>>
>> Tinc 1.1 is close to becoming stable, and I hope to release 1.1.0 before the end of the year. The main features of tinc 1.1 are the improved security over tinc 1.0, and a much nicer interface that makes it very easy to set up new VPNs, and allows you to easily get live information from a running VPN. Tinc 1.1 will also feature an invitation protocol which allows you to easily invite others to join a VPN, by simply giving them an invitation URL that you can create with a simple command. No central servers are involved, invitees will directly connect to your own tinc node to redeem invitations. The invitation protocol will be available in the 1.1pre8 release.
>>
>> Tinc is the work of many people. For those of you who haven't read the THANKS file in the source code distribution, here is a list of all the contributors: Alexander Reil and Gemeinde Berg, Allesandro Gatti, Andreas van Cranenburgh, Anthony G. Basile, Armijn Hemel, Brandon Black, Cheng LI, Cris van Pelt, Darius Jahandarie, Delf Eldkraft, dnk, Enrique Zanardi, Erik Tews, Etienne Dechamps, Flynn Marquardt, Grzegorz Dymarek, Hans Bayle, Ivo Timmermans, Ivo van Dong, James MacLean, Jamie Briggs, Jason Harper, Jeroen Ubbink, Jerome Etienne, Julien Muchembled, Loïc Grenié, Lubomír Bulej, Mads Kiilerich, Marc A. Lehmann, Mark Glines, Markus Goetz, Martin Kihlgren, Martin Schobert, Martin Schürrer, Matias Carrasco, Max Rijevski, Menno Smits, Mesar Hameed, Michael Tokarev, Miles Nordin, Nick Hibma, Nick Patavalis, Paul Littlefield, Philipp Babel, Robert van der Meulen, Rumko, Scott Lamb, Sven-Haegar Koch, Teemu Kiviniemi, Timothy Redaelli, Tonnerre Lombard, Vil Brekin, Wessel Dankers and Wouter van Heyst.
>>
>> And finally, thank you for using tinc!
>>
>> --
>> Met vriendelijke groet / with kind regards,
>> Guus Sliepen <g...@tinc-vpn.org>
Re: Simple Class A VPN Guide - Problems
As an example, one of the setups I ran was 2 sites, each with a local /24. Tinc subnets were configured on each side with a /25 inside of the local /24. Any devices that you would wish to participate in the VPN, you'd provision with an IP inside of the /25. Otherwise provision it inside of the /24. The devices themselves would still use a /24 mask but the VPN would only expose half of that range due to its /25 configuration. In that way for any one site, all local devices could communicate with all other local devices, and 1/2 of the IP range of the remote site through the VPN.

On Thu, May 2, 2013 at 11:04 AM, Guus Sliepen <g...@tinc-vpn.org> wrote:
> On Fri, May 03, 2013 at 12:51:34AM +1000, Andrew Armstrong wrote:
>> Thanks Guus, I will try this shortly. Can you elaborate on when an actual subnet of (say) 10.0.0.0/8 would ever be used (or things other than a /32 address).
>
> You typically use things other than a /32 when you have a LAN connected to a node running tinc, and you want to make the whole LAN part of the VPN. See for example the configuration described in the manual:
>
> http://tinc-vpn.org/documentation/tinc_4.html#Example-configuration
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <g...@tinc-vpn.org>
Re: Simple Class A VPN Guide - Problems
Couple thoughts. In my case, I was running tinc in switch mode on a pair of linux hosts. All the hosts within each site's /25 range behaved as peers on a LAN; as far as they were concerned there was no routing involved. So if you want to have a shared subnet across the sites, you'll need to run in switch mode, which I didn't see in your configs. The other way to do it is a routed vpn, which is what Rob described.

If you go the routed route, the other thing that comes to mind is windows hosts don't permit routing by default. That's something that's separate from anything like windows firewall. Windows calls it tcp/ip forwarding and it's configured in the registry.

On Thu, May 2, 2013 at 8:18 PM, Rob Townley <rob.town...@gmail.com> wrote:
> If you are new to tinc, i would start with 10.0.0.1/32 and 10.0.0.2/32. When there are two gateways into the same LAN, two with the same subnet would work, but start simple. Start really simple. Once you have both working with /32, then you might want to try 10.0.1.1/24 and 10.0.2.2/24.
>
> i wonder how well tinc will parse spaces in folder names. Maybe it works fine, but i would not do it anymore. One way to get rid of spaces on windows is to use the sysinternals tool junction.exe:
>
>     junction.exe C:\APPS32\ "C:\Program Files (x86)\"
>     junction.exe C:\APPS64\ "C:\Program Files\"
>
> then C:\APPS32\ works wherever C:\Program Files (x86)\ resides.
>
>> PrivateKeyFile = c:\Program Files (x86)\tinc\vpn\rsa_key.priv
>
> It is better if private keys are in a non world readable folder; C:\Program Files (x86)\ can be read by any one.
>
> On Thu, May 2, 2013 at 6:02 PM, Andrew Armstrong <phpla...@gmail.com> wrote:
>> Thanks Donald. I'm confused as to why my previous 10/8 range would not work in this case? Surely I'm just asking tinc for a huge address range but only using two addresses, (similar to your example), yet mine does not work.
>>
>> Sent from my iPhone
>>
>> On 03/05/2013, at 1:49 AM, Donald Pearson <donaldwhpear...@gmail.com> wrote:
>>> [...]
Re: keeping UDP session alive when using NAT
That's strange. You do have a rule to NAT the UDP traffic from outside to your Tinc host inside, right?

On Tue, Oct 23, 2012 at 3:55 PM, Nathan Stratton Treadway <natha...@ontko.com> wrote:
> I'm running Tinc on a Linux machine inside my home network, connecting through a NATing router to a Tinc server out on the Internet.
>
> I've noticed that fairly frequently the SSH sessions I leave open (but unused) get aborted with a "Connection reset by peer" message. When I investigated closely, I found that after a period of inactivity my router times out the UDP session between the remote and local Tinc nodes, and thus any VPN traffic that then attempts to come in from the remote side toward my SSH client gets dropped by the router (because it no longer has a record of where to forward the incoming Tinc packets). When this condition lasts long enough, the remote SSH server times out and closes the login session. (During this period, of course, other inbound traffic is also lost, e.g. syslog messages sent toward my local machine, etc.)
>
> As soon as something on the local side needs to send traffic to the office side, the local Tinc node sends new outbound UDP packets, the router re-establishes the virtual session between the two nodes, and all traffic resumes passing normally (at least until the next period of inactivity).
>
> I see that the PingInterval setting allows me to set a minimum inactivity period on the metadata connection, and that seems to be enough to prevent the TCP session from timing out in the router... but I haven't found any way to cause Tinc to ensure the data/UDP session also stays active. (I'm currently using v1.0.x, but I checked the v1.1 documentation on the web site as well and didn't see any new features that appeared to apply to this situation.)
>
> So, I'm wondering if I've missed some aspect of the Tinc configuration that would address this issue, and (assuming I haven't) what other people have done when facing this situation?
>
> For now I can use a ping command or something running locally to make sure that I have some traffic sent out over the VPN toward the office side once a minute or so -- but it seems cleaner to have Tinc itself monitor for long stretches of inactivity on the data link. Would it make sense to add functionality to Tinc to accomplish that (i.e. an option named something like DataPingInterval or DataKeepaliveInterval)?
>
> Thanks.
>
> Nathan
>
> Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
> Ray Ontko Co. - Software consulting services - http://www.ontko.com/
> GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
> Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
Re: switch mode, how to give a public IP behing a NAT
2012/3/22 Cédric Lemarchand cedric.lemarch...@ixblue.com

On 22/03/12 17:09, Donald Pearson wrote:

Cédric. When you say GATE, do you mean GATE/NAT or GATE/PUB?

2012/3/22 Cédric Lemarchand cedric.lemarch...@ixblue.com

On 22/03/12 12:29, Guus Sliepen wrote:

Video (V1) == Node 1 (N1) =GATE / NAT= WWW =GATE / PUB= Node 2 (N2)

V1 has fixed public IP in the range of N2, and the ip of GATE has default gateway.

Hm, but if you want any host on the internet to be able to reach V1, the default gateway for V1 should be N2, not GATE.

This is the goal yes. N2 and GATE PUB are on the same public range, GATE is the default gateway for this public subnet, as I try to extend the ethernet segment of this subnet, V1 should have this default gateway too, right?

I think you mean gate/pub here..

Yes.

Only if you want V1 to use gate/pub to reach the internet. V1 will still need its own normal gateway in order for the VPN to be established over the internet so you will at least need a /32 route for N2's IP address to use V1's normal gateway. Unless you have a very good reason, you will also want V1 to continue to use its normal gateway to reach other nodes on the internet. You probably want V1 to use the VPN only for access to N2's subnet.

The VPN is established by N1 via its interface eth0, providing the ethernet VPN on its interface eth1 (which is bridged with the tinc interface). V1 only sees the ethernet segment provided by N1, and has its interface directly configured with a fixed public IP, and the default gateway GATE PUB (the provider's gateway for this public subnet).

Oh I see, sorry that I missed the detail that N1 owns the Tinc interface. So yes the Tinc interface on N1 should be bridged with eth1. N1's eth1 should have a physical connection to V1, either directly or through a switch.

If V1 has no other interfaces, and you don't want to multi-home its interface, and you do want it to be able to route out to the internet; yes it will need to use the IP of gate/pub for its default gateway.

So network configurations should look something like this?

V1: Eth0 1.0.0.1/24 -- vpn participating, default route 1.0.0.254 (but not necessary)
N1: Eth0 10.10.10.1 -- default route 10.10.10.254
    Br0 1.0.0.2/24 -- vpn participating - eth1 - tinc
Gate/Nat: Eth0 10.10.10.254
          Eth1 1.2.3.4 (provided by ISP) --- internet
Gate/Pub: Eth0 1.0.0.254/24
N2: Br0 1.0.0.3/24 -- vpn participating, default route 1.0.0.254 - eth0 - tinc

So, V1 will have an interface on the same subnet as gate/nat and its default gateway will be gate/nat. V1 will also have a tinc interface on the same subnet as N2. Now, if you are trying to extend N2's subnet to multiple nodes at V1's physical location, then you will have a 2nd interface on V1, bridged with the tinc interface, and the bridge interface (as well as the interfaces of any other nodes in V1's physical location that you wanted to participate in the VPN) will have an IP on N2's subnet.

Like I have tried to explain before, the VPN is established by N1, not V1. V1 has only one interface with the fixed public IP. N1 has eth0 on the lan, br0 is a bridge of eth1 (where I want to plug the video device) and the tinc interface. N2 has its public IP on br0, which is a bridge of eth0 and the tinc interface.

[...]

When I try to ping GATE from V1, I can see arp requests crossing the VPN (on both br0 interfaces), packet capture on GATE shows the arp reply, but this arp reply never comes back on the bridge br0 of N2. (N2 is using GATE as default gateway too)

I think that is normal. The ARP request is a broadcast packet, so you should see that on all the interfaces. But the ARP reply is a unicast packet, so it is only sent to V1. The bridge on N1 should therefore not forward it to the VPN interface, so N2 will never see this ARP reply.

Ok, but the thing I don't understand is even if the ARP reply is unicast, it should cross the VPN to go back to the machine that requested it? (I use packet capture in promiscuous mode on the bridge, so I should see it)

Yes you should.

Ok. But you seem to be implying that you cannot ping GATE from V1. It would help if you could show us the routing tables on V1, N1 and N2, and which IP addresses V1 and GATE have.

As I said, V1 is on the same ethernet segment / same subnet provided by the VPN, so if I am right, routing cannot be a part of the problem, the only needed routes are local and default gateway.

When everything works, yes. V1 and N2 will see each other as members of the same LAN, however we're still doing this over the internet so plenty of routing is still involved and needs to be correct. :)

-- Cédric Lemarchand
System Network Engineer
iXBlue
52, avenue de l'Europe
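The point the thread turns on is how a learning bridge treats a broadcast ARP request versus the unicast ARP reply. The following simulation is an added example for this exchange, not code from the thread or from tinc: it implements the general learning-bridge rule (learn source MAC on the ingress port, flood broadcast and unknown unicast, forward known unicast out one port) and replays the V1/GATE exchange on N1's bridge, whose two ports (eth1 towards V1, tinc towards the VPN) and MAC addresses are constructed for illustration.

```python
"""Learning-bridge simulation: a broadcast ARP request is flooded to every
other port, while the unicast ARP reply is forwarded out one port only.

Added example, not code from the thread or from tinc. Port names and MAC
addresses are constructed for illustration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    label: str    # human-readable description, e.g. "ARP who-has GATE"


@dataclass
class Bridge:
    """A software bridge with a learned forwarding database (MAC -> port)."""
    ports: list
    fdb: dict = field(default_factory=dict)

    def receive(self, in_port: str, frame: Frame) -> list:
        """Process one ingress frame and return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        # Learning: the source MAC is now known to live behind the ingress port.
        self.fdb[frame.src] = in_port
        # Group bit set (broadcast/multicast) or unknown destination: flood to
        # every port except the one the frame arrived on.
        group_bit = int(frame.dst.split(":")[0], 16) & 1
        if group_bit or frame.dst not in self.fdb:
            return [p for p in self.ports if p != in_port]
        out_port = self.fdb[frame.dst]
        # Known destination: forward out that single port; never hairpin.
        return [] if out_port == in_port else [out_port]


def arp_exchange_on_n1() -> dict:
    """Replay the ARP exchange on N1's bridge, whose ports are eth1 (towards
    V1) and the tinc interface (towards N2 and GATE across the VPN)."""
    br = Bridge(ports=["eth1", "tinc"])
    v1_mac = "02:00:00:00:00:01"      # constructed
    gate_mac = "02:00:00:00:00:fe"    # constructed
    request = Frame(src=v1_mac, dst=BROADCAST, label="ARP who-has GATE")
    reply = Frame(src=gate_mac, dst=v1_mac, label="ARP GATE is-at")
    return {
        # Broadcast from V1: flooded across the VPN, so N2 sees it too.
        "request_out": br.receive("eth1", request),
        # Unicast reply arriving over the VPN: goes to eth1 only.
        "reply_out": br.receive("tinc", reply),
        "fdb": dict(br.fdb),
    }


def unknown_unicast_is_flooded() -> list:
    """A unicast frame to a MAC the bridge has not learned yet is flooded."""
    br = Bridge(ports=["eth1", "tinc"])
    frame = Frame(src="02:00:00:00:00:01", dst="02:00:00:00:00:fe", label="unicast")
    return br.receive("eth1", frame)


if __name__ == "__main__":
    print(arp_exchange_on_n1())
    print(unknown_unicast_is_flooded())
```

Whether a capture on a given bridge sees the reply therefore depends on which port the bridge has learned the requester's MAC on; a promiscuous capture on the bridge device itself sees frames the bridge forwards through it, not frames the bridge never receives.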
Re: iran
Check out corkscrew. http://www.agroman.net/corkscrew/

On Mon, Jan 2, 2012 at 12:42 PM, Siavash Sameni siavash.sam...@gmail.com wrote:

Hey everyone, I'm using tinc from iran, and I've been using tinc with tcponly for a few years now, to bypass the filtering, and have access to the free internet, but recently, our government started to apply some sort of exotic filtering scheme, they've completely blocked outgoing and incoming ssh requests, and ssl encrypted packets, and the only thing allowed is https!!, which gives you full speed (like 200K/s) for trusted websites, let's say gmail, and around 3-7 KB/s for non trusted websites, let's say CIA website.

The only vpn that somehow works at the moment is IP-IP tunnel, which doesn't have any encryption, and thus, for instance ssh inside of the ip ip tunnel doesn't work. At the moment tinc still works, but as soon as there is some traffic on the tunnel (more than 1KB/s) it starts to behave weird, and for instance, ssh over it will have hiccups.

My idea is right now this, maybe there is a way to mark packets as something known (read it http or ftp) for the layer 7 packet analyzer on the way, so it'd give full bandwidth, and doesn't drop the connection. Because in the past we had sort of the same situation, they've limited the connection speed of SSH, but if we used an LSH client (which had a different signature) the problem didn't exist any more, the performance was great. Or maybe if I can change the cipher, or the encryption algorithm, it'd be perfect.

For my line of work, not being able to use ssh means that I cannot possibly work. At the moment I have three ways to do ssh:
1. shell in a box.
2. tinc with the performance of few hundred bytes a second
3. vpnc in an ipip tunnel!!! with variable performance.

Any help would be appreciated. Sorry that it's not really related to tinc itself, but if tinc could be used, I'd appreciate it the most :)

thank you.
Re: Once again.Tinc for gaming
The method that I used to accomplish this with some buddies was with some non-standard subnetting.

example:
Joe configures his house to use 192.168.1.0/24
Tim configures his house to use 192.168.2.0/24
Bob configures his house to use 192.168.3.0/24

All 3 individuals stand up Tinc in switched mode (there is no subnet setting for tinc when in switched mode). Now, any devices that you wish to participate in the VPN, you change their subnet mask from 255.255.255.0 to 255.255.0.0 (/16 instead of /24). In that way the devices with the /16 subnet mask will consider any 192.168.x.x IP to be on the LAN, and Tinc will provide that switched fabric for them, making it work. Nothing else special needs to be done on anybody's network. Devices that you choose not to reconfigure with the new subnet mask will still be able to communicate with your modified subnet mask devices.

But there is one caveat. All broadcasts will make it across the VPN. I actually had problems where members of the VPN would pull DHCP addresses from *other members*. So Joe with his 192.168.1.0/24 network would turn on his computer and when it requested DHCP, somehow Tim's router would respond faster, and Joe's computer would receive a 192.168.2.x address. So, any internet traffic from that computer would first traverse the VPN and exit to the internet via Tim's internet gateway.

My ultimate solution to this that I liked very much was the ebtables package for linux. It's very much like IP tables but it works on frames at layer 2, and can therefore catch and drop dhcp traffic and any other traffic you may want to stop, such as UPnP requests from your friends poking holes in your firewall. :)

On Sat, Oct 1, 2011 at 6:55 AM, Sich s...@cafe-philo.net wrote:

On 30/09/2011 14:48, Leon Merten Lohse wrote:

Howdy,

I would like to bring this topic up again. Gaming via tinc. We use tinc-1.0.16 on Linux, Win7 and WinXP so far. Setup was pretty straight forward. All the nodes have mode set to switch and subnet to 10.0.0.0/24. Ping works, smb shares work. Everything seems fine BUT connecting ingame only works with 1 out of 5 games. In some games, we see each other in the lobby. I conclude that UDP broadcasts work. In some games only the Win7 machine sees the WinXP machine. But even then, most games crash when we try to actually connect. I doubt this is a limitation of tinc. It's more likely to be a configuration problem, I guess. Any ideas?

Thanks in advance.
Regards
Leon

Hello,

In some games the broadcast is only sent on one interface... If you want to use tinc for gaming you will need to have only 1 ethernet interface. For this you have to build a bridge between your local card and the tinc virtual card. With this you will have to set up all your local lan on the same network as the vpn (in your case 10.0.0.0/24). Take care of duplicate ip on all the network (yours but the others too) and of dhcp servers... The dhcp will go through the vpn, and your dhcp server can provide ip for people on other networks. It's the only way I have found to be able to play on all games through LAN.

Sich
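The layer-2 filtering Donald describes (ebtables dropping DHCP and UPnP frames on the tinc bridge port) comes down to a per-frame decision on Ethertype, IP protocol and UDP ports. The following is an added example, not code from the thread or from tinc or ebtables: it implements that decision as a frame classifier in Python, with constructed sample frames (a DHCP discover, an SSDP M-SEARCH, a game packet and an ARP request; MAC and IP addresses and port numbers are made up, and no checksums are computed) so the match logic can be exercised offline.

```python
"""Layer-2 filter logic for a bridged tinc port: drop DHCP and UPnP/SSDP
discovery frames before they cross the VPN, let everything else through.

Added example, not code from the thread or from tinc/ebtables. It models the
decision an ebtables rule set on the tinc bridge port would make; all frames
below are constructed test input (checksums are left zero).
"""
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}   # BOOTP/DHCP server and client ports
SSDP_PORT = 1900        # UPnP discovery (SSDP)


def classify_frame(frame: bytes) -> tuple:
    """Return (verdict, reason) for one raw Ethernet frame."""
    if len(frame) < 14:
        return "DROP", "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_ARP:
        return "ACCEPT", "arp"                      # the LAN needs ARP to work
    if ethertype != ETH_P_IP:
        return "ACCEPT", f"non-ipv4 ethertype 0x{ethertype:04x}"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "DROP", "malformed ipv4 header"
    ihl = (ip[0] & 0x0F) * 4                         # header length in bytes
    if ihl < 20:
        return "DROP", "bad ihl"
    proto = ip[9]
    if proto != IPPROTO_UDP:
        return "ACCEPT", f"ip proto {proto}"
    udp = ip[ihl:ihl + 8]
    if len(udp) < 8:
        return "DROP", "truncated udp header"
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport in DHCP_PORTS and dport in DHCP_PORTS:
        return "DROP", "dhcp"                       # keep DHCP inside each house
    if dport == SSDP_PORT:
        return "DROP", "ssdp"                       # no UPnP discovery over the VPN
    return "ACCEPT", f"udp {sport}->{dport}"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4/UDP frame for testing (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip + udp


def build_arp_frame(src_mac, dst_mac) -> bytes:
    """Construct a minimal ARP frame (the 28-byte body is not inspected here)."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP) + bytes(28)


def filter_vpn_egress(frames) -> dict:
    """Run the classifier over frames about to leave via the tinc port and
    tally verdicts per reason, the way ebtables rule counters would."""
    tally = {}
    for f in frames:
        verdict, reason = classify_frame(f)
        key = f"{verdict}:{reason}"
        tally[key] = tally.get(key, 0) + 1
    return tally


# Constructed sample traffic from "Joe's" LAN heading for the VPN.
JOE = "02:00:00:00:01:0a"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_udp_frame(JOE, BCAST, "0.0.0.0", "255.255.255.255", 68, 67),                        # DHCP discover
    build_udp_frame(JOE, "01:00:5e:7f:ff:fa", "192.168.1.10", "239.255.255.250", 49152, 1900),  # SSDP M-SEARCH
    build_udp_frame(JOE, "02:00:00:00:02:0b", "192.168.1.10", "192.168.2.11", 27015, 27015),    # game traffic
    build_arp_frame(JOE, BCAST),                                                                 # ARP request
]

if __name__ == "__main__":
    for key, count in sorted(filter_vpn_egress(SAMPLE_FRAMES).items()):
        print(f"{count:3d} {key}")
```

The two DROP rules are exactly the frames Donald's caveat is about: with a /16 mask every house shares one broadcast domain, so a DHCP offer from a friend's router and a UPnP port-mapping request from a friend's machine both arrive as ordinary LAN traffic unless the bridge port filters them.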
Re: Can I use it to FIX my internet connection?
For Windows you can do this through the command prompt (run as administrator in Vista / Win7).

First get the current default gateway. Enter the command

route print

Look for the line where Network Destination and Netmask are 0.0.0.0. The gateway listed on that same line is the current default gateway.

The first change is to set a static route to the internet IP of the remote Tinc participant, using your normal default gateway as your next hop, using the route ADD command. This will enable us to change our default gateway without breaking the necessary route to keep the VPN alive.

Example: route ADD <IP address of remote Tinc participant> MASK 255.255.255.255 <IP of your normal default gateway>
Example: route ADD 173.66.67.97 MASK 255.255.255.255 192.168.0.1

Now you change your default gateway to the VPN IP address of the remote Tinc participant. If for example your VPN network is 10.10.10.0/30, you may have the address 10.10.10.1 while the remote side has the address 10.10.10.2. The remote address is what we need. Changing the default gateway is done with the route CHANGE command.

Example: route CHANGE 0.0.0.0 MASK 0.0.0.0 <VPN IP address of the remote Tinc participant>
Example: route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2

You will now be using the remote VPN participant as your default gateway to the internet. The last thing to verify is that the remote participant is configured to route traffic, so be sure to enable IP routing on the remote node and configure any necessary firewalls.

Scripting this would simply be adding these commands to a plain text file with the .bat extension. Windows will recognize it as executable by default.

On Sun, May 8, 2011 at 6:51 AM, Guus Sliepen g...@tinc-vpn.org wrote:

On Mon, May 02, 2011 at 05:33:57PM +0200, Benjamin Henrion wrote:

On Mon, May 2, 2011 at 5:31 PM, ZioPRoTo (Saverio Proto) ziopr...@gmail.com wrote:

Yes u can. But Tinc does not have all the right scripts for each platform to do that without any pain.

Indeed, only for Linux there are example scripts on the wiki: http://tinc-vpn.org/examples/redirect-gateway/ If anyone knows how to do something similar on *BSD, MacOS/X or Windows, let me know.

-- Met vriendelijke groet / with kind regards, Guus Sliepen g...@tinc-vpn.org
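The order of the two route commands above matters: the /32 host route for the remote tinc node must exist before the default route is changed, or the tunnel's own transport packets would be routed into the tunnel. The following is an added example, not code from the post or from tinc, and it does not touch the system routing table: a small longest-prefix-match route table on which the route ADD / route CHANGE sequence and its tinc-down reversal are applied, using the addresses from the post (192.168.0.1 gateway, 173.66.67.97 remote node, 10.10.10.2 VPN peer); the interface names and the 203.0.113.10 "internet" test destination are constructed.

```python
"""Longest-prefix-match route table used to check a redirect-gateway change
before applying it: the /32 host route to the remote tinc node must keep
going through the original gateway, otherwise the new default route sends
the tunnel's own transport into the tunnel (a routing loop).

Added example; not code from the post or from tinc, and it does not modify
the system's routing table. Interface names and 203.0.113.10 are constructed.
"""
import ipaddress


class RouteTable:
    """Routes are (network, gateway-or-None, interface); None = on-link."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway, iface):
        net = ipaddress.ip_network(prefix)
        gw = None if gateway is None else ipaddress.ip_address(gateway)
        self.routes.append((net, gw, iface))

    def delete(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def replace(self, prefix, gateway, iface):
        """Equivalent of 'route CHANGE': swap the entry for an existing prefix."""
        self.delete(prefix)
        self.add(prefix, gateway, iface)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway, iface) or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def default_route(self):
        for r in self.routes:
            if r[0].prefixlen == 0:
                return r
        raise LookupError("no default route")


def redirect_gateway(table, remote_public, vpn_peer, vpn_iface, add_host_route=True):
    """The two-step change from the post; returns the original default so a
    tinc-down script can undo it. add_host_route=False shows the mistake."""
    _, old_gw, old_iface = table.default_route()
    if add_host_route:
        # route ADD <remote> MASK 255.255.255.255 <old gateway>
        table.add(f"{remote_public}/32", old_gw, old_iface)
    # route CHANGE 0.0.0.0 MASK 0.0.0.0 <vpn peer>
    table.replace("0.0.0.0/0", vpn_peer, vpn_iface)
    return old_gw, old_iface


def undo_redirect(table, remote_public, old_gw, old_iface):
    """What tinc-down should do: restore the default, drop the host route."""
    table.replace("0.0.0.0/0", old_gw, old_iface)
    table.delete(f"{remote_public}/32")


def vpn_transport_loops(table, remote_public, vpn_iface) -> bool:
    """True if packets to the remote tinc node would be sent into the VPN
    interface, i.e. the tunnel would have to carry its own transport."""
    route = table.lookup(remote_public)
    return route is not None and route[2] == vpn_iface


def scenario(add_host_route: bool) -> dict:
    """Build the client's table as in the post and apply the redirect."""
    t = RouteTable()
    t.add("192.168.0.0/24", None, "eth0")       # home LAN, on-link (constructed iface)
    t.add("0.0.0.0/0", "192.168.0.1", "eth0")   # normal default gateway from the post
    t.add("10.10.10.0/30", None, "tinc")        # VPN link net from the post
    old_gw, old_iface = redirect_gateway(t, "173.66.67.97", "10.10.10.2", "tinc", add_host_route)
    remote = t.lookup("173.66.67.97")
    internet = t.lookup("203.0.113.10")         # constructed "somewhere on the internet"
    result = {
        "remote_via": (str(remote[1]), remote[2]),
        "internet_via": (str(internet[1]), internet[2]),
        "loop": vpn_transport_loops(t, "173.66.67.97", "tinc"),
    }
    undo_redirect(t, "173.66.67.97", old_gw, old_iface)
    result["restored_default"] = str(t.default_route()[1])
    return result


if __name__ == "__main__":
    print("with host route:   ", scenario(True))
    print("without host route:", scenario(False))
```

With the host route in place, 173.66.67.97 still resolves via 192.168.0.1 on eth0 while everything else goes to 10.10.10.2 over the tinc interface; without it, the remote node itself resolves via the VPN peer and `vpn_transport_loops` reports the loop. The same check applies to the tinc-down half: restore the default first, then delete the /32.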
MTU probes fail on reconnect
I've noticed some inconsistent performance with some of my tunnels and thought I would take some of the spare free time I have over the holidays to try to figure out what the cause of that may be.

My environment in this case is my home LAN. Please forgive my use of the terms server and client in this email, I only use these terms to simplify explanation. I statically assigned my server with an ip of 10.10.10.1, and my client is set to 10.10.10.2. The rest of my LAN uses 192.168.2.0/24, so in this case I am using Tinc to create a tunnel to access the 192.168.2.0/24 network from my client. This is all on common switch fabric, no in-between firewalls of any kind involved, and no firewalls configured on either Server or Client.

On the Server, Tinc is running on stripped down Centos 5.5 as a virtual machine and all numbers given here are in this configuration. I have also tested this on a normal Centos 5.5 install, as well as Ubuntu 9.04, 9.10, 10.04, and 10.10. All with and without vmware tools installed. Although there are performance differences observed between the different builds, the behavior I describe has been the same on all builds. The only thing I haven't tested is a native OS install.

Tinc is configured in switch mode. The server virtual adapter is bridged to the physical adapter using brctl. The client receives an address on the 192.168.2.0/24 network via DHCP from my internet router.

ifconfig of Tinc server

br0       Link encap:Ethernet  HWaddr 00:0C:29:58:B5:6B
          inet addr:192.168.2.4  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe58:b56b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21384 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23987 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8452737 (8.0 MiB)  TX bytes:23819155 (22.7 MiB)

br0:0     Link encap:Ethernet  HWaddr 00:0C:29:58:B5:6B
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:0C:29:58:B5:6B
          inet6 addr: fe80::20c:29ff:fe58:b56b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:196191 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145802768 (139.0 MiB)  TX bytes:28914683 (27.5 MiB)
          Interrupt:177 Base address:0x1424

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126456 (123.4 KiB)  TX bytes:126456 (123.4 KiB)

vpn       Link encap:Ethernet  HWaddr FE:42:68:39:D9:1F
          inet6 addr: fe80::fc42:68ff:fe39:d91f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:13890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:5055429 (4.8 MiB)  TX bytes:21399229 (20.4 MiB)

[r...@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c2958b56b       no              vpn
                                                        eth0

ipconfig of windows xp client

Windows IP Configuration

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . : local
        IP Address. . . . . . . . . . . . : 10.10.10.2
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection 2:
        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Tinc:
        Connection-specific DNS Suffix . : local
        IP Address. . . . . . . . . . . . : 192.168.2.246
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

What I've discovered using level 5 debugging is that often when a connection is made, MTU probes from the client are not responded to. The tell-tale sign I've seen every time is particularly high latency. I've been able to reproduce the condition not every, but nearly every time, if I manually start the client (windows xp client) in a command prompt, press Ctrl+c to stop the client, and then restart it after approximately 5 seconds. The client will print the message

No response to MTU probes from Server

And then basically all traffic from that point on carries the message

Packet for Server (10.10.10.1 port 8002) larger than minimum MTU, forwarding via TCP

From what I
Trouble adding 2nd vpn
So I am attempting to add a 2nd vpn to my existing setup and for some reason I can't seem to get it to work quite right. The issue I'm having right now is successful execution of the tinc-up script. It's probably something obvious but after several days I still don't see what I'm missing.

I can see in syslog that

Script tinc-up exited with non-zero status 1

Both vpns are definitely running.

don...@donald-tincvm:~$ ps -aux | grep tincd
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root       931  0.0  0.4  3940 1240 ?        Ss   16:22   0:00 /usr/sbin/tincd -n vpn
root       939  0.0  0.3  3752  956 ?        Ss   16:22   0:00 /usr/sbin/tincd -n alan
donald    1567  0.0  0.3  3044  864 pts/1    R+   16:26   0:00 grep --color=auto tincd

Following is some relevant console output.

don...@donald-tincvm:/etc/tinc$ ls -la
total 32
drwxr-xr-x   4 root root  4096 2010-12-27 16:02 .
drwxr-xr-x 130 root root 12288 2010-12-27 16:03 ..
drwxr-xr-x   3 root root  4096 2010-12-26 12:26 alan
-rw-r--r--   1 root root    92 2010-12-27 16:02 nets.boot
-rw-r--r--   1 root root    81 2010-03-07 08:57 nets.boot~
drwxr-xr-x   3 root root  4096 2010-12-27 07:33 vpn

don...@donald-tincvm:/etc/tinc$ cat ./nets.boot
## This file contains all names of the networks to be started on system startup.
vpn
alan
#

don...@donald-tincvm:/etc/tinc$ ls -la ./vpn
total 24
drwxr-xr-x 3 root root 4096 2010-12-27 07:33 .
drwxr-xr-x 4 root root 4096 2010-12-27 16:02 ..
drwxr-xr-x 2 root root 4096 2010-12-27 07:32 hosts
-rwxr-xr-x 1 root root  887 2010-03-07 11:09 rsa_key.priv
-rwxr-xr-x 1 root root  138 2010-12-27 07:33 tinc.conf
-rwxr-xr-x 1 root root  274 2010-12-26 12:26 tinc-up

don...@donald-tincvm:/etc/tinc$ ls -la ./alan
total 24
drwxr-xr-x 3 root root 4096 2010-12-26 12:26 .
drwxr-xr-x 4 root root 4096 2010-12-27 16:02 ..
drwxr-xr-x 2 root root 4096 2010-12-24 15:08 hosts
-rw-r--r-- 1 root root 1679 2010-12-24 11:09 rsa_key.priv
-rw-r--r-- 1 root root  106 2010-12-24 14:51 tinc.conf
-rwxr-xr-x 1 root root   90 2010-12-26 12:26 tinc-up

don...@donald-tincvm:/etc/tinc$ cat ./vpn/tinc-up
#!/bin/sh
modprobe tun
ifconfig vpn 0.0.0.0
ifconfig vpn up
ifconfig eth1 0.0.0.0
ifconfig eth1 up
brctl addbr bridge
brctl addif bridge vpn
brctl addif bridge eth1
ifconfig bridge 192.168.2.11 netmask 255.255.0.0
route add default gw 192.168.2.1 bridge
ifconfig bridge up

don...@donald-tincvm:/etc/tinc$ cat ./alan/tinc-up
#!/bin/sh
ifconfig alan 0.0.0.0
ifconfig alan up
brctl addif bridge alan
#

don...@donald-tincvm:/etc/tinc$ brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000c29c79d3a       no              eth1
                                                        vpn

don...@donald-tincvm:/etc/tinc$ ifconfig
alan      Link encap:Ethernet  HWaddr 4a:e8:67:f9:a4:36
          inet6 addr: fe80::48e8:67ff:fef9:a436/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

bridge    Link encap:Ethernet  HWaddr 00:0c:29:c7:9d:3a
          inet addr:192.168.2.11  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fec7:9d3a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:349 errors:0 dropped:0 overruns:0 frame:0
          TX packets:362 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:27800 (27.8 KB)  TX bytes:39691 (39.6 KB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:c7:9d:3a
          inet6 addr: fe80::20c:29ff:fec7:9d3a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:334 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33210 (33.2 KB)  TX bytes:35815 (35.8 KB)
          Interrupt:18 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1100 (1.1 KB)  TX bytes:1100 (1.1 KB)

vpn       Link encap:Ethernet  HWaddr fe:4f:b6:2b:06:d8
          inet6 addr: fe80::fc4f:b6ff:fe2b:6d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:5026 (5.0 KB)
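The brctl show output in the post lists eth1 and vpn as members of the bridge but not alan, the interface the second tinc-up script tries to add. A check that a practitioner can run right after tinc-up, as an added example that is not code from the post or from tinc: parse brctl's two-line-per-bridge listing and compare the members against what the scripts were supposed to attach. The sample output is the post's own listing, embedded as constructed input; the expected member list is what ./vpn/tinc-up and ./alan/tinc-up together build.

```python
"""Parse 'brctl show' output and check that every interface a tinc-up script
was supposed to add is actually a member of the bridge.

Added example, not code from the post or from tinc. BRCTL_OUTPUT is the
listing from the post, embedded as constructed input.
"""


def parse_brctl_show(output: str) -> dict:
    """Return {bridge_name: {"id": ..., "stp": bool, "interfaces": [...]}}.

    brctl prints one line per bridge carrying its first interface, then one
    continuation line (interface name only) for each further member.
    Splitting on whitespace makes the parser indifferent to tabs vs spaces.
    """
    bridges = {}
    current = None
    for line in output.splitlines()[1:]:            # skip the header line
        fields = line.split()
        if not fields:
            continue
        if len(fields) >= 3:                        # new bridge entry
            name, bridge_id, stp = fields[:3]
            current = name
            bridges[name] = {"id": bridge_id, "stp": stp == "yes",
                             "interfaces": fields[3:4]}   # [] if no member yet
        elif len(fields) == 1 and current is not None:   # continuation line
            bridges[current]["interfaces"].append(fields[0])
        else:
            raise ValueError(f"unexpected brctl line: {line!r}")
    return bridges


def missing_members(output: str, bridge: str, expected) -> set:
    """Interfaces expected on the bridge but absent from brctl's view."""
    bridges = parse_brctl_show(output)
    if bridge not in bridges:
        return set(expected)                        # the bridge itself is missing
    return set(expected) - set(bridges[bridge]["interfaces"])


# 'brctl show' output from the post (layout re-spaced; constructed input).
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000c29c79d3a       no              eth1
                                                        vpn
"""

# Members that ./vpn/tinc-up and ./alan/tinc-up together try to attach.
EXPECTED = ["eth1", "vpn", "alan"]

if __name__ == "__main__":
    missing = missing_members(BRCTL_OUTPUT, "bridge", EXPECTED)
    print("missing from bridge:", sorted(missing) or "none")
```

Run against the post's listing the check reports alan as missing, which matches the non-zero exit status logged for its tinc-up; the same function works for any bridge/member list, so it can be dropped into a post-start health check for a multi-daemon tinc host.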
Re: Windows 7 64-bit clients with high latency
Has anybody done any packet captures of the issue? I checked my users and I have 4 with windows 7 64bit machines and none of them have this problem.

On Sun, Nov 14, 2010 at 6:27 AM, Dirk Krause dirk.kra...@confuture.com wrote:

On Fri, Nov 5, 2010 at 23:05, Dirk Krause dirk.kra...@confuture.com wrote:

I've experienced the same problem with a potential customer of mine. Interestingly, the problem here affected both tinc and openvpn, which suggests that it might be a problem outside of tinc, possibly the tap driver?

Is there a solution for the tap device problem? The problem is in the windows tap driver for 64 bit. Windows 7 32 bit version does not have any problem. Is a new windows tap driver for 64 bit under development?
Re: question from openvpn user, how to redirect-gateway in tincd
To configure clients in OpenVPN there was this directive called: --redirect-gateway that basically (copy and paste from OpenVPN man):

(1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

I know in tinc I can implement this easily using the tinc-up script (when I have Linux/Mac clients), but I have two problems. The current gateway value is in some env variable? Or I have to write my own script to grep that out or there is something already available? What if I have windows client? I have to write a tinc-up script in Windows style script? I have no idea how to use windows :(

I can try to help with the windows part. Simple Windows scripts are just text files with a .bat file extension. I think the following would work in tinc-up.bat

route add <remote ip address> mask 255.255.255.255 <current gateway IP address>
route change 0.0.0.0 mask 0.0.0.0 <tinc server's VPN-reachable ip address>

Your tinc-down.bat would just reverse this

route change 0.0.0.0 mask 0.0.0.0 <original gateway IP address>
route delete <remote ip address>

If you're running tinc on Windows Vista or 7, you might run in to some User Access Control issues with modifying the routing table. In those versions of windows you need to have elevated privileges. If Tinc is running as a service I don't think it would be an issue. If Tinc will be manually run from the command prompt, the command prompt itself will need to be run as administrator in order to have elevated privileges.

Thanks
Saverio
Re: redirect-gateway and other tricks in scripts
Neither my Windows-foo nor my *nix-foo are very strong but I'm happy to help where I can.

On Thu, Nov 11, 2010 at 7:24 AM, Guus Sliepen g...@tinc-vpn.org wrote:

On Thu, Nov 11, 2010 at 08:57:58AM +0100, albi wrote:

I don't want to put options in tincd that could easily be done by external tools or scripts.

That's fine, but it would be nice to have example scripts included in tinc. For some people other tools are easy, for others not so easy.

Well, that is a good idea. Perhaps some default scripts that do nothing by default, but that read options from tinc.conf (remember, tincd ignores options it doesn't know about itself) to enable certain things. However, it would help if there were some *BSD, MacOS/X and Windows users who could port these scripts or test them on their systems. Actually, it would help in general if there were dedicated beta testers :). Any volunteers?

Also, it would be nice to hear what kinds of things people do with scripts in tinc, maybe certain tricks could be put in these default scripts as well, or be put on the wiki. I can also add a section to the manual with helpful examples.

-- Met vriendelijke groet / with kind regards, Guus Sliepen g...@tinc-vpn.org
Re: Windows subnets
You basically got it! Yes you will be assigning additional IPs in the 10.30.1.0/24 network for each computer that you want to participate in the VPN. On the Tinc gateway PCs, if they're Windows machines, you'll be adding the additional IP to the bridge interface that you will create. In Windows, interfaces that are members of a bridge don't have any TCP/IP configuration, it's all done on the bridge itself.

Regards,
Donald

On Wed, Oct 6, 2010 at 9:26 PM, Andrew Savinykh andr...@brutsoft.com wrote:

Awesome! Now I think I finally understand how to do this. Thank you very much. (Just to confirm, I need to assign the new additional IP on physical adapter for each non tinc PC and on tap adapter for tinc gateway PCs, right?)

Andrew.

On 7/10/2010 2:14 p.m., Donald Pearson wrote:

Sure it's possible, you just need to assign each node a new IP in the 10.30.1.0/24 network. It's not part of the Tinc configuration, it's part of the network configuration of each computer. All Tinc is doing is creating a layer 2 path for them to reach each other. Yes broadcasts will traverse the VPN. It literally is virtual ethernet over the internet. :)
Re: Windows subnets
Computers on the same subnet don't route to each other. Routing is between different networks. All of your computers will be on the same 10.30.1.0/24 network, in addition to their other respective networks.

So for example.

Computer A has the IPs
192.168.1.2/24
10.30.1.2/24

Computer B has the IPs
10.0.0.2/24
10.30.1.130/24

Computer A will be able to reach computer B using its 10.30.1.130 IP address, but not its 10.0.0.2 address.

From Computer A, when you try to ping 10.0.0.2, it will know that this IP is not on a network computer A belongs to (not the 192.168.1.0/24 or 10.30.1.0/24 networks) so it will send the packet to its gateway of last resort. That IP space isn't publicly routable however so it's just going to be dropped.

From Computer A, when you try to ping 10.30.1.130, it will know that this IP *is* on a network computer A belongs to, the 10.30.1.0/24 network. So it will do an ARP request (broadcast) to get the MAC address associated with the 10.30.1.130 IP. The local Tinc gateway will ultimately (I believe, Guus can speak on this with more authority than I can) perform the job of proxy ARP to get the traffic to the destination on the other side of the VPN.

Regards,
Donald

On Thu, Oct 7, 2010 at 9:57 PM, Andrew Savinykh andr...@brutsoft.com wrote:

I'm sorry that I'm asking a basic networking question in a specialized mailing list, if this is inappropriate please let me know. But there is still something that I don't understand regarding the conversation below. Even if I assign each PC a new IP, how will routing work? I can put new IPs on the computers, but the router will know nothing about them and because of it I don't see how PCs can see each other by these new IP addresses.

Andrew.

On 7/10/2010 2:14 p.m., Donald Pearson wrote:

Sure it's possible, you just need to assign each node a new IP in the 10.30.1.0/24 network. It's not part of the Tinc configuration, it's part of the network configuration of each computer. All Tinc is doing is creating a layer 2 path for them to reach each other. Yes broadcasts will traverse the VPN. It literally is virtual ethernet over the internet. :)
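Both this Computer A / Computer B explanation and the earlier gaming-thread trick of moving three 192.168.x.0/24 houses to a /16 mask rest on the same host-side decision: is the destination inside one of my connected networks (ARP for it on that interface) or not (hand it to the default gateway). The following is an added example, not code from either thread or from tinc; it makes that decision with Python's ipaddress module for the multi-homed A/B case (addresses as given above) and then for the mask-widening case (the three house addresses, .10 in each /24, are constructed), including the broadcast-address change that explains why broadcasts start crossing the VPN.

```python
"""On-link vs routed: which of a peer's addresses a host can reach directly,
and what widening a subnet mask from /24 to /16 changes.

Added example; not code from the threads or from tinc. Computer A/B
addresses are from the thread; the house addresses are constructed.
"""
import ipaddress


def host(*cidrs):
    """A host is modelled as its list of configured interfaces (address/prefix)."""
    return [ipaddress.ip_interface(c) for c in cidrs]


def on_link_interface(ifaces, dst):
    """Interface whose connected network contains dst, or None when the packet
    goes to the default gateway instead (longest match wins)."""
    dst = ipaddress.ip_address(dst)
    hits = [i for i in ifaces if dst in i.network]
    return max(hits, key=lambda i: i.network.prefixlen, default=None)


def directly_reachable(src_ifaces, dst_ifaces):
    """Addresses of the peer that the source treats as being on a shared LAN."""
    return sorted(str(d.ip) for d in dst_ifaces if on_link_interface(src_ifaces, d.ip))


def widen(iface, prefixlen):
    """Reconfigure an interface with a shorter prefix (a larger subnet)."""
    return ipaddress.ip_interface(f"{i.ip if False else iface.ip}/{prefixlen}")


def shared_segments(hosts):
    """For each pair of hosts: do both consider the other on-link?"""
    names = list(hosts)
    pairs = {}
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            ab = bool(directly_reachable(hosts[a], hosts[b]))
            ba = bool(directly_reachable(hosts[b], hosts[a]))
            pairs[(a, b)] = ab and ba
    return pairs


def multihomed_example():
    """Computer A / Computer B from the thread."""
    a = host("192.168.1.2/24", "10.30.1.2/24")
    b = host("10.0.0.2/24", "10.30.1.130/24")
    return {
        "a_reaches_b_at": directly_reachable(a, b),              # only 10.30.1.130
        "ping_10.0.0.2_via": on_link_interface(a, "10.0.0.2"),   # None: default gateway
        "ping_10.30.1.130_via": str(on_link_interface(a, "10.30.1.130").ip),
    }


def mask_widening_example():
    """Joe/Tim/Bob on 192.168.{1,2,3}.0/24, before and after moving to /16."""
    houses = {"joe": host("192.168.1.10/24"),   # constructed addresses
              "tim": host("192.168.2.10/24"),
              "bob": host("192.168.3.10/24")}
    widened = {n: [widen(i, 16) for i in ifs] for n, ifs in houses.items()}
    return {
        "before": shared_segments(houses),
        "after": shared_segments(widened),
        # The broadcast address grows with the mask: this is why DHCP and other
        # broadcasts from every house cross the switched VPN afterwards.
        "broadcast_before": str(houses["joe"][0].network.broadcast_address),
        "broadcast_after": str(widened["joe"][0].network.broadcast_address),
    }


if __name__ == "__main__":
    print(multihomed_example())
    print(mask_widening_example())
```

The routing question in Andrew's message is answered by the `None` result: the home router never needs to learn the 10.30.1.0/24 addresses, because a host with an address in that network never sends such traffic to the router at all; it ARPs on the interface that carries the network, and the switched tinc segment carries the ARP to the other side.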
Re: Windows subnets
Oh okay. Yes you can make it appear as a single LAN. Your Tinc nodes will behave as bridges instead of routers (or gateways as you put it). Your tinc nodes will have the same subnet mask and default router as all your other devices at that location.

You will need to run the add-tap script only on the tinc nodes on each side. You will then need to bridge the tap adapter to the local area connection on the tinc nodes on each side. This will create a bridge network object under your network connections. This bridge will have the IP configuration you illustrated. You have the right idea in segregating the IP distribution while still using the 255.255.255.0 subnet mask.

Once both nodes are up and connected, and the interfaces have been bridged on the Tinc nodes for each location, you will have a virtual LAN between the two locations.

Your Tinc configuration will be Switch mode. This means no Subnet configurations are required in your tinc.conf

Your tinc.conf will be something like

Name = NodeA
ConnectTo = NodeB
Interface = something
Mode = switch
PrivateKeyFile = path to the rsa_key.priv

Host files will be something like

For the host file named NodeA

Address = host.dyndns.org
PMTUDiscovery = Yes
--Begin RSA etc. etc.--

On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh andr...@brutsoft.com wrote:

Donald, thank you, while I still have some questions, your answer is definitely a step in the right direction.

In the other reply I was asked what I'm trying to achieve. Let's consider the following scenario (which is quite similar to the one described in the tinc manual).

Let's assume we have two households, each has 3-5 computers in it. Both households have similar network configuration: They are connected to internet with an ADSL line and a router. The computers in the local network access internet via the router. The router is configured so that one of the computers has port 665 forwarded to be accessible outside. The external IP is changed rarely and there is dynamic DNS service (external) in use to accommodate for the change of IP when it happens. One household has local network addresses of 192.168.1.* and the other has 10.1.1.*

I'm installing tinc on one computer in each household. The goal is to let all computers in both households see each other by ip address. Also it is desired that for computer games purposes all computers appear to be on the same LAN (for broadcasts). But this is not mandatory. (it appears that it's not possible without installing tinc on every PC as every tinc daemon serves a subnet and two tinc daemons can't serve a part of subnet each)

All computers run different flavours of Windows, most being Windows 7.

I have two ideas how to set this up, although I'm not sure if any of these two works:

IDEA1.
=
Household A
Gateway IP: 10.30.0.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway:
Other PCs IP: 10.30.0.2,3,4 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.1
Tinc Subnet: 10.30.0.0/25

Household B
Gateway IP: 10.30.0.129
Gateway Mask: 255.255.255.0
Gateway Default Gateway:
Other PCs IP: 10.30.0.130,131,132 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.129
Tinc Subnet: 10.30.0.128/25

IDEA2.
=
Household A
Gateway IP: 10.30.0.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway:
Other PCs IP: 10.30.0.2-255 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.1
Tinc Subnet: 10.30.0.0/24

Household B
Gateway IP: 10.30.1.1
Gateway Mask: 255.255.255.0
Gateway Default Gateway:
Other PCs IP: 10.30.1.2-255 etc
Other PCs Mask: 255.255.255.0
Other PCs Default Gateway: 10.30.0.129
Tinc Subnet: 10.30.1.0/24

So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the pc's won't appear on the same LAN and their broadcasts won't reach each other.

As far as I understand I need to install TAP interface on each of the participating windows PCs, correct? What is specified in default gateway of the gateways?

Thank you in advance,
Andrew

On 7/10/2010 4:36 a.m., Donald Pearson wrote:

The PCs that you want to participate need to have a route for the VPN subnet pointing to their local VPN gateway, which would be the local device with Tinc installed on it.

Theoretical configuration example.

VPN subnet is 10.10.10.0/24

At a location, one computer 192.168.1.254/24 connects to the VPN and serves as the VPN gateway. This gateway needs to be configured for TCP/IP forwarding.

http://support.microsoft.com/kb/315236 - windows
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ - linux

Other computers local to the gateway need a route to the VPN network added so they know how to get there. In windows.

route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254

This will add the persistent route that remains after reboot.

Does that answer your question?
Re: Windows subnets
The external IP is changed rarely and there is a dynamic DNS service (external) in use to accommodate the change of IP when it happens. One household has local network addresses of 192.168.1.* and the other has 10.1.1.*. I'm installing tinc on one computer in each household. The goal is to let all computers in both households see each other by IP address. Also it is desired that for computer game purposes all computers appear to be on the same LAN (for broadcasts). But this is not mandatory. (It appears that it's not possible without installing tinc on every PC, as every tinc daemon serves a subnet and two tinc daemons can't serve a part of a subnet each.) All computers run different flavours of Windows, most being Windows 7.

I have two ideas how to set this up, although I'm not sure if either of these two works:

IDEA 1.

  Household A
    Gateway IP: 10.30.0.1
    Gateway Mask: 255.255.255.0
    Gateway Default Gateway:
    Other PCs IP: 10.30.0.2, 3, 4 etc.
    Other PCs Mask: 255.255.255.0
    Other PCs Default Gateway: 10.30.0.1
    Tinc Subnet: 10.30.0.0/25

  Household B
    Gateway IP: 10.30.0.129
    Gateway Mask: 255.255.255.0
    Gateway Default Gateway:
    Other PCs IP: 10.30.0.130, 131, 132 etc.
    Other PCs Mask: 255.255.255.0
    Other PCs Default Gateway: 10.30.0.129
    Tinc Subnet: 10.30.0.128/25

IDEA 2.

  Household A
    Gateway IP: 10.30.0.1
    Gateway Mask: 255.255.255.0
    Gateway Default Gateway:
    Other PCs IP: 10.30.0.2-255 etc.
    Other PCs Mask: 255.255.255.0
    Other PCs Default Gateway: 10.30.0.1
    Tinc Subnet: 10.30.0.0/24

  Household B
    Gateway IP: 10.30.1.1
    Gateway Mask: 255.255.255.0
    Gateway Default Gateway:
    Other PCs IP: 10.30.1.2-255 etc.
    Other PCs Mask: 255.255.255.0
    Other PCs Default Gateway: 10.30.0.129
    Tinc Subnet: 10.30.1.0/24

So IDEA 1 probably won't work at all. Will it? And with IDEA 2 the PCs won't appear on the same LAN and their broadcasts won't reach each other. As far as I understand I need to install a TAP interface on each of the participating Windows PCs, correct? What is specified in the default gateway of the gateways?

Thank you in advance, Andrew

On 7/10/2010 4:36 a.m., Donald Pearson wrote:
The PCs that you want to participate need to have a route for the VPN subnet pointing to their local VPN gateway, which would be the local device with tinc installed on it.

Theoretical configuration example. VPN subnet is 10.10.10.0/24. At a location, one computer, 192.168.1.254/24, connects to the VPN and serves as the VPN gateway. This gateway needs to be configured for TCP/IP forwarding:

  http://support.microsoft.com/kb/315236 - Windows
  http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ - Linux

Other computers local to the gateway need a route to the VPN network added so they know how to get there. In Windows:

  route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254

This will add a persistent route that remains after reboot. Does that answer your question?

On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh andr...@brutsoft.com wrote:
Thank you for your reply. As far as I can see there is no point specifying a subnet that consists of more than one PC in the tinc config if you are going to install tinc on every PC in the subnet anyway. Correct me if I'm wrong. Now, assuming I'm right, there will be PCs in the subnet that don't have tinc installed on them. How to configure these PCs so they are a part of the subnet and participate in routing?

Cheers, Andrew

On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote:
Hi, I am not sure I understand what you mean by joining a subnet. But if your local computer needs to reach the remote subnet served by tinc, you can set the local IP of the local tinc server as the default gateway, or add a route to the remote subnet via the local tinc IP. Of course, computers located on the remote subnet need the same thing. Cédric

On 06/10/10 09:37, Andrew Savinykh wrote:
Hello all, I understand that each tinc daemon corresponds to one or more subnets that it owns; a subnet can be a single IP or more. Could you please tell me what I need to do to join a computer in a local network (Windows) to a subnet served by tinc? Thank you in advance, Andrew

-- Cédric Lemarchand – iXSea SAS, Systems and Network Administrator, http://www.ixsea.com/ - cedric.lemarch...@ixsea.com, Tel: +33 1 30 08 – GSM: +33 6 37 23 40 93

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
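The question of whether IDEA 1 can work comes down to what each PC's own routing table decides before the tinc gateway ever sees a packet. The following is an added example, not code from the thread: a longest-prefix-match lookup over a host's routing table, applied to Andrew's two plans and to the persistent Windows route in Donald's reply. The interface name "lan", the Internet router address 192.168.1.1 and the PC addresses are constructed from the numbers in the thread.

```python
"""
Added example, not code from the thread: a longest-prefix-match lookup over a
host's routing table, used to check the two addressing plans in Andrew's
message and the persistent route in Donald's reply. Host addresses, interface
names and the tables are constructed from the numbers in the thread.
"""
from ipaddress import ip_address, ip_interface, ip_network


def lookup(routes, dst):
    """Pick the most specific route for dst, as a host's forwarding table does.

    routes: list of (network, gateway, ifname); gateway None means directly
    connected, so the host ARPs for dst itself instead of sending to a router.
    Returns ("onlink", ifname), ("via", gateway) or None if nothing matches.
    """
    dst = ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        return None
    _, gw, ifname = best
    return ("via", gw) if gw else ("onlink", ifname)


def host_table(addr_with_mask, default_gw, extra=()):
    """Table of an ordinary PC: its connected network, a default route, extras."""
    iface = ip_interface(addr_with_mask)
    table = [(str(iface.network), None, "lan"), ("0.0.0.0/0", default_gw, "lan")]
    table.extend(extra)
    return table


def idea1_pc_to_other_household():
    # IDEA 1: a PC at household A, mask 255.255.255.0, talking to 10.30.0.130 at
    # household B. The /24 mask covers both /25 halves, so the PC treats the
    # remote address as on-link and ARPs for it on the local LAN, where nobody
    # answers; the packet never reaches the tinc gateway 10.30.0.1.
    pc = host_table("10.30.0.2/255.255.255.0", "10.30.0.1")
    return lookup(pc, "10.30.0.130")


def idea1_with_25_masks():
    # The same plan with the PC mask narrowed to the /25 tinc actually serves:
    # 10.30.0.130 is now off-link and goes to the gateway, which can forward it.
    pc = host_table("10.30.0.2/255.255.255.128", "10.30.0.1")
    return lookup(pc, "10.30.0.130")


def idea2_pc_to_other_household():
    # IDEA 2: separate /24s per household; 10.30.1.x is off-link and goes to
    # the default gateway, the tinc node, so routing works (broadcasts do not).
    pc = host_table("10.30.0.2/255.255.255.0", "10.30.0.1")
    return lookup(pc, "10.30.1.5")


def donalds_persistent_route():
    # Donald's example: VPN subnet 10.10.10.0/24, local tinc gateway
    # 192.168.1.254, Internet router 192.168.1.1 (constructed). The Windows
    # command "route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.254"
    # is the third entry; without it VPN traffic would follow the default
    # route to the Internet router and go nowhere useful.
    pc = host_table("192.168.1.10/24", "192.168.1.1",
                    extra=[("10.10.10.0/24", "192.168.1.254", "lan")])
    return lookup(pc, "10.10.10.5"), lookup(pc, "8.8.8.8")


if __name__ == "__main__":
    print("IDEA 1, /24 masks:", idea1_pc_to_other_household())
    print("IDEA 1, /25 masks:", idea1_with_25_masks())
    print("IDEA 2:", idea2_pc_to_other_household())
    print("Donald's route:", donalds_persistent_route())
```

The first function is the reason IDEA 1 fails as written: with a /24 mask on the PCs, the remote half of the subnet looks local, the PC ARPs on its own LAN and nothing there answers for the other household. Giving the PCs the /25 masks that match the tinc Subnet statements at least gets the packet to the gateway, which is the precondition for router mode. The bridged, switch-mode alternative discussed further down in the thread sidesteps the question entirely, because then there is one real broadcast domain and ARP does reach the other household.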
Re: Windows subnets
Sorry, you're right. I was looking at the IP address schema where all nodes would use the 10.30.0.0/24 network. There's no need to install TAP adapters on the other devices.

You have basically 2 realistic options if you want the LAN function. You can specify multiple IP addresses for a single interface, even in Windows. You'll find this under the TCP/IP properties of the network adapter, by clicking on the Advanced button on the page where you can set a static IP or designate DHCP. A 2nd option would be to re-IP one of your locations so that they all use the same subnet natively.

Bridging the TAP adapter allows network frames received by your physical interface to reach the TAP adapter and therefore traverse the VPN. This enables layer 2 connectivity, the same way a real switch does. Virtual Ethernet over the Internet is how I like to describe it. This is how I have my VPN configured personally.

Without the bridge, a frame that is received at the physical interface has the frame stripped off and the packet inspected. Now we're talking layer 3. If the packet is destined for a network on the other side of the VPN, your tinc node frames the packet back up with a new frame and sends it over the VPN. This act of stripping the frame, reading the packet for the network destination, and applying a new frame to get it there is what routing is. Without the bridge in place, your tinc node is literally routing between the physical interface and the TAP interface. With the bridge, you're creating a layer 2 pathway so the frames can shoot across directly. Of course this means both sides need to be on the same subnet, which you obviously already know.

Be warned that this configuration comes with its drawbacks. DHCP will traverse your VPN. I had location A computers getting addresses from location B, which makes for some really inefficient Internet traffic.

Regards, Donald

On Wed, Oct 6, 2010 at 7:57 PM, Andrew Savinykh andr...@brutsoft.com wrote:
Donald, thank you for the explanation. I understand the part about the switch mode and the absence of Subnet in tinc.conf. However, could you please explain what bridging the TAP adapter will achieve and what kind of IP address will be used on tinc nodes and in the rest of the network. In my example one household has local network addresses of 192.168.1.* and the other has 10.1.1.*. If we don't install TAP interfaces on other PCs this means that the other PCs won't have another IP address. I understand that bridging is going to solve this somehow, but I still don't see how a broadcast from 10.1.1.7 can reach 192.168.1.5 in the other LAN. In short, I don't understand how bridging two adapters works. I'll try to google this topic to get a better understanding; meanwhile, could you please explain how this applies to our tinc configuration case. Also, can you briefly describe what we achieve by setting PMTUDiscovery = Yes. I read the description in the manual but it didn't tell me much. Thank you again for all your help, Andrew

On 7/10/2010 11:40 a.m., Donald Pearson wrote:
Oh okay. Yes, you can make it appear as a single LAN. Your tinc nodes will behave as bridges instead of routers (or gateways as you put it). Your tinc nodes will have the same subnet mask and default router as all your other devices at that location. You will need to run the add-tap script only on the tinc nodes on each side. You will then need to bridge the TAP adapter to the local area connection on the tinc nodes on each side. This will create a bridge network object under your network connections. This bridge will have the IP configuration you illustrated. You have the right idea in segregating the IP distribution while still using the 255.255.255.0 subnet mask.

Once both nodes are up and connected, and the interfaces have been bridged on the tinc nodes for each location, you will have a virtual LAN between the two locations. Your tinc configuration will be switch mode. This means no Subnet configurations are required in your tinc.conf. Your tinc.conf will be something like:

  Name = NodeA
  ConnectTo = NodeB
  Interface = something
  Mode = switch
  PrivateKeyFile = path to the rsa_key.priv

Host files will be something like this, for the host file named NodeA:

  Address = host.dyndns.org
  PMTUDiscovery = Yes
  --Begin RSA etc. etc.--

On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh andr...@brutsoft.com wrote:
Donald, thank you; while I still have some questions, your answer is definitely a step in the right direction. In the other reply I was asked what I'm trying to achieve. Let's consider the following scenario (which is quite similar to the one described in the tinc manual). Let's assume we have two households, each with 3-5 computers in it. Both households have a similar network configuration: they are connected to the Internet with an ADSL line and a router. The computers in the local network access the Internet via the router
Re: Tinc performance on a Dir-300
That device uses the Atheros AR2317 processor, which isn't exactly robust at 180 MHz. Have you considered alternative hardware?

On Mon, Sep 20, 2010 at 10:37 AM, Clemens John clemens-j...@gmx.de wrote:
Hi, we are using tinc in our Freifunk network in Oldenburg for inter-node connections over the Internet. So tinc is running on OpenWrt 10.03 on Dlink Dir-300 routers. We all have enough Internet bandwidth (1.6 MB/sec and more) but we only get a maximum speed of ~350 KB/sec between two tinc nodes, because then tinc uses 99% of the CPU. Is it possible to get more speed with tinc on these machines? I think we have compression and encryption already turned off, so what is using the CPU? Our tinc configuration looks like this:

  Name = 0014224074A7
  Mode = Switch
  Port = 655
  #PingTimeout = 30
  Hostnames = yes
  PMTUDiscovery = yes
  Cipher = none
  Compress = 0
  Digest = none
  IndirectData = yes
  ConnectTo = 0021912CF309
  ConnectTo = 00240117B755
  ConnectTo = batgw
  ConnectTo = 0022B0967CD7
  ConnectTo = 0014224074A7

If there is no way to get more speed, do you know another VPN solution which is better concerning speed? We don't need security because the network is completely open, but we need speed. Thank you, Clemens
Re: Timeout from server ... during authentication
Can you post your tinc.conf and the contents of the host file?

On Tue, Aug 10, 2010 at 1:23 PM, Diego Pasqualin dg...@c3sl.ufpr.br wrote:
Hello, I'm trying to create a VPN using tinc with a Windows Server 2003 as client, but I'm receiving the following message when running tincd -n vpn -D -d5:

  Trying to connect to server ...
  Timeout from server ... during authentication
  Could not set up a meta connection to server ...

I tried the same tinc configuration on a Win7 machine and it works fine. The firewall is disabled in WS2003, but I'm a Linux user and it is possible that I'm missing some configuration to allow the connection. Any suggestion could be useful. Thanks, Diego G. Pasqualin, Brazil

-- Diego G. Pasqualin, UFPR - Universidade Federal do Paraná, C3SL - Centro de Computação Científica e Software Livre
Re: Timeout from server ... during authentication
Glad you got it sorted!

On Wed, Aug 11, 2010 at 10:15 AM, Diego Pasqualin dg...@c3sl.ufpr.br wrote:
Hi Donald, thanks for the answer, but the problem was solved. I discovered that a firewall (on another machine) was blocking the connection attempts.

On 11-08-2010 09:57, Donald Pearson wrote:
Can you post your tinc.conf and the contents of the host file?

On Tue, Aug 10, 2010 at 1:23 PM, Diego Pasqualin dg...@c3sl.ufpr.br wrote:
Hello, I'm trying to create a VPN using tinc with a Windows Server 2003 as client, but I'm receiving the following message when running tincd -n vpn -D -d5:

  Trying to connect to server ...
  Timeout from server ... during authentication
  Could not set up a meta connection to server ...

I tried the same tinc configuration on a Win7 machine and it works fine. The firewall is disabled in WS2003, but I'm a Linux user and it is possible that I'm missing some configuration to allow the connection. Any suggestion could be useful. Thanks, Diego G. Pasqualin, Brazil

-- Diego G. Pasqualin, UFPR - Universidade Federal do Paraná, C3SL - Centro de Computação Científica e Software Livre
Re: Installing Tinc on Windows Server
Don, I am afraid that's backwards. If it installed in the Program Files (x86) directory, it is the 32-bit version. Best, Donald

On Mon, Jun 7, 2010 at 5:31 PM, Miller, Don dmil...@trane.com wrote:
Rob, yes, I am certain that I installed the 64-bit version of tinc, because it was installed in the Program Files (x86) folder. I also ran addtap.bat from both the cmd window and from Explorer. Both did the same thing. Regards, Don

From: tinc-boun...@tinc-vpn.org on behalf of Rob Townley
Sent: Monday, June 07, 2010 4:15 PM
To: tinc@tinc-vpn.org
Subject: Re: Installing Tinc on Windows Server

On Mon, Jun 7, 2010 at 3:20 PM, Miller, Don dmil...@trane.com wrote:
I recently tried to install tinc on a Windows Server Enterprise machine. This is a 64-bit OS. When I run addtap.bat or the tapinstall.exe program, I get a "tapinstall.exe failed" error message. Is there a way to get more information about what the cause of the failure is from the tapinstall program? Thanks, Donald J Miller, Software Engineer, Trane Ingersoll Rand, 3600 Pammel Creek Road, La Crosse, WI 54601 USA, Office: 608.787.2759, Email: dmil...@trane.com, Website: www.trane.com

The information contained in this message is privileged and intended only for the recipients named. If the reader is not a representative of the intended recipient, any review, dissemination or copying of this message or the information it contains is prohibited. If you have received this message in error, please immediately notify the sender, and delete the original message and attachments.

IIRC, there are two subfolders. One is for 64-bit, the other 32-bit. Sure you ran the correct one? Did you run addtap.bat from cmd.exe or explorer.exe? Run it from cmd.exe.
Re: Broadcast-Storm
Let me be the first to encourage you. Filtering would be an outstanding feature.

On 3/16/10, Markus Dangl s...@q1cc.net wrote:
Hi, I've got a small tinc network (switched) set up and it usually works fine. But sometimes I get echoes of my own broadcasts and sometimes this even leads to a broadcast storm (two nodes forwarding the broadcasts in a circle, thus flooding the whole network with copies of the same packet). I'm currently unsure how to debug this using tinc. So my questions are:

- How does tinc handle broadcasts when in switching mode? Does tinc understand STP? (I usually enable STP on all my Linux bridges.)
- Not all of the clients update their tinc clients regularly, so I might have several tinc versions from 1.0.9 to 1.0.12 in my net. Could it be that incompatibilities between these versions are responsible for this?

By the way: sadly, not all of the installations are maintained by people that actually know a lot about network stuff. Also, a lot of the nodes run on Windows :/ so I don't have a portable way to use packet filtering on all nodes. A nice-to-have feature for tinc would be to have some filtering options, maybe even a real packet filter (like those *-tables tools on Linux). I see that that's not really tinc's job, but there currently is no portable way of packet filtering, and tinc could do it :) If there are more people that could make good use of such a feature I might just start experimenting a little with the tinc sources. With kind regards, Markus Dangl

-- Sent from my mobile device
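Both Donald's description of what bridging the TAP adapter does (in the Windows subnets thread above) and Markus's echoed broadcasts are the behaviour of learning switches, so they can be shown together. The following is an added example, not code from the thread or from tinc: each bridged tinc node is modelled as a learning switch with an eth0 and a tap port, and tinc's switch mode as one more learning switch whose ports are the node names. The "echo guard" is a crude loop detector of my own for the demonstration, not a tinc feature; node names, MAC addresses and the two topologies are constructed.

```python
"""
Added example, not code from the thread or from tinc: a toy model of what
"bridging the tap adapter" does (a learning switch per tinc node, with tinc's
switch mode modelled as one more learning switch in the middle) and of the
broadcast echo Markus describes when two bridged tinc nodes sit on the same
LAN. Node names, MAC addresses and the topologies are constructed.
"""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    """Learning switch: remembers which port each source MAC was seen on."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.table = {}     # MAC -> port it was last seen on
        self.echoes = 0     # frames dropped by the echo guard

    def forward(self, src, dst, ingress, guard=False):
        """Return the egress ports for a frame, learning src on the way."""
        # Echo guard (a crude loop detector, not something tinc does): a frame
        # arriving from the VPN whose source MAC lives on our own LAN must have
        # looped through another node bridged to the same LAN.
        if guard and ingress == "tap" and self.table.get(src) == "eth0":
            self.echoes += 1
            return []
        self.table[src] = ingress
        out = self.table.get(dst)
        if dst != BROADCAST and out is not None and out != ingress:
            return [out]                                   # known unicast: one port
        return [p for p in self.ports if p != ingress]     # unknown/broadcast: flood


def simulate(lans, frames, guard=False, limit=200):
    """lans: {lan_name: [tinc nodes bridged to it]}; frames: [(src_lan, src, dst)].

    Returns which LANs each frame reached, the echo count and whether
    forwarding blew past `limit` events, i.e. a broadcast storm.
    """
    site = {n: Bridge(n, ["eth0", "tap"]) for nodes in lans.values() for n in nodes}
    vpn = Bridge("tinc", list(site))           # tinc switch mode, ports = node names
    lan_of = {n: lan for lan, nodes in lans.items() for n in nodes}
    delivered, events, queue = [], 0, deque()
    for src_lan, src, dst in frames:
        delivered.append((src_lan, src, dst))  # hosts on the sender's LAN see it
        for n in lans[src_lan]:                # ...and so does every bridged node
            queue.append((n, "eth0", src, dst))
        while queue:
            events += 1
            if events > limit:
                return {"storm": True, "events": events, "delivered": delivered,
                        "echoes": sum(b.echoes for b in site.values())}
            node, ingress, fsrc, fdst = queue.popleft()
            if node == "tinc":
                for out in vpn.forward(fsrc, fdst, ingress):
                    queue.append((out, "tap", fsrc, fdst))
                continue
            for out in site[node].forward(fsrc, fdst, ingress, guard):
                if out == "tap":
                    queue.append(("tinc", node, fsrc, fdst))
                else:                          # onto the LAN: hosts and other nodes
                    lan = lan_of[node]
                    delivered.append((lan, fsrc, fdst))
                    for other in lans[lan]:
                        if other != node:
                            queue.append((other, "eth0", fsrc, fdst))
    return {"storm": False, "events": events, "delivered": delivered,
            "echoes": sum(b.echoes for b in site.values())}


def two_households():
    """One bridged tinc node per LAN: a broadcast from A, then a unicast reply from B."""
    frames = [("A", "aa:aa:aa:aa:aa:01", BROADCAST),
              ("B", "bb:bb:bb:bb:bb:01", "aa:aa:aa:aa:aa:01")]
    return simulate({"A": ["A1"], "B": ["B1"]}, frames)


def redundant_nodes(guard):
    """Two bridged tinc nodes on LAN A: a loop, since nothing runs a spanning tree."""
    frames = [("A", "aa:aa:aa:aa:aa:01", BROADCAST)]
    return simulate({"A": ["A1", "A2"], "B": ["B1"]}, frames, guard=guard)


if __name__ == "__main__":
    for r in (two_households(), redundant_nodes(False), redundant_nodes(True)):
        print(r["storm"], r["events"], r["echoes"], [d[0] for d in r["delivered"]])
```

In the two-household case the broadcast is flooded once to B, the bridges learn the sender's MAC, and the reply from B is delivered as a unicast straight back to A without flooding: that is the "virtual Ethernet over the Internet" Donald describes. With two bridged nodes on the same LAN the broadcast comes back in over the VPN, gets re-flooded onto the LAN, and the model never terminates; the guard stops the storm, but B still receives the frame twice, so the real fix is one bridged node per segment or a spanning tree between the bridges, which this model does not have.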
Re: multiple addresses and multiple ports in Switch mode
Typically you can do port translation on your firewall to map the 28655 port to 655 internally. Alternatively I believe you can run 2 tinc instances if 1 tinc instance will not bind to multiple sockets. It would simply require a 2nd virtual adapter. You would then have 2 public keys or host files. Connecting nodes would need the host file relative to their connecting internally or externally.

On Fri, Feb 12, 2010 at 1:49 PM, Rob Townley rob.town...@gmail.com wrote:
This node doesn't have two NICs; the public address is for those connecting from the public side of the NAT. As far as that tinc node knows, it is using 655. I will look elsewhere for the connection problem. Dynamic DNS of the port number could help tinc get better meta knowledge about itself. What was the name of the DNS library you recommended? Does it work with dnsmasq? Do you use the gdb debugger?

On 2/12/10, Guus Sliepen g...@tinc-vpn.org wrote:
On Thu, Feb 11, 2010 at 03:06:17PM -0600, Rob Townley wrote:
I have a switched and bridged tincd node with two addresses, each with a different port.

  Address = 37.70.156.168 28655
  Address = 192.168.2.228 655

Tinc itself will only listen on one port. By default 655; if you want another port you can use the Port statement. It will also use this port to send packets from.

-- Met vriendelijke groet / with kind regards, Guus Sliepen g...@tinc-vpn.org
Re: Can I pass 802.1q (VLAN tagged) through a VPN Tinc in HUB/Switch mode?.
You may also need to add "modprobe tun" to the top of your tinc-up. I also found that I needed to add the default route for the bridge interface. Here is my tinc-up; perhaps it may help you. This is on Ubuntu.

  don...@donaldtincvm:/etc/tinc/vpn$ cat tinc-up
  #!/bin/sh
  # load the TUN/TAP driver before anything touches the tap device
  modprobe tun
  # the tap interface tinc created (named vpn here; Guus's advice in this thread
  # is to write $INTERFACE instead so the name always matches) and the physical
  # interface carry no IP address of their own: the bridge does
  ifconfig vpn 0.0.0.0
  ifconfig vpn up
  ifconfig eth0 0.0.0.0
  ifconfig eth0 up
  # create the bridge and attach both interfaces to it
  brctl addbr bridge
  brctl addif bridge vpn
  brctl addif bridge eth0
  # the host's own address and default route now live on the bridge
  ifconfig bridge 192.168.2.11 netmask 255.255.0.0
  route add default gw 192.168.2.1 bridge
  ifconfig bridge up

On Thu, Feb 11, 2010 at 5:00 AM, Guus Sliepen g...@tinc-vpn.org wrote:
On Thu, Feb 11, 2010 at 10:55:33AM +0100, Ramses II wrote:
Both tinc servers start and both connect, but it tells me the following error when I try to execute the tinc-up script:

  r...@vpn-01:/etc/tinc# ./tinc-up
  ifconfig: SIOCSIFADDR: No such device
  interface vpn does not exist!
  ifconfig: SIOCGIFFLAGS: No such device
  r...@vpn-01:/etc/tinc#

The tinc-up script contains this:

  #!/bin/sh
  ifconfig vpn 0.0.0.0
  brctl addif br-lan vpn
  ifconfig vpn up

Your virtual network interface may have another name than vpn. Replace vpn with $INTERFACE in the scripts, so that it will automatically use the right name. I'll update the example.

-- Met vriendelijke groet / with kind regards, Guus Sliepen g...@tinc-vpn.org
Re: Only reaching one machine at network
I'm doing exactly what I think you're trying to do. You are using switched mode, so you can remove the Subnet statements. Otherwise, if you mean to have your VPN routed instead of switched, you need to remove the Mode = switch statements. I recommend keeping switch mode and removing the unnecessary Subnet statements.

Now, you need to bridge your tun interface with your physical interface at home. This will open the rest of your home network to your VPN, provided all hosts use the same network and netmask. You say you are using Ubuntu, so you can do apt-get install bridge-utils. You will need your tinc-up script to be something like this:

  #!/bin/sh
  # load the TUN/TAP driver before anything touches the tap device
  modprobe tun
  # the tap interface (named vpn here) and the physical interface carry no
  # IP address of their own: the bridge does
  ifconfig vpn 0.0.0.0
  ifconfig vpn up
  ifconfig eth0 0.0.0.0
  ifconfig eth0 up
  # create the bridge and attach both interfaces to it
  brctl addbr bridge
  brctl addif bridge vpn
  brctl addif bridge eth0
  # the host's own LAN address and default route now live on the bridge
  ifconfig bridge 10.10.0.30 netmask 255.255.255.0
  route add default gw 10.10.0.254 bridge
  ifconfig bridge up

Here's my tinc.conf. It's *very* simple.

  don...@donaldtincvm:/etc/tinc/vpn$ cat tinc.conf
  Name = Donald
  ConnectTo = Pat
  Device = /dev/net/tun
  Mode = switch
  PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

And here are my host files.

  don...@donaldtincvm:/etc/tinc/vpn/hosts$ cat Donald
  Address =
  Port = 8002
  IndirectData = Yes
  Compression = 0
  PMTUDiscovery = Yes
  RSA stuff.

  don...@donaldtincvm:/etc/tinc/vpn/hosts$ cat Pat
  Address = nixon.endoftheinternet.org
  Port = 8003
  IndirectData = Yes
  Compression = 0
  PMTUDiscovery = Yes
  RSA stuff.

On Sun, Feb 7, 2010 at 5:26 PM, M.Farghaly m...@farghaly.com wrote:
Hi there, I have been using tinc for some months. I think the basic idea of extending a VPN to a mesh of systems via tun/tap is great. And I think it is one of the usable developments compared to the much more complex VPN solutions I had used in the past. Great work. Setting up tinc I have fought with the configuration (and with the concepts) for a while, as I have found no example that covers my special setup, until I reached this fairly minimal config below.

The setup is as follows: home network is 10.10.0.x/24, the Ubuntu Unix server has internal IP 10.10.0.30, gateway is 10.10.0.254. I have a dynamic IP on this network and a masquerading firewall router. I am accessing the home network via an Ubuntu Linux laptop via UMTS, which means a dynamic IP address, normally also in the 10.x.y.z range (can this be a problem?). From the forum answers I think I can delete the PrivateKeyFile entries as this is the default; otherwise the configuration is quite minimal.

=== Configuration ===

Server side:

  # cat tinc.conf
  Name = fsvpns3f30
  Mode = switch
  Device = /dev/net/tun
  AddressFamily = ipv4
  PingInterval = 30
  PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv

  # cat tinc-up
  #!/bin/sh
  ifconfig $INTERFACE 10.10.100.30 netmask 255.255.0.0

  # cat hosts/fsvpns3f30
  Address = xyz.dyndns.org
  Port=655
  Compression=9
  Subnet=10.10.0.0/16
  TCPonly=yes
  -----BEGIN RSA PUBLIC KEY-----
  ...
  -----END RSA PUBLIC KEY-----

Client side:

  # cat tinc.conf
  Name = fsvpnmf
  Mode = switch
  Device = /dev/net/tun
  AddressFamily = ipv4
  PingInterval = 30
  ConnectTo = fsvpns3f30
  PrivateKeyFile=/etc/tinc/fsvpn/rsa_key.priv

  # cat tinc-up
  #!/bin/sh
  ifconfig $INTERFACE 10.10.101.1 netmask 255.255.0.0

  # cat fsvpnmf
  Port = tinc
  Compression = 9
  Subnet = 10.10.101.1/32
  TCPonly=yes
  ConnectTo = xyz.dyndns.org
  -----BEGIN RSA PUBLIC KEY-----
  ...
  -----END RSA PUBLIC KEY-----

This setup has worked now for a while, with the restriction that I can directly reach only one machine on my network. I can ssh through it to reach the other machines in the network, but this is not ideal (e.g. if I want to directly reach Windows machines). That means from my laptop I can only directly reach the 10.10.0.30/10.10.100.30 machine. It looks like a routing problem. I guess I will have to add something to the tinc-up script on both sides, but in combination with the VPN device I need some guidance.

Can you see how the configuration can be enhanced to reach the whole network of machines on the home network from laptops directly? Any suggestions are welcome. Mansour Farghaly
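Mansour's configuration carries Subnet statements that do nothing in switch mode, and the Freifunk configuration in the Dir-300 thread above sets Cipher = none and Digest = none, which leaves every data packet unencrypted and unauthenticated to anyone who can reach the node's UDP port. The following is an added example, not code from either thread or from the tinc project: a small linter that reads tinc.conf and the hosts/ files the way tinc does (Key = Value, keys case-insensitive, "#" comments) and reports those two problems plus ConnectTo targets with no host file or Address and TCPOnly set together with IndirectData, which Donald notes further down is redundant. The sample configurations are trimmed copies of the ones posted; the Freifunk node's host file is constructed because that thread does not show it.

```python
"""
Added example, not code from the threads or from tinc: a linter for tinc 1.0
configuration directories. It reports Subnet statements in switch mode,
ConnectTo targets without a host file or Address, TCPOnly combined with
IndirectData, and Cipher/Digest set to none. The sample configurations are
trimmed copies of the ones posted; the Freifunk host file is constructed.
"""


def parse(text):
    """Return {key: [values]}; Subnet, ConnectTo and Address may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # strip comments and blanks
        key, sep, value = line.partition("=")
        if sep and key.strip():
            conf.setdefault(key.strip().lower(), []).append(value.strip())
    return conf


def first(conf, key, default=""):
    return conf.get(key, [default])[0]


def lint(tinc_conf, hosts):
    """tinc_conf: text of tinc.conf; hosts: {name: text of hosts/<name>}.
    Returns a list of (level, message) in the order the checks run."""
    findings = []
    conf = parse(tinc_conf)
    hostconf = {h: parse(t) for h, t in hosts.items()}
    mode = first(conf, "mode", "router").lower()
    name = first(conf, "name")
    if not name:
        findings.append(("error", "tinc.conf has no Name"))
    elif name not in hostconf:
        findings.append(("error", f"no hosts/{name} for our own Name"))
    # Outgoing connections need a host file with an Address to connect to.
    for target in conf.get("connectto", []):
        if target not in hostconf:
            findings.append(("error", f"ConnectTo {target} but hosts/{target} is missing"))
        elif "address" not in hostconf[target]:
            findings.append(("error", f"hosts/{target} has no Address; cannot ConnectTo it"))
    for h, hc in hostconf.items():
        # Switch mode forwards on learned MAC addresses; Subnet lines do nothing there.
        if mode in ("switch", "hub") and "subnet" in hc:
            findings.append(("warn", f"hosts/{h}: Subnet is not used in {mode} mode"))
        # As noted in the UDP frame size thread, TCPOnly already implies IndirectData.
        if first(hc, "tcponly").lower() == "yes" and "indirectdata" in hc:
            findings.append(("info", f"hosts/{h}: TCPOnly already implies IndirectData"))
    # Cipher/Digest = none may sit in tinc.conf or in a host file; either way the
    # data packets leave unencrypted and, without a digest, unauthenticated.
    for where, c in [("tinc.conf", conf)] + [(f"hosts/{h}", hc) for h, hc in hostconf.items()]:
        if first(c, "cipher").lower() == "none":
            findings.append(("security", f"{where}: Cipher = none, VPN payload is sent in clear"))
        if first(c, "digest").lower() == "none":
            findings.append(("security", f"{where}: Digest = none, altered or forged packets are not detected"))
    return findings


# Trimmed copies of the configurations posted in the threads.
MANSOUR_SERVER_CONF = """\
Name = fsvpns3f30
Mode = switch
Device = /dev/net/tun
AddressFamily = ipv4
PingInterval = 30
PrivateKeyFile = /etc/tinc/fsvpn/rsa_key.priv
"""
MANSOUR_HOSTS = {
    "fsvpns3f30": "Address = xyz.dyndns.org\nPort=655\nCompression=9\nSubnet=10.10.0.0/16\nTCPonly=yes\n",
    "fsvpnmf": "Port = tinc\nCompression = 9\nSubnet = 10.10.101.1/32\nTCPonly=yes\n",
}
FREIFUNK_CONF = """\
Name = 0014224074A7
Mode = Switch
Port = 655
#PingTimeout = 30
Cipher = none
Digest = none
IndirectData = yes
ConnectTo=0021912CF309
"""
FREIFUNK_HOSTS = {"0014224074A7": "Address = 198.51.100.7\n"}   # constructed; not in the thread

if __name__ == "__main__":
    for label, conf, hosts in (("Mansour", MANSOUR_SERVER_CONF, MANSOUR_HOSTS),
                               ("Freifunk", FREIFUNK_CONF, FREIFUNK_HOSTS)):
        for level, msg in lint(conf, hosts):
            print(f"{label}: [{level}] {msg}")
```

Run against Mansour's server it reports two warnings, one per host file with a Subnet line; against the Freifunk node it reports the missing host file for the ConnectTo target and the two security findings. Clemens's point that the Freifunk network is deliberately open is a legitimate trade-off, but the linter makes it an explicit decision rather than something discovered later in a packet capture.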
Re: Simple Dial In Setup
I have nothing to add to this but I do have a question. Would the IP provided via DHCP after the tunnel is up be applied to the client's virtual adapter? Or can DHCP append an additional IP address to the already configured bridge on the client's computer? Or does it work some other way entirely?

On Mon, Nov 16, 2009 at 9:23 AM, Guus Sliepen g...@tinc-vpn.org wrote:
On Mon, Nov 16, 2009 at 09:02:33AM +0100, Matthias Redl wrote:
From what I've read so far I believe that the VPN must always have a different IP subnet than the private LAN itself, and therefore use routing.

That is not true. The only problem is when you want clients to use IP addresses from the private LAN in router mode; that is difficult to set up.

Is that correct? But I would actually prefer to assign IPs from our current LAN to the VPN clients. Our current IP setup:

  Local servers and printers: 192.168.139.1 - 192.168.139.99
  Local DHCP range for workstations: 192.168.139.100 - 192.168.139.200

My wish would be to assign IPs starting with 192.168.139.201 to VPN users (either manually or, better, also via DHCP / tinc). From what I have read maybe the switch setup might fit, but I'm currently a bit lost. Is that possible? If yes, is one of the sample setups adequate for me?

Yes, that is possible. Indeed, you want to use switch mode, and on the server bridge the VPN interface to the private LAN interface. This is described in http://tinc-vpn.org/examples/bridging/. On the client side you can then use DHCP to get an IP address from the DHCP server on the private LAN. You do have to make sure that the default gateway provided by the DHCP server on the VPN does not get a higher priority than that of the LAN the clients are on.

-- Met vriendelijke groet / with kind regards, Guus Sliepen g...@tinc-vpn.org
Re: need help with tinc windows service
Run:

  tincd -n test -d5 -D

This will just run tinc from the command prompt, and you'll be able to see what any errors are.

On Sat, Apr 18, 2009 at 10:08 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote:
Hi, I'm a newbie to networking and VPNs, so please pardon my mistakes. I installed tinc 1.0.9 and followed the tinc setup instructions as in the tinc-windows example. After I have started the tinc service with the tincd -n command, the service starts and then stops abruptly, giving the message "the tinc.test service on the local computer has started and then stopped. Some services stop automatically if they have no work to do, for example the performance logs and alerts". When I try to restart the service it gives the same message and stops. Could anyone please help me.
Re: need help with tinc windows service
Have you named the TAP interface "tinc" under the network connections area of the control panel?

On Sat, Apr 18, 2009 at 10:51 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote:
Thanks for the help. I tried it. The debug message is "some numbers (tinc) is not a usable windows tap device: the system cannot find the file specified. terminating". The TAP interface I used was named tinc. I'm using Windows XP SP3. What could the problem be?

On Sat, Apr 18, 2009 at 7:53 PM, Donald Pearson donaldwhpear...@gmail.com wrote:
Run:

  tincd -n test -d5 -D

This will just run tinc from the command prompt, and you'll be able to see what any errors are.

On Sat, Apr 18, 2009 at 10:08 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote:
Hi, I'm a newbie to networking and VPNs, so please pardon my mistakes. I installed tinc 1.0.9 and followed the tinc setup instructions as in the tinc-windows example. After I have started the tinc service with the tincd -n command, the service starts and then stops abruptly, giving the message "the tinc.test service on the local computer has started and then stopped. Some services stop automatically if they have no work to do, for example the performance logs and alerts". When I try to restart the service it gives the same message and stops. Could anyone please help me.
Re: need help with tinc windows service
I would try deleting your current win32 tap adapter from the device manager, and re-installing it through the add tap batch file in the tinc directory. On Sat, Apr 18, 2009 at 11:37 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote: yes, i renamed it from the network connections. this is my tinc.conf. --- Name = dmachine Connectto = VASU Interface = tinc On Sat, Apr 18, 2009 at 8:59 PM, Donald Pearson donaldwhpear...@gmail.com wrote: have you named the tap interface to tinc under the network connections area of the control panel? On Sat, Apr 18, 2009 at 10:51 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote: thanks for the help. i tried it .the debug message is some numbers (tinc) is not a usable windows tap device: the system cannot find the file specified.terminating the tap interface i used was named tinc. im using windows xp sp3. what could the problem be. On Sat, Apr 18, 2009 at 7:53 PM, Donald Pearson donaldwhpear...@gmail.com wrote: run; tincd -n test -d5 -D this will just run tinc from the command prompt, and you'll be able to see what any errors are. On Sat, Apr 18, 2009 at 10:08 AM, Dayal Ramachandran dayal.ramachand...@gmail.com wrote: hi im a newbie to networking and vpns.so plz pardon my mistakes. i installed tinc 1.0.9 and followed the tinc setup instructions as in the tinc-windows example. after i hav started the tinc service with tincd -n command the service starts and then stops abrupty giving the message the tinc.test service on the local computer has started and then stopped.Some services stop automatically if they hav no work to do for example the performance logs and alerts when i try to restart the service it gives the same msg and stops. could anyone plz help me. 
___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Re: dynamic-ip clients?
I would suggest then a static domain name that will follow your dynamic IP. dyndns.org is one free provider of that service.

On Sat, Mar 21, 2009 at 6:55 PM, lizard liz...@furcon.de wrote:

No no ...

client1 --- server --- client2

client[12] are dynamic, server is static. I want to connect client1 to client2 so I can switch off the server without affecting the rest of the VPN.

On Sat, 2009-03-21 at 18:55 +0100, Ivo Smits wrote:

You should not add a ConnectTo line on the server (static IP), only add it on the client system (dynamic IP).

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Re: Problems with UDP frame size??
Hi AlBI,

Well, TCPOnly = yes assumes IndirectData = yes, so you actually only need to set the TCPData flag. TCP does work, but the throughput is cut significantly. I don't have packet loss, so TCP is extra traffic and overhead that I don't need. The problem I'm receiving now is not a NAT problem.

Regards,
Donald

On Fri, Mar 6, 2009 at 2:17 AM, Albi Rebmann a...@life.de wrote:

For months I've been using tinc in TCPOnly because I always received the "unknown host" error when using UDP. On Monday, I set the flag IndirectData = yes in my host files, and removed the TCPOnly line.

I have a simple rule for using TCPOnly and IndirectData. If the computer has an external IP, no NAT router between, remove them and use UDP. If you have a NAT router between the tinc server/computer and the internet, use both flags (set yes). This works for 5 years now :-)

ALBI...

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Re: Problems with UDP frame size??
Does this mean I will need to manually set the PMTU value, or is the default value of 1518 (I think?) okay? If not, do you have a suggested value?

Thank you for your help as always,
Donald

On Fri, Mar 6, 2009 at 5:53 PM, Guus Sliepen g...@tinc-vpn.org wrote:

On Thu, Mar 05, 2009 at 07:02:53PM -0500, Donald Pearson wrote:

[...]

I removed the Compression line from the hosts files, and went back to the working UDP configuration that gave me 2MB/sec. However the problem did not go away. I say I think there is an IP/UDP frame size issue because the firewall software I use, SoftPerfect Personal Firewall, is reporting this error in its logs when I try to do something like a file transfer. I am able to ping between hosts with packet sizes up to 1417 bytes. I did some testing with setting the PMTU value and setting PMTUDiscovery = no, however it had no effect.

It seems there is a problem if both PMTUDiscovery and Compression are used. Another problem is that both sides must have PMTUDiscovery = no, otherwise it will still be enabled anyway. Michael Tokarev has also seen this problem. I'll have a better look at the code and I'll try to reproduce it myself, and see if I can fix it. In the mean time, the workaround is to explicitly disable PMTUDiscovery and Compression.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen g...@tinc-vpn.org

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Re: Problems with UDP frame size??
Great, that sounds good. Last question just to be sure. In order to explicitly turn off compression, do I need to set:

Compression = 0

?

Regards,
Donald

On Fri, Mar 6, 2009 at 6:10 PM, Guus Sliepen g...@tinc-vpn.org wrote:

On Fri, Mar 06, 2009 at 06:05:39PM -0500, Donald Pearson wrote:

Does this mean I will need to manually set the PMTU value, or is the default value of 1518 (I think?) okay? If not, do you have a suggested value?

Try the default first. If PMTUDiscovery is disabled, tinc does not set the Don't Fragment bit in the outgoing UDP packets, and then the router can fragment packets that are too large as it sees fit.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen g...@tinc-vpn.org

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Re: Problems with UDP frame size??
Well, with a change in the host files, I can now file transfer in only one direction. Argyle can upload to Nixon. However, Nixon cannot upload to Argyle. I also tried with and without PMTU = 1000 with no apparent difference. I can only figure there's more going on here than just Tinc, because the configurations are identical yet traffic only flows correctly in one direction.

Address = argyle.thruhere.net
Port = 8002
IndirectData = yes
Compression = 0
PMTUDiscovery = no
PMTU = 1000
# TCPOnly = Yes
-BEGIN RSA PUBLIC KEY-

Address = nixon.endoftheinternet.org
Port = 8003
IndirectData = yes
Compression = 0
PMTUDiscovery = no
PMTU = 1000
# TCPOnly = Yes
-BEGIN RSA PUBLIC KEY-

On Fri, Mar 6, 2009 at 6:22 PM, Donald Pearson donaldwhpear...@gmail.com wrote:

Great, that sounds good. Last question just to be sure. In order to explicitly turn off compression, do I need to set:

Compression = 0

?

Regards,
Donald

On Fri, Mar 6, 2009 at 6:10 PM, Guus Sliepen g...@tinc-vpn.org wrote:

On Fri, Mar 06, 2009 at 06:05:39PM -0500, Donald Pearson wrote:

Does this mean I will need to manually set the PMTU value, or is the default value of 1518 (I think?) okay? If not, do you have a suggested value?

Try the default first. If PMTUDiscovery is disabled, tinc does not set the Don't Fragment bit in the outgoing UDP packets, and then the router can fragment packets that are too large as it sees fit.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen g...@tinc-vpn.org

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Problems with UDP frame size??
Well, this has had me stumped for days now.

For months I've been using tinc in TCPOnly because I always received the "unknown host" error when using UDP. On Monday, I set the flag IndirectData = yes in my host files, and removed the TCPOnly line. Initially, everything worked great. My throughput increased from 600KB/sec to 2MB/sec between the sites.

However, I also did some testing with compression settings in the host files. On the first test after setting Compression = 10, I lost full functionality. I can still establish the VPN, and hosts are able to ping between each other, but if I try to transfer a file for example, it will not work.

I removed the Compression line from the hosts files, and went back to the working UDP configuration that gave me 2MB/sec. However the problem did not go away. I say I think there is an IP/UDP frame size issue because the firewall software I use, SoftPerfect Personal Firewall, is reporting this error in its logs when I try to do something like a file transfer. I am able to ping between hosts with packet sizes up to 1417 bytes. I did some testing with setting the PMTU value and setting PMTUDiscovery = no, however it had no effect.

Both hosts are running Windows XP.

Host files:

Address = argyle.thruhere.net
Port = 8002
IndirectData = yes
# PMTU = 1024
# PMTUDiscovery = no
#TCPOnly = Yes
-BEGIN RSA PUBLIC KEY-

Address = nixon.endoftheinternet.org
Port = 8003
IndirectData = yes
# PMTU = 1024
# PMTUDiscovery = no
#TCPOnly = Yes
-BEGIN RSA PUBLIC KEY-

tinc.conf for both is very simple:

Name = Argyle | Nixon
ConnectTo = Argyle | Nixon
Interface = Tinc
Mode = switch
#
#

Thoughts?

Thanks!
Donald

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
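The thread above settles on two rules of thumb for tinc 1.0 host files: TCPOnly = yes already implies IndirectData = yes (Donald's reply to Albi), and the Compression/PMTUDiscovery combination was broken, with the workaround being Compression = 0 and PMTUDiscovery = no on both sides, since setting it on one side only leaves it enabled (Guus's reply). The following is an added example, not tinc's own code and not posted by anyone in the thread: a small linter that parses a set of host files, skips the RSA key block, and reports violations of those rules. The host texts are constructed from the configurations quoted in this thread (the "broken" set adds the Compression = 10 line Donald described; "natted.example" is a made-up address), and the claim that PMTUDiscovery defaults to yes and Compression to 0 is an assumption about tinc 1.0 defaults.

```python
"""Lint tinc 1.0 host files for the PMTU/compression/TCPOnly settings discussed above.

Added example; it is not part of tinc and not code from the thread. The checks
encode what the thread says, taken here as assumptions about tinc 1.0:
  * TCPOnly = yes already implies IndirectData = yes, so an explicit
    IndirectData line beside it is redundant.
  * Compression together with PMTUDiscovery was broken, and PMTUDiscovery = no
    only takes effect when it is set on BOTH sides of a link.
Variable names are matched case-insensitively, as tinc does.
"""
import re
from itertools import combinations
from typing import Dict, List, Optional

KEY_VALUE_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)$")
KEY_TAIL = "-----BEGIN RSA PUBLIC KEY-----\n(key omitted)\n-----END RSA PUBLIC KEY-----\n"


def parse_host_file(text: str) -> Dict[str, str]:
    """Return {variable (lower-case): value}. '#' lines are comments; the PEM
    key block that ends every host file is skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-") and "BEGIN" in line:
            break  # rest of the file is the RSA public key
        m = KEY_VALUE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def is_yes(value: Optional[str]) -> bool:
    return value is not None and value.lower() in ("yes", "true")


def is_no(value: Optional[str]) -> bool:
    return value is not None and value.lower() in ("no", "false")


def lint_host(name: str, s: Dict[str, str]) -> List[str]:
    """Checks that apply to one host file on its own."""
    out: List[str] = []
    if is_yes(s.get("tcponly")) and "indirectdata" in s:
        out.append(f"{name}: IndirectData is redundant, TCPOnly = yes already implies it")
    # Assumed tinc 1.0 defaults: Compression = 0, PMTUDiscovery = yes.
    if s.get("compression", "0") != "0" and not is_no(s.get("pmtudiscovery")):
        out.append(f"{name}: Compression = {s['compression']} with PMTUDiscovery still enabled")
    return out


def lint_pair(a: str, sa: Dict[str, str], b: str, sb: Dict[str, str]) -> List[str]:
    """Checks on settings that must agree at both ends of a UDP path."""
    if is_no(sa.get("pmtudiscovery")) != is_no(sb.get("pmtudiscovery")):
        return [f"{a}/{b}: PMTUDiscovery = no is set on one side only, so it stays enabled"]
    return []


def lint_site(hosts: Dict[str, str]) -> List[str]:
    """Parse every host file and run the single-host and pairwise checks."""
    parsed = {n: parse_host_file(t) for n, t in hosts.items()}
    findings: List[str] = []
    for n, s in parsed.items():
        findings.extend(lint_host(n, s))
    for (a, sa), (b, sb) in combinations(parsed.items(), 2):
        findings.extend(lint_pair(a, sa, b, sb))
    return findings


def host_file(*lines: str) -> str:
    """Constructed sample: config lines followed by a placeholder key block."""
    return "\n".join(lines) + "\n" + KEY_TAIL


# The two host files from the first post, plus the Compression = 10 line that broke things.
BROKEN = {
    "argyle": host_file("Address = argyle.thruhere.net", "Port = 8002",
                        "IndirectData = yes", "Compression = 10", "# PMTUDiscovery = no"),
    "nixon": host_file("Address = nixon.endoftheinternet.org", "Port = 8003",
                       "IndirectData = yes", "Compression = 10", "# PMTUDiscovery = no"),
}
# Guus's workaround applied to one side only (constructed).
HALF_FIXED = {
    "argyle": host_file("Address = argyle.thruhere.net", "Port = 8002",
                        "IndirectData = yes", "Compression = 0", "PMTUDiscovery = no"),
    "nixon": BROKEN["nixon"],
}
# The host files from the last reply in the thread: workaround on both sides.
FIXED = {
    "argyle": host_file("Address = argyle.thruhere.net", "Port = 8002", "IndirectData = yes",
                        "Compression = 0", "PMTUDiscovery = no", "PMTU = 1000", "# TCPOnly = Yes"),
    "nixon": host_file("Address = nixon.endoftheinternet.org", "Port = 8003", "IndirectData = yes",
                       "Compression = 0", "PMTUDiscovery = no", "PMTU = 1000", "# TCPOnly = Yes"),
}
# Albi's "set both flags behind NAT" rule: works, but the IndirectData line is redundant.
BEHIND_NAT = {"natted": host_file("Address = natted.example", "TCPOnly = yes", "IndirectData = yes")}

if __name__ == "__main__":
    for label, site in [("broken", BROKEN), ("half-fixed", HALF_FIXED),
                        ("fixed", FIXED), ("behind-nat", BEHIND_NAT)]:
        print(f"{label}: {lint_site(site) or ['ok']}")
```

Run as a script it prints the findings for each of the four constructed sets; to check your own deployment, read each file under hosts/ into the dict keyed by node name and call lint_site on it. The pairwise check is the one worth keeping even after the bug itself was fixed: any setting that silently falls back to "enabled" unless both peers agree is a class of misconfiguration that per-file review will not catch.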
Re: ping between nated hosts
Can you give some more detail about the specifics of the network? Such as the subnetting? Is the Tinc interface on A bridged?

On Mon, Feb 16, 2009 at 10:23 PM, Christian Lyra l...@pop-pr.rnp.br wrote:

Hi there,

I'm trying to use tinc to solve this scenario:

Host A has a public/known IP address
Hosts B and C are behind NAT

I'm using switch mode, and hosts B and C have IndirectMode enabled. Host A is in listen-only mode (no ConnectTo set); hosts B and C connect to A.

Everything works almost as expected... B and C connect to A, and they can ping each other, but ONLY after each learns the other's MAC through A. What I mean is: if I start A, B, C, and try to ping C from B, the ping will fail, but if I send a ping to A from C, then B will be able to ping C as it will learn the MAC of C through A. If there's no traffic between the hosts for a while, then the ARP entries will expire from the ARP tables and the problem will happen again.

Is there a way to solve this with a tinc configuration? Leaving a cron job to make the NATed hosts ping A is not an elegant option :-(

--
Christian Lyra
PoP-PR/RNP

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Virtual LAN over Tinc?
I actually sent this to Guus directly before realizing I could send it to this mailing list. So, sorry about that Guus!!

I'm trying to connect two remote networks together with Tinc. I have Tinc installed on a host (host name is donald) at location A, and Tinc installed on a host (host name is irfan) at location B. Right now, donald and irfan can talk to each other. However, donald cannot talk to anything on irfan's LAN. And irfan cannot talk to anything on donald's LAN. For the life of me I can not figure out what the next step is.

Each site has a tap adapter.

Adapters on Donald

Ethernet adapter Tinc:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-3B-30-70-81
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.0
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-40-2B-60-C2-AB
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.2.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1

Adapters on Irfan

Ethernet adapter Tinc:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-91-78-9E-7A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5c44:853f:c710:67d3%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.222.0(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Network Bridge:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : MAC Bridge Miniport
   Physical Address. . . . . . . . . : 02-11-43-AC-52-ED
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3172:6147:f1fa:f349%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.222.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.222.1

You can see that Irfan has a bridge adapter. It is bridged only to a single Local Area Connection. I created the bridge because I thought I would need to bridge the Local Area Connection with the Tinc connection, to expose the networks behind each host. However, when I bridge them, I get loopback errors.

Here are my configuration files. The Name and ConnectTo are opposite for each site.

tinc.conf

Name = Donald
ConnectTo = Irfan
Interface = Tinc
Mode = switch

Donald host file:

Address = argyle.thruhere.net
Compression = 0
Port = 8002
Subnet = 192.168.2.0/24
-BEGIN RSA PUBLIC KEY-
...
-END RSA PUBLIC KEY-

Irfan host file:

Address = irfan.selfip.net
Compression = 0
Port = 8222
Subnet = 192.168.222.0/24
TCPOnly = yes
-BEGIN RSA PUBLIC KEY-
...
-END RSA PUBLIC KEY-

Thanks for any help you can offer.

___ tinc mailing list tinc@tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
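Before touching bridges or Subnet lines, the first thing to check in a site-to-site setup like the one above is whether the address plan is even routable: the tap adapters on both hosts carry a /16 mask that covers both sites' /24 LANs. The script below is an added example, not part of the post and not tinc code. It parses Windows ipconfig output in the format quoted above (the sample input is the post's own listing, trimmed to the fields the parser reads) and reports every pair of interfaces whose IPv4 networks overlap, distinguishing overlaps on one host (ambiguous local routing) from overlaps across hosts (two sites that cannot address each other through the tunnel). Adapter names and masks come straight from the post; nothing else is assumed.

```python
"""Find overlapping IPv4 networks in two sites' `ipconfig /all` output.

Added example; not code from the post or from tinc. Parses adapter listings
the way Windows XP/Vista print them (adapter header at column 0, then
'Name . . . : value' fields indented) and reports each pair of interfaces
whose networks overlap. The sample input is the listing from the post above,
trimmed to the fields the parser needs.
"""
import ipaddress
import re
from itertools import combinations
from typing import Dict, List, Tuple

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s*(IPv4 Address|IP Address|Subnet Mask)[ .]*:\s*(\S+)")

Interface = Tuple[str, ipaddress.IPv4Interface]  # (adapter name, address/mask)


def parse_ipconfig(text: str) -> List[Interface]:
    """Return one (name, IPv4Interface) per adapter that has an address and a mask."""
    adapters: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapters.append({"name": m.group(1)})
            continue
        m = FIELD_RE.match(line)
        if m and adapters:
            # Vista prints "(Preferred)" after the address; XP does not.
            adapters[-1][m.group(1)] = m.group(2).replace("(Preferred)", "")
    result: List[Interface] = []
    for a in adapters:
        addr = a.get("IPv4 Address") or a.get("IP Address")
        if addr and "Subnet Mask" in a:
            # ipaddress accepts dotted netmasks: "192.168.2.0/255.255.0.0" -> 192.168.0.0/16
            result.append((a["name"], ipaddress.IPv4Interface(f"{addr}/{a['Subnet Mask']}")))
    return result


def find_overlaps(hosts: Dict[str, List[Interface]]) -> List[str]:
    """One finding per pair of interfaces (on any hosts) whose networks overlap."""
    flat = [(h, n, i) for h, ifaces in hosts.items() for n, i in ifaces]
    findings: List[str] = []
    for (h1, n1, i1), (h2, n2, i2) in combinations(flat, 2):
        if i1.network.overlaps(i2.network):
            where = "same host" if h1 == h2 else "different hosts"
            findings.append(f"{h1}/{n1} {i1.network} overlaps {h2}/{n2} {i2.network} ({where})")
    return findings


# Constructed sample: the two listings from the post, reduced to the relevant fields.
DONALD = """\
Ethernet adapter Tinc:
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9 #2
   IP Address. . . . . . . . . . . . : 192.168.2.0
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:
   Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
   IP Address. . . . . . . . . . . . : 192.168.2.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
"""
IRFAN = """\
Ethernet adapter Tinc:
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9 #2
   Link-local IPv6 Address . . . . . : fe80::5c44:853f:c710:67d3%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.222.0(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0

Ethernet adapter Network Bridge:
   Description . . . . . . . . . . . : MAC Bridge Miniport
   IPv4 Address. . . . . . . . . . . : 192.168.222.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.222.1
"""


def site_findings() -> List[str]:
    """Overlap report for the two hosts in the post."""
    return find_overlaps({"Donald": parse_ipconfig(DONALD), "Irfan": parse_ipconfig(IRFAN)})


if __name__ == "__main__":
    for line in site_findings():
        print(line)
```

On this input the report lists five overlaps: on each host the tap's 192.168.0.0/16 swallows that host's own /24 LAN, the two tap networks are identical, and each tap /16 also contains the other site's LAN. To reuse it on a live setup, paste `ipconfig /all` output from each site into the dict passed to find_overlaps; an empty report is the precondition for any of the routing or bridging approaches discussed on this list to behave predictably.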