Re: VPN - almost got it

2017-09-13 Thread Andy Ruhl
On Wed, Sep 13, 2017 at 8:59 AM, D'Arcy Cain wrote:
> ifconfig tun0 create
> ifconfig tun0 10.0.0.1 10.0.0.2 netmask 0xfffc
> route add 10.0.0.2/32 10.0.0.1 # should this be necessary?
> route add 192.168.215.0/24 10.0.0.2
>
> On the internal machine I do this:
>
> ifconfig tun0 create
> ifconfig tun0 10.0.0.2 10.0.0.1 netmask 0xfffc
> route add 10.0.0.1/32 10.0.0.2 # should this be necessary?
> route add 192.168.0.0/24 10.0.0.1
> /usr/bin/ssh -f -w 0:0 queen.vex.net true

Those static routes shouldn't be necessary; the two tun interfaces are
in the same subnet, so no routing is needed.

Sorry, can't help with the rest, I haven't done this in NetBSD.

Andy


Re: VPN - almost got it

2017-09-13 Thread gary
"D'Arcy Cain" wrote:
=> I am trying to set up a VPN between two NetBSD boxes, one of which has a
=> public address.  Here is what I do on the public machine in rc.local:
=>
=> ifconfig tun0 create
=> ifconfig tun0 10.0.0.1 10.0.0.2 netmask 0xfffc
=> route add 10.0.0.2/32 10.0.0.1 # should this be necessary?
=> route add 192.168.215.0/24 10.0.0.2
=>
=> On the internal machine I do this:
=>
=> ifconfig tun0 create
=> ifconfig tun0 10.0.0.2 10.0.0.1 netmask 0xfffc
=> route add 10.0.0.1/32 10.0.0.2 # should this be necessary?
=> route add 192.168.0.0/24 10.0.0.1
=> /usr/bin/ssh -f -w 0:0 queen.vex.net true
=>
=> The IP address of the first machine is 192.168.0.57 and I can get there
=> fine from any machine in the 215 network.  However I can't get to any
=> other machine on the 0 side.  Both machines show "net.inet.ip.forwarding
=> = 1".  Am I missing something else?

   Do the other machines on the 0 side have a route through their tunnel
endpoint machine?

   Gary Duzan





VPN - almost got it

2017-09-13 Thread D'Arcy Cain
I am trying to set up a VPN between two NetBSD boxes, one of which has a 
public address.  Here is what I do on the public machine in rc.local:


ifconfig tun0 create
ifconfig tun0 10.0.0.1 10.0.0.2 netmask 0xfffc
route add 10.0.0.2/32 10.0.0.1 # should this be necessary?
route add 192.168.215.0/24 10.0.0.2

On the internal machine I do this:

ifconfig tun0 create
ifconfig tun0 10.0.0.2 10.0.0.1 netmask 0xfffc
route add 10.0.0.1/32 10.0.0.2 # should this be necessary?
route add 192.168.0.0/24 10.0.0.1
/usr/bin/ssh -f -w 0:0 queen.vex.net true

The IP address of the first machine is 192.168.0.57 and I can get there 
fine from any machine in the 215 network.  However I can't get to any 
other machine on the 0 side.  Both machines show "net.inet.ip.forwarding 
= 1".  Am I missing something else?


Cheers.

--
D'Arcy J.M. Cain 
http://www.NetBSD.org/ IM:da...@vex.net
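
An added example, not code from the original post: the procedure above as one script that emits the commands for either tunnel end, with the two points raised in the replies bolted on as checks. Andy's point (both tunnel addresses sit in one subnet, so the /32 host routes are redundant) becomes a numeric check, and Gary's question (do the other LAN hosts route the far prefix through their own tunnel endpoint?) becomes the route line such a host needs. Assumptions not on the page: the intended tunnel netmask is the /30 0xfffffffc (the post shows 0xfffc), and sshd on queen.vex.net has PermitTunnel yes, which OpenSSH does not enable by default. The LAN address of the internal endpoint is not given in the thread, so lan_host_route takes it as an argument; vpn_commands, lan_host_route, ip2int and same_subnet are names chosen here. Addresses, interface name and host name are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the per-side setup
# for the ssh(1) tun VPN described in the thread and adds two checks.
# Assumptions not on the page: the tunnel netmask is the /30 0xfffffffc
# (the post shows 0xfffc) and sshd on the public host has "PermitTunnel yes"
# (OpenSSH defaults to no). Addresses, interface and host names are the post's.

TUN_IF=tun0
PUBLIC_TUN=10.0.0.1             # tunnel end on the public host
INTERNAL_TUN=10.0.0.2           # tunnel end on the internal host
TUN_MASK=0xfffffffc             # assumed /30, see above
PUBLIC_LAN=192.168.0.0/24       # LAN behind the public host
INTERNAL_LAN=192.168.215.0/24   # LAN behind the internal host
PUBLIC_HOST=queen.vex.net       # what the internal host sshes to

# Print the commands for one tunnel end; run them as root (rc.local).
# Usage: vpn_commands public|internal
vpn_commands() {
    case "$1" in
    public)   me=$PUBLIC_TUN;   peer=$INTERNAL_TUN; remote_lan=$INTERNAL_LAN ;;
    internal) me=$INTERNAL_TUN; peer=$PUBLIC_TUN;   remote_lan=$PUBLIC_LAN ;;
    *) echo "usage: vpn_commands public|internal" >&2; return 2 ;;
    esac
    echo "ifconfig $TUN_IF create"
    echo "ifconfig $TUN_IF $me $peer netmask $TUN_MASK"
    # No /32 route to the peer: the point-to-point interface installs it.
    echo "route add $remote_lan $peer"
    # Both ends must forward, or LAN traffic stops at the tunnel end.
    echo "sysctl -w net.inet.ip.forwarding=1"
    if [ "$1" = internal ]; then
        # -w 0:0 attaches local tun0 to tun0 on the peer; needs root on both
        # ends and PermitTunnel on the server. Same form as ssh(1)'s VPN example.
        echo "/usr/bin/ssh -f -w 0:0 $PUBLIC_HOST true"
    fi
}

# Gary's question, as a command: a host on either LAN reaches the far LAN
# only if it sends that prefix to its own tunnel end (or that end is its
# default gateway). $2 is the LAN address of that side's tunnel end; the
# public one is 192.168.0.57 per the post, the internal one is not given.
# Usage: lan_host_route public|internal ENDPOINT_LAN_ADDR
lan_host_route() {
    case "$1" in
    public)   echo "route add $INTERNAL_LAN $2" ;;
    internal) echo "route add $PUBLIC_LAN $2" ;;
    *) return 2 ;;
    esac
}

# Andy's point, checked numerically: under TUN_MASK both tunnel addresses
# share one prefix, so they are directly reachable without a host route.
ip2int() {                      # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
same_subnet() {                 # same_subnet ADDR1 ADDR2 HEXMASK
    m=$3
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$2") & $m )) ]
}

if [ $# -gt 0 ]; then
    vpn_commands "$1"
    same_subnet "$PUBLIC_TUN" "$INTERNAL_TUN" "$TUN_MASK" \
        || echo "warning: tunnel ends are not in one $TUN_MASK subnet" >&2
fi
```

Run it as `sh vpn.sh public` on the public box and `sh vpn.sh internal` on the inside box and feed the output to a root shell; then, on every other host of each LAN (or on that LAN's default gateway), add the line `lan_host_route` prints for that side. Without that last step the tunnel endpoints can talk to each other and to the far LAN, but replies from hosts that are not the endpoint go to their usual default gateway and never enter the tunnel, which matches the symptom in the post.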


Re: dhcpcd and multiple IPv6 gateways on one interface

2017-09-13 Thread Andy Ruhl
On Tue, Sep 12, 2017 at 10:37 AM, Roy Bixler wrote:
> I'm pretty sure that our network does not use Cisco as the router.  I
> think that the admin uses some kind of a Linux distribution which he
> then sets up with an OSPF daemon and so forth.

I'll say it another way: Once you put an IPv6 address onto some
devices, Cisco in particular, they "just decide" to become a router
and do router advertisements. This is probably the case on your
network.

> Fair enough.  I've tried to do a little research myself and my
> understanding of Linux is that it sets up the multiple IPv6 default
> routes on the same interface when it gets advertisements from
> different routers which have the same preference.  Some folks may say
> that's not recommended, but I could see using it if load balancing is
> a consideration.  Otherwise, I would think it would be unnecessary.
> Why not just set one router to have a higher preference?  Then I'd
> imagine failover would occur if that router went down.  My only
> experience with setting up a network is with a small SOHO LAN, so I
> may easily be missing something.
>
> The routing table looks like this:
>
> % ip -f inet6 r
> 
> fe80::/64 dev br0  proto kernel  metric 256
> default via fe80::nnn:::2e47 dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64
> default via fe80::nnn:::2d5b dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64
> default via fe80::nnn:::2df3 dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64
>
> So there are 3 default IPv6 routes on the same interface.

So really, you have 2 issues here:

1. Who is sending out router advertisements? You can probably find
that out easily enough since the MAC is embedded in these link local
addresses. Might want to find out if those machines should be doing
that. Probably not.

2. How does a machine properly handle this situation? Linux seems to
just put in equal cost routes for all of them, so either they are load
balancing or they have some other selection criteria. Based on the
behavior of machines doing router advertisements, I would hope that
reachability is being done somehow, but maybe this is wishful
thinking. (Again, unresearched.)

Andy
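
An added example, not code from the thread, for the first of Andy's two issues (who is sending the router advertisements): it pulls each RA-learned default gateway out of a dump in the shape Roy posted and recovers the router's MAC from the link-local address when the interface identifier is EUI-64 derived (the ff:fe in the middle of the identifier, with the universal/local bit flipped back). The route lines and addresses below are constructed, since the ones on the page are redacted; ra_senders, eui64_to_mac and SAMPLE_ROUTES are names chosen here. One caveat on "the MAC is embedded": routers that use random or stable-privacy identifiers do not decode this way, and then the neighbor cache (ndp -an on NetBSD, ip -6 neigh on Linux) is where the link-layer address is.

```shell
#!/bin/sh
# Added example, not code from the thread. For Andy's first question (who is
# sending the router advertisements): pull each RA-learned default gateway
# out of an "ip -f inet6 route" dump and recover the router's MAC when the
# link-local interface identifier is EUI-64 derived. The sample route lines
# below are constructed; the addresses on the page are redacted.

# Recover a MAC from an EUI-64 link-local address (fe80::XXYY:ZZff:feAA:BBCC).
# Exit 1 for anything else, including random / stable-privacy identifiers.
# Usage: eui64_to_mac ADDR[%zone]   -> xx:yy:zz:aa:bb:cc
eui64_to_mac() {
    case "$1" in
    fe80::*) iid=${1#fe80::} ;;
    *) return 1 ;;
    esac
    iid=${iid%%\%*}                         # drop a %zone suffix
    set -- $(printf '%s\n' "$iid" | tr ':' ' ')
    [ $# -ge 1 ] && [ $# -le 4 ] || return 1
    hex=""
    n=$#
    while [ "$n" -lt 4 ]; do hex="${hex}0000"; n=$((n + 1)); done   # groups elided by ::
    for g in "$@"; do hex="$hex$(printf '%04x' "0x$g")"; done      # zero-pad each group
    [ "$(printf '%s' "$hex" | cut -c7-10)" = "fffe" ] || return 1   # the ff:fe marker
    h0=$(printf '%s' "$hex" | cut -c1-2)
    printf '%02x:%s:%s:%s:%s:%s\n' \
        $(( 0x$h0 ^ 0x02 )) \
        "$(printf '%s' "$hex" | cut -c3-4)"   "$(printf '%s' "$hex" | cut -c5-6)" \
        "$(printf '%s' "$hex" | cut -c11-12)" "$(printf '%s' "$hex" | cut -c13-14)" \
        "$(printf '%s' "$hex" | cut -c15-16)"
}

# Read a Linux "ip -f inet6 route" dump on stdin; for each default route
# learned from an RA print the gateway and, if recoverable, its MAC.
ra_senders() {
    awk '$1 == "default" && $2 == "via" && /proto ra/ { print $3 }' |
    while read -r gw; do
        if mac=$(eui64_to_mac "$gw"); then
            echo "$gw $mac"
        else
            echo "$gw (not EUI-64: check the neighbor cache)"
        fi
    done
}

# Constructed sample in the shape of Roy's dump (not the page's addresses).
SAMPLE_ROUTES='fe80::/64 dev br0  proto kernel  metric 256
default via fe80::211:22ff:fe33:4455 dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64
default via fe80::a8bb:ccff:fedd:eeff dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64
default via fe80::1234:5678:9abc:def0 dev br0  proto ra  metric 1024 expires 1783sec hoplimit 64'

if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_ROUTES" | ra_senders
else
    for a in "$@"; do eui64_to_mac "$a" || echo "$a: not EUI-64"; done
fi
```

With no arguments the script runs over the constructed sample and prints two decoded MACs and one "not EUI-64" line; on the real network, pipe `ip -f inet6 route` into `ra_senders` instead, then match the MACs against the switch's address table or DHCP leases to find the boxes that should not be advertising.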