I cannot understand why you say the configuration for B will be tricky.

If you select the switch mode, and some machine can initiate a connection to some other machine, until there is a path, the whole net will behave as if all the tap devices were connected to a single switch.

It is not a VPN in the strict IPsec meaning; you should see it more like an encrypted VLAN.

On 05/01/2017 12:00 PM, Bright Zhao wrote:
> Hi, Tinc experts
>
> Diagram as below, A is trying to access host X behind C:
>
> A >> B >> C — "host X"
>
> B is the tinc server for A, but also B is the tinc client to connect to C.
>
> My question is, if I only use one VPN (/etc/tinc/myvpn), then the host
> configuration for B will be tricky.
>
> As the tinc server to A, B’s host config (/etc/tinc/myvpn/hosts/B) needs to have
> the Subnet = X/32, which indicates the VPN serves this host.
> But as the tinc client to C, B’s host config shouldn’t include Subnet = X/32,
> because X/32 is behind C.
>
> If no direct connection is available from A to C, the only way I can figure
> out is to set up two VPNs, /etc/tinc/vpn1 and /etc/tinc/vpn2:
>
> A >> vpn1 >> B >> vpn2 >> C — "host X"
>
> If so, the /etc/tinc/vpn1/hosts/B can have Subnet =X/32; but the
> /etc/tinc/vpn2/hosts/B can exclude Subnet =X/32 since it’s the client side
> for C.
>
> Let me know if there’s any other simple way to achieve this.
> _______________________________________________
> tinc mailing list
> [email protected]
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
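
Added example, not part of the original thread: a single-VPN layout for the A >> B >> C chain in switch mode, as the reply suggests. Host names and addresses (b.example.org, c.example.org) are constructed placeholders; reaching host X also requires C to bridge or route between its tap device and X's network, which is outside this fragment.

```ini
# ---- on A: /etc/tinc/myvpn/tinc.conf ----
Name = A
Mode = switch          # forward Ethernet frames; peers are learned by MAC address
ConnectTo = B          # A only needs a meta connection to B

# ---- on B: /etc/tinc/myvpn/tinc.conf ----
Name = B
Mode = switch
ConnectTo = C          # B accepts A's connection and dials out to C

# ---- on C: /etc/tinc/myvpn/tinc.conf ----
Name = C
Mode = switch          # no ConnectTo: C only accepts B's connection

# ---- /etc/tinc/myvpn/hosts/B (copy held by A) ----
Address = b.example.org    # constructed placeholder for B's reachable address
# B's public key block follows here (generated on B with: tincd -n myvpn -K)
# No "Subnet = X/32" line: in switch mode the host file does not have to
# declare which IP networks sit behind a node.

# ---- /etc/tinc/myvpn/hosts/C (copy held by B) ----
Address = c.example.org    # constructed placeholder for C's reachable address
# C's public key block follows here

# B also holds hosts/A and C also holds hosts/B, each with that node's
# public key so the incoming meta connection can be authenticated.
# Each node assigns its own VPN IP address to the tap interface in
# /etc/tinc/myvpn/tinc-up, all within one shared IP network.
```

Because every node in the VPN shares one Ethernet segment in this mode, broadcast and ARP traffic from any node reaches all the others, so host firewalls on the tap interface should be set with that in mind.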
