Hi, Guus

I don’t quite understand what you describe below. To me, no matter whether tinc or any 
other router/PC gets an IP packet, it will check its route table to 
match the destination IP against the route table for the next hop. If I put "ip 
route add default via <C’s VPN IP address> dev $INTERFACE", I thought tinc would 
match the packet’s destination IP to the “default”, and then send the traffic 
through $INTERFACE to the next hop <C’s VPN IP address>.

And when it finds the next hop is a virtual interface (instead of Ethernet, 
where ARP can handle layer 2), it will then map to the physical tinc 
connection over which A to C’s tunnel has been built, and put the packet inside that 
connection to forward.

This understanding is my knowledge from traditional IPSec VPN; let me know if 
there’s anything wrong for tinc. And BTW, do we have any training / technical 
intro for tinc besides the documentation part from tinc-vpn.org?


> On 2 May 2017, at 1:43 PM, Guus Sliepen <[email protected]> wrote:
> 
> On Tue, May 02, 2017 at 09:16:53AM +0800, Bright Zhao wrote:
> 
>> In this case, A's traffic route to the Internet goes through C to D to the 
>> Internet, but if I add Subnet =0.0.0.0/0 on B, the traffic seems to go directly 
>> from A to B to the Internet.
> [...]
>> During the whole process, A's default gateway points to C.
> 
> It might look that way, but it doesn't. I assume you did something like
> this on A:
> 
> ip route add default via <C's VPN IP address> dev $INTERFACE
> 
> However, the "via <some address>" part is only something that has any
> effect on Ethernet networks. If tinc is in router mode, your VPN is a
> pure layer 3 network. There are no Ethernet headers, only IP headers. IP
> headers only have a source and destination IP address, they don't
> contain any information about a gateway. So when tinc gets a packet, it
> can only route based on the final destination.
> 
> -- 
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <[email protected]>
> _______________________________________________
> tinc mailing list
> [email protected]
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
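
The router-mode behaviour described in the quoted reply, as an added example that is not part of the original thread and is not tinc's own code. It is a simplified Python model: the node addresses are constructed sample values, only nodes A, B and C are modelled, and picking the most specific matching Subnet is an assumption of the model.

```python
import ipaddress

# Constructed Subnet declarations (node name -> Subnet values in its host file).
# The addresses are sample values, not taken from the thread.
SUBNETS = {
    "A": ["10.0.0.1/32"],
    "B": ["10.0.0.2/32"],
    "C": ["10.0.0.3/32"],
}

def kernel_send(dst, src, gateway):
    """Model the kernel handing a packet to a layer 3 tun device.

    `gateway` stands for the "via" address of the route. It is only used to
    resolve a link-layer next hop, and a tun device has none, so what reaches
    the VPN daemon is an IP header with a source and a destination only.
    """
    return {"src": src, "dst": dst}

def owner_for(dst, subnets):
    """Return the node whose Subnet best matches dst (longest prefix), or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for node, nets in subnets.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node, net)
    return best[0] if best else None

def forward(packet, subnets):
    """Router-mode decision: chosen from the final destination alone."""
    return owner_for(packet["dst"], subnets)

if __name__ == "__main__":
    # A sends to an Internet host with "default via C" configured.
    pkt = kernel_send("203.0.113.7", src="10.0.0.1", gateway="10.0.0.3")
    print("no node owns a default Subnet:", forward(pkt, SUBNETS))
    with_b = dict(SUBNETS, B=["10.0.0.2/32", "0.0.0.0/0"])
    print("Subnet = 0.0.0.0/0 added on B:", forward(pkt, with_b))
```

In the model, changing the `gateway` argument never changes the result, which matches the observation in the thread that traffic went to B once B declared `0.0.0.0/0`, even though A's default gateway pointed to C.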
