On Sat, Mar 31, 2018 at 12:00:57PM +0000, John Radley (yahoo) wrote:
> I have a three tinc server setup, similar to "4.3 How Connections
> Work" using the configuration mostly like
> http://ostolc.org/site-to-site-vpn-with-tinc.html
>
> The clients (Ubuntus, Debians and Windows 10s) can all ping (and SSH)
> to each other remotely. As far as that is concerned it's working great
> - thanks so much for some great software.
>
> However, on each of the Tinc servers (A and C) neither of them can
> ping other remote clients. Of course, A and C can ping each other. If
> I use tcpdump -nni tun0 icmp I can see the echo packets leave the
> server, and on a remote client see the request received and the reply
> sent. However the server never gets the reply. It seems that on each
> server there is no internal routing between enp1s0 and tun0 for IPs
> that are not server IPs. I guess I can live with such a limitation,
> but would still like to know why!!
Tinc itself doesn't take care of that routing outside of the VPN itself, so
it is up to you to configure it correctly.
> TINC-UP
> ip link set $INTERFACE up
> ip addr add 192.168.20.3/24 dev $INTERFACE
> route add -net 192.168.14.0/24 gw 192.168.20.3
> route add -net 192.168.6.0/24 gw 192.168.4.99
First, if you are already using "ip" to assign an address, then instead of the
"route" command, use the "ip route" command to configure extra routes, like so:
ip route add 192.168.14.0/24 via 192.168.20.3
ip route add 192.168.6.0/24 via 192.168.4.99
Note that the first route command is equivalent to:
ip route add 192.168.14.0/24 dev $INTERFACE
> ROUTE TABLE on A
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> default 192.168.4.1 0.0.0.0 UG 100 0 0 enp1s0
> link-local * 255.255.0.0 U 1000 0 0 enp1s0
> 192.168.4.0 * 255.255.255.0 U 100 0 0 enp1s0
> 192.168.6.0 192.168.4.99 255.255.255.0 UG 0 0 0 enp1s0
> 192.168.14.0 192.168.20.3 255.255.255.0 UG 0 0 0 tun0
> 192.168.20.0 * 255.255.255.0 U 0 0 0 tun0
[...]
> Net 192.168.4.0 is the A local network
> IP of A is 192.168.4.30, IP of C is 192.168.14.20
[...]
> Only thing wrong is, for example on A, ping 192.168.14.60 does not work
> On C, ping 192.168.4.26 does not work
The problem is most likely with the hosts 192.168.14.60 and
192.168.4.26. What does their routing table look like? If 192.168.4.26
just has:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.4.1 0.0.0.0 UG 100 0 0 enp1s0
link-local * 255.255.0.0 U 1000 0 0 enp1s0
192.168.4.0 * 255.255.255.0 U 100 0 0 enp1s0
Then packets for 192.168.20.* or 192.168.14.* will go to the default
gateway 192.168.4.1, and will not go to your host running tinc. A ping
packet from C might reach host 192.168.14.26, but that host will send
the return packet in the wrong direction.
To fix this, you must either add a route that looks like this to each
host on A:
192.168.14.0 192.168.4.30 255.255.255.0 UG 0 0 0 enp1s0
Or you have to tell the router (192.168.4.1) that packets for
192.168.14.0/24 should be forwarded to 192.168.4.30. And you have to do
something similar on the other sites.
> But on clients 192.168.14.60 and 192.168.4.26 can ping each other.
Ok, that is weird... if those can ping each other, they should both be
able to ping A and C as well.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <[email protected]>
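As an added illustration of the asymmetric return path described in the reply (not part of the original thread), the following Python simulates longest-prefix-match lookups over the routing tables quoted above. The LAN host's tables are constructed from the thread's addresses, and the 192.168.20.0/24 return route is an assumed extra entry of the same shape as the suggested 192.168.14.0/24 one.

```python
import ipaddress

# Routing tables transcribed from the thread, as (destination, gateway, iface);
# gateway None means the destination is directly connected (on-link).
HOST_A = [                                   # tinc server A, 192.168.4.30
    ("0.0.0.0/0",       "192.168.4.1",  "enp1s0"),
    ("192.168.4.0/24",  None,           "enp1s0"),
    ("192.168.6.0/24",  "192.168.4.99", "enp1s0"),
    ("192.168.14.0/24", "192.168.20.3", "tun0"),
    ("192.168.20.0/24", None,           "tun0"),
]
LAN_HOST_BEFORE = [                          # plain host 192.168.4.26, as guessed in the reply
    ("0.0.0.0/0",       "192.168.4.1",  "enp1s0"),
    ("192.168.4.0/24",  None,           "enp1s0"),
]
TINC_HOST_A = "192.168.4.30"
# The suggested fix: point the remote site at A. The 192.168.20.0/24 entry is an
# assumed extra route of the same shape, covering the tunnel addresses themselves.
LAN_HOST_AFTER = LAN_HOST_BEFORE + [
    ("192.168.14.0/24", TINC_HOST_A, "enp1s0"),
    ("192.168.20.0/24", TINC_HOST_A, "enp1s0"),
]

def lookup(table, dst):
    """Longest-prefix match like the kernel's FIB. Returns (next_hop, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return (gw or str(dst), iface)           # on-link: next hop is dst itself

def misrouted_replies(lan_table, remote_sources, tinc_host):
    """Remote source addresses whose replies this LAN host would NOT hand to the
    tinc gateway: the asymmetric-routing cases that make ping fail one way."""
    return [s for s in remote_sources if lookup(lan_table, s)[0] != tinc_host]

if __name__ == "__main__":
    remote = ["192.168.14.20", "192.168.20.3"]   # C's LAN address, A's tun0 address
    print("A -> 192.168.14.60 via", lookup(HOST_A, "192.168.14.60"))
    print("replies lost before fix:", misrouted_replies(LAN_HOST_BEFORE, remote, TINC_HOST_A))
    print("replies lost after fix: ", misrouted_replies(LAN_HOST_AFTER, remote, TINC_HOST_A))
```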
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
