Hello again :)

Thank you all for your replies. Below are the config files of the 3 hosts.
I use tinc in router mode. I do not have any kernel mode config lines anywhere, so tinc must be using the default settings here.

I added the ipaddressx to subnets on hostc and this works. Traffic to that ip is now routed via hostc. But since this ipaddressx address changes often I need to resolve it automatically and change the iptables rules that mark the packets. I was really hoping to have to do this at one location (at hosta) and not update the subnets on hostc. (and I also would like to understand how this works with tinc)

If I use the old route command I can tell it to route traffic for a certain ip to a certain gateway. (without tinc)
i.e.: route add -host 192.168.0.16 gw 10.0.0.1 eth0
I always assumed packets were specifically sent to 10.0.0.1 if packets with destination 192.168.0.16 arrived on this host. But Guus says the VIA option has no effect. So is there a way to send packets to a specific gateway ip using ip route? I do have a subnet 0.0.0.0 at hostb so that is probably why traffic goes out via hostb when I do not have the specific subnet/ip at hostc.

Regards

Hans de Groot


configs at hosta
tinc.conf
Name = hosta
Device =/dev/net/tun
Hostnames = No
connectto = hostb
Mode = Router
KeyExpire = 3600
PingInterval = 10
PingTimeout = 15
PrivateKeyFile = /etc/tinc/tincnet/rsa_key.priv
ProcessPriority = high
PMTUDiscovery = yes

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.21 netmask 255.255.255.0
route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
ip route add default via 192.168.230.160 dev tincnet table hostc
ip rule add from 0.0.0.0/0 fwmark 1 table hostc


hosta
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.21/32
TCPonly = yes

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

-------------------------------------------------
configs at hostb
tinc.conf
AddressFamily = ipv4
Name = hostb
Device =/dev/net/tun
Hostnames = No
Mode = Router
KeyExpire = 3600
PingInterval = 30
PingTimeout = 60
PrivateKeyFile = /usr/local/etc/tinc/tincnet/rsa_key.priv
ProcessPriority = high
PMTUDiscovery = yes

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.1 netmask 255.255.255.0
route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
ip route add default via 192.168.230.160 dev tincnet table hostc
ip rule add from 0.0.0.0/0 fwmark 1 table hostc

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = No
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

hostc
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 192.168.230.160/32
Subnet = 10.100.1.241/32
TCPonly = Yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

-----------------------------------------------------------
config at hostc
tinc.conf
AddressFamily = ipv4
Name = hostc
ConnectTo = hostb
Interface = tincnet
Hostnames = No
Mode = Router
KeyExpire = 3600
PingInterval = 10
PingTimeout = 10

tinc-up
#!/bin/bash
ifconfig $INTERFACE 192.168.230.160 netmask 255.255.255.0

hostb
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 110
Subnet = 192.168.230.1/32
Subnet = 0.0.0.0/0
TCPonly = Yes

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----


hostc
Address = x.x.x.x
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 192.168.230.160/32
Subnet = 10.100.2.2/32
Subnet = 10.100.1.236/32
TCPonly = Yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

On 4/10/2018 11:18 PM, Guus Sliepen wrote:
> On Tue, Apr 10, 2018 at 03:36:08PM +0200, Hans de Groot wrote:
>
>> hosta  <--> hostb  <-->  hostc
>>
>> Hosta and hostc are not directly connected via tinc. But both are connected
>> via hostb (I called my network tincnet). This works fine, I can ssh from
>> hosta to hostc and vice versa without any problems.
>>
>> hostc is in a whitelisted IP range at some service provider.
>>
>> I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
>>
>> I added the iptables mangle rule to mark all traffic to ipaddressx at port
>> 700.
>>
>> -A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK --set-mark 0x1
>>
>> I added:
>>      ip route add default via iphostc dev tincnet table hostc
>>      ip rule add from 0.0.0.0/0 fwmark 1 table hostc
>
> If you are running tinc in router mode (which is the default), then the
> "via iphostc" option does not have any effect. The packets will go to
> dev tincnet, but there is nothing in the header of IP packets that
> contains the address of the gateway.
>
> Also, if you are using router mode, then you must inform tinc about
> which peer to send packets with destination address ipaddressx to. So
> you can add "Subnet = ipaddressx/" to hostc's hosts/hostc. But tinc only
> routes on address, not on ports.
>
>> Now when I try this:
>>
>> traceroute -T -n ipaddressx -p 700
>>
>> The route goes via the ip of hostb and not via the ip of hostc as I would
>> have expected.
>
> There are two possibilities for this: one is that tinc thinks the
> packets with destination address ipaddressx should go to hostb (because
> of what is in the Subnet statements), the other is that hosta and hostc
> cannot directly communicate with each other, and traffic is routed via
> hostb, and you have Forwarding = kernel in your tinc.conf. The latter
> will force the packets to be sent to the tun interface on hostb, and if
> you don't have any rules on hostb to send packets for ipaddressx port
> 700 to hostc, they will not be forwarded the way you want.
>
>> A weird thing is when I try the add route with any ip in the tincnet subnet
>> the route gets added even if that ip is not in use and all traffic still
>> goes via the ip of hostb.
>> i.e.: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table hostc
>
> Again, in router mode, the "via ..." option has no effect at all.
>
>> Is it tincd at hostb that intercepts the traffic actually meant for hostc
>> and thinks it's meant for hostb and rewrites stuff automatically?  Or am I
>> missing something in the ip route / ip rules part?
>
> Tinc itself does not rewrite anything.
>
>> But I really would like to understand how to do this via mangle/fwmark and
>> ip route / ip rule way.
>
> It would help if you could show us your tinc.conf from hostb, and all
> hosts/* files, so we can check how you configured tinc exactly.
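An added example (not from this thread or the tinc project) in POSIX sh that models the forwarding decision Guus describes: in router mode tinc hands a packet to the peer whose announced Subnet is the longest prefix matching the destination, and the "via" gateway in the ip route rule never enters that decision. The table is copied from the hosts/* files posted above; 203.0.113.10 is a constructed stand-in for ipaddressx.

```shell
#!/bin/sh
# Model of tinc's router-mode forwarding decision (added example, not tinc
# code): the peer whose announced Subnet is the longest matching prefix wins.
# Table copied from the hosts/* files posted above, as node=prefix tokens.
SUBNETS="hosta=192.168.230.21/32 hostb=192.168.230.1/32 hostb=0.0.0.0/0
hostc=192.168.230.160/32 hostc=10.100.2.2/32 hostc=10.100.1.236/32"

# Dotted-quad IPv4 address -> integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if address $1 lies inside prefix $2 (written a.b.c.d/len).
in_prefix() {
    plen=${2#*/}
    [ "$plen" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    keep=$(( 32 - plen ))                  # host bits to discard
    [ $(( $(ip2int "$1") >> keep )) -eq $(( $(ip2int "${2%/*}") >> keep )) ]
}

# tinc_route DEST [TABLE]: print the node tinc would send DEST to, or "none".
# The Linux "via" gateway on the tun device plays no part in this lookup.
tinc_route() {
    table=${2:-$SUBNETS}; best_len=-1; best_node=none
    for entry in $table; do
        node=${entry%%=*}; prefix=${entry#*=}; len=${prefix#*/}
        if in_prefix "$1" "$prefix" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_node=$node
        fi
    done
    echo "$best_node"
}

# 203.0.113.10 stands in for the changing ipaddressx (constructed value);
# with only the posted Subnet lines it falls through to hostb's 0.0.0.0/0.
for dest in 192.168.230.160 10.100.2.2 203.0.113.10; do
    echo "$dest -> $(tinc_route "$dest")"
done
# Once hostc announces "Subnet = 203.0.113.10/32", the /32 beats the /0:
echo "203.0.113.10 -> $(tinc_route 203.0.113.10 "$SUBNETS hostc=203.0.113.10/32")"
```

Because the lookup is by destination address only, the fwmark and the routing table on hosta can at most deliver the packet to the tun device; only a Subnet announced by hostc makes tinc choose hostc over hostb's 0.0.0.0/0.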



_______________________________________________
tinc mailing list
tinc@tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

