Howdy,
I tried tackling this on IRC with Ivo, but I suspect that IRC may really
not be the best medium for technical discussions, so I'll reprise it here.
I am trying to duplicate the "tinc from behind a masquerading firewall"
example from the tinc web site:
  (home)       <--> (masquerading firewall) <--> (office)
  192.168.1.21      192.168.1.1/1.2.3.4          4.3.2.1
I've encountered some sticky bits to which I was hoping someone here could
offer a solution.  The symptom is messages similar to the following in the
logs on the "office" side of the connection:
  Received UDP packet on port 655 from unknown source 1.2.3.4:63791
Which is, of course, true.  One end of the VPN is behind a masquerading
firewall, so outbound packets from my house get rewritten at the firewall.
I haven't yet figured out a way around this problem.
The example (and Ivo) suggests the use of the ipmasqadm 'portfw' module,
but this would appear to only help for inbound connections -- e.g.,
forwarding connections to 1.2.3.4:655 to 192.168.1.21:655.  In fact, if I
were to initiate the connection from (home), this would appear to be
completely unnecessary, but for the sake of matching the online example
I'll leave it for now.
I may be missing something terribly obvious here, but I'm not sure how to
fix the source port of outbound packets while still allowing the firewall
to masquerade connections.
In the hope that someone on this list can set me straight I've included
details of my configuration below:
(1) The firewall is currently running a very permissive configuration
    that boils down to:
      ipchains -A forward -s 192.168.1.0/24 -j MASQ
      ipmasqadm portfw -a -P tcp -L 1.2.3.4 655 -R 192.168.1.21 655
      ipmasqadm portfw -a -P udp -L 1.2.3.4 655 -R 192.168.1.21 655
    Where 1.2.3.4 is the externally visible address of the firewall.
(2) I am initiating the connection from the "office" side of things (which
    for this example has the IP address 4.3.2.1).  That is,
    /etc/tinc/vpn/tinc.conf contains:
      At the office:
        tinc.conf:
          Device = /dev/net/tun
          Name = atwork
          PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv
          ConnectTo = athome
        tinc-up:
          ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
          ifconfig $INTERFACE inet 10.0.0.1 netmask 255.0.0.0 -arp
      At my house:
        tinc.conf:
          Device = /dev/misc/net/tun
          Name = athome
          PrivateKeyFile = /etc/tinc/LARSSHACK/rsa_key.priv
        tinc-up:
          ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
          ifconfig $INTERFACE inet 10.1.0.1 netmask 255.0.0.0 -arp
    hosts/athome contains:
      address = 1.2.3.4
      subnet = 10.1.0.0/16
    hosts/atwork contains:
      Address = 4.3.2.1
      Subnet = 10.0.0.1/32
Thanks in advance,
-- Lars
-- 
Lars Kellogg-Stedman <lars@larsshack.org>
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
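An added diagnostic (example code of mine, not part of Lars's mail or of tinc) that reads "unknown source" log lines of the shape quoted above and checks each source address against the Address entries from the hosts/ directory: a configured address arriving from a port other than 655 points at the masquerading firewall rewriting the UDP source port, not at an unexpected peer. The HOSTS table and the log lines are constructed from the values in the post.

```python
import re
from collections import Counter

# Constructed from the post's hosts/ files: name -> (Address, tinc UDP port).
HOSTS = {"athome": ("1.2.3.4", 655), "atwork": ("4.3.2.1", 655)}

# Constructed log excerpt in the format quoted in the post (not a real capture).
LOG = """\
Received UDP packet on port 655 from unknown source 1.2.3.4:63791
Received UDP packet on port 655 from unknown source 1.2.3.4:63791
Received UDP packet on port 655 from unknown source 1.2.3.4:63794
Received UDP packet on port 655 from unknown source 9.9.9.9:655
Connection from 1.2.3.4 port 34567
"""

UNKNOWN_RE = re.compile(
    r"Received UDP packet on port (?P<lport>\d+) from unknown source "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$"
)


def parse_unknown_sources(log):
    """Return (source_ip, source_port, local_port) for each 'unknown source' line."""
    events = []
    for line in log.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            events.append((m["ip"], int(m["sport"]), int(m["lport"])))
    return events


def classify(ip, sport, hosts=HOSTS):
    """Match an unknown-source event against configured hosts/ Address entries."""
    for name, (addr, port) in hosts.items():
        if addr == ip:
            if sport == port:
                return name, "known host, expected port"
            # Address matches a hosts/ file but the port does not: the NAT
            # device between the peers rewrote the UDP source port.
            return name, "known host, source port rewritten (masquerading)"
    return None, "address not in hosts/ (genuinely unknown)"


def triage(log, hosts=HOSTS):
    """Count unknown-source events per (host name, ip, verdict)."""
    summary = Counter()
    for ip, sport, _lport in parse_unknown_sources(log):
        name, verdict = classify(ip, sport, hosts)
        summary[(name, ip, verdict)] += 1
    return summary
```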