Hi,

I'm currently trying to set up a VPN with tinc, which allows employees to dial into our company LAN (private IPs) with their company laptop.

What I have done:
- read the tinc documentation
- read the FAQs
- read the samples
- installed tinc with an Ubuntu package on a virtual machine inside our LAN (but not configured it yet)

From what I've read so far I believe that the VPN must always have a different IP subnet than the private LAN itself, and therefore use routing. Is that correct? But I would actually prefer to assign IPs from our current LAN to the VPN clients.

Our current IP setup:
Local servers and printers: 192.168.139.1 - 192.168.139.99
Local DHCP range for workstations: 192.168.139.100 - 192.168.139.200

My wish would be to assign IPs starting with 192.168.139.201 to VPN users (either manually or, better, also via DHCP / tinc). From what I have read maybe the switch setup might fit, but I'm currently a bit lost.

Is that possible? If yes, is one of the sample setups adequate for me?

Thanks for your help,
Matthias
On Mon, Nov 16, 2009 at 09:02:33AM +0100, Matthias Redl wrote:

> From what I've read so far I believe that the VPN must always have a
> different IP subnet than the private LAN itself, and therefore use
> routing.

That is not true. The only problem is when you want clients to use IP addresses from the private LAN in router mode; that is difficult to set up.

> Is that correct? But I would actually prefer to assign IPs from
> our current LAN to the VPN clients.
>
> Our current IP setup:
> Local servers and printers: 192.168.139.1 - 192.168.139.99
> Local DHCP range for workstations: 192.168.139.100 - 192.168.139.200
>
> My wish would be to assign IPs starting with 192.168.139.201 to VPN
> users (either manually or better also via DHCP / tinc). From what I have
> read maybe the switch setup might fit, but I'm currently a bit lost.
>
> Is that possible? If yes, is one of the sample setups adequate for me?

Yes, that is possible. Indeed, you want to use switch mode, and on the server bridge the VPN interface to the private LAN interface. This is described in http://tinc-vpn.org/examples/bridging/. On the client side you can then use DHCP to get an IP address from the DHCP server on the private LAN. You do have to make sure that the default gateway provided by the DHCP server on the VPN does not get a higher priority than that of the LAN the clients are on.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
OK, thanks for your help Donald!

On the "server" it seems to work (at least partially). The tinc.conf is:

    Name=dialinserver
    Mode=switch
    Device = /dev/net/tun

My host file:

    Address=192.168.139.49 (will be changed to the external IP as soon as it works)
    Subnet=192.168.139.0/24
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

I also installed the tinc-up script, which adds the dialinserver interface to the bridge.

Server starting up:

    $ tincd 1.0.8 (Nov 4 2007 09:57:13) starting, debug level 5
    $ /dev/net/tun is a Linux tun/tap device (tap mode)
    $ Executing script tinc-up
    $ Listening on 0.0.0.0 port 655
    $ Can't bind to :: port 655/tcp: Address already in use

What I don't understand here is only the last row. Why can't it bind? There is no other tincd running.

After that I get a lot of:

    $ Read packet of 60 bytes from Linux tun/tap device (tap mode)
    $ Learned new MAC address 0:80:87:34:5a:68
    $ Broadcasting packet of 60 bytes from dialinserver (MYSELF)
    $ ...

This looks good to me.

Now the client side. This is the tinc.conf there:

    Name=mezzubook
    ConnectTo = dialinserver
    Device = /dev/net/tun

My hosts file:

    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

The tinc-up script looks like that:

    #!/bin/sh
    ifconfig $INTERFACE 192.168.139.55 netmask 255.255.255.0

(In the future this should be changed to DHCP, I guess.)

I did not install a bridge or anything there. Just a modprobe tun. That's all.
When I start tincd there I get this:

    tincd -n dialin -d5 -D
    tincd 1.0.8 (Nov 2 2007 17:40:21) starting, debug level 5
    /dev/net/tun is a Linux tun/tap device (tun mode)
    Executing script tinc-up
    Listening on :: port 655
    Can't bind to 0.0.0.0 port 655/tcp: Address already in use
    Ready
    Trying to connect to dialinserver (192.168.139.49 port 655)
    Read packet of 74 bytes from Linux tun/tap device (tun mode)
    Cannot route packet from mezzubook (MYSELF): unknown IPv4 destination address 192.168.139.49
    Writing packet of 102 bytes to Linux tun/tap device (tun mode)

Here I'm lost again. Why can't it route to 192.168.139.49? Is it because I'm using the same subnet for the VPN and the normal network at the moment?

My routes look like that when tincd is up:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.139.0   0.0.0.0         255.255.255.0   U     0      0        0 dialin
    192.168.139.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0
    192.168.139.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
    0.0.0.0         192.168.139.11  0.0.0.0         UG    0      0        0 eth0

Thanks again for helping out!
Matthias
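As an added example (editor's code, not from the thread or from tinc itself): the client log above reports "(tun mode)" and "Cannot route packet", which is how tinc 1.0 behaves in its default router mode, while the server's tinc.conf carries Mode=switch, and tinc expects every node in one VPN to run the same Mode. The POSIX sh script below reads tinc's "Variable = Value" config format and reports that mismatch between the two tinc.conf files quoted in the thread (the temp-dir copies are constructed here).

```shell
#!/bin/sh
# Added example, not from the thread: read tinc's "Variable = Value" config
# format and report when two nodes run a different Mode. tinc matches
# variable names case-insensitively, ignores "#" comments, and uses
# "router" when no Mode line is present.

# tinc_var FILE NAME: print the first value of NAME in FILE (empty if unset)
tinc_var() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                        # drop comments
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# tinc_mode FILE: effective Mode of a tinc.conf, applying tinc's default
tinc_mode() {
    m=$(tinc_var "$1" Mode | tr 'A-Z' 'a-z')
    printf '%s\n' "${m:-router}"
}

# check_modes CLIENT_CONF SERVER_CONF: "ok" when both nodes agree,
# otherwise "mismatch: <client mode> vs <server mode>"
check_modes() {
    c=$(tinc_mode "$1")
    s=$(tinc_mode "$2")
    if [ "$c" = "$s" ]; then
        printf 'ok\n'
    else
        printf 'mismatch: %s vs %s\n' "$c" "$s"
    fi
}

# Constructed copies of the two tinc.conf files quoted in the thread
TMP=$(mktemp -d)
cat > "$TMP/dialinserver.conf" <<'EOF'
Name=dialinserver
Mode=switch
Device = /dev/net/tun
EOF
cat > "$TMP/mezzubook.conf" <<'EOF'
Name=mezzubook
ConnectTo = dialinserver
Device = /dev/net/tun
EOF

check_modes "$TMP/mezzubook.conf" "$TMP/dialinserver.conf"   # mismatch: router vs switch
```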