Hi,

I am using Tinc as a VPN for an association, and I want to use one of the nodes of the VPN as an internet gateway.

I have added a route entry on the client side so that packets go to the exit node, and added Masquerading and IP forwarding, but pings do not go through, though I see the ping requests on the "myassociation" interface.

Any idea?

Best,

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
"In July 2005, after several failed attempts to legalise software patents in Europe, the patent establishment changed its strategy. Instead of explicitly seeking to sanction the patentability of software, they are now seeking to create a central European patent court, which would establish and enforce patentability rules in their favor, without any possibility of correction by competing courts or democratically elected legislators."

Has this problem been solved in your most recent email to this list?

The exit node must have ip forwarding enabled, as well as appropriate masquerading.
The client node must have the default gateway set to the exit node.

Could you please provide more information including ifconfig, route and iptables output for both machines?

Mike

On 3/11/2010 19:47 PM, Benjamin Henrion wrote:
> Hi,
>
> I am using Tinc as a VPN for an association, and I want to use one of the
> nodes of the VPN as an internet gateway.
>
> I have added a route entry on the client side so that packets go to
> the exit node, and added Masquerading and IP forwarding, but pings
> do not go through, though I see the ping requests on the
> "myassociation" interface.
>
> Any idea?
>
> Best,
>
> --
> Benjamin Henrion <bhenrion at ffii.org>
> FFII Brussels - +32-484-566109 - +32-2-4148403

On Wed, Nov 3, 2010 at 11:54 AM, Mike Bentzen <mike at goodlook.com.au> wrote:
> Has this problem been solved in your most recent email to this list?
>
> The exit node must have ip forwarding enabled, as well as appropriate
> masquerading.
> The client node must have the default gateway set to the exit node.

I have on the client side a machine (b2) with an OpenVZ container (fsbuild 192.168.20.98), where I added a rule to forward the traffic through the tinc interface "mycompany" to another node on the vpn which should be used as a gateway (192.168.11.2):

============================================================
root@b2 /root [9]# ip rule add from 192.168.20.98 table 7
root@b2 /root [10]# ip route add default dev mycompany via 192.168.11.2 table 7
root@b2 /root [11]# vzctl enter 998
entered into CT 998
root@fsbuild / [2]# ping 130.104.1.1
PING 130.104.1.1 (130.104.1.1) 56(84) bytes of data.
[no answer here...]
============================================================

On my laptop (192.168.11.2), I see packets:

============================================================
root@buzek /home/zoobab [3]# tshark -i mycompany -R icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on mycompany
  0.466522 192.168.20.98 -> 130.104.1.1 ICMP Echo (ping) request
  1.468486 192.168.20.98 -> 130.104.1.1 ICMP Echo (ping) request
============================================================

But no icmp packets appear on the wlan0 interface, even when I have the iptables rule on:

iptables -t nat -A POSTROUTING -j MASQUERADE -o wlan0
echo 1 > /proc/sys/net/ipv4/ip_forward

Any idea what I should add?

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403

On Wed, Nov 03, 2010 at 10:47:27AM +0100, Benjamin Henrion wrote:
> I am using Tinc as a VPN for an association, and I want to use one of the
> nodes of the VPN as an internet gateway.
>
> I have added a route entry on the client side so that packets go to
> the exit node, and added Masquerading and IP forwarding, but pings
> do not go through, though I see the ping requests on the
> "myassociation" interface.

Can you send the output of these commands on both the client and the exit node, when tinc is running:

ifconfig -a
route -n
iptables -L -vxn
iptables -t nat -L -vxn

Also, can you send a copy of tinc.conf and the host config files for the client and exit node?

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
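
The exit-node conditions named in this thread (IP forwarding enabled, a MASQUERADE rule on the outgoing interface) together with the FORWARD chain policy that the requested iptables output would show, as an added shell example that is not part of any post in the thread. The function names and the iptables-save sample are constructed for illustration; only the interface name wlan0 comes from the thread.

```shell
#!/bin/sh
# Added example: exit-node checks for a VPN node used as internet gateway.
# Rules are read as iptables-save text so the checks also run on a saved dump.

# Constructed sample (not output from the machines in the thread).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# forwarding_enabled FILE: succeeds if FILE contains exactly "1".
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# has_masquerade RULES IFACE: succeeds if the nat table has a
# POSTROUTING MASQUERADE rule with "-o IFACE".
has_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { table = $0 }
        table == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ {
            for (i = 1; i < NF; i++) if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit !found }'
}

# forward_policy RULES: prints the default policy of the filter FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = $0 }
        table == "*filter" && /^:FORWARD / { print $2 }'
}

# report RULES IFACE IP_FORWARD_FILE: prints one line per check.
report() {
    forwarding_enabled "$3" && echo "ip_forward: on" || echo "ip_forward: OFF"
    has_masquerade "$1" "$2" && echo "masquerade on $2: yes" || echo "masquerade on $2: MISSING"
    echo "FORWARD policy: $(forward_policy "$1")"
}

# Live exit node: report "$(iptables-save)" wlan0 /proc/sys/net/ipv4/ip_forward
report "$SAMPLE_RULES" wlan0 /proc/sys/net/ipv4/ip_forward
```

A FORWARD policy of DROP with no matching ACCEPT rule, as in the constructed sample, stops forwarded packets before the nat POSTROUTING chain is reached, so the MASQUERADE rule alone is not enough in that case.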