ZioPRoTo (Saverio Proto)
2010-Nov-09 17:11 UTC
question from openvpn user, how to "redirect-gateway" in tincd
Hello,

today I was trying to do something easy I did with OpenVPN before. I have a server, and a few clients will connect to the server and route their internet traffic into the tunnel. The server then does NAT.

To configure clients in OpenVPN there was this directive called --redirect-gateway that basically (copy and paste from the OpenVPN man page):

(1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

I know in tinc I can implement this easily using the tinc-up script (when I have Linux/Mac clients), but I have two problems.

Is the current gateway value in some env variable? Or do I have to write my own script to grep that out, or is there something already available?

What if I have Windows clients? Do I have to write a tinc-up script as a Windows-style script? I have no idea how to use Windows :(

Thanks

Saverio
Guus Sliepen
2010-Nov-10 23:01 UTC
question from openvpn user, how to "redirect-gateway" in tincd
On Tue, Nov 09, 2010 at 06:11:48PM +0100, ZioPRoTo (Saverio Proto) wrote:

> To configure clients in OpenVPN there was this directive called:
> --redirect-gateway
[...]
> I know in tinc I can implement this easily using the tinc-up script
> (when I have Linux/Mac clients), but I have two problems.
>
> Is the current gateway value in some env variable? Or do I have to write
> my own script to grep that out, or is there something already available?

You grep it out of the current routing table. I have added an example to the wiki:

http://tinc-vpn.org/examples/redirect-gateway/

There are other ways to do it, but this is fairly simple and robust, I think.

> What if I have Windows clients? Do I have to write a tinc-up script as a
> Windows-style script? I have no idea how to use Windows :(

I have no idea either. You can use the netsh command to get and manipulate the routing table. On Windows, tinc expects tinc-up.bat, hosts/server-up.bat, et cetera. I have no idea if Style scripts would work. If anyone using Windows has an idea, please tell us.

Also, if there are BSD or MacOS/X users: many examples on the wiki contain Linux-specific scripts; it would help if these were ported to other platforms as well.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Benjamin Henrion
2010-Nov-10 23:03 UTC
question from openvpn user, how to "redirect-gateway" in tincd
On Thu, Nov 11, 2010 at 12:01 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Tue, Nov 09, 2010 at 06:11:48PM +0100, ZioPRoTo (Saverio Proto) wrote:
>
>> To configure clients in OpenVPN there was this directive called:
>> --redirect-gateway
> [...]
>> I know in tinc I can implement this easily using the tinc-up script
>> (when I have Linux/Mac clients), but I have two problems.
>>
>> Is the current gateway value in some env variable? Or do I have to write
>> my own script to grep that out, or is there something already available?
>
> You grep it out of the current routing table. I have added an example to the
> wiki:
>
> http://tinc-vpn.org/examples/redirect-gateway/
>
> There are other ways to do it, but this is fairly simple and robust, I think.
>
>> What if I have Windows clients? Do I have to write a tinc-up script as a
>> Windows-style script? I have no idea how to use Windows :(
>
> I have no idea either. You can use the netsh command to get and manipulate the
> routing table. On Windows, tinc expects tinc-up.bat, hosts/server-up.bat, et
> cetera. I have no idea if Style scripts would work. If anyone using Windows has
> an idea, please tell us.
>
> Also, if there are BSD or MacOS/X users: many examples on the wiki contain
> Linux-specific scripts; it would help if these were ported to other platforms
> as well.

It looks fairly complicated compared to the OpenVPN way.

-- 
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
"In July 2005, after several failed attempts to legalise software patents in Europe, the patent establishment changed its strategy. Instead of explicitly seeking to sanction the patentability of software, they are now seeking to create a central European patent court, which would establish and enforce patentability rules in their favor, without any possibility of correction by competing courts or democratically elected legislators."
Julian Bäume
2010-Nov-10 23:22 UTC
question from openvpn user, how to "redirect-gateway" in tincd
On Thursday, 11 November 2010, 00:01:25, Guus Sliepen wrote:

> On Tue, Nov 09, 2010 at 06:11:48PM +0100, ZioPRoTo (Saverio Proto) wrote:
>> Is the current gateway value in some env variable? Or do I have to write
>> my own script to grep that out, or is there something already available?
>
> You grep it out of the current routing table. I have added an example to
> the wiki:
>
> http://tinc-vpn.org/examples/redirect-gateway/
>
> There are other ways to do it, but this is fairly simple and robust, I
> think.

Yay, cool! :) Didn't know about the 128.0.0.0/1 trick yet.

> Also, if there are BSD or MacOS/X users: many examples on the wiki contain
> Linux-specific scripts; it would help if these were ported to other
> platforms as well.

AFAIR, you will mostly be fine when using the ip command, since it should be available in *bsd, too. Everything else should just be POSIX compatible and should run just fine, or will at least be portable with not much effort. As for Windows, this is not that easy, I guess.

bye then
julian
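The three steps Saverio quoted from the OpenVPN man page, Guus's "grep it out of the routing table" and the 128.0.0.0/1 trick Julian mentions fit in one small tinc-up/tinc-down script. The following is an added example written for this thread; it is not the script on the tinc wiki and not part of tinc. REMOTE (the server's public address), VPN_GW (the server's address inside the VPN) and the sample routing-table lines are assumed placeholders; INTERFACE is the variable tincd exports when it runs the scripts.

```shell
#!/bin/sh
# Added example for the tinc list thread, not the wiki's script: a Linux
# tinc-up / tinc-down that behaves like OpenVPN's --redirect-gateway.
# (1) read the current default gateway out of the routing table,
# (2) pin the server's public address to that gateway so (3) cannot loop,
# (3) override the default route with 0.0.0.0/1 + 128.0.0.0/1 instead of
#     deleting it, so tinc-down only removes what tinc-up added.
#
# Placeholders (assumed values, adjust for your network):
#   REMOTE    public address of the tinc server you connect to
#   VPN_GW    that server's address inside the VPN
#   INTERFACE exported by tincd when it runs tinc-up / tinc-down
REMOTE=${REMOTE:-198.51.100.7}
VPN_GW=${VPN_GW:-10.0.0.1}

# Read "ip -4 route" output on stdin and print the gateway of the default
# route, e.g. "192.0.2.1" for "default via 192.0.2.1 dev eth0 proto dhcp".
# Prints nothing when there is no "default via" line (point-to-point or
# blackhole default), which the caller treats as "do not redirect".
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print the commands tinc-up would run. Emitting them as text rather than
# executing them directly keeps the plan reviewable and testable.
route_plan_up() {
    gw=$1; remote=$2; vpn_gw=$3; dev=$4
    # (2) host route to the server via the old gateway: prevents the loop
    printf 'ip route add %s/32 via %s\n' "$remote" "$gw"
    # (3) two /1 routes are more specific than the default and win over it
    printf 'ip route add 0.0.0.0/1 via %s dev %s\n' "$vpn_gw" "$dev"
    printf 'ip route add 128.0.0.0/1 via %s dev %s\n' "$vpn_gw" "$dev"
}

# Inverse plan for tinc-down: delete exactly the routes tinc-up added, so
# the original default route comes back into effect untouched.
route_plan_down() {
    remote=$1; vpn_gw=$2; dev=$3
    printf 'ip route del 128.0.0.0/1 via %s dev %s\n' "$vpn_gw" "$dev"
    printf 'ip route del 0.0.0.0/1 via %s dev %s\n' "$vpn_gw" "$dev"
    printf 'ip route del %s/32\n' "$remote"
}

# Only act when tincd invoked us (INTERFACE set). The same file serves as
# tinc-down when installed or symlinked under that name.
if [ -n "${INTERFACE:-}" ]; then
    case ${0##*/} in
    tinc-down*)
        route_plan_down "$REMOTE" "$VPN_GW" "$INTERFACE" | sh -e
        ;;
    *)
        gw=$(ip -4 route show default | default_gateway)
        if [ -z "$gw" ]; then
            echo "tinc-up: no default gateway via a router found, not redirecting" >&2
            exit 1
        fi
        route_plan_up "$gw" "$REMOTE" "$VPN_GW" "$INTERFACE" | sh -e
        ;;
    esac
fi
```

Run by hand without INTERFACE set, the script only defines the functions, so you can source it and call route_plan_up with made-up arguments to see the plan before letting tincd apply it. It handles IPv4 only, and it deliberately refuses to redirect when the routing table has no "default via" entry rather than guessing a gateway, because a wrong host route for REMOTE is exactly what produces the routing loop the OpenVPN man page warns about.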
Julian Bäume
2010-Nov-10 23:31 UTC
question from openvpn user, how to "redirect-gateway" in tincd
On Thursday, 11 November 2010, 00:03:40, Benjamin Henrion wrote:

> On Thu, Nov 11, 2010 at 12:01 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
[...]
> It looks fairly complicated compared to the OpenVPN way.

I like the tinc way better, because it doesn't rely on proprietary options I have to learn when configuring stuff. It feels more natural to set up things as I do in my natural "sysadmin environment". As most use cases are covered in the wiki and users would only need to copy and use the provided scripts, I don't think this is unnecessarily complicated. It might be more complex, but there are also some benefits. If you know what you are doing, you are more flexible.

bye then
julian
Donald Pearson
2010-Nov-11 13:15 UTC
question from openvpn user, how to "redirect-gateway" in tincd
> To configure clients in OpenVPN there was this directive called:
> --redirect-gateway
>
> that basically (copy and paste from the OpenVPN man page):
> (1) Create a static route for the --remote address which forwards to
> the pre-existing default gateway. This is done so that (3) will not
> create a routing loop.
> (2) Delete the default gateway route.
> (3) Set the new default gateway to be the VPN endpoint address
> (derived either from --route-gateway or the second parameter to
> --ifconfig when --dev tun is specified).
>
> I know in tinc I can implement this easily using the tinc-up script
> (when I have Linux/Mac clients), but I have two problems.
>
> Is the current gateway value in some env variable? Or do I have to write
> my own script to grep that out, or is there something already available?
>
> What if I have Windows clients? Do I have to write a tinc-up script as a
> Windows-style script? I have no idea how to use Windows :(

I can try to help with the Windows part. Simple Windows scripts are just text files with a ".bat" file extension.

I think the following would work in tinc-up.bat:

    route add <remote ip address> mask 255.255.255.255 <current gateway IP address>
    route change 0.0.0.0 mask 0.0.0.0 <tinc server's VPN-reachable ip address>

Your tinc-down.bat would just reverse this:

    route change 0.0.0.0 mask 0.0.0.0 <original gateway IP address>
    route delete <remote ip address>

If you're running tinc on Windows Vista or 7, you might run into some User Access Control issues with modifying the routing table. In those versions of Windows you need to have elevated privileges. If tinc is running as a service I don't think it would be an issue.

If tinc will be manually run from the command prompt, the command prompt itself will need to be "run as administrator" in order to have elevated privileges.
> I can try to help with the Windows part. Simple Windows scripts are just
> text files with a ".bat" file extension.
>
> I think the following would work in tinc-up.bat

Please use .cmd and no longer .bat; cmd has more options, and .bat is only needed for old DOS Windows.

ALBI...