Hi tinc team,

I am a new user of tinc, and want to use it inside Amazon EC2 for bridging
different network segments. First, I want to try the most simple thing, just
build a p2p tunnel between two EC2 instances with segment 10.0.101.0/24.

I can see the tunnel is established by doing lsof -i:655

##############
COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
tincd   2893 root 7u  IPv4  11489      0t0  TCP ip-10-146-74-200.ap-northeast-1.compute.internal:34504->ip-10-146-159-245.ap-northeast-1.compute.internal:tinc (ESTABLISHED)

and tail /var/log/syslog

##############
Connection with vpn2 (10.146.159.245 port 655) activated   (vpn1 server)

but I can not ping each other with ip 10.0.101.10 (vpn1 server),
10.0.101.12 (vpn2 server).

Hope anybody can provide some advice. Thank you in advance.

#################################
my configurations are as below.

/etc/tinc/vpn1/tinc.conf (vpn1 server)
AddressFamily = ipv4
Device = /dev/net/tun
Name = vpn1

tinc-up:
ifconfig $INTERFACE 10.0.101.10 netmask 255.255.255.0

/etc/tinc/vpn1/tinc.conf (vpn2 server)
AddressFamily = ipv4
Device = /dev/net/tun
Name = vpn2
ConnectTo = vpn1

tinc-up:
ifconfig $INTERFACE 10.0.101.12 netmask 255.255.255.0

cat vpn1/hosts/vpn{1,2}
---- vpn1
Address = 10.146.74.200
Subnet = 10.0.101.0/24
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
------ vpn2
Address = 10.146.159.245
Subnet = 10.0.101.12/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
#################################
On Tue, Apr 12, 2011 at 11:29:39PM +0900, ? ? wrote:

> I am a new user of tinc, and want to use it inside Amazon EC2 for bridging
> different network segments.
> First, I want to try the most simple thing, just build a p2p tunnel between
> two EC2 instances with segment 10.0.101.0/24.
>
> I can see the tunnel is established by doing
[...]
> but I can not ping each other with ip 10.0.101.10 (vpn1 server),
> 10.0.101.12 (vpn2 server)
>
> hope anybody can provide some advice.
>
> #################################
> my configurations are as below.
[...]
> tinc-up: ifconfig $INTERFACE 10.0.101.10 netmask 255.255.255.0

The configuration files look fine, but did you ensure the tinc-up scripts are
executable, and have "#!/bin/sh" on the first line?

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
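The two properties Guus asks about (the script is executable and its first line is an interpreter line) are easy to check before starting tincd. The following is an added example written for this thread, not code from the tinc project or from either poster; the directory layout it builds with mktemp is constructed to mimic /etc/tinc/<netname>, and the function names (check_tinc_script, check_tinc_netdir, make_demo_netdir) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from tinc): a pre-flight check for the
# two things Guus asks about, whether a netname's tinc-up script is executable
# and starts with an interpreter line such as "#!/bin/sh". tinc-down, when it
# exists, is checked the same way.

# check_tinc_script FILE: return 0 if FILE exists, is executable and its first
# line starts with "#!"; otherwise print each problem and return 1.
check_tinc_script() {
    script=$1
    rc=0
    if [ ! -f "$script" ]; then
        echo "$script: missing"
        return 1
    fi
    if [ ! -x "$script" ]; then
        echo "$script: not executable; fix with: chmod +x $script"
        rc=1
    fi
    case "$(head -n 1 "$script")" in
        '#!'*) ;;
        *) echo "$script: first line is not an interpreter line; add #!/bin/sh"; rc=1 ;;
    esac
    return $rc
}

# check_tinc_netdir DIR: check DIR/tinc-up (required) and DIR/tinc-down (only
# if present). Returns 0 when every checked script passes.
check_tinc_netdir() {
    netdir=$1
    status=0
    check_tinc_script "$netdir/tinc-up" || status=1
    if [ -e "$netdir/tinc-down" ]; then
        check_tinc_script "$netdir/tinc-down" || status=1
    fi
    return $status
}

# make_demo_netdir MODE: build a throwaway directory shaped like
# /etc/tinc/<netname> (constructed for this example). MODE "broken" mimics what
# Hao describes (no interpreter line, no exec bit); MODE "fixed" is the
# corrected form. Prints the directory path.
make_demo_netdir() {
    d=$(mktemp -d)
    if [ "$1" = fixed ]; then
        printf '#!/bin/sh\nifconfig $INTERFACE 10.0.101.10 netmask 255.255.255.0\n' > "$d/tinc-up"
        printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$d/tinc-down"
        chmod +x "$d/tinc-up" "$d/tinc-down"
    else
        printf 'ifconfig $INTERFACE 10.0.101.10 netmask 255.255.255.0\n' > "$d/tinc-up"
    fi
    echo "$d"
}

# Stand-alone demo: the broken layout is reported line by line, the fixed one
# passes and prints "fixed layout: ok".
for mode in broken fixed; do
    demo=$(make_demo_netdir "$mode")
    if check_tinc_netdir "$demo"; then
        echo "$mode layout: ok"
    fi
    rm -rf "$demo"
done
```

To check a real installation, call check_tinc_netdir /etc/tinc/vpn1 on each server; a script that fails either test will not bring the interface up, and tinc's own log line for the script is the place to confirm it afterwards.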
Guus, thank you for your comment first.

My ifconfig of the tun device outputs the following:

ifconfig vpn1
vpn1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.101.10  P-t-P:10.0.101.10  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:168 (168.0 B)

tinc-up/down can be executed; vpn1 has the 10.0.101.10 ip address, and when I
stop tinc, vpn1 also disappears. (#!/bin/bash is not written though. The OS is
Ubuntu Lucid 10.04.)

I have tested my config in a local environment. Working fine locally but not in
EC2.... Very weird, I think.

2011/4/13 Guus Sliepen <guus at tinc-vpn.org>
> On Tue, Apr 12, 2011 at 11:29:39PM +0900, ? ? wrote:
[...]
> The configuration files look fine, but did you ensure the tinc-up scripts are
> executable, and have "#!/bin/sh" on the first line?
>
> -- 
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
On Wed, Apr 13, 2011 at 05:44:39PM +0900, ? ? wrote:

> my ifconfig of tun device outputs following:
> ifconfig vpn1
> vpn1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:10.0.101.10  P-t-P:10.0.101.10  Mask:255.255.255.0
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

Ok, it looks like the tinc-up script worked fine. Can you show me the output of
"route -n" on both VPN servers?

Are you using iptables or other forms of firewalling? Also, you can start tinc
with the extra options "-d5 -D", which will cause it to run in the foreground
and log almost everything that is going on. Try to ping while you are running
tinc like that, and see what it logs.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
Guus,

I restarted my two instances in ec2 and found all working now.
It is weird, I still do not know which part goes wrong, but it is working for me now.

BTW, can you tell me how to figure out what can of packets from log files?

Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Writing packet of 786 bytes to Linux tun/tap device (tun mode)
Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Read packet of 66 bytes from Linux tun/tap device (tun mode)
Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Sending packet of 66 bytes to vpn2 (175.41.249.177 port 655)

if you have some document about log file, please let me know.

Thank you very much for your help.

2011/4/14 Guus Sliepen <guus at tinc-vpn.org>
> On Wed, Apr 13, 2011 at 05:44:39PM +0900, ? ? wrote:
[...]
> Ok, it looks like the tinc-up script worked fine. Can you show me the output of
> "route -n" on both VPN servers?
>
> Are you using iptables or other forms of firewalling? Also, you can start tinc
> with the extra options "-d5 -D", which will cause it to run in the foreground
> and log almost everything that is going on. Try to ping while you are running
> tinc like that, and see what it logs.
>
> -- 
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
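The three log lines above carry direction and size but not protocol: "Read packet ... from Linux tun/tap device" is a packet the local kernel handed to tinc for the VPN, "Writing packet ... to Linux tun/tap device" is one tinc delivered back to the kernel, and "Sending packet ... to vpn2" is the encrypted copy leaving for a peer. The script below is an added example for this thread (not tinc's own tooling and not something either poster wrote) that tallies a -d5 log by those three directions per peer; the sample log is constructed from the lines Hao pasted, and the function name tinc_log_summary is this example's own. For protocol-level detail (ICMP echo versus reply, for instance) tcpdump on the tun interface is still needed, as Hao later does.

```shell
#!/bin/sh
# Added example (not from the thread or from tinc): summarise tincd debug
# output by direction, so a reader can see on which side of the tunnel
# packets stop. Only sizes and peers are recorded in these lines.

# Constructed sample, modelled on the three syslog lines Hao pasted.
SAMPLE_LOG='Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Writing packet of 786 bytes to Linux tun/tap device (tun mode)
Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Read packet of 66 bytes from Linux tun/tap device (tun mode)
Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Sending packet of 66 bytes to vpn2 (175.41.249.177 port 655)'

# tinc_log_summary: read tinc log lines on stdin and print one line per class:
#   tun_read  <count> <bytes>    packets the local kernel handed to tinc (outbound)
#   tun_write <count> <bytes>    packets tinc delivered to the local kernel (inbound)
#   sent <peer> <count> <bytes>  encrypted packets sent to each peer
# The syslog prefix is ignored, so output from "tincd -d5 -D" works as well.
tinc_log_summary() {
    awk '
    # pktsize: the number following "packet of " (awk reads the leading digits).
    function pktsize(line,   s) {
        s = substr(line, index(line, "packet of ") + 10)
        return s + 0
    }
    # peer: the node name following " bytes to ", up to the first space.
    function peer(line,   s) {
        s = substr(line, index(line, " bytes to ") + 10)
        sub(/ .*/, "", s)
        return s
    }
    /Read packet of [0-9]+ bytes from .* device/  { rc++; rb += pktsize($0); next }
    /Writing packet of [0-9]+ bytes to .* device/ { wc++; wb += pktsize($0); next }
    /Sending packet of [0-9]+ bytes to /          { p = peer($0); sc[p]++; sb[p] += pktsize($0); next }
    END {
        printf "tun_read %d %d\n", rc, rb
        printf "tun_write %d %d\n", wc, wb
        for (p in sc) printf "sent %s %d %d\n", p, sc[p], sb[p]
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | tinc_log_summary
```

Run it as tincd -n vpn1 -d5 -D 2>&1 | tinc_log_summary on one side while pinging from the other: a growing tun_write count with no tun_read means replies are arriving but the kernel never answers them, which points at routing or a firewall rather than at the tunnel itself.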
Guus,

Sorry, I mis-spelled.

> can you tell me how to figure out what kind of packets from log files?

I tried tcpdump vpn1 icmp before to test ping between the two instances.
I can confirm vpn1 (server side) can not reply to vpn1 (client side) that time.
I restarted them and fixed...

Hao

2011/4/15 ? ? <xsunsmile at gmail.com>
> Guus,
>
> I restarted my two instances in ec2 and found all working now.
> It is weird, I still do not know which part goes wrong, but it is working
> for me now.
>
> BTW, can you tell me how to figure out what can of packets from log files?
>
> Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Writing packet of 786 bytes to Linux tun/tap device (tun mode)
> Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Read packet of 66 bytes from Linux tun/tap device (tun mode)
> Apr 15 05:55:39 jp-cloud-aws-vpn1 tinc.vpn1[1006]: Sending packet of 66 bytes to vpn2 (175.41.249.177 port 655)
>
> if you have some document about log file, please let me know.
>
> Thank you very much for your help.
[...]
Sorry, another mistake.

> I can confirm vpn1 (server side) can not reply to vpn2 (client side) that time.

2011/4/15 ? ? <xsunsmile at gmail.com>
> Guus,
>
> Sorry, I mis-spelled.
>
> > can you tell me how to figure out what kind of packets from log files?
>
> I tried tcpdump vpn1 icmp before to test ping between the two instances.
> I can confirm vpn1 (server side) can not reply to vpn1 (client side) that time.
> I restarted them and fixed...
>
> Hao
[...]
Not sure if you got this to work....

> Ok, it looks like the tinc-up script worked fine. Can you show me the output of
> "route -n" on both VPN servers?

What is the subnet of your native interface - 10.0.0.0/8?

While learning, I would change the host file Subnet mask for host vpn1 to
10.0.101.10/32. I know that is not what you want, but do host-to-host first,
then host-to-network.

host 1 tinc-up may need:
ip route add 10.0.101.0/24 dev $INTERFACE via 10.0.101.10

host 2 tinc-up may need:
ip route add 10.0.101.0/24 dev $INTERFACE via 10.0.101.12
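The reason the /32 suggestion matters is tinc's Subnet lookup in router mode: a packet read from the tun device is handed to the node whose Subnet line most specifically contains the destination address. The awk function below is an added example written for this thread (not tinc's own lookup code and not something either poster wrote) that reproduces that longest-prefix choice over small hosts-file tables; the two tables are constructed from Hao's original hosts files (vpn1 = 10.0.101.0/24, vpn2 = 10.0.101.12/32) and from the host-to-host layout suggested above, and the name subnet_owner is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from tinc): longest-prefix lookup over
# "<node> <Subnet>" pairs, showing which node tinc (router mode) would hand a
# packet to. Hao's hosts files: the /32 wins for 10.0.101.12 and the /24 catches
# everything else. With both nodes narrowed to /32, addresses outside the two
# hosts match nobody, which is why host-to-host is the simpler first test.

# Constructed tables, one "<node> <Subnet>" pair per line.
HAO_SUBNETS='vpn1 10.0.101.0/24
vpn2 10.0.101.12/32'
HOST_ONLY_SUBNETS='vpn1 10.0.101.10/32
vpn2 10.0.101.12/32'

# subnet_owner TABLE ADDR: print the node whose Subnet most specifically
# contains ADDR, or "none" when no Subnet covers it. Ties go to the first
# matching line; only IPv4 dotted-quad/prefix entries are handled.
subnet_owner() {
    printf '%s\n' "$1" | awk -v addr="$2" '
    # ip2int: dotted quad to a 32-bit integer (split on a literal ".").
    function ip2int(s,   o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # prefix: the top "bits" bits of ip, via integer division (no bit ops in
    # POSIX awk).
    function prefix(ip, bits) { return int(ip / (2 ^ (32 - bits))) }
    BEGIN { best = "none"; bestlen = -1 }
    NF < 2 { next }
    {
        split($2, cidr, "/")
        plen = cidr[2] + 0
        if (prefix(ip2int(addr), plen) == prefix(ip2int(cidr[1]), plen) && plen > bestlen) {
            best = $1
            bestlen = plen
        }
    }
    END { print best }'
}

# Stand-alone demo.
subnet_owner "$HAO_SUBNETS" 10.0.101.12         # vpn2: the /32 beats the /24
subnet_owner "$HAO_SUBNETS" 10.0.101.99         # vpn1: only the /24 covers it
subnet_owner "$HOST_ONLY_SUBNETS" 10.0.101.99   # none: no node owns it
```

The same function can be pointed at a real configuration with awk '/^Subnet/ {print FILENAME, $3}' /etc/tinc/vpn1/hosts/* as the table (the node name is then the hosts-file path), which makes it quick to confirm that every address you expect to reach actually has an owner before reading packet logs.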