On Wed, Jun 18, 2014 at 09:22:16AM +0200, Jean-Charles Andlauer wrote:
> Some tinc configuration examples available on the Internet include a
> statement like this:
> "route add -net $subnet netmask $netmask gw $remote_ip", where
> $remote_IP is the VPN address of the remote host.
>
> Q1:
> Does this statement modify the behaviour of tinc (as compared to
> "ifconfig $interface $local_ip netmask $netmask")?
No, neither ifconfig nor "route add" modify the behaviour of tinc
itself; they merely change the way the kernel routes packets. You have to
make sure that you give the right commands in the tinc-up script to have
the kernel route packets that have to go via the VPN to the virtual
network interface.
> Q2:
> If it does, is there a way to determine the VPN address of the remote
> host, as this would simplify configuration of tinc a lot, i.e.
> configuration could become automatic/dynamic rather than
> manual/static?
You can write a subnet-up script, which is called whenever an IP range
becomes reachable on the VPN. An example script for Linux:
#!/bin/sh
ip route replace $SUBNET dev $INTERFACE
> Q3:
> Isn't setting up a routing daemon just to get that information (i.e.
> the VPN address of the remote host) a bit overkill?
You can make your VPN setup as simple or as complex as you want. Tinc
does not enforce any particular way. The simplest way is to assign a
single large subnet to the whole VPN, say 192.168.0.0/16, and have each node
take a smaller piece of that large subnet. You tell tinc about the
smaller pieces by adding statements like "Subnet = 192.168.1.2/32" or
"Subnet = 192.168.3.0/24" to the host config file of the node that owns
that piece. Then, in their tinc-up scripts you just have (respectively):
#!/bin/sh
ifconfig $INTERFACE 192.168.1.2 netmask 255.255.0.0
or
#!/bin/sh
ifconfig $INTERFACE 192.168.3.1 netmask 255.255.0.0
Note that the netmask in the tinc-up script is 255.255.0.0, so that the
kernel will route all packets in the 192.168.0.0/16 range to the VPN
interface. As long as you didn't use the whole /16, you can add new
nodes without having to change the tinc-up script on any of the existing
nodes.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
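The subnet-up script from Q2 and the supernet-plus-netmask layout from Q3 can be checked without touching a live interface. The script below is an added example, not code from Guus's reply or from the tinc project: it prints the route and ifconfig commands a tinc-up and subnet-up/subnet-down script would run instead of executing them, skips the node's own subnets and non-IPv4 (MAC) subnets, and refuses a node address that falls outside the VPN-wide supernet, since such an address would never be routed to the VPN interface by the 255.255.0.0 netmask. The tinc script environment variables it models (SUBNET, INTERFACE, NODE for the subnet's owner, NAME for the local node) are assumptions about tinc's script interface, and all addresses and node names are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the tinc project or from the post above.
# It models two pieces of the setup described in the reply:
#   1. a subnet-up/subnet-down handler that turns tinc's per-subnet
#      events into "ip route" commands (printed here rather than run);
#   2. a tinc-up helper that checks a node's address really lies inside
#      the VPN-wide supernet whose netmask is configured on the interface.
# Assumed tinc script environment: SUBNET (the range), INTERFACE (the
# virtual interface), NODE (owner of the subnet) and NAME (this node).

# Print the route command for one subnet event instead of executing it.
# Usage: tinc_route_cmd up|down SUBNET INTERFACE NODE NAME
tinc_route_cmd() {
    action=$1 subnet=$2 iface=$3 node=$4 name=$5
    # Our own subnets are reached via the interface address, not a route.
    [ "$node" = "$name" ] && return 0
    # Only IPv4 ranges get a route; MAC "subnets" (switch mode) are skipped.
    case "$subnet" in
        *.*.*.*/*|*.*.*.*) ;;
        *) return 0 ;;
    esac
    case "$action" in
        up)   echo "ip route replace $subnet dev $iface" ;;
        down) echo "ip route del $subnet dev $iface" ;;
        *)    echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Dotted-quad IPv4 address -> unsigned integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Unsigned integer -> dotted-quad IPv4 address.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask (as an integer) for a prefix length 1..32.
prefix_to_mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# True when ADDRESS lies inside SUPERNET (a.b.c.d/len).
# Usage: in_supernet 192.168.3.1 192.168.0.0/16
in_supernet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    mask=$(prefix_to_mask "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the tinc-up command for this node, refusing an address that is
# outside the supernet (the kernel would never send it to the VPN interface).
# Usage: tinc_up_cmd INTERFACE ADDRESS SUPERNET
tinc_up_cmd() {
    iface=$1 address=$2 supernet=$3
    if ! in_supernet "$address" "$supernet"; then
        echo "error: $address is outside the VPN supernet $supernet" >&2
        return 1
    fi
    netmask=$(int_to_ip4 "$(prefix_to_mask "${supernet#*/}")")
    echo "ifconfig $iface $address netmask $netmask"
}

# Constructed demo values: node "alpha" brings up 192.168.1.2 inside
# 192.168.0.0/16 and then learns that "beta" owns 192.168.3.0/24.
tinc_up_cmd vpn0 192.168.1.2 192.168.0.0/16
tinc_route_cmd up 192.168.3.0/24 vpn0 beta alpha
tinc_route_cmd down 192.168.3.0/24 vpn0 beta alpha
tinc_route_cmd up 192.168.1.2/32 vpn0 alpha alpha   # own subnet: prints nothing
```

To turn this into real tinc-up and subnet-up scripts, replace the `echo` in each command function with the command itself and feed it the environment variables tinc exports (`tinc_route_cmd up "$SUBNET" "$INTERFACE" "$NODE" "$NAME"`); the supernet check is worth keeping, because a typo that places a node's address outside the /16 silently produces a host that can see nobody on the VPN.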