Is it possible to use different port numbers for UDP and TCP? I'd like to open the TCP connection to one port on the remote server and stream the UDP packets to a different port. I've tried specifying both as BindToAddress and Address lines but it always just uses TCP.

On 2 May 2017 17:36, "Guus Sliepen" <guus at tinc-vpn.org> wrote:

> On Tue, May 02, 2017 at 09:53:15PM +0800, Bright Zhao wrote:
>
> > When the tinc daemon gets up on A (together with some manual scripts for destination to 8.8.8.8), the route table looks like below:
> > 10.0.0.0/24 dev tun0
> > 10.0.0.3 dev tun0
> > 8.8.8.8 via 10.0.0.3 dev tun0
>
> IPv4 packets have only two addresses in their header: the source and the destination address. If you want to send a packet to 8.8.8.8, the destination address of the packet will always be 8.8.8.8, regardless of how it is forwarded via the network. Imagine that your local node would replace the destination address with 10.0.0.3, then the information about the final destination (8.8.8.8) would be lost.
>
> The "via 10.0.0.3" only has an effect on Ethernet networks. Ethernet doesn't know about IPv4 or IPv6, it only knows about MAC addresses. What "via 10.0.0.3" does is that when it has to send a packet to 8.8.8.8, it sets the IPv4 header's destination address to 8.8.8.8, but it sets the Ethernet header's destination address to the MAC address of the host which has the address 10.0.0.3. It figures out the last part by doing ARP resolution.
>
> It's perhaps a bit confusing that there is no error message when you try to add such a route, even though the "via 10.0.0.3" part doesn't do anything. It's just ignored for non-Ethernet networks. Also, on some (older) BSD platforms, you could not add a route to a "dev tun0", you could only identify interfaces by their IP address. So there the equivalent of "via" would have an effect, but also not the one you intended.
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Tue, May 02, 2017 at 05:40:40PM +0100, Peter Whisker wrote:

> Is it possible to use different port numbers for UDP and TCP? I'd like to open the TCP connection to one port on the remote server and stream the UDP packets to a different port. I've tried specifying both as BindToAddress and Address lines but it always just uses TCP.

It's not directly supported by tinc, but maybe you can trick it to. Here are some pointers:

You can have multiple BindToAddress lines. For outgoing UDP packets, tinc will *initially* use the first matching one for a given address family (IPv4 or IPv6).

Other tinc nodes will *initially* try to send UDP packets to this node on the same port.

However, to help NAT traversal, tinc will allow packets from different ports. If you really want to allow UDP packets on only one specific port, you might want to add firewall rules to block UDP packets from the other port(s), both incoming and outgoing.

Since tinc does not care about the port, you might instead try to add NAT rules that change the source port of outgoing UDP packets to the desired one (and also the destination port of incoming UDP packets).

But I wonder why you want to split this?

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
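The NAT-rule approach sketched in the reply above, written out as an added example (this is not tinc's code and not something posted in the thread). It assumes the server side of the setup: tinc keeps binding one port (655, tinc's default) for both TCP and UDP, peers are told to send UDP to a second port (1655, an assumed placeholder), and 192.0.2.10 stands in for the server's own address. The script prints the iptables rules for review and only applies them when run as root with `--apply`.

```shell
#!/bin/sh
# Added example: server-side iptables rules for the "NAT the UDP port"
# suggestion.  tinc itself still uses TINC_PORT for both TCP and UDP; the
# NAT rules make the outside world see UDP on UDP_PORT instead, and the
# filter rule blocks UDP that still arrives directly on TINC_PORT.
# TINC_PORT, UDP_PORT and SERVER_IP are assumed placeholders.

TINC_PORT="${TINC_PORT:-655}"        # port tinc binds for TCP and UDP
UDP_PORT="${UDP_PORT:-1655}"         # port peers must use for UDP
SERVER_IP="${SERVER_IP:-192.0.2.10}" # this node's public address (placeholder)

# Emit the rules rather than running them, so they can be reviewed first.
tinc_udp_port_rules() {
    cat <<EOF
# Incoming UDP on $UDP_PORT is delivered to tinc on $TINC_PORT
# (rewrites the destination port of incoming UDP packets; conntrack
# rewrites the source port of tinc's replies back to $UDP_PORT).
iptables -t nat -A PREROUTING -p udp --dport $UDP_PORT -j REDIRECT --to-ports $TINC_PORT
# UDP that tinc itself initiates from $TINC_PORT leaves with source port $UDP_PORT
# (rewrites the source port of outgoing UDP packets).
iptables -t nat -A POSTROUTING -p udp --sport $TINC_PORT -j SNAT --to-source $SERVER_IP:$UDP_PORT
# Drop UDP that reaches $TINC_PORT without belonging to a NATed flow, so
# only $UDP_PORT is usable from outside.  Conntrack's SNAT/DNAT virtual
# states mark packets of flows that went through either mapping above.
iptables -A INPUT -p udp --dport $TINC_PORT -m conntrack ! --ctstate SNAT,DNAT -j DROP
# TCP stays on $TINC_PORT and is not touched by any of these rules.
EOF
}

# Number of iptables commands the ruleset installs (sanity check).
tinc_udp_rule_count() {
    tinc_udp_port_rules | grep -c '^iptables '
}

if [ "${1:-}" = "--apply" ]; then
    tinc_udp_port_rules | sh   # needs root; appends to the live tables
else
    tinc_udp_port_rules
fi
```

The REDIRECT rule covers peers that initiate UDP towards the server, and conntrack un-maps the replies on its own; the SNAT rule is needed only for flows the server opens first, which would otherwise leave with source port 655. The DROP rule uses the conntrack SNAT/DNAT states rather than a plain port match because, after REDIRECT, a legitimate packet also carries destination port 655 by the time the INPUT chain sees it.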
It's down to corporate firewall rules I can't control. I've tried tricking it like you suggested but it didn't work. I guess iptables is the next port of call. It might be a useful addition to tinc.

Thanks

Peter

On 2 May 2017 17:50, "Guus Sliepen" <guus at tinc-vpn.org> wrote:

> On Tue, May 02, 2017 at 05:40:40PM +0100, Peter Whisker wrote:
>
> > Is it possible to use different port numbers for UDP and TCP? I'd like to open the TCP connection to one port on the remote server and stream the UDP packets to a different port. I've tried specifying both as BindToAddress and Address lines but it always just uses TCP.
>
> It's not directly supported by tinc, but maybe you can trick it to. Here are some pointers:
>
> You can have multiple BindToAddress lines. For outgoing UDP packets, tinc will *initially* use the first matching one for a given address family (IPv4 or IPv6).
>
> Other tinc nodes will *initially* try to send UDP packets to this node on the same port.
>
> However, to help NAT traversal, tinc will allow packets from different ports. If you really want to allow UDP packets on only one specific port, you might want to add firewall rules to block UDP packets from the other port(s), both incoming and outgoing.
>
> Since tinc does not care about the port, you might instead try to add NAT rules that change the source port of outgoing UDP packets to the desired one (and also the destination port of incoming UDP packets).
>
> But I wonder why you want to split this?
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>