Displaying 20 results from an estimated 10000 matches similar to: "FW: Help with 'switch' mode"
2003 Aug 25
1
Help with 'switch' mode
Hello,
I've been using tinc v1.0 for the last few weeks in router mode - to
great success. It's EXACTLY what I was looking for in a VPN at the time
- most of the security of IPSEC with none of the interoperability
issues. However, a few days ago, I got a VOIP phone that doesn't use IP
without paying several thousand extra dollars on top of what we've
already spent on the phone
2016 Dec 29
0
Allow direct connection between some (but not all) nodes on the network (Guus Sliepen)
Guus Sliepen,
I am working on a zeroconf setup for tinc called tzk, that could allow you
to make this easily
https://github.com/NebTex/tzk/
I will make a better readme this weekend, but you need a public machine with
a public domain - subdomain pointed to it, the script will install tinc,
consul (that is used to coordinate the vpn), and caddy, a small reverse
proxy to expose consul to the public
2015 Mar 18
1
Configuration advice on a single interface server
Sorry, Guus
I know how to bridge an internal adapter to a tap device. My problem is
that this box only has one physical interface.
Internet ----->[Cisco router]------------[network switch]--------{PCs,
Linux VPN server}
A typical server bridge setup is for the LAN side of the adapter to be
bridged to the tap, and the external client connecting to its external
adapter be serviced by the vpn
2017 Feb 23
1
Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
hi
It was not working when I applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card
root at JOTVPN:~# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000c29638a7e       no              eth0
                                                        vpn
so I tried the
2016 Jul 25
0
How does tinc server handle the case one client's key file is removed after connection
Thanks Guus for the quick answer, I will give a try now.
Рысь,
In my case we don't want to restart tinc "server" at all, therefore what
might
happen is that the client is still connected to server while its public key
was already
removed from server.
I will try the signal approach.
Heng
On Mon, Jul 25, 2016 at 12:42 PM, <tinc-request at tinc-vpn.org> wrote:
> Send tinc
2015 May 12
2
Letting linux be the router, allowing dynamic routes, suggestion
No, this would in fact operate as a routing mode instead of bridging.
TAP would be used as a means to push routing to where it belongs, the
linux/bsd/... kernel.
Consider the challenge of having completely dynamic routing between vpn
peers. In one minute I might have 10000 routes towards one specific peer,
an hour later I might have NONE. And I need to differentiate each peer at
the kernel
2015 May 12
2
Letting linux be the router, allowing dynamic routes, suggestion
I see what you want me to do. But it does incur an extra MAC layer header
to each VPN packet, more fragmentation.
And broadcasts leak to all peers.
It sure saves you from doing any improvements, but there are side effects
that are undesirable to many customers.
This is especially a problem if I want two VPN connections between two sites
using redundant connections, we get an instant L2 loop.
With
2015 Jan 06
0
[RFC] [PATCH] Mode=Switch: add per-VLAN forwarding database
On Tue, Jan 06, 2015 at 12:31:20PM +0100, Michael Braun wrote:
> I'm inter-connecting AccessPoints using a tinc mesh and have bridge-nodes to bridge this vpn into some existing backbone.
> The AccessPoints bridge their users into 802.1q VLANs (per WiFi-Client, there can be multiple VLANs active on each AP) in the tinc mesh, and the bridge nodes bridge some vlans into the backbone.
>
2015 May 21
0
IPv6 subnet routing
You have a typo in your routes:
fd80:2015:2105:adcd::/6
abcd vs. adcd
On 21 May 2015, at 19:35, Martin <martinmoen at gmail.com> wrote:
I have 2 nodes nodeA and nodeB
I'm using tinc 1.1pre11
-- nodeA(fd80:2015:2105:abcd::1) :
$ ip -6 route
fd80:2015:2105:abcd::1 dev tun0 proto kernel metric 256
fd80:2015:2105:adcd::/64 dev tun0 metric 1024
2017 Oct 12
1
tinc Digest, Vol 156, Issue 4
Thanks Guus. Appreciate the help.
What's the purpose of SUBNET msg? Is it even useful in switch mode?
I tweaked the code to disable SUBNET msg, because I thought they weren't
useful when it comes to switch mode.
Which apparently caused the UDP connection to get blocked. If I re-enable
SUBNET msg, the udp connection starts
to work fine. I don't see any forwarding traffic any more.
On
2017 Sep 14
0
Packet capture to analysis the tinc connection close
Earlier, my tinc topology is this: https://ibb.co/bP1EJa, let me explain a little bit:
client configuration:
Name = client
AddressFamily = ipv4
ProcessPriority = high
PingTimeout = 10
TunnelServer = yes
1. All tinc nodes configured with “IndirectData = yes”, and the lines shown on the picture with arrow means the directional “ConnectTo”, so all the tinc traffic will
2017 Aug 23
1
What if two tinc daemons received the same Subnet but with different weight?
Hi, Guus
I refer to the two separate tinc process/network (received same subnet),
not Subnet selection within one tinc process/network.
My understanding is if different tinc process comes with exact subnet, as
they are not related with each other (they have no idea regarding weights
with each other), I guess the routing depends on the host's main routing
table, for specific route it depends
2016 Feb 26
1
Tinc 1.0.26 on Mac OS X
Ah, fantastic. With the following config I get a usable tap0:
$ sudo cat /etc/tinc/robotvpn/tinc.conf
Name = elendur
Mode = switch
AddressFamily = ipv4
Device = /dev/tap0
Compression = 1
ConnectTo = robot_ph_cpe22_04
Still need to figure out the Avahi side of things for name resolution, but
thanks all!
On 26 February 2016 at 11:04, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Thu,
2015 Sep 24
0
tinc initialization (in both Red Hat and Debian families)
Would it not make more sense to have this on packager's responsibility
instead like you were saying adding it into the upstream repo.
Maybe have a secondary repo that people can contribute to for distribution
specific files and install scripts.
On 24 September 2015 at 21:30, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Thu, Sep 24, 2015 at 05:45:36PM +0200, Guus Sliepen wrote:
>
2016 Feb 14
2
Qts - L --mLock option
So as best practice running tinc I should include it ?
Regards
Yazeed Fataar
<yazeedfataar at hotmail.com>
On Sun, Feb 14, 2016 at 1:08 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Sun, Feb 14, 2016 at 10:53:19AM +0300, Yazeed Fataar wrote:
>
> > Going through the options tinc has. Can someone explain exactly what the
> > purpose is for -L option for the
2015 Nov 25
0
tinc exit when there is no internet?
Something to add. When this happened, it looks like tinc shutdown
gracefully (not seg fault ..), because I can tell tinc-down script got
implemented.
Heng
On Wed, Nov 25, 2015 at 6:00 AM, <tinc-request at tinc-vpn.org> wrote:
> Send tinc mailing list submissions to
> tinc at tinc-vpn.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>
2015 Nov 25
0
tinc exit when there is no internet?
Thanks for the reply.
I am running tinc (1.0.24) in an embedded linux environment, with a pretty
old kernel (2.6).
I have let tinc run for almost 24 hours with internet and can't reproduce
the issue.
Heng
On Wed, Nov 25, 2015 at 6:00 AM, <tinc-request at tinc-vpn.org> wrote:
> Send tinc mailing list submissions to
> tinc at tinc-vpn.org
>
> To subscribe or
2016 Jan 24
2
Securing tinc config files
Hi Guus
Can you recommend a good strategy in securely managing the config and hosts
files please?
2016 May 13
2
Bridge not forwarding multicast traffic to the tap interface
yes, ip_forward was turned on.
iptables is defaulted to ACCEPT policy on all the 3 chains.
On Sat, May 14, 2016 at 1:24 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Sat, May 14, 2016 at 12:06:51AM +0800, Terry T wrote:
>
> > I have a Debian 8 64-bit machine set up as a server and apt-got the tinc
> > package. I configured tinc as a bridge and everything seems
2017 Jan 16
0
Firewall rules for TINC server
Thanks for the answer Guus,
One more thing. I can run two tinc daemons one for each group, but I still
need to communicate clients from one group to the other.
Clients from group 2 (admin group) need to reach clients from group 1
(remote server group), but clients from group 1 must not be able to reach
each other nor the server.
If I'm not using TunnelServer and Forwarding, How can I setup