I have now got the tinc daemons (on network OFFICES) on BranchB and BranchA talking to each other, see below for the log from BranchB. For some troubleshooting issues relating to OS X see the end of my e-mail.

However, I have not yet achieved the network connectivity/routing that I would like.

The aim is:
BranchB is a laptop. I would like to connect it (via tinc) to my office network, so that the laptop appears to be a genuine member of the office network, like an extension of the office network.

I am happy if ALL traffic from and to the laptop goes through the tinc connection (i.e. no split routing is required, at least not for the moment).

Thus at the moment I am unclear which configuration to add / change. For specific questions see below. Any help is appreciated.

-------------------------------------

My current configuration

BranchB
The laptop, with fixed IP 222.222.222.3 (configured from the OS X GUI, System Preferences: Network).

tinc.conf
  Name = BranchB
  ConnectTo = BranchA
  Device = /dev/tun0

Host file
  Subnet = 192.168.2.1/32
  Address = 222.222.222.203
  TCPOnly = yes
  -----BEGIN RSA PUBLIC KEY-----
  ...
  -----END RSA PUBLIC KEY-----

tinc-up
  #!/bin/sh
  ifconfig $INTERFACE 192.168.2.1 192.168.2.1 netmask 255.255.0.0

BranchA
The CPU with the tinc daemon on the office network.
The office network is behind a masquerading firewall with public IP 123.123.123.7.
The tinc host has a static IP of 10.20.30.1 (configured from the OS X GUI, System Preferences: Network).
The firewall is set up to forward all traffic to 123.123.123.7 on port 655 to 10.20.30.1.
Furthermore, the preexisting office network is 192.168.3.0/24.
The tinc host is physically connected to this network, one physical ethernet interface.

tinc.conf
  Name = BranchA
  Device = /dev/tun0

Host file
  Subnet = 192.168.0.0/16
  Address = 123.123.123.7
  TCPOnly = yes
  -----BEGIN RSA PUBLIC KEY-----
  .....
  -----END RSA PUBLIC KEY-----

tinc-up
  #!/bin/sh
  ifconfig $INTERFACE 192.168.3.1 192.168.3.1 netmask 255.255.0.0

-------------------------------------

Specific questions:

The tinc daemon is running on the laptop (BranchB), and has connected to the daemon in the office (BranchA).

- As the laptop should route only itself through the vpn (and not other CPUs on 222.222.222.x), is it correct to configure subnet in the BranchB hostfile as Subnet = 192.168.2.1/32, i.e. with a /32 mask?

- Despite the running daemons, if I open a browser on the laptop the browser connects through the public IP 222.222.222.3, and not through the vpn. Which routing info is missing and how do I add this under OS X?

- How do I configure BranchB so that the remote laptop is part of the preexisting net?

-------------------------------------

Log of BranchB (the laptop)

1101125071 tinc.OFFICES[922]: tincd 1.0.3 (Nov 11 2004 05:07:05) starting, debug level 3
1101125071 tinc.OFFICES[922]: /dev/tun0 is a Generic BSD tun device
1101125071 tinc.OFFICES[922]: Executing script tinc-up
1101125071 tinc.OFFICES[922]: Script tinc-up exited with non-zero status 126
1101125071 tinc.OFFICES[922]: Listening on :: port 655
1101125071 tinc.OFFICES[922]: Listening on 0.0.0.0 port 655
1101125071 tinc.OFFICES[922]: Ready
1101125071 tinc.OFFICES[922]: Trying to connect to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Connected to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ID to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ID from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending METAKEY to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got METAKEY from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending CHALLENGE to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got CHALLENGE from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending CHAL_REPLY to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got CHAL_REPLY from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ACK to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ACK from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Connection with BranchA (123.123.123.7 port 655) activated
1101125071 tinc.OFFICES[922]: Sending ADD_SUBNET to BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Sending ADD_EDGE to everyone (BROADCAST)
1101125071 tinc.OFFICES[922]: Got ADD_SUBNET from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Forwarding ADD_SUBNET from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Got ADD_EDGE from BranchA (123.123.123.7 port 655)
1101125071 tinc.OFFICES[922]: Forwarding ADD_EDGE from BranchA (123.123.123.7 port 655)
1101125133 tinc.OFFICES[922]: Sending PING to BranchA (123.123.123.7 port 655)
1101125133 tinc.OFFICES[922]: Got PONG from BranchA (123.123.123.7 port 655)
1101125224 tinc.OFFICES[922]: Got PING from BranchA (123.123.123.7 port 655)
1101125224 tinc.OFFICES[922]: Sending PONG to BranchA (123.123.123.7 port 655)
1101125316 tinc.OFFICES[922]: Sending PING to BranchA (123.123.123.7 port 655)

-------------------------------------

Hints for running the tinc binary on OS X

Attempts to run tinc 1.0.3 return "can't open library: /sw/lib/libdl.0.dylib (No such file or directory, errno = 2)". To solve this, install Fink.

On the laptop (iBook G4, OS X 10.3.5) I installed version 0.7.1, then using FinkCommander installed the binary dlcompat-shlibs 20030629-15.

On the BranchA CPU (beige G3, OS X 10.2.8) I installed 0.6.3, then using FinkCommander installed the binaries dlcompat 20030629-5, dlcompat-dev 20030629-5 and dlcompat-shlibs 20030629-5.
On Mon, Nov 22, 2004 at 03:07:09PM +0000, Tincer wrote:

> I have now got the tinc daemons (on network OFFICES) on BranchB and
> BranchA talking to each other, see below for the log from BranchB. For
> some troubleshooting issues relating to OS X see the end of my
> e-mail.
>
> However, I have not yet achieved the network connectivity/routing
> that I would like.
>
> The aim is:
> BranchB is a laptop
> I would like to connect it (via tinc) to my office network, so that
> the laptop appears to be a genuine member of the Office network, like
> an extension of the office network.

You can do that if you set up proxy ARP on the office side, or if you use bridging. I wouldn't know how to do that on MacOS/X, but I'm sure it is possible. However, do you really need the laptop to appear like a member of the Office network?

> I am happy if ALL traffic from and to the laptop goes through the
> tinc connection (i.e. no split routing is required, at least not for
> the moment).

Split routing is the "default" with tinc.

> My current configuration
[...]

Looks good to me.

> The tinc daemon is running on the laptop (BranchB), and has connected
> to the daemon in the office (BranchA)
>
> - As the laptop should route only itself through the vpn (and not
> other CPUs on 222.222.222.x), is it correct to configure subnet in the
> BranchB hostfile as Subnet = 192.168.2.1/32, i.e. with a /32 mask?

Yes.

> - Despite the running daemons, if I open a browser on the laptop the
> browser connects through the public IP 222.222.222.3, and not through
> the vpn.
> Which routing info is missing and how do I add this under OS X?

If you want to browse webpages on the VPN, then you have to use the VPN IP addresses in the URL. If you want to route everything through the VPN, then you have to add a route that tells MacOS/X that all packets should go via tun0. Something like this should do that:

  route add 0.0.0.0/0 192.168.2.1

However, you should also make sure that tinc still connects to the office via the public IP, so you have to add another route like this:

  route add 123.123.123.7/32 222.222.222.3

But I don't see the point in routing everything through the VPN.

> Hints for running the tinc binary on OS X
[...]

The binaries we provide on the download page are not supported. They are just proof for us and you that tinc compiles on that platform.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
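The two answers above (the /32 Subnet for the laptop, and the pair of routes for full-tunnel operation) both come down to longest-prefix matching, once in tinc's Subnet table and once in the laptop's kernel routing table. The model below is an added example written for this archive page, not code from the tinc project or from either poster. It uses the addresses from the thread and replays the two `route add` commands as table entries instead of running them, so it can be checked offline. The interface names en0/tun0, the office host 192.168.3.5, the test destination 203.0.113.10 and the "route back via BranchA" entry are assumptions. It shows three things the prose leaves implicit: tinc delivers a packet to the node that announced the most specific Subnet, so a /32 from BranchB and a /16 from BranchA coexist; a default route into tun0 without the /32 exception for 123.123.123.7 would send tinc's own carrier packets back into tun0; and an office host that has no route for 192.168.2.x replies via its default gateway rather than via BranchA, which is the gap that proxy ARP, bridging or a route on the office side has to close.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match: return the target of the most specific entry
    covering dst, or None when nothing (not even a default route) matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# tinc's own "routing table": the Subnet lines from the two host files in the
# thread. tinc hands a packet to whichever node announced the longest match.
TINC_SUBNETS = [
    ("192.168.2.1/32", "BranchB"),   # laptop announces only its own address
    ("192.168.0.0/16", "BranchA"),   # office node announces the whole /16
]

TINC_ENDPOINT = "123.123.123.7"      # BranchA's public address (from the thread)

# Laptop (BranchB) kernel routing table as configured in the thread: the
# tinc-up netmask 255.255.0.0 puts 192.168.0.0/16 on tun0, everything else
# leaves via the LAN interface. Interface name en0 is an assumption.
SPLIT_ROUTES = [
    ("222.222.222.0/24", "en0"),
    ("192.168.0.0/16", "tun0"),
    ("0.0.0.0/0", "en0"),
]

# Same table after only the first suggested command (default via tun0).
FULL_TUNNEL_NO_EXCEPTION = [
    ("222.222.222.0/24", "en0"),
    ("192.168.0.0/16", "tun0"),
    ("0.0.0.0/0", "tun0"),           # route add 0.0.0.0/0 192.168.2.1
]

# And after the second command too: a /32 exception for the tinc endpoint.
FULL_TUNNEL_ROUTES = FULL_TUNNEL_NO_EXCEPTION + [
    (TINC_ENDPOINT + "/32", "en0"),  # route add 123.123.123.7/32 ...
]

# Office host 192.168.3.5 (assumed): on 192.168.3.0/24 with the masquerading
# firewall as its default gateway. Without a route for the laptop's VPN
# address its replies to 192.168.2.1 go to the firewall, not to BranchA.
OFFICE_HOST_ROUTES = [
    ("192.168.3.0/24", "lan"),
    ("0.0.0.0/0", "firewall"),
]
OFFICE_HOST_ROUTES_FIXED = OFFICE_HOST_ROUTES + [
    ("192.168.2.0/24", "BranchA"),   # assumed fix: route back via the tinc node
]


def vpn_owner(dst):
    """Which tinc node receives a packet for dst once it enters the VPN."""
    return lookup(TINC_SUBNETS, dst)


def tunnel_loops(routes, endpoint=TINC_ENDPOINT):
    """True if the kernel would send tinc's own carrier packets (the TCP
    connection to the remote endpoint) into tun0, where tinc would wrap them
    again instead of delivering them to the office."""
    return lookup(routes, endpoint) == "tun0"


def return_path_reaches_tunnel(routes, laptop_vpn_ip="192.168.2.1"):
    """True if an office host's reply to the laptop is handed to BranchA."""
    return lookup(routes, laptop_vpn_ip) == "BranchA"


if __name__ == "__main__":
    for name, routes in [("split", SPLIT_ROUTES),
                         ("full, no exception", FULL_TUNNEL_NO_EXCEPTION),
                         ("full, with /32 exception", FULL_TUNNEL_ROUTES)]:
        print(f"{name:26} web -> {lookup(routes, '203.0.113.10'):5} "
              f"endpoint -> {lookup(routes, TINC_ENDPOINT):5} "
              f"loops={tunnel_loops(routes)}")
    print("192.168.2.1 owned by", vpn_owner("192.168.2.1"))
    print("192.168.3.5 owned by", vpn_owner("192.168.3.5"))
    print("office reply reaches tunnel:",
          return_path_reaches_tunnel(OFFICE_HOST_ROUTES), "->",
          return_path_reaches_tunnel(OFFICE_HOST_ROUTES_FIXED))
```

The loop check is the practical reason for the second `route add`: with a bare default route into tun0, the kernel would route the TCP session that carries the tunnel into the tunnel itself, and the VPN would stall the moment the default route is installed. The office-side table shows why appearing as "a genuine member" of 192.168.3.0/24 needs more than the laptop's own routes: something on the office LAN has to know that 192.168.2.1 lives behind BranchA.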