Hello!
I'm trying to make a wireless mesh network with b.a.t.m.a.n. protocol,
and I would like to secure the wireless links with tinc. My test network
is 2 wireless routers with OpenWRT Kamikaze firmware, and the network
topology is the following:
|CLIENT|eth0: 192.168.180| <--> |eth0: 192.168.1.1|MESH-NODE|ath0: 192.168.5.54| <~~> |ath0: 192.168.5.51|GW|eth1: 192.168.1.51| <--> |INTERNET|
                                                                                                        |eth0: 192.168.2.50|
                                                                                                                 |
                                                                                                                 ?
                                                                                                        |eth0: 192.168.2.135|
                                                                                                        |SERVER|
My aim is to protect only the wireless links (the two routers) and the
server with the VPN, but not the client node which connects to the
mesh-node by UTP. So far, I've made a VPN link with the 2 routers and the
server, and with the mesh-node's tinc-up script, all traffic is going
through the VPN from the mesh-node, but the client can't reach the
internet (as I saw from tinc's logs, the traffic goes to the
gateway, but then stops).
I'm attaching my configuration, please, take a look at it, and tell me
what's missing.
Regards,
David
PS: ifconfig and route were run before the tinc VPN was up.
Configuration:
-------
server:
-------
root at server:/etc/tinc/vpn# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1d:7d:71:45:bd
inet addr:192.168.2.135 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::21d:7dff:fe71:45bd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:94657 errors:0 dropped:202613106 overruns:0 frame:0
TX packets:84621 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28777000 (27.4 MB) TX bytes:10903255 (10.3 MB)
Interrupt:221 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2710 errors:0 dropped:0 overruns:0 frame:0
TX packets:2710 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:106545 (104.0 KB) TX bytes:106545 (104.0 KB)
root at server:/etc/tinc/vpn/hosts# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
root at server:/etc/tinc/vpn# cat tinc.conf
Name = server
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/server_priv.key
#ConnectTo = gw
root at server:/etc/tinc/vpn# cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.11.1 netmask 255.255.255.0
----
gw:
----
root at GW:/etc/tinc/vpn# ifconfig
ath0 Link encap:Ethernet HWaddr 00:1D:0F:B1:73:38
inet addr:192.168.5.51 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2251862 errors:0 dropped:0 overruns:0 frame:0
TX packets:573308 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2644318856 (2.4 GiB) TX bytes:55110670 (52.5 MiB)
eth0 Link encap:Ethernet HWaddr 00:0D:B9:13:A7:FC
inet addr:192.168.1.51 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:10 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0D:B9:13:A7:FD
inet addr:192.168.2.50 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4219579 errors:0 dropped:0 overruns:0 frame:0
TX packets:4378485 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2363009463 (2.2 GiB) TX bytes:1904172856 (1.7 GiB)
Interrupt:12 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4494 errors:0 dropped:0 overruns:0 frame:0
TX packets:4494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:323618 (316.0 KiB) TX bytes:323618 (316.0 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:104.255.255.254 P-t-P:104.255.255.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1472 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wifi0 Link encap:UNSPEC HWaddr 00-1D-0F-B1-73-38-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:52168663 errors:0 dropped:14124 overruns:0 frame:966104
TX packets:20197711 errors:5370 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:395
RX bytes:574939056 (548.3 MiB) TX bytes:3661444004 (3.4 GiB)
Interrupt:9
root at GW:/etc/tinc/vpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.54 0.0.0.0 255.255.255.255 UH 0 0 0 ath0
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 ath0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
root at GW:/etc/tinc/vpn# cat tinc.conf
Name = gw
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/gw_priv.key
ConnectTo = server
root at GW:/etc/tinc/vpn# cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.11.2 netmask 255.255.255.0
-----------
meshnode:
-----------
root at meshnode:/etc/tinc/vpn# ifconfig
ath0 Link encap:Ethernet HWaddr 00:1D:0F:B1:91:1F
inet addr:192.168.5.54 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71752 errors:0 dropped:0 overruns:0 frame:0
TX packets:9708 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3364524 (3.2 MiB) TX bytes:723743 (706.7 KiB)
eth0 Link encap:Ethernet HWaddr 00:0D:B9:13:86:68
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:287 errors:0 dropped:0 overruns:0 frame:0
TX packets:181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:85004 (83.0 KiB) TX bytes:47965 (46.8 KiB)
Interrupt:10 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wifi0 Link encap:UNSPEC HWaddr 00-1D-0F-B1-91-1F-0A-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48680 errors:0 dropped:0 overruns:0 frame:876
TX packets:9973 errors:33 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:195
RX bytes:3991092 (3.8 MiB) TX bytes:963341 (940.7 KiB)
Interrupt:9
root at meshnode:/etc/tinc/vpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.51 0.0.0.0 255.255.255.255 UH 0 0 0 ath0
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 ath0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.5.51 0.0.0.0 UG 0 0 0 ath0
root at meshnode:/etc/tinc/vpn# cat tinc.conf
Name = meshnode
AddressFamily = ipv4
Device = /dev/net/tun
Interface = tap0
Mode = switch
#Mode = router
PrivateKeyFile = /etc/tinc/vpn/meshnode_priv.key
ConnectTo = gw
root at meshnode:/etc/tinc/vpn# cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.11.3 netmask 255.255.255.0
route add default gw 192.168.11.2 $INTERFACE
route del default gw 192.168.5.51 ath0
------
client:
------
OS: Windows XP
IP: 192.168.1.180
Gateway: 192.168.1.1
Netmask: 255.255.255.0
-------------
/hosts files:
-------------
root at server:/etc/tinc/vpn/hosts# cat server
Address = 192.168.2.135
Subnet = 192.168.11.1/32
Compression = 9
IndirectData = yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
root at server:/etc/tinc/vpn/hosts# cat gw
Address = 192.168.5.51
Subnet = 192.168.11.2/32
Compression = 9
IndirectData = yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
root at server:/etc/tinc/vpn/hosts# cat meshnode
Address = 192.168.5.54
Subnet = 192.168.11.3/32
Compression = 9
IndirectData = yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
On Wed, Jul 30, 2008 at 08:49:57AM +0200, Szili Dávid wrote:

> I'm trying to make a wireless mesh network with b.a.t.m.a.n. protocol,
> and I would like to secure the wireless links with tinc. My test network
> is 2 wireless routers with OpenWRT Kamikaze firmware, and the network
> topology is the following:

[...]

> My aim is to protect only the wireless links (the two routers) and the
> server with the VPN, but not the client node which connects to the
> mesh-node by UTP. So far, I've made a VPN link with the 2 routers and the
> server, and with the mesh-node's tinc-up script, all traffic is going
> through the VPN from the mesh-node, but the client can't reach the
> internet (as I saw from tinc's logs, the traffic goes to the
> gateway, but then stops).

Could you also send those logs?

Anyway, most of the configuration looks fine. However, you wrote that the
client uses IP address 192.168.1.180. Although the mesh node is properly set
up to forward everything to the gateway node, the gateway does not know that
traffic for 192.168.1.180 should be sent back to the mesh node. The gateway's
routing table says packets for all 192.168.1.* addresses should go to eth0.
You either need to add an extra route on the gateway, set up proxy-arp or
bridge the eth0 interfaces of the mesh and gateway node to their tap0
interfaces.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
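To make the diagnosis above concrete, here is an added example (written for this page, not code from the thread or from tinc) that replays the posted "route -n" tables through a longest-prefix-match lookup: the mesh node sends the client's packets into the tunnel, but the gateway's reply lookup for 192.168.1.180 lands on eth0, not tap0. The with_return_route() fix, a /32 host route via the mesh node's VPN address 192.168.11.3, is my assumption of one way to realise the "extra route on the gateway"; the 203.0.113.1 destination is a constructed sample.

```python
import ipaddress

# Routing tables transcribed from the "route -n" output in the thread:
# (destination prefix, next-hop gateway or None if directly connected, interface).
GW_ROUTES = [
    ("192.168.5.54/32", None, "ath0"),
    ("192.168.5.0/24", None, "ath0"),
    ("192.168.2.0/24", None, "eth1"),
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.2.1", "eth1"),
]

# The mesh node after its tinc-up script ran: ifconfig on tap0 adds the
# connected 192.168.11.0/24 route, the default now points into the tunnel,
# and the host route to the gateway's ath0 address keeps tinc's own UDP alive.
MESHNODE_ROUTES = [
    ("192.168.5.51/32", None, "ath0"),
    ("192.168.5.0/24", None, "ath0"),
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.11.0/24", None, "tap0"),
    ("0.0.0.0/0", "192.168.11.2", "tap0"),
]

CLIENT = "192.168.1.180"          # the Windows XP client behind the mesh node
SAMPLE_DST = "203.0.113.1"        # constructed Internet destination (TEST-NET-3)


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins
    (all metrics in the thread are 0, so they never break a tie)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])


def with_return_route(routes):
    """Hypothetical fix (assumption, not from the thread): a host route for the
    client via the mesh node's VPN address. A /32 is needed because a /24 would
    only tie with the connected 192.168.1.0/24 on eth0; roughly equivalent to
    'route add -host 192.168.1.180 gw 192.168.11.3 dev tap0' on the gateway."""
    return routes + [(CLIENT + "/32", "192.168.11.3", "tap0")]


if __name__ == "__main__":
    print("mesh node forwards client traffic via:", lookup(MESHNODE_ROUTES, SAMPLE_DST))
    print("gateway returns replies via:          ", lookup(GW_ROUTES, CLIENT))
    print("gateway with the extra host route:    ", lookup(with_return_route(GW_ROUTES), CLIENT))
```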