tinc - Nov 2008 - Subnet / routing question

Hi,

I have been messing arroudn with tinc for a while and now I got a
configuration working like the example (4.7) from the manual

I have 3 systems, in my case system a is the only one that can be
accessed directly.

B and C connect to A

I have 3 subnets

A 5.1.0.0  gw 5.1.0.1
B 5.2.0.0  gw 5.2.0.1
C 5.3.0.0  gw 5.3.0.1

This work fine and the gateways are ip number son t he interfaces of the
3 servers.

I can connect to any of the gateways from all the computers.

So I can ping from 5.3.0.1(C) to 5.2.0.1(B) and 5.1.0.1(A) and vice
versa. So I got this working.

When reading the manual I was under the impression that tincd knows
about the existing local subnets that are running/accesible on each
individual computer as long as you add the subnet lines to the hostfile
of the host that has that subnet..

The config of system A looks like this

Address = xxx.xxx.xxx.xxx
Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 5.1.0.0/16
Subnet = 192.168.0.0/24
TCPonly = Yes

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----


The config on system C looks like this

Cipher = blowfish
Compression = 0
Digest = sha1
IndirectData = Yes
Port = 655
Subnet = 5.3.0.0/16
Subnet = 192.168.200.0/24 
TCPonly = Yes
-----BEGIN RSA PUBLIC KEY-----
....
-----END RSA PUBLIC KEY-----


So I thought that  this was al that is neccesary to beable to connect
from system C to the 192.168.0.0 subnet on system A

But when I ping or traceroute on system C to 192.168.0.16 (an existing
ip on the subnet of system A)  it simply uses the default gw on system C
which of course cannot find that ip.

So, my question is, Do I have to manually add routes in all systems
involved? Or am I missing something here? 
If I have to add routes, why do I have to Add the extra Subnet lines
telling tinc which subnet resides on which tincd?

Thanks for you help

Hans de Groot












--- 
Hans de Groot 
Email: hansg at dandy.nl   www: http://www.dandy.nl

On Wed, Nov 12, 2008 at 11:33:46AM +0100, Hans de Groot wrote:

[...]
> Subnet = 5.1.0.0/16
> Subnet = 192.168.0.0/24
[...]
> So I thought that  this was al that is neccesary to beable to connect
> from system C to the 192.168.0.0 subnet on system A
> 
> But when I ping or traceroute on system C to 192.168.0.16 (an existing
> ip on the subnet of system A)  it simply uses the default gw on system C
> which of course cannot find that ip.
>
> So, my question is, Do I have to manually add routes in all systems
> involved? Or am I missing something here? 
> If I have to add routes, why do I have to Add the extra Subnet lines
> telling tinc which subnet resides on which tincd?
The kernel needs to know where packets for your VPN have to go to, so in the
tinc-up script you'd put something like:

#!/bin/sh
ifconfig $INTERFACE 5.1.0.1 netmask 255.0.0.0
route add -net 192.168.0.0 netmask 255.255.0.0 dev $INTERFACE

However, tinc needs to know to which other tinc daemon it has to send packets.
It needs to know which subnet of your VPN belongs to which tinc daemon. So your
host config files will contain Subnet statements for subnets with a smaller
netmask than you provide your kernel with.

If you have a very complex network and adding routes with large netmasks
isn't
an option, you can use the subnet-up and subnet-down scripts to automatically
add routes based on the Subnets you configured. Another option is to use Mode
switch, which causes tinc to function like a layer 2 switch instead of a layer
3 router (and hence it doesn't need to know about Subnets at all), however
then
you have to use bridging or proxy-arp to make your local networks visible on
the VPN.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url :
http://www.tinc-vpn.org/pipermail/tinc/attachments/20081112/f430f9cb/attachment.pgp