On Wed, May 20, 2009 at 06:58:23PM +0200, Ricardo Belin wrote:
> My problem is that in order to run a simple VPN between two machines I
> had to manually add the "route add -net <ip>/24 $INTERFACE"
statement on
> hosts' tinc-up files.
Suppose you have two nodes, A and B, and A has 192.168.1.0/24, and B has
192.168.2.0/24. If you then put "ifconfig $INTERFACE 192.168.x.1 netmask
255.255.0.0" in the tinc-up files, then you would not need extra route add
commands, since the whole 192.168.0.0/16 is routed to the VPN. However, if you
use netmask 255.255.255.0 in tinc-up, then yes, you need to add extra routes.
> I came accross a lot of messages in the archive saying that tinc
doesn't
> handle routing and that it's my job to configure the routes manually.
Yes, tinc does not automatically configure the VPN interface and does not add
routes, you need to create tinc-up and possibly other scripts to do that.
> But according to the website :
> 1) http://www.tinc-vpn.org/documentation/tinc_3.html#SEC37
>
> "An example 'tinc-up' script:
>
> #!/bin/sh
> ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
>
>
> This script gives the interface an IP address and a netmask. The
> kernel _will also automatically add a route to this interface_ , so
> normally you _don't need to add route commands_ to the
'tinc-up'
> script. The kernel will also bring the interface up after this
> command. The netmask is the mask of the /entire/ VPN network, not
> just your own subnet."
The example is correct, the netmask is so large that it encompasses the whole
VPN, so you don't need to add more routes. The ifconfig command in the
example
configures the interface, but also adds a route for 192.168.0.0/16 to the
kernel's routing table.
If you do not want to use such a large netmask, you can create a subnet-up
script that contains the following:
#!/bin/sh
ip route add $SUBNET dev $INTERFACE
And a corresponding subnet-down of course. But you're free to do something
else.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url :
http://www.tinc-vpn.org/pipermail/tinc/attachments/20090520/00cdcf95/attachment.pgp