Many thanks for the help to date. I now have a working VPN with three nodes:

10.20.30.1
10.20.40.1
10.20.50.1

Each machine can see each other machine, hundreds of miles apart from each other. Each machine is behind its own router. The machines are on their own subnets as well, of course. The individual IPs on the LANs of the nodes are:

192.168.0.155 (corresponds to 10.20.30.1)
192.168.1.155 (corresponds to 10.20.40.1)
192.168.2.155 (corresponds to 10.20.50.1)

I have another computer on the 192.168.0.x LAN, with IP address 192.168.0.188. 192.168.0.188 can ping 192.168.0.155 with no problem (and vice versa). But it can't ping 10.20.30.1 (or any of the others).

So, I either need to install a TAP interface on 192.168.0.188, give it an IP address of something like 10.20.60.1 and then run tinc on it (thereby treating it as a new node on the VPN; I've tried this, and it seems to work), or I need to bridge the 192.168.0.x LAN to the 10.20.30.1 node. The problem is that I don't want to do the first option (configure each machine as a tinc node) and I'm therefore hopeful that bridging is less difficult to maintain.

Of course, I don't know how to accomplish the second option (bridge the LAN to the VPN). Is it supposed to be as simple as selecting both network connections in Network Connections on the 192.168.0.155 (10.20.30.1) machine, right-clicking and selecting "Bridge Connections"? I tried that and the IP address of the bridged connection was a new DHCP address (192.168.0.175) and it could no longer ping the VPN. So I didn't try to ping 10.20.30.1 from 192.168.0.188.

Am I missing something simple? (I hope so)

Thanks again.
> 192.168.0.155 (corresponds to 10.20.30.1)
> 192.168.1.155 (corresponds to 10.20.40.1)
> 192.168.2.155 (corresponds to 10.20.50.1)

Why don't you use the LAN IPs (the same IPs) for the VPN? It will be much easier. Then you only have to set up routing to the other computers in your LAN via the tinc computer. Sometimes it is enough to set the routing on your gateway.

ALBI...
>> 192.168.0.155 (corresponds to 10.20.30.1)
>> 192.168.1.155 (corresponds to 10.20.40.1)
>> 192.168.2.155 (corresponds to 10.20.50.1)
>
> Why don't you use the LAN IPs (the same IPs) for the VPN? It will be much
> easier. Then you only have to set up routing to the other computers in your LAN via
> the tinc computer. Sometimes it is enough to set the routing on your gateway.

I tried to do what you say and Windows complains when I try to set the TAP interface to the same IP address as the one in use by the LAN IP interface.

Did you mean that I should set my VPN IP addresses as being on the same 192.168.x.0 set? Hence, I would show the above as:

192.168.0.155 (corresponds to 192.168.0.200)
192.168.1.155 (corresponds to 192.168.1.200)
192.168.2.155 (corresponds to 192.168.2.200)

If so, then I can change the DHCP server to only serve up through 199.

I'm not sure about how to set routing the way you are describing. If you are saying to set every other computer such that the gateway is the tinc computer, I don't think that will work for me, will it? Maybe I'm not understanding what you want me to do.
> I tried to do what you say and Windows complains when I try to set the
> TAP interface to the same IP address as the one in use by the LAN IP interface.
> Did you mean that I should set my VPN IP addresses as being on the same
> 192.168.x.0 set? Hence, I would show the above as:

Yes. Sorry, I didn't know that Windows doesn't allow this. I normally use Linux, and there this is no problem. When I used Windows, it was another network, so I never had this problem.

OK, let's try another way. Leave all as it works now. Do you use switch mode? I prefer router mode in tinc.conf; I don't know if it will work in switch mode too.

Add your local subnet in your hosts files:

At tinc host 10.20.30.1:
  Subnet = 192.168.0.0/24
At tinc host 10.20.40.1:
  Subnet = 192.168.1.0/24
At tinc host 10.20.50.1:
  Subnet = 192.168.2.0/24

Add a static route on your tinc host and on the other computers in the local network for 192.168.0.0/255.255.0.0. For LAN1 this should be something like:

  route ADD 192.168.0.0 MASK 255.255.0.0 192.168.0.155

Maybe you need to add 10.20.0.0/255.255.0.0 too. Add it, it should be better:

  route ADD 10.20.0.0 MASK 255.255.0.0 192.168.0.155

On LAN2, use 192.168.1.155 in place of 192.168.0.155.

Check if your tinc host has routing activated.

Try to ping 10.20.30/40/50.1 from a local computer in LAN1.
Try to ping 192.168.1.xxx from a local computer in LAN1.

I hope it works.

Now that I see what to do, I would not use the 10.* network at all. It would be easier to use one network for transfer (tinc hosts), maybe the 192.168.255.0/24 network, and just use one IP for every tinc host. The rest via routing like above.

ALBI...
ALBI,

Thanks for the help. Nothing I'm trying is working, yet. Perhaps we can simplify it? Let's bridge only one network, but leave the other two nodes (and their respective networks) alone. Hence, the IP addresses of the four computers I'm trying to put on a single VPN would be:

10.20.30.1/192.168.0.155
xxxxxxxxxx/192.168.0.168
10.20.40.1/192.168.1.155
10.20.50.1/192.168.2.155

Based on what you wrote, I should add the following to 192.168.0.168:

  route ADD 10.20.0.0 MASK 255.255.0.0 192.168.0.155

I should then modify all three hosts files on 10.20.30.1/192.168.0.155 to add:

  Subnet 192.168.0.0/24

I prefer to do things one step at a time (connect one LAN to the existing VPN). That way I understand the process a little better. I think I'm close, but the above doesn't work. :(
I don't think adding IP forwarding will help, will it? I added it through modifying the registry, but it doesn't have any impact.

Based on the below, I'm trying to ping 10.20.40.1 from 192.168.0.168, but since I can't even ping 10.20.30.1 from 192.168.0.168 (although I can ping 192.168.0.1 from 192.168.0.168, of course) I think I'm stuck. Once I can ping 10.20.30.1 from 192.168.0.168 I can then worry about getting to 10.20.40.1, which, if it requires TCP/IP forwarding, I'll do that.

Thanks

> Hi,
>
> Have you activated IP forwarding on the tinc server?
>
> Regards,
> Ramses
>
> From: tinc-bounces at tinc-vpn.org [mailto:tinc-bounces at tinc-vpn.org] On behalf of Anon
> Sent: Monday, 01 February 2010 18:34
> To: tinc at tinc-vpn.org
> Subject: Bridging on windows networks
> I don't think adding IP forwarding will help, will it? I added it
> through modifying the registry, but it doesn't have any impact.

Yes, sure, you must have forwarding/routing activated on every tinc host, or it can't gate your packets to the other network. Sorry, I don't know the exact names; it should be in Services, "Routing and RAS". I have German XP ;-)

> Based on the below, I'm trying to ping 10.20.40.1 from 192.168.0.168, but since I can't
> even ping 10.20.30.1 from 192.168.0.168 (although I can ping
> 192.168.0.1 from 192.168.0.168,
> of course) I think I'm stuck. Once I can ping 10.20.30.1 from
> 192.168.0.168
> I can then worry about getting to 10.20.40.1, which, if it requires TCP/IP forwarding,
> I'll do that.

Yes, exactly: first get the ping from 192.168.0.168 to 10.20.30.1 working. As long as this does not work, check IP routing/forwarding and your static routing on 192.168.0.155 and 192.168.0.168.

Can you send "route print" from these two computers?

ALBI...
> I should then modify all three hosts file on
> 10.20.30.1/192.168.0.155 to add:
>
> Subnet 192.168.0.0/24

10.20.30.1: Subnet = 192.168.0.0/24
10.20.40.1: Subnet = 192.168.1.0/24
10.20.50.1: Subnet = 192.168.2.0/24

> I prefer to do things one step at a time (connect one LAN to the existing
> vpn). That way I understand the process a little better.

Yes, you are right. As I told you already, first ping 10.20.30.1; if this works, we can ping 10.20.40.1.

ALBI...
>> I don't think adding IP forwarding will help, will it? I added it
>> through modifying the registry, but it doesn't have any impact.
>
> Yes, sure, you must have forwarding/routing activated on every tinc host,
> or it can't gate your packets to the other network.
> Sorry, don't know the exact names, should be in Services - Routing and
> RAS. I have German XP ;-)

My paragraph above says that I did find how to add forwarding. I confirmed that it was not activated, yet the VPN worked fine. I then activated it, and the VPN continues to work fine. In both states, non-host computers can not access the VPN.

>> Based on the below, I'm trying to ping 10.20.40.1 from 192.168.0.168,
>> but since I can't
>> even ping 10.20.30.1 from 192.168.0.168 (although I can ping
>> 192.168.0.1 from 192.168.0.168,
>> of course) I think I'm stuck. Once I can ping 10.20.30.1 from
>> 192.168.0.168
>> I can then worry about getting to 10.20.40.1, which, if it requires
>> TCP/IP forwarding,
>> I'll do that.
>
> Yes, exactly, first get ping from 192.168.0.168 to 10.20.30.1; as long as this
> does not work, check IP routing/forwarding and your static routing on
> 192.168.0.155 and .168
> Can you send "route print" from these two computers?

10.20.30.1/192.168.0.155
===========================================================================
Interface List
0x3 ...00 ff 03 32 1e 50 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.155      20
        10.20.0.0      255.255.0.0       10.20.30.1     10.20.30.1      30
       10.20.30.1  255.255.255.255        127.0.0.1      127.0.0.1      30
   10.255.255.255  255.255.255.255       10.20.30.1     10.20.30.1      30
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.155  192.168.0.155      20
    192.168.0.155  255.255.255.255        127.0.0.1      127.0.0.1      20
    192.168.0.255  255.255.255.255    192.168.0.155  192.168.0.155      20
        224.0.0.0        240.0.0.0       10.20.30.1     10.20.30.1      30
        224.0.0.0        240.0.0.0    192.168.0.155  192.168.0.155      20
  255.255.255.255  255.255.255.255       10.20.30.1     10.20.30.1       1
  255.255.255.255  255.255.255.255    192.168.0.155  192.168.0.155       1
Default Gateway:     192.168.123.1
===========================================================================
Persistent Routes:
  None

xxx.xxx.xxx.xxx/192.168.0.155
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.168      25
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.168  192.168.0.168      25
    192.168.0.168  255.255.255.255        127.0.0.1      127.0.0.1      25
    192.168.0.255  255.255.255.255    192.168.0.168  192.168.0.168      25
        224.0.0.0        240.0.0.0    192.168.0.168  192.168.0.168      25
  255.255.255.255  255.255.255.255    192.168.0.168  192.168.0.168       1
  255.255.255.255  255.255.255.255    192.168.0.168              2       1
  255.255.255.255  255.255.255.255    192.168.0.168          10006       1
  255.255.255.255  255.255.255.255    192.168.0.168          20004       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

Just to recap. 168 can ping 155 just fine. 155 can ping 10.20.40.1 and 10.20.50.1 (both distant nodes of the VPN) just fine, and they can ping 10.20.30.1 just fine. But since 168 can't ping 10.20.30.1, it obviously can't find 10.20.40.1 or 10.20.50.1.

I should also note that when I say that it *can* ping a computer, it also sees all Windows shares just fine.

Thanks for looking at this.
On Sun, Jan 31, 2010 at 11:27:34PM -0800, Anon wrote:

> 192.168.0.155 (corresponds to 10.20.30.1)
> 192.168.1.155 (corresponds to 10.20.40.1)
> 192.168.2.155 (corresponds to 10.20.50.1)
>
> I have another computer on the 192.168.0.x LAN, with IP address
> 192.168.0.188. 192.168.0.188 can ping 192.168.0.155 with no problem (and
> vice versa). But it can't ping 10.20.30.1 (or any of the others).

It will be much easier if you could just use 192.168.x.y addresses for the VPN as well. But first let me tell you what needs to be done to get it working with 10.20.x.y addresses on the VPN.

HARD WAY:

When 192.168.0.188 sends a packet to 10.20.x.y, it needs to have an entry in its routing table that says that packets for 10.20.0.0/16 should go to 192.168.0.155. Then, you should be able to ping 10.20.30.1. However, pinging any other node on the VPN will not work yet.

Suppose 192.168.0.188 tries to ping 10.20.40.1. Tinc on 192.168.0.155 will pick the ping packets up and forward them to 10.20.40.1. There, the kernel will generate an ICMP reply, and will try to send it back to 192.168.0.188. For that, it needs to have an entry in its routing table that says packets for 192.168.0.0/16 should go to the VPN adapter. Tinc on 192.168.1.155 will then pick it up, but it needs to know where to send packets with destination address 192.168.0.188 to. For that, the tinc daemon on 192.168.0.155 should have Subnet = 192.168.0.0/24 in its host config file.

Suppose there are more hosts on the other LANs as well, and 192.168.0.188 wants to ping 192.168.1.199. Then 192.168.0.188 must have an entry in its routing table that says packets for 192.168.0.0/16 should go via the VPN, 192.168.1.155 must have Subnet = 192.168.1.0/24 in its host config file, and 192.168.1.199 must also have an entry in its routing table that says packets for 192.168.0.0/16 should go via the VPN.

If any host should be able to communicate with any other host on the VPN, you are going to have to add a lot of routes... If you can control the routing table of the gateway of each LAN (I assume having IP address 192.168.0.1, 192.168.1.1 and 192.168.2.1), you can add an entry in each of them directing packets with destination 10.20.0.0/16 and 192.168.0.0/16 to the host running tinc on each LAN. But then packets will be sent twice over the LAN, which is not so efficient.

EASIER WAY:

It is much easier to use tinc's switch mode, and to bridge the LAN to the VPN interface on each host running tinc. Then, you don't need to configure Subnets and you don't need to add any routes. You also won't get any address conflicts. You will only use 192.168.x.y addresses this way. However, you need to change the netmask of the LAN interface of all the hosts from 255.255.255.0 to 255.255.0.0, otherwise they will still send packets for a different LAN to their default gateway instead of to the local tinc node.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
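A worked model of the routing argument in the "HARD WAY" above, and of ALBI's earlier route ADD / Subnet steps, added here as an illustration; it is not code from the thread or from tinc. It parses the "route print" table posted for 192.168.0.168, does the longest-prefix lookup a host's IP stack does, and shows where a ping to 10.20.30.1 goes before and after the suggested route is added. The table for the remote node 10.20.40.1 / 192.168.1.155 is constructed (an assumption modelled on the posted 10.20.30.1 table) to show why its ICMP reply to 192.168.0.188 needs a 192.168.0.0/16 route through the TAP address, and why the /24 versus /16 LAN netmask decides whether a host hands a packet to its default gateway.

```python
import ipaddress

# The "Active Routes" table the poster printed for 192.168.0.168 (re-typed
# from the thread; the rows whose Interface column is a bare index are left out).
ROUTE_PRINT_168 = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.168      25
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.168  192.168.0.168      25
    192.168.0.168  255.255.255.255        127.0.0.1      127.0.0.1      25
    192.168.0.255  255.255.255.255    192.168.0.168  192.168.0.168      25
        224.0.0.0        240.0.0.0    192.168.0.168  192.168.0.168      25
  255.255.255.255  255.255.255.255    192.168.0.168  192.168.0.168       1
"""

# Constructed table for the remote tinc node 10.20.40.1 / 192.168.1.155,
# modelled on the one posted for 10.20.30.1 (an assumption, not output from
# the thread): default route to its LAN router, the TAP route, its own LAN.
ROUTE_PRINT_REMOTE = """\
          0.0.0.0          0.0.0.0      192.168.1.1  192.168.1.155      20
        10.20.0.0      255.255.0.0       10.20.40.1     10.20.40.1      30
      192.168.1.0    255.255.255.0    192.168.1.155  192.168.1.155      20
"""


def parse_route_print(text):
    """Parse 'route print' rows into (network, gateway, interface, metric).
    Lines without exactly five fields, or whose first two fields are not an
    address and a mask, are headers or separators and are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes


def route(network, gateway, iface, metric=1):
    """One route tuple, i.e. what 'route ADD <net> MASK <mask> <gw>' creates."""
    return (ipaddress.ip_network(network), gateway, iface, metric)


def next_hop(routes, destination):
    """Longest-prefix match, lowest metric breaking ties, as the IP stack does.
    Returns (gateway, interface), or None if no route matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


def is_on_link(local_ip, netmask, destination):
    """True when a host with local_ip/netmask delivers to destination directly
    on its LAN instead of handing it to a gateway (the /24 vs /16 point)."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(destination) in net


# Step 1, the LAN client: without the extra route, a ping to 10.20.30.1 is
# handed to the LAN router 192.168.0.1, which knows nothing about 10.20.0.0/16.
ROUTES_168 = parse_route_print(ROUTE_PRINT_168)
VPN_ROUTE_LAN1 = route("10.20.0.0/16", "192.168.0.155", "192.168.0.168")

# Step 2, the remote node's reply: its table has no route back to
# 192.168.0.0/16, so the ICMP reply to 192.168.0.188 also leaves via its LAN
# router unless a route through the TAP address is added.
ROUTES_REMOTE = parse_route_print(ROUTE_PRINT_REMOTE)
RETURN_ROUTE_REMOTE = route("192.168.0.0/16", "10.20.40.1", "10.20.40.1")

if __name__ == "__main__":
    print("client -> 10.20.30.1, as posted:   ", next_hop(ROUTES_168, "10.20.30.1"))
    print("client -> 10.20.30.1, route added: ", next_hop(ROUTES_168 + [VPN_ROUTE_LAN1], "10.20.30.1"))
    print("remote -> 192.168.0.188, no route: ", next_hop(ROUTES_REMOTE, "192.168.0.188"))
    print("remote -> 192.168.0.188, with route:", next_hop(ROUTES_REMOTE + [RETURN_ROUTE_REMOTE], "192.168.0.188"))
    print("remote -> own LAN stays on-link:   ", next_hop(ROUTES_REMOTE + [RETURN_ROUTE_REMOTE], "192.168.1.199"))
    print("/24 client, 192.168.1.199 on-link? ", is_on_link("192.168.0.188", "255.255.255.0", "192.168.1.199"))
    print("/16 client, 192.168.1.199 on-link? ", is_on_link("192.168.0.188", "255.255.0.0", "192.168.1.199"))
```

The last lookup shows why adding 192.168.0.0/16 via the VPN does not break the remote node's own LAN: its /24 on-link route is longer and still wins for 192.168.1.x.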
WOW! What a great tutorial. Thanks.

I'm probably going to end up going the easy way, but I'm learning so much that I'm chomping at the bit to make the hard way work, just as an exercise, with a limited portion of my network, for educational purposes.

Of course, I get stuck right out of the gate. I tried adding a route on 192.168.0.188 so that 10.20.30.1 would ping, and it doesn't. This is what I tried:

  route ADD 10.20.0.0 MASK 255.255.0.0 192.168.0.155

This added the following line to the route table:

  10.20.0.0      255.255.0.0    192.168.0.155  192.168.0.188       1

But ping fails. Is there a step I've missed?

Thanks, again. Give me a day or two to digest the "easier way" and I'll try and implement it.
> xxx.xxx.xxx.xxx/192.168.0.158
>
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.168      25
>         127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
>       192.168.0.0    255.255.255.0    192.168.0.168  192.168.0.168      25
>     192.168.0.168  255.255.255.255        127.0.0.1      127.0.0.1      25
>     192.168.0.255  255.255.255.255    192.168.0.168  192.168.0.168      25
>         224.0.0.0        240.0.0.0    192.168.0.168  192.168.0.168      25
>   255.255.255.255  255.255.255.255    192.168.0.168  192.168.0.168       1
>   255.255.255.255  255.255.255.255    192.168.0.168              2       1
>   255.255.255.255  255.255.255.255    192.168.0.168          10006       1
>   255.255.255.255  255.255.255.255    192.168.0.168          20004       1
> Default Gateway:       192.168.0.1

On .168 you need to add the route 10.20.0.0 mask 255.255.0.0 192.168.0.155. This needs to be done persistently (-p) or after every boot. Then try again to ping 10.20.30.1.

ALBI...
> On .168 you need to add route 10.20.0.0 mask 255.255.0.0 192.168.0.155
> This need to be done persistent (-p) or after every boot.
> Then try again ping 10.20.30.1

Did you see my latest message? It read:

"This is what I tried:

  route ADD 10.20.0.0 MASK 255.255.0.0 192.168.0.155

This added the following line to the route table:

  10.20.0.0      255.255.0.0    192.168.0.155  192.168.0.188       1

But ping fails."

Is there a step I've missed?