thr3ads.net - tinc - Basic configuration problem [Sep 2012]

If this information is useful, please help other people find it:
Share via:

Ryan Rustong

2012-Sep-14 22:37 UTC

Basic configuration problem

Hello,

I have been reading through the documentation and trying to set up a very
small VPN as a test for a larger rollout that I would like to complete in
the future but cannot get this working.  The configuration seems like it
should be relatively simple, so I'm most likely missing something basic but
I just cannot see what I'm doing wrong.  At the moment I am trying to get
this working between 2 CentOS servers, but will eventually scale to many
more (and using IPv6).  I am setting it up in a "client/server" mode
as my
clients will not be opening firewall rules to allow incoming connections,
they will all connect back to my "server."

Both sides of the tunnel are behind a NAT'd address, the public IP of each
server is what I have added as the "Address" variable in the host
files.
 After starting tinc, I am able to see that the tun0 interface comes up and
the 192.168.0.0/16 route is added to both route tables.  I added
10.18.73.0/24 to my "client" route table pointing to the tun0
interface as
a route is not being created for that (which to my understanding is my
responsibility as tinc does not take care of that).  With the daemon
running attached in debug mode, I see that they two devices see each other
and immediately establish the tunnel, but I am unable to ping any of the
addresses on the remote end of the tunnel.

If I try to ping the remote tun0 interface, I receive the following output:

[root at tinc-server tinc]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.>From 192.168.1.2 icmp_seq=1 Destination Net Unknown
>From 192.168.1.2 icmp_seq=2 Destination Net Unknown
Using tcpdump on the remote server, I do not see any packets making it to
my tun0 interface.

However, if I try to ping the eth1 interface of the remote server I do not
get any output on the local server, but do see the following in a tcpdump
on the remote server:

[root at localhost tinc]# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
22:25:11.660009 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 14, length 64
22:25:11.660125 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 14, length 64
22:25:11.660167 IP 192.168.1.1 > 192.168.56.101: ICMP net 192.168.1.1
unreachable - unknown, length 92
22:25:12.658727 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 15, length 64
22:25:12.658907 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 15, length 64
22:25:12.659493 IP 192.168.1.1 > 192.168.56.101: ICMP net 192.168.1.1
unreachable - unknown, length 92
22:25:13.657558 IP 192.168.1.1 > 192.168.56.101: ICMP echo request, id
34573, seq 16, length 64
22:25:13.657679 IP 192.168.56.101 > 192.168.1.1: ICMP echo reply, id 34573,
seq 16, length 64

Here is some output from the "server" upon starting the daemon:

[root at localhost hosts]# tincd -D -d3
tincd 1.0.19 (Jul 31 2012 18:48:38) starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Connection from 2.2.2.2 port 35031
Sending ID to <unknown> (2.2.2.2 port 35031)
Got ID from <unknown> (2.2.2.2 port 35031)
Sending METAKEY to client1 (2.2.2.2 port 35031)
Got METAKEY from client1 (2.2.2.2 port 35031)
Sending CHALLENGE to client1 (2.2.2.2 port 35031)
Got CHALLENGE from client1 (2.2.2.2 port 35031)
Sending CHAL_REPLY to client1 (2.2.2.2 port 35031)
Got CHAL_REPLY from client1 (2.2.2.2 port 35031)
Sending ACK to client1 (2.2.2.2 port 35031)
Got ACK from client1 (2.2.2.2 port 35031)
Connection with client1 (2.2.2.2 port 35031) activated
Sending ADD_SUBNET to client1 (2.2.2.2 port 35031)
Sending ADD_EDGE to everyone (BROADCAST)
Got ADD_SUBNET from client1 (2.2.2.2 port 35031)
Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031)
Got ADD_SUBNET from client1 (2.2.2.2 port 35031)
Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031)
Got ADD_EDGE from client1 (2.2.2.2 port 35031)
Forwarding ADD_EDGE from client1 (2.2.2.2 port 35031)
UDP address of client1 set to 2.2.2.2 port 655
Sending ANS_KEY to client1 (2.2.2.2 port 35031)
UDP address of client1 set to 2.2.2.2 port 19446
Sending REQ_KEY to client1 (2.2.2.2 port 35031)
Sending PACKET to client1 (2.2.2.2 port 35031)
Sending PACKET to client1 (2.2.2.2 port 35031)
Got ANS_KEY from client1 (2.2.2.2 port 35031)
Got ANS_KEY from client1 (2.2.2.2 port 35031)
Got PING from client1 (2.2.2.2 port 35031)
Sending PONG to client1 (2.2.2.2 port 35031)
Sending PING to client1 (2.2.2.2 port 35031)

And the same output from the "client":

[root at localhost tinc]# tincd -D -d3
tincd 1.0.19 (Jul 31 2012 18:48:38) starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Trying to connect to server1 (1.1.1.1 port 655)
Connected to server1 (1.1.1.1 port 655)
Sending ID to server1 (1.1.1.1 port 655)
Got ID from server1 (1.1.1.1 port 655)
Sending METAKEY to server1 (1.1.1.1 port 655)
Got METAKEY from server1 (1.1.1.1 port 655)
Sending CHALLENGE to server1 (1.1.1.1 port 655)
Got CHALLENGE from server1 (1.1.1.1 port 655)
Sending CHAL_REPLY to server1 (1.1.1.1 port 655)
Got CHAL_REPLY from server1 (1.1.1.1 port 655)
Sending ACK to server1 (1.1.1.1 port 655)
Got ACK from server1 (1.1.1.1 port 655)
Connection with server1 (1.1.1.1 port 655) activated
Sending ADD_SUBNET to server1 (1.1.1.1 port 655)
Sending ADD_SUBNET to server1 (1.1.1.1 port 655)
Sending ADD_EDGE to everyone (BROADCAST)
Got ADD_SUBNET from server1 (1.1.1.1 port 655)
Forwarding ADD_SUBNET from server1 (1.1.1.1 port 655)
Got ADD_EDGE from server1 (1.1.1.1 port 655)
Forwarding ADD_EDGE from server1 (1.1.1.1 port 655)
UDP address of server1 set to 1.1.1.1 port 655
Sending ANS_KEY to server1 (1.1.1.1 port 655)
Got ANS_KEY from server1 (1.1.1.1 port 655)
Got REQ_KEY from server1 (1.1.1.1 port 655)
Sending ANS_KEY to server1 (1.1.1.1 port 655)
Got PACKET from server1 (1.1.1.1 port 655)
Got PACKET from server1 (1.1.1.1 port 655)
Sending PING to server1 (1.1.1.1 port 655)
Got PONG from server1 (1.1.1.1 port 655)
Got PING from server1 (1.1.1.1 port 655)
Sending PONG to server1 (1.1.1.1 port 655)
Got PING from server1 (1.1.1.1 port 655)
Sending PONG to server1 (1.1.1.1 port 655)

So obviously at least some of my traffic is getting through the tunnel, but
it appears that it doesn't know how to get back.  Is there something that I
am missing or not understanding about how tinc works?

Below is my setup and relavant configs:
"Server" configs:

tinc.conf (CentOS 6.2):

Name = server1

Device = /dev/net/tun


tinc-up:

ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0


ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:0C:29:8C:FB:F4

          inet addr:10.18.73.23  Bcast:10.18.73.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe8c:fbf4/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:26352 errors:0 dropped:0 overruns:0 frame:0

          TX packets:18080 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:10267976 (9.7 MiB)  TX bytes:3116783 (2.9 MiB)


tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

          inet addr:192.168.1.1  P-t-P:192.168.1.1  Mask:255.255.0.0

          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

          RX packets:13 errors:0 dropped:0 overruns:0 frame:0

          TX packets:473 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:1456 (1.4 KiB)  TX bytes:39732 (38.8 KiB)

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface

10.18.73.0      *               255.255.255.0   U     1      0        0 eth0

192.168.0.0     *               255.255.0.0     U     0      0        0 tun0

default         10.18.73.1      0.0.0.0         UG    0      0        0 eth0



"Client" configs (CentOS 6.3):

tinc.conf:

Name = client1
ConnectTo = server1
Device = /dev/net/tun


tinc-up:

ifconfig $INTERFACE 192.168.1.2 netmask 255.255.0.0

ifconfig:

eth0      Link encap:Ethernet  HWaddr 08:00:27:D9:9E:5F
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fed9:9e5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12593716 (12.0 MiB)  TX bytes:2086945 (1.9 MiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:40:5D
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe7c:405d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1517895 (1.4 MiB)  TX bytes:880057 (859.4 KiB)

tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.2  P-t-P:192.168.1.2  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:89768 (87.6 KiB)  TX bytes:38472 (37.5 KiB)

.Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface

10.0.2.0        *               255.255.255.0   U     1      0        0 eth0

192.168.56.0    *               255.255.255.0   U     1      0        0 eth1

192.168.0.0     *               255.255.0.0     U     0      0        0 tun0

default         10.0.2.2        0.0.0.0         UG    0      0        0 eth0



Common files on both hosts:

hosts/server1:

Address = 1.1.1.1

Port = 655

Subnet = 10.18.73.23/32


-----BEGIN RSA PUBLIC KEY-----

blahblahblah

-----END RSA PUBLIC KEY-----


hosts/client1:

Address = 2.2.2.2

Port = 655

Subnet = 192.168.56.101/32

Subnet = 10.0.2.15/32


-----BEGIN RSA PUBLIC KEY-----

blahblah

-----END RSA PUBLIC KEY-----


Thanks in advance for your help!
-Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20120914/190a76b7/attachment-0001.html>

Guus Sliepen

2012-Sep-15 14:23 UTC

head link

Basic configuration problem

On Fri, Sep 14, 2012 at 03:37:28PM -0700, Ryan Rustong wrote:
>  After starting tinc, I am able to see that the tun0 interface comes up and
> the 192.168.0.0/16 route is added to both route tables.  I added
> 10.18.73.0/24 to my "client" route table pointing to the tun0
interface as
> a route is not being created for that (which to my understanding is my
> responsibility as tinc does not take care of that).
[...]> [root at tinc-server tinc]# ping 192.168.1.2
> PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> From 192.168.1.2 icmp_seq=1 Destination Net Unknown
> From 192.168.1.2 icmp_seq=2 Destination Net Unknown
The response "Destination Net Unknown" means that tinc does not know
where to
send packets with IP address 192.168.1.2 to. Indeed, looking at your host
config files, I see:
> hosts/server1:
> 
> Address = 1.1.1.1
> Port = 655
> Subnet = 10.18.73.23/32
> 
> hosts/client1:
> 
> Address = 2.2.2.2
> Port = 655
> Subnet = 192.168.56.101/32
> Subnet = 10.0.2.15/32
There is no Subnet that contains 192.168.1.2. Given the following ifconfig
commands in your tinc-up files:
> [server1] ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
> [client1] ifconfig $INTERFACE 192.168.1.2 netmask 255.255.0.0
You should add "Subnet = 192.168.1.1" to hosts/server1, and
"Subnet 192.168.1.2" to hosts/client1. Then the ping command should
work.
Alternatively, you can use "Mode = switch" in tinc.conf and omit all
the Subnet
statements.

However, if your goal is to have the client access the 10.0.2.0/24 network of
the client, and/or the client to access the 10.18.73.0/24 network of the
server, then you don't need to create an 192.168.0.0/16 network for the VPN.
Given the Subnets you currently have in your host config files, I suggest the
following configuration:

hosts/server1:

Address = 1.1.1.1
Subnet = 10.18.73.0/24

server1's tinc-up:

#!/bin/sh
ifconfig $INTERFACE 10.18.73.23 netmask 255.0.0.0

hosts/client1:

Subnet = 10.0.2.0/24

client1's tinc-up:

#!/bin/sh
ifconfig $INTERFACE 10.0.2.15 netmask 255.0.0.0

That way, you should be able to ping 10.0.2.15 directly from the server.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20120915/a3defd5a/attachment.pgp>

Possibly Parallel Threads

Search for more possibly parallel threads

tinc - Sep 2012 - Basic configuration problem

Basic configuration problem

Basic configuration problem

Possibly Parallel Threads