Lance Fredrickson
2013-Oct-05 21:42 UTC
Making available a subnet using a device behind nat router
I run tinc on a series of routers running 3rd-party firmware (Tomato). Since tinc is running on the gateway device, its routing table is aware of the mesh VPN. At each endpoint, any device on one subnet can access any device on another subnet.

I now have the situation where I need to make a new endpoint and an entire subnet available on the mesh. In this situation I have a device running tinc that is behind NAT, so it is not the gateway device. Currently I can access the single machine, but I don't have access to the entire subnet.

I've enabled IP forwarding on the device running tinc by editing /etc/sysctl.conf. I suppose I need to add some sort of rule to the router/gateway device so it knows where to send requests bound for the mesh, but I'm not sure how to do this.

Thanks,
Lance
Guus Sliepen
2013-Oct-06 13:46 UTC
Making available a subnet using a device behind nat router
On Sat, Oct 05, 2013 at 03:42:49PM -0600, Lance Fredrickson wrote:

> I run tinc on a series of routers running 3rd-party firmware (Tomato). Since tinc is running on the gateway device, its routing table is aware of the mesh VPN. At each endpoint, any device on one subnet can access any device on another subnet.
>
> I now have the situation where I need to make a new endpoint and an entire subnet available on the mesh. In this situation I have a device running tinc that is behind NAT, so it is not the gateway device. Currently I can access the single machine, but I don't have access to the entire subnet.
>
> I've enabled IP forwarding on the device running tinc by editing /etc/sysctl.conf. I suppose I need to add some sort of rule to the router/gateway device so it knows where to send requests bound for the mesh, but I'm not sure how to do this.

You should add a route to the gateway that directs all traffic for your mesh to the LAN IP address of the device running tinc. How you should add a route depends on what kind of gateway device you have.

If it is not possible to add a route on the gateway, then your best option is to let the device running tinc masquerade traffic from the mesh to the LAN. That will allow computers in the mesh to access the LAN, but not the other way around.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
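The two options Guus describes, written out as an added shell example (not code from the thread or from the tinc project). The mesh prefix 10.0.0.0/8, the tinc device's LAN address 192.168.1.10 and its LAN interface eth0 are assumed placeholders; the commands are printed rather than executed unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example, not from the tinc project. Assumed topology (adjust):
#   mesh prefix        10.0.0.0/8
#   tinc device LAN IP 192.168.1.10, LAN interface eth0
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1 (preferred): on the LAN gateway, send mesh-bound traffic to the
# LAN IP of the tinc device. Replies from LAN hosts follow the same route,
# so both mesh -> LAN and LAN -> mesh work.
gateway_route() {
    mesh_net="$1"
    tinc_lan_ip="$2"
    run ip route add "$mesh_net" via "$tinc_lan_ip"
}

# Option 2 (fallback when the gateway cannot take a route): on the tinc
# device itself, forward traffic from the mesh onto the LAN and masquerade
# it behind the device's own LAN address. LAN hosts only ever see the tinc
# device as the source, so mesh -> LAN works but LAN -> mesh does not.
tinc_masquerade() {
    mesh_net="$1"
    lan_if="$2"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -s "$mesh_net" -o "$lan_if" -j ACCEPT
    run iptables -A FORWARD -d "$mesh_net" -i "$lan_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$mesh_net" -o "$lan_if" -j MASQUERADE
}

# Usage: source this file on the relevant box, then call e.g.
#   gateway_route 10.0.0.0/8 192.168.1.10      (on the gateway)
#   tinc_masquerade 10.0.0.0/8 eth0            (on the tinc device)
```

Only one of the two functions is needed per deployment; the reverse FORWARD rule in the fallback only admits LAN replies to connections the mesh side opened.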