thr3ads.net - tinc - Cannot Ping after successful connection? [Mar 2014]

If this information is useful, please help other people find it:
Share via:

Michael Munger

2014-Mar-11 20:21 UTC

Cannot Ping after successful connection?

I apologize for the TLDR-style email, but I wanted to demonstrate that I have
done a lot of work (11 hours and at least 8 tutorials including the tinc docs)
before asking for help.

My basic problem is this: tinc appears to properly connect and authenticate the
client to the server, but I cannot ping or access resources. (yes. I know there
is no 'server' in tinc, but 'server' denotes the center of this
network). The configs included in this email are real (including the IP
addresses). Once I get this working, I'll change all the keys, but
everything is the actual config. So... mistakes would be real too!

Here's the setup:
http://www.gliffy.com/go/publish/image/5463480/L.png

* "Management Workstation" is on my local LAN. 
* VPN Server is on a server with a public IP address, and is intended to create
a "management VPN" for various machines and servers I have around the
United States.
* Server A is a file server in a separate office, connected to the net via DSL
with DHCP on the DSL.

Note: the Server A eth0 IP and the Management Workstation eth0 IP are the same
to demonstrate these are two different networks. In real life, the workstation
IP is 192.168.250.202 and the other IP address would be issued via DHCP.

==The "VPN Server" configuration.=
eth0 = 173.165.161.166 (Public IP Address).

root at web-services:/etc/tinc# cat nets.boot #

# This file contains all names of the networks to be started on system startup.
webservices

root at web-services:/etc/tinc/webservices# cat tinc.conf Name=webservices
Device=/dev/net/tun

root at web-services:/etc/tinc/webservices/hosts# cat webservices
Compression=9
Subnet=192.168.98.0/24
Address=173.165.161.166
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAoEgxyY5DANAlKSP3pkHJvX5Co1uihxcCwFGW7G3bXUsKTkg6TE1P
qs7Fae9HQIYPzu0uHhjR0jFNP0rAEWl2VoQnpe3E6uIBs+8PWlIpB6OvLXjaYbo7
FhCje3OYTQMDwbhGaeZ/TdoOvAhHlu8giHZFc4SZ/Bd4z58UmLC5ShAtHKhMJr6K
dYsZjBWnzg41Q/dY+NRW5RXpH8akt8yW7xw/9So8CM3Lyf9Vvtn1RyY0IJcIq1kV
UXYOmx/j5Ef48GrbziF5DhEhYCqVSYzqfeIS0PKesNyTWvqr0/n2owSH3q5a2mNI
b+DuppRFSWxzkymrvrGfxVRuhi1Hj5lQPwIDAQAB
-----END RSA PUBLIC KEY-----

root at web-services:/etc/tinc/webservices# cat tinc-up 
#!/bin/bash ifconfig $INTERFACE 192.168.98.1 NETMASK 255.255.255.0

==The Management Workstation Configs:=root at michael-desktop:/etc/tinc#cat
nets.boot
## This file contains all names of the networks to be started on system startup.
webservices

root at michael-desktop:/etc/tinc/webservices#cat tinc.conf
Device=/dev/net/tun
ConnectTo=webservices
Name=Mint202
PrivateKeyFile=/etc/tinc/webservices/rsa_key.priv

root at michael-desktop:/etc/tinc/webservices/hosts#cat webservices
Compression=9
Subnet=192.168.98.0/24
Address=173.165.161.166
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAoEgxyY5DANAlKSP3pkHJvX5Co1uihxcCwFGW7G3bXUsKTkg6TE1P
qs7Fae9HQIYPzu0uHhjR0jFNP0rAEWl2VoQnpe3E6uIBs+8PWlIpB6OvLXjaYbo7
FhCje3OYTQMDwbhGaeZ/TdoOvAhHlu8giHZFc4SZ/Bd4z58UmLC5ShAtHKhMJr6K
dYsZjBWnzg41Q/dY+NRW5RXpH8akt8yW7xw/9So8CM3Lyf9Vvtn1RyY0IJcIq1kV
UXYOmx/j5Ef48GrbziF5DhEhYCqVSYzqfeIS0PKesNyTWvqr0/n2owSH3q5a2mNI
b+DuppRFSWxzkymrvrGfxVRuhi1Hj5lQPwIDAQAB
-----END RSA PUBLIC KEY-----

root at michael-desktop:/etc/tinc/webservices#cat tinc-up
#!/bin/bash ifconfig $INTERFACE 192.168.98.2 netmask 255.255.255.0

HERE'S the frustrating part:

When I star the service, I get (what appears) to be a good startup on both
sides:

In the management workstation (Mint202):

Mar 11 15:59:28 michael-desktop tinc.webservices[5126]: Trying to connect to
webservices (173.165.161.166 port 655) Mar 11 15:59:28 michael-desktop
tinc.webservices[5126]: Connected to webservices (173.165.161.166 port 655) Mar
11 15:59:28 michael-desktop tinc.webservices[5126]: Connection with webservices
(173.165.161.166 port 655) activated

On the "VPN Server" (webservices):
Mar 11 15:59:02 web-services tinc.webservices[18550]: tincd 1.0.19 (Apr
22 2013 21:45:36) starting, debug level 1 Mar 11 15:59:02 web-services
tinc.webservices[18550]: /dev/net/tun is a Linux tun/tap device (tun mode) Mar
11 15:59:02 web-services tinc.webservices[18550]: Script tinc-up exited with
non-zero status 1 Mar 11 15:59:02 web-services tinc.webservices[18550]:
Listening on
0.0.0.0 port 655
Mar 11 15:59:02 web-services tinc.webservices[18550]: Listening on :: 
port 655
Mar 11 15:59:02 web-services tinc.webservices[18550]: Ready Mar 11 15:59:12
web-services tinc.webservices[18550]: Connection from
173.165.161.161 port 52784
Mar 11 15:59:12 web-services tinc.webservices[18550]: Connection with
Mint202 (173.165.161.161 port 52784) activated

But... I cannot ping either machine over the VPN. You can see below (this is on
the VPN server), that pinging the local webservices device works, but pinging
the remote machine does not. In other words, the VPN Server can ping its own IP
(192.168.98.1) but cannot ping Mint202 (192.168.98.2).

root at web-services:/etc/tinc/webservices# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:a1:5f:31
           inet addr:173.165.161.166  Bcast:173.165.161.175
Mask:255.255.255.240
           inet6 addr: fe80::20c:29ff:fea1:5f31/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:441343 errors:0 dropped:75 overruns:0 frame:0
           TX packets:176548 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:156214186 (148.9 MiB)  TX bytes:108246744 (103.2 MiB)

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:278 errors:0 dropped:0 overruns:0 frame:0
           TX packets:278 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:157696 (154.0 KiB)  TX bytes:157696 (154.0 KiB)

webservices Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:192.168.98.1  P-t-P:192.168.98.1 Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:2 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:168 (168.0 B)  TX bytes:0 (0.0 B)

root at web-services:/etc/tinc/webservices# ping 192.168.98.1 PING 192.168.98.1
(192.168.98.1) 56(84) bytes of data.
64 bytes from 192.168.98.1: icmp_req=1 ttl=64 time=0.058 ms
64 bytes from 192.168.98.1: icmp_req=2 ttl=64 time=0.038 ms ^C
--- 192.168.98.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt
min/avg/max/mdev = 0.038/0.048/0.058/0.010 ms root at
web-services:/etc/tinc/webservices# ping 192.168.98.2 PING 192.168.98.2
(192.168.98.2) 56(84) bytes of data.
^C
--- 192.168.98.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

What am I missing here?

Thanks in advance,
Michael

Guus Sliepen

2014-Mar-11 20:31 UTC

head link

Cannot Ping after successful connection?

On Tue, Mar 11, 2014 at 08:21:42PM +0000, Michael Munger wrote:
> I apologize for the TLDR-style email, but I wanted to demonstrate that I
have done a lot of work (11 hours and at least 8 tutorials including the tinc
docs) before asking for help.
No problem, you clearly explained your intentions, the setup and the
configuration files, that really helps.
> My basic problem is this: tinc appears to properly connect and authenticate
> the client to the server, but I cannot ping or access resources.
[...]> root at web-services:/etc/tinc/webservices/hosts# cat webservices
> Compression=9
> Subnet=192.168.98.0/24
> Address=173.165.161.166
> 
> root at web-services:/etc/tinc/webservices# cat tinc-up 
> #!/bin/bash ifconfig $INTERFACE 192.168.98.1 NETMASK 255.255.255.0
[...]> root at michael-desktop:/etc/tinc/webservices/hosts#cat webservices
> Compression=9
> Subnet=192.168.98.0/24
> Address=173.165.161.166
I assume you meant to cat Mint202 here, but I suspect that you have
Subnet=192.168.98.0/24 in hosts/Mint202 as well.

The Subnet statements should not contain the address range of the whole VPN,
but rather that part of the range that belongs to each individual node. So, you
should have Subnet=192.168.98.1 in hosts/webservices, and Subnet=192.168.98.2
in hosts/Mint202.

Other than that, your configuration looks fine, and you should not have to
change anything else.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20140311/1b50d072/attachment.sig>

Reasonably Related Threads

Search for more possibly parallel threads

tinc - Mar 2014 - Cannot Ping after successful connection?

Cannot Ping after successful connection?

Cannot Ping after successful connection?

Reasonably Related Threads