Hi, first, sorry for my bad English.
I made a VPN with tinc to link my home and my two offices. In addition I want to configure my Android device to link with my VPN.
The topology of the net is this:

cubox (a Linux machine in my home with VPN address 192.168.0.20)
groppalbero (a Linux machine in my second office with VPN address 192.168.0.40)
imac (a Mac machine in my first office with VPN address 192.168.0.50)
nexus5 (my Android device with VPN address 192.168.0.80)

I have configured all the machines and now they all work except the Android device.
On this I use the "Tinc GUI" app to configure it. When I start the tinc daemon it connects to the configured host and the tun0 interface is created and configured, but I can't ping any host and no host can ping my Android device. The result of ping IS NOT a "network unavailable" response. In fact it just blocks on the operation, and from the Tinc GUI log I can see that the packets are received by my Android device.
I suspect that it can be a problem with the routes, but I can't understand what the problem is.

For information I paste the configuration from cubox and from the Android device:

CUBOX:

--------------------------------------------------------------------------------------------------------
[andre at cubox vpnalma]$ cat tinc.conf
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = cubox

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
#ConnectTo = vaio
#ConnectTo = groppalbero
#ConnectTo = imac
#ConnectTo = servermarcy

# The tap device tinc will use.
# Default is /dev/tap0 for ethertap or FreeBSD,
# /dev/tun0 for Solaris and OpenBSD,
# and /dev/net/tun for Linux tun/tap device.
Device = /dev/net/tun
[andre at cubox vpnalma]$ cat tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
#ip link set $INTERFACE up
#ip addr add 192.168.0.20/32 dev $INTERFACE
#ip route add 192.168.0.0/24 dev $INTERFACE
[andre at cubox vpnalma]$ cat hosts/cubox
# Sample host configuration file
# This file was generated by host beta.

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 10.0.0.7
Address = almaliberty.duckdns.org
# Portnumber for incoming connections. Default is 655.
Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.0.20/32
----------------------------------------------------
The network is configured like this:

------------------------------------------------------------------------------

[andre at cubox vpnalma]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::d263:b4ff:fe00:6a6b  prefixlen 64  scopeid 0x20<link>
        ether d0:63:b4:00:6a:6b  txqueuelen 1000  (Ethernet)
        RX packets 63975281  bytes 142504956 (135.9 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 35826176  bytes 2648965717 (2.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 167609  bytes 76370891 (72.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 167609  bytes 76370891 (72.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.0.20  netmask 255.255.255.0  destination 192.168.0.20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 8876  bytes 1765584 (1.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5939  bytes 2394177 (2.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[andre at cubox vpnalma]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    1024   0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
router.asus.com *               255.255.255.255 UH    1024   0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 vpnalma
[andre at cubox vpnalma]$

------------------------------------------------------------------

ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:

u0_a167 at hammerhead:/ $ su
root at hammerhead:/ # cd sdcard/tinc/vpnalma
at tinc.conf <
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = nexus5

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
ConnectTo = cubox
ConnectTo = groppalbero
ConnectTo = imac
# The tap device tinc will use.
# Default is /dev/tap0 for ethertap or FreeBSD,
# /dev/tun0 for Solaris and OpenBSD,
# and /dev/net/tun for Linux tun/tap device.
#Mode = switch
Device = /dev/tun
#DeviceType = tap
#Interface = tap0
#echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
ScriptsInterpreter = /system/bin/sh
root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
#echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
#ip link set $INTERFACE up
#ip addr add 192.168.0.80/24 dev $INTERFACE
#ip route add 192.168.0.0/24 dev $INTERFACE
root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
sh: hosts/nexus5: can't execute: Permission denied
at hosts/nexus5 <
# Sample host configuration file

# The real IP address of this tinc host. Can be used by other tinc hosts.

# Portnumber for incoming connections. Default is 655.
#Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.0.80/32

-----BEGIN RSA PUBLIC KEY-----

-----END RSA PUBLIC KEY-----

root at hammerhead:/sdcard/tinc/vpnalma # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/[530]
    inet 10.183.70.124/29 scope global rmnet0
    inet6 fe80::7561:c093:ea26:5781/64 scope link
       valid_lft forever preferred_lft forever
3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530]
10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
    link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet 192.168.0.80/24 scope global tun0

root at hammerhead:/sdcard/tinc/vpnalma # ip route
10.183.70.120/29 dev rmnet0 proto kernel scope link src 10.183.70.124
10.206.56.132 via 10.183.70.125 dev rmnet0 src 10.183.70.124
10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124
192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80

root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
^C
--- 192.168.0.20 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9003ms
1|root at hammerhead:/sdcard/tinc/vpnalma #

--------------------------------------------------------------------------------

From the Tinc GUI log, which I can't copy and paste, I see that the device is connected to cubox but I can't ping it.
--
Andrea Squeri
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150325/8443916d/attachment-0001.html>
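The post suspects a routing problem, and the first thing to settle is what the pasted tables actually say. As an added example (not code from the thread or from tinc) the script below does the kernel's longest-prefix lookup over the two routing tables pasted above, so one can check mechanically which interface each side would use for the other's VPN address; the table text is copied from the post, the function names are my own.

```python
"""Longest-prefix route lookup over pasted `ip route` / `route` output."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


# `ip route` output copied from the nexus5 (Android) side of the post.
NEXUS5_IP_ROUTE = """\
10.183.70.120/29 dev rmnet0 proto kernel scope link src 10.183.70.124
10.206.56.132 via 10.183.70.125 dev rmnet0 src 10.183.70.124
10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124
192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80
"""

# net-tools `route` output copied from the cubox side of the post.
CUBOX_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    1024   0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
router.asus.com *               255.255.255.255 UH    1024   0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 vpnalma
"""


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route` lines: '<prefix|host|default> [via GW] dev IF ...'."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:
            dst += "/32"  # a bare address is a host route
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def parse_net_tools_route(text: str) -> List[Route]:
    """Parse `route` output.  Destinations printed as host names (the
    router entry here) cannot be matched numerically and are skipped."""
    routes = []
    for line in text.splitlines()[2:]:  # skip title and column header
        fields = line.split()
        if len(fields) < 8:
            continue
        dst, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        dst = "0.0.0.0" if dst == "default" else dst
        try:
            prefix = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append(Route(prefix, iface, None if gw == "*" else gw))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, which is how the kernel searches one table."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def egress_interface(table: str, destination: str, fmt: str = "ip") -> Optional[str]:
    """Interface the table would send `destination` out of, or None when
    no route (not even a default) covers it."""
    routes = parse_ip_route(table) if fmt == "ip" else parse_net_tools_route(table)
    match = lookup(routes, destination)
    return match.dev if match else None


if __name__ == "__main__":
    print("nexus5 -> cubox  :", egress_interface(NEXUS5_IP_ROUTE, "192.168.0.20"))
    print("cubox  -> nexus5 :", egress_interface(CUBOX_ROUTE, "192.168.0.80", "route"))
    print("nexus5 -> 8.8.8.8:", egress_interface(NEXUS5_IP_ROUTE, "8.8.8.8"))
```

Both VPN lookups resolve to the tunnel interface, so the main table is not what is eating the pings; the nexus5 main table also holds no default route at all, so the phone's ordinary traffic is being steered by other tables, which is where the per-user policy routing discussed later in the thread comes in.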
If you are running Lollipop / Android 5.x on your Nexus 5, then you are probably seeing the same issue I was with it. Lollipop seems to change networking quite a bit in that it's using iptables and `ip rule list` extensively for per-user settings. I think http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/ is relevant if you are running into the same issue; it's confusing quite a lot of folks.

I was unable to get tinc-gui (or even tincd manually and tinkering via adb shell) to work, so I've downgraded my S5 to a 4.4.2 ROM. I'm not sure if coming up with a fancy tinc-up is the solution, or someone with the ability to get tinc compatible with the official Android VPN API that a lot of the OpenVPN apps are using now. You might be able to draw some inspiration from https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh but I haven't tried it since I've been back on 4.4.2.

On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com> wrote:
> Hi, first, sorry for my bad English.
> I made a VPN with tinc to link my home and my two offices. In addition I
> want to configure my Android device to link with my VPN.
> The topology of the net is this:
>
> cubox (a Linux machine in my home with VPN address 192.168.0.20)
> groppalbero (a Linux machine in my second office with VPN address
> 192.168.0.40)
> imac (a Mac machine in my first office with VPN address 192.168.0.50)
> nexus5 (my Android device with VPN address 192.168.0.80)
>
> I have configured all the machines and now they all work except the Android
> device.
> On this I use the "Tinc GUI" app to configure it. When I start the tinc
> daemon it connects to the configured host and the tun0 interface is created
> and configured, but I can't ping any host
> and no host can ping my Android device. The result of ping IS NOT a
> network unavailable response.
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
I remember running into this issue before (over a year ago). If I remember correctly, the issue wasn't from Tinc, but from Android (I was using Cyanogenmod on the Nexus 5). I needed to flip some networking flag to get packages through.

From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Andrea Squeri
Sent: Wednesday, March 25, 2015 5:15 AM
To: tinc at tinc-vpn.org
Subject: Problem With Android Configuration

I have configured all the machines and now they all work except the Android device.
On this I use the "Tinc GUI" app to configure it. When I start the tinc daemon it connects to the configured host and the tun0 interface is created and configured, but I can't ping any host and no host can ping my Android device. The result of ping IS NOT a "network unavailable" response. In fact it just blocks on the operation, and from the Tinc GUI log I can see that the packets are received by my Android device.
I suspect that it can be a problem with the routes, but I can't understand what the problem is.
Actually I have installed a CyanogenMod 12 nightly, but until a few days ago I had a Cataclysm ROM (derived from stock) with the ElementalX kernel, and I had the same issue. I changed to Cyano precisely to exclude a ROM issue. In fact, googling for an example of an Android tinc configuration, I found a couple of tutorials that explain how to configure tinc on Android (Cyanogen in particular). But none of them works for me. So I focused my attention on some error in my net configuration.

Andrea Squeri

On 25 Mar 2015 21:58, "Mark Lopez" <m at silvenga.com> wrote:
> I remember running into this issue before (over a year ago). If I
> remember correctly, the issue wasn't from Tinc, but from Android (I was
> using Cyanogenmod on the Nexus 5). I needed to flip some networking flag to
> get packages through.
Yes. The problem is Lollipop. I tried to install tinc on my brother's device, which runs Cyano 10.1 (Android 4.2.2), and it works. I don't understand what the problem with Lollipop is. Is there a firewall that blocks the packets?

Andrea Squeri

> If you are running Lollipop / Android 5.x on your Nexus 5, then you are
> probably seeing the same issue I was with it. Lollipop seems to change
> networking quite a bit in that it's using iptables and `ip rule list`
> extensively for per-user settings. I think
> http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/
> is relevant if you are running into the same issue; it's confusing quite a
> lot of folks.
>
> I was unable to get tinc-gui (or even tincd manually and tinkering via adb
> shell) to work, so I've downgraded my S5 to a 4.4.2 ROM. I'm not sure if
> coming up with a fancy tinc-up is the solution, or someone with the ability
> to get tinc compatible with the official Android VPN API that a lot of the
> OpenVPN apps are using now. You might be able to draw some inspiration from
> https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh
> but I haven't tried it since I've been back on 4.4.2.
>
> On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com> wrote:
> Hi, first, sorry for my bad English.
> I made a VPN with tinc to link my home and my two offices. In addition I
> want to configure my Android device to link with my VPN.
> The topology of the net is this:
>
> cubox (a Linux machine in my home with VPN address 192.168.0.20)
> groppalbero (a Linux machine in my second office with VPN address
> 192.168.0.40)
> imac (a Mac machine in my first office with VPN address 192.168.0.50)
> nexus5 (my Android device with VPN address 192.168.0.80)
>
> I have configured all the machines and now they all work except the Android
> device.
> On this I use the "Tinc GUI" app to configure it.
10.183.70.124 > 10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124 > 192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80 > > > root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20 > PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data. > ^C > --- 192.168.0.20 ping statistics --- > 10 packets transmitted, 0 received, 100% packet loss, time 9003ms > > 1|root at hammerhead:/sdcard/tinc/vpnalma # > > > ???????????????????????????????????????????????????????????????????????????????? > > From the tinc gui log that I can?t copy and paste , I see that the device > in connected to cubic but i can?t ping with it. > -- > Andrea Squeri > Inviato con Sparrow <http://www.sparrowmailapp.com/?sig> > > > _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc > >_______________________________________________ tinc mailing list tinc at tinc-vpn.org http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150326/979cd67a/attachment-0001.html>
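A consistency check over the kind of files quoted above (tinc.conf, tinc-up, hosts/<name>), written here as an added example; it is not code from the thread or from tinc itself, and it assumes the hosts files are handed in as a name-to-text mapping, with sample values reconstructed from the quoted nexus5 and cubox files.

```python
"""Added example, not from the post or from tinc: a consistency check for one
node's tinc files. The tinc-up comment says the interface subnet must be larger
than the individual Subnets; this checks that, each ConnectTo peer's Address,
and that the node's own hosts file declares a Subnet."""
import ipaddress
import re

def parse_kv(text):
    """Return {lowercased key: [values]} from a tinc config, ignoring comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out.setdefault(key.lower(), []).append(val)
    return out

def iface_network(tinc_up):
    """Network of the 'ifconfig $INTERFACE <ip> netmask <mask>' line, or None."""
    m = re.search(r"^\s*ifconfig\s+\S+\s+(\S+)\s+netmask\s+(\S+)", tinc_up, re.M)
    return ipaddress.ip_interface(f"{m[1]}/{m[2]}").network if m else None

def check_node(tinc_conf, tinc_up, hosts):
    """hosts maps a host name to the text of hosts/<name>. Returns problems."""
    conf, problems = parse_kv(tinc_conf), []
    me = conf.get("name", [""])[0]
    net = iface_network(tinc_up)
    if net is None:
        problems.append("tinc-up does not assign an address to the interface")
    for peer in conf.get("connectto", []):
        if peer not in hosts:
            problems.append(f"ConnectTo {peer}: hosts/{peer} is missing")
        elif "address" not in parse_kv(hosts[peer]):
            problems.append(f"ConnectTo {peer}: hosts/{peer} has no Address")
    for name, text in hosts.items():
        for sub in parse_kv(text).get("subnet", []):
            if net and not ipaddress.ip_network(sub, strict=False).subnet_of(net):
                problems.append(f"{name}: Subnet {sub} is outside {net}")
    if "subnet" not in parse_kv(hosts.get(me, "")):
        problems.append(f"hosts/{me} has no Subnet, so peers cannot route to it")
    return problems

# Sample input reconstructed from the nexus5 and cubox values quoted in the post.
NEXUS5_CONF = "Name = nexus5\nConnectTo = cubox\nDevice = /dev/tun\n"
NEXUS5_UP = "#!/bin/sh\nifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0\n"
HOSTS = {
    "cubox": "Address = 10.0.0.7\nPort = 655\nSubnet = 192.168.0.20/32\n",
    "nexus5": "#Port = 655\nSubnet = 192.168.0.80/32\n",
}

if __name__ == "__main__": print(check_node(NEXUS5_CONF, NEXUS5_UP, HOSTS) or "no problems found")
```

The quoted configuration passes all three checks, so on the page's own values the script reports nothing; the checks only fire for the constructed faults shown in the comments.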