Hey there,

So I have two Amazon EC2 instances (micro) running tincd. Each is running dnsmasq to provide a DHCP server for tinc users. Their configuration looks something like this:

[tinc1:/etc/tinc/tincnet/tinc.conf]
Name = tinc1
AddressFamily = ipv4
Interface = tun0
Mode = switch
ConnectTo = tinc1
ConnectTo = tinc2

[tinc1:/etc/tinc/tincnet/hosts/tinc1]
Address = 10.100.250.100
Subnet = 172.31.1.1/32

[tinc1:/etc/tinc/tincnet/tinc-up]
#!/bin/sh
ifconfig $INTERFACE 172.31.1.1 netmask 255.255.0.0

[tinc1:/etc/dnsmasq.d/devnet-dhcp]
interface=tun0
bind-interfaces
# Dynamic IP range
dhcp-range=172.31.1.11,172.31.1.254,24h

The VPN works great - I simply add a new user's pubkey to /etc/tinc/tincnet/hosts on each of the two boxes, then they can connect and send traffic to any host on the VPN (each with an IP like 172.31.14.13).

Next question is... how do I go from this setup to a "router"/"bridge" like setup? I would like to ultimately use this to allow access to some internal networks with IPs like 10.100.250.0/24 through the VPN, but I have no idea how to actually build that just yet.

Thanks for any consideration and thanks for reading this far :)

~ Benjamin
On Mon, Jul 27, 2015 at 4:07 AM, Benjamin <zorlin at gmail.com> wrote:
>
> how do I go from this setup to a "router"/"bridge" like setup?

If 10.100.250.0/24 is assigned by EC2, and you want to route that network through Tinc, then you will not get the desired result. The paravirtualized interface is unbridgeable, and the gate between nodes usually filters traffic involving unrecognized MAC or IP addresses. I've tried this kind of configuration at Azure and EC2, but only had good results at places like Linode that accommodate private network customization for small accounts.

The best solution at most cloud hosts is to keep all user-facing services inside Tinc.

Past that, use any Linux routing tutorial. Traffic on Tinc interfaces can be routed like physical interfaces. Start with a front-end like UFW that makes the initial ip_forward configuration easy.
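As an added example (not from either message in this thread) of the "route it like a physical interface" step the reply points at, the script below keeps Benjamin's switch-mode/DHCP setup and turns tinc1 into a gateway from the VPN into 10.100.250.0/24, using sysctl and iptables directly instead of UFW. It assumes the internal network is reached through eth0 on tinc1 and that the cloud fabric actually forwards the packets, which the reply says EC2 may not do.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumptions: the LAN is behind eth0
# on tinc1; everything else comes from the configs quoted in the question.
set -eu

VPN_IF=tun0
LAN_IF=eth0                 # assumption: tinc1's interface toward the LAN
VPN_GW=172.31.1.1           # tinc1's tun0 address from tinc-up
VPN_NET=172.31.0.0/16       # netmask 255.255.0.0 from tinc-up
LAN_NET=10.100.250.0/24     # the internal network the question wants to reach
DRY_RUN=${DRY_RUN:-1}       # 1 = only print the commands; 0 = really apply

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# dnsmasq pushes the route with DHCP option 121 (classless static route), so
# VPN clients learn that 10.100.250.0/24 is behind tinc1 without a manual
# "route add" on every laptop.
dnsmasq_route_option() {
    echo "dhcp-option=121,$LAN_NET,$VPN_GW"
}

# ip_forward is global once set, so the FORWARD chain is the allowlist: only
# VPN clients may initiate into the LAN, the LAN may only answer, and nothing
# else (LAN -> VPN, or anything arriving on the public side) is forwarded.
# MASQUERADE spares the LAN hosts a return route for 172.31.0.0/16, at the
# cost of LAN logs seeing tinc1's address instead of the client's.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -d $LAN_NET -j MASQUERADE
EOF
}

apply() {
    # dnsmasq reads every file in /etc/dnsmasq.d, next to the devnet-dhcp file above
    dnsmasq_route_option | run tee -a /etc/dnsmasq.d/devnet-route >/dev/null
    forward_rules | while read -r cmd; do run $cmd; done
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it with no arguments (or DRY_RUN=1) to review the commands; `DRY_RUN=0 sh gateway.sh apply` applies them, after which dnsmasq needs a restart to serve the new option.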