> On 03 Jun 2016, at 11:43 AM, Chris Clarke <chris at
listerthrawn.co.uk> wrote:
>
> Hi,
>
> I've an existing tinc switch mode VPN set up with a few nodes.
I've now added a new node, but I want this node to route all its traffic
through tinc and use one of the tinc nodes as its gateway to the rest of the
internet.
>
> I've got the device on the VPN and it participates nicely, but I
can't talk to the internet at large. When I tcpdump the external interface
on the exit node, I see the packets leaving the network, but the source IP is
still the tinc VPN IP address of the device, and it's not NAT'd the
source as I expected. I've checked that I've added an iptables rule to
do this, but for some reason it's not hitting it. I'm not new to setting up
NAT gateways with iptables so I'm pretty sure that bit is correct.
iptables's MASQUERADE is done in POSTROUTING, which runs after tinc has
handed the packet to the kernel.
The problem might be that the matching you've set up isn't correct: at the
POSTROUTING stage you can't match the input interface; you have to match
the output interface, and you would need to match on the IP it originates from.
> Could this be something to do with it coming from tinc?
Shouldn't be.
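As an added example, not from either message in this thread, here is the rule set the reply describes for the exit node, plus a small check for the mismatch it suspects. The interface names tinc0 and eth0 and the VPN subnet 10.10.0.0/24 are hypothetical; substitute your own. The MASQUERADE rule lives in nat/POSTROUTING, where iptables only allows matching the output interface (-o) and the source address (-s); it rejects -i in that chain outright, so a rule that "exists but isn't hit" is usually matching the wrong -s or the wrong -o. The rules are emitted as text first so they can be reviewed, and `check_masq_rule` reads a `iptables -t nat -S POSTROUTING` dump and reports whether any MASQUERADE rule actually covers the VPN source and the external interface.

```shell
#!/bin/sh
# Added example, not code from the tinc thread. Hypothetical names:
# tinc0 = tinc interface, 10.10.0.0/24 = VPN subnet, eth0 = external interface.
VPN_IF=${VPN_IF:-tinc0}
VPN_NET=${VPN_NET:-10.10.0.0/24}
WAN_IF=${WAN_IF:-eth0}

# Rule set for the exit node.  MASQUERADE is in nat/POSTROUTING, so it matches
# on source address and output interface only (no -i there).  The FORWARD rules
# let VPN traffic out and replies back in.  Emitted as text for review.
nat_rules() {
    cat <<EOF
-t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules on the exit node (needs root) and enable forwarding.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        iptables $rule
    done
}

# Read "iptables -t nat -S POSTROUTING" output on stdin.  Return 0 if some
# MASQUERADE rule matches both the VPN subnet as source and the external
# interface as output interface, 1 otherwise (the rule exists but can't match).
check_masq_rule() {
    grep -F -- '-j MASQUERADE' | grep -F -- "-s $VPN_NET" | grep -qF -- "-o $WAN_IF"
}

# Constructed sample dumps (not real output from the poster's box): the first
# masquerades a LAN subnet instead of the VPN subnet, the second is correct.
WRONG_DUMP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'
RIGHT_DUMP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE'

# Classify a dump for the reader: prints "ok" or "no matching MASQUERADE rule".
describe_dump() {
    if printf '%s\n' "$1" | check_masq_rule; then echo ok; else echo "no matching MASQUERADE rule"; fi
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    nat_rules
    describe_dump "$WRONG_DUMP"
    describe_dump "$RIGHT_DUMP"
fi
```

Run it with no arguments to print the rules and the two sample verdicts, or `sh script.sh apply` as root on the exit node. To see whether the live rule is being hit, `iptables -t nat -L POSTROUTING -v -n` shows per-rule packet counters; a MASQUERADE rule whose counter stays at zero while tcpdump shows VPN-sourced packets leaving eth0 is matching the wrong subnet or interface.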