I have a 4 Node Tinc VPN setup with 2 nodes on my LAN and the other 2 outside the LAN in the cloud. Everything has been working great for about 5 years now, until today when I decided to move one of the nodes to another box. I basically copied over the /etc/tinc folder to the new server and also moved the /etc/network/interfaces file, so that the new server was an exact mirror (more or less). But I think I may have forgotten something because while all my nodes can ping each other using the VPN IPs (i.e., 10.9.0.x), I can't seem to ping my LAN (i.e., 172.23.6.x) from any of the external nodes.

At this point I'm unsure of which information to provide in order to elicit some assistance; however, below is the routing table of one INTERNAL and EXTERNAL node. I basically want to be able to reach the 172.23.6.0 network from any of the EXTERNAL nodes - any assistance would be highly appreciated. Thanks.

Routing Table of EXTERNAL NODE (10.9.0.4)

root@web1:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         107.170.80.1    0.0.0.0         UG    0      0        0 eth0
10.9.0.0        *               255.255.255.0   U     0      0        0 tinc0
10.128.0.0      *               255.255.0.0     U     0      0        0 eth1
107.170.80.0    *               255.255.240.0   U     0      0        0 eth0
172.23.6.0      10.9.0.1        255.255.255.0   UG    0      0        0 tinc0

Routing Table of INTERNAL NODE (10.9.0.1)

root@ubuntu2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-242-184-134- 0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.9.0.0        *               255.255.255.0   U     0      0        0 tinc0
50.242.184.128  *               255.255.255.248 U     0      0        0 eth0
172.23.6.0      *               255.255.255.0   U     0      0        0 eth1
172.23.7.0      172.23.6.1      255.255.255.0   UG    0      0        0 eth1
207.187.53.0    172.23.6.1      255.255.255.0   UG    0      0        0 eth1

Very Respectfully,
Kismet-Gerald Agbasi
IT/Systems Administrator
Central Truck Center, Inc.
Hi Kismet,

On Wed, 5 Oct 2016 10:13:13 -0400, "Kismet Agbasi" <kagbasi at centraltruck.net> wrote:

> At this point I'm unsure of which information to provide in order to elicit
> some assistance, however, below is the routing table of one INTERNAL and
> EXTERNAL node. I basically want to be able to reach the 172.23.6.0 network
> from any of the EXTERNAL nodes - any assistance would be highly appreciated.

I suggest sending pings from the source to the target and trying to verify the packets along their way. "tcpdump" is usually a good tool for this:

    tcpdump -ni any icmp

(replace "any" with a specific interface in order to make sure that the traffic is on the right track)

Afterwards you will have a better feeling whether you need to check the forward or the return traffic and at which specific node the routing or the firewall rules are not acting in line with your plan.

Cheers,
Lars
Lars,

Thanks for that tcpdump command, very helpful. I was able to confirm that the packets are indeed reaching the INSIDE node - so I'm suspecting that my routing table might be wrong.

Very Respectfully,
Kismet Agbasi

-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Lars Kruse
Sent: Wednesday, October 5, 2016 4:18 PM
To: tinc at tinc-vpn.org
Subject: Re: Can't Route LAN Traffic Behind Tinc Network

_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On 05/10/2016 16:13, Kismet Agbasi wrote:
> I have a 4 Node Tinc VPN setup with 2 nodes on my LAN and the other 2
> outside the LAN in the cloud. Everything has been working great for about 5
> years now, until today when I decided to move one of the nodes to another
> box.

Hi Kismet,

Just thought I'd jump in here as I do a lot of this kind of thing, and in case you haven't got a solution yet, I'd like to verify a couple of simple things before you go down any of the wrong rabbit-holes. :)

> I basically copied over the /etc/tinc folder to the new server and
> also moved the /etc/network/interfaces file, so that the new server was an
> exact mirror (more or less).

Fine, but yes, there are a number of things missing to qualify for exact mirror.

> But I think I may have forgotten something because while all my nodes can
> ping each other using the VPN IPs (i.e., 10.9.0.x), I can't seem to ping my
> LAN (i.e., 172.23.6.x) from any of the external nodes.
> At this point I'm unsure of which information to provide in order to elicit
> some assistance,

The two other key pieces of information that were missing about your new server are the firewall rules and kernel forwarding. Did you remember to activate kernel ip forwarding? i.e.

    echo 1 > /proc/sys/net/ipv4/ip_forward

Now, I note that in a later post you have said:

> I was able to confirm that the packets are indeed reaching the INSIDE node

and when I saw that I was about to cancel my reply, but.. maybe I can get you to confirm what you mean by INSIDE node? Do you mean the node on the LAN that runs tinc, or a node that does not run tinc?

k/
Keith,

Thanks for the reply and the pointers.

> Did you remember to activate kernel ip forwarding?
> i.e. echo 1 > /proc/sys/net/ipv4/ip_forward ?

I actually forgot to do this, but I have enabled it now in /etc/sysctl.conf and can confirm now after a reboot that it's enabled. Unfortunately, I still can't ping the node on the LAN.

> and when I saw that I was about to cancel my reply, but.. maybe I can get you to confirm what you mean by INSIDE node?
> Do you mean the node on the LAN that runs tinc, or a node that does not run tinc?

What I meant by INSIDE node is that this is the node running tinc; it sits on my LAN and it's the one all the other nodes connect to. To expound further, this box has two interfaces - eth0 (WAN) and eth1 (LAN). Its LAN IP is 172.23.6.149 and its tinc IP is 10.9.0.1. As you can see from the results below, I can ping it from my workstation on the LAN as well as from one of the external tinc nodes (residing in a VM in the cloud). Finally, MTR also confirms that the ping packet is indeed reaching the tinc node on my LAN. So all seems to be pointing to a routing issue on that LAN node, but I can't seem to figure it out. Probably something really simple, but it's not jumping up at me...lol.

***************************************************************
C:\Users\kagbasi>ping -t 172.23.6.149

Pinging 172.23.6.149 with 32 bytes of data:
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64

Ping statistics for 172.23.6.149:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

root@web1:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.
64 bytes from 10.9.0.1: icmp_seq=1 ttl=64 time=17.1 ms
64 bytes from 10.9.0.1: icmp_seq=2 ttl=64 time=16.5 ms
64 bytes from 10.9.0.1: icmp_seq=3 ttl=64 time=17.2 ms
^C
--- 10.9.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 16.530/16.978/17.207/0.351 ms

                             My traceroute  [v0.85]
web1 (0.0.0.0)                                         Thu Oct  6 09:36:52 2016
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                           Packets               Pings
 Host                                    Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.9.0.1                              0.0%    25   16.4  17.6  15.8  35.5   3.9
 2. ???
**************************************************************************

This is the kernel routing table for the INSIDE node. One thing, however, that piques my attention is that the entry for the 172.23.6.0/24 subnet shows * as the gateway, which I'm thinking means it's using the default gateway, but I could be wrong. If it is, then it means the packets are being routed out the wrong interface:

root@ubuntu2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-242-184-134- 0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.9.0.0        *               255.255.255.0   U     0      0        0 tinc0
50.242.184.128  *               255.255.255.248 U     0      0        0 eth0
172.23.6.0      *               255.255.255.0   U     0      0        0 eth1
172.23.7.0      172.23.6.1      255.255.255.0   UG    0      0        0 eth1
207.187.53.0    172.23.6.1      255.255.255.0   UG    0      0        0 eth1

Very Respectfully,
Kismet Agbasi

-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Keith
Sent: Thursday, October 6, 2016 8:35 AM
To: tinc at tinc-vpn.org
Subject: Re: Can't Route LAN Traffic Behind Tinc Network
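Added example (editor's, not part of this thread and not tinc's code) that applies Lars's "check the forward and the return traffic" advice and Keith's ip_forward question on paper before touching the boxes: it loads the two routing tables posted above into a longest-prefix-match simulator and traces a ping from web1 (10.9.0.4) to a LAN host and the reply back. One fact worth having straight while reading it: in "route" output a "*" gateway means the destination is directly connected on that interface (no next hop), not that the default gateway is used, so the 172.23.6.0/24 entry on ubuntu2 is correct as it stands. The LAN workstation 172.23.6.50, the LAN gateway 172.23.6.1 table, and the static route 10.9.0.0/24 via 172.23.6.149 that the gateway gets in the second scenario are all assumptions; none of them were posted.

```python
"""Trace the forward and return path of a ping across the routing tables
posted in this thread: longest-prefix match per hop, ip_forward checked on
transit nodes.  Added example, not from the thread.  WEB1 and UBUNTU2 are
transcribed from the posts (net-tools 'route' output); the LAN host
172.23.6.50 and LAN gateway 172.23.6.1 tables are ASSUMED, never posted."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

WEB1 = """
default       107.170.80.1    0.0.0.0         UG 0 0 0 eth0
10.9.0.0      *               255.255.255.0   U  0 0 0 tinc0
10.128.0.0    *               255.255.0.0     U  0 0 0 eth1
107.170.80.0  *               255.255.240.0   U  0 0 0 eth0
172.23.6.0    10.9.0.1        255.255.255.0   UG 0 0 0 tinc0
"""
UBUNTU2 = """
default        50-242-184-134- 0.0.0.0         UG 0 0 0 eth0
10.8.0.0       10.8.0.2        255.255.255.0   UG 0 0 0 tun0
10.8.0.2       *               255.255.255.255 UH 0 0 0 tun0
10.9.0.0       *               255.255.255.0   U  0 0 0 tinc0
50.242.184.128 *               255.255.255.248 U  0 0 0 eth0
172.23.6.0     *               255.255.255.0   U  0 0 0 eth1
172.23.7.0     172.23.6.1      255.255.255.0   UG 0 0 0 eth1
207.187.53.0   172.23.6.1      255.255.255.0   UG 0 0 0 eth1
"""
# ASSUMED (not in the thread): a plain LAN workstation, the LAN gateway, and
# the static route the gateway would need so replies for the VPN reach ubuntu2.
LAN_HOST = "default 172.23.6.1 0.0.0.0 UG 0 0 0 eth0\n172.23.6.0 * 255.255.255.0 U 0 0 0 eth0\n"
LAN_GW = "default upstream 0.0.0.0 UG 0 0 0 wan\n172.23.6.0 * 255.255.255.0 U 0 0 0 lan\n"
VPN_RETURN_ROUTE = "10.9.0.0 172.23.6.149 255.255.255.0 UG 0 0 0 lan\n"

@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]  # None for '*': directly connected, no next hop
    iface: str

@dataclass
class Node:
    name: str
    addrs: Dict[str, str]    # interface -> address the node owns
    routes: List[Route]
    ip_forward: bool = True  # /proc/sys/net/ipv4/ip_forward

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the decision 'ip route get <dst>' shows."""
        ip = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if ip in r.dest]
        return max(hits, key=lambda r: r.dest.prefixlen, default=None)

def parse_route_table(text: str) -> List[Route]:
    """Parse 'route' output: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):  # skip header lines
            continue
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.IPv4Network(f"{dest}/{f[2]}", strict=False)
        routes.append(Route(net, None if f[1] == "*" else f[1], f[7]))
    return routes

def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Walk one packet from the node owning src towards dst (nodes maps every
    address to its owner).  The last hop string says where the packet ended up."""
    hops, node = [], nodes[src]
    for _ in range(max_hops):
        r = node.lookup(dst)
        if r is None:
            return hops + [f"{node.name}: no route to {dst}, dropped"]
        if r.gateway is None:  # on-link: handed straight to the destination host
            target = nodes.get(dst)
            hops.append(f"{node.name}: {dst} on-link via {r.iface}")
            return hops + [f"{target.name}: delivered" if target else "host not modelled"]
        hops.append(f"{node.name}: {dst} -> gw {r.gateway} via {r.iface}")
        nxt = nodes.get(r.gateway)
        if nxt is None:
            return hops + [f"left modelled network towards {r.gateway}"]
        if dst in nxt.addrs.values():  # the next hop is itself the destination
            return hops + [f"{nxt.name}: delivered"]
        if not nxt.ip_forward:  # transit traffic needs forwarding enabled
            return hops + [f"{nxt.name}: ip_forward=0, transit packet dropped"]
        node = nxt
    return hops + ["hop limit reached (routing loop?)"]

def simulate(gateway_knows_vpn: bool, ubuntu2_forwards: bool = True):
    """(forward hops, return hops) of a ping from web1 to LAN host 172.23.6.50."""
    gw = LAN_GW + (VPN_RETURN_ROUTE if gateway_knows_vpn else "")
    nodes = [Node("web1", {"tinc0": "10.9.0.4"}, parse_route_table(WEB1)),
             Node("ubuntu2", {"eth1": "172.23.6.149", "tinc0": "10.9.0.1"},
                  parse_route_table(UBUNTU2), ip_forward=ubuntu2_forwards),
             Node("lanhost", {"eth0": "172.23.6.50"}, parse_route_table(LAN_HOST), ip_forward=False),
             Node("lan-gw", {"lan": "172.23.6.1"}, parse_route_table(gw))]
    by_addr = {a: n for n in nodes for a in n.addrs.values()}
    return trace(by_addr, "10.9.0.4", "172.23.6.50"), trace(by_addr, "172.23.6.50", "10.9.0.4")

if __name__ == "__main__":
    for knows in (False, True):
        fwd, ret = simulate(knows)
        print(f"LAN gateway knows 10.9.0.0/24: {knows}\n  forward: {' | '.join(fwd)}\n  return:  {' | '.join(ret)}")
```

With the tables as posted, the forward leg web1 -> ubuntu2 -> LAN host works once ip_forward is on; it is the reply that goes astray: the LAN host sends it to its default gateway 172.23.6.1, and unless that gateway has a route for 10.9.0.0/24 pointing at 172.23.6.149 (or ubuntu2 masquerades VPN traffic leaving eth1 so replies are addressed to 172.23.6.149 itself), the reply follows the gateway's default route and is lost, which is consistent with mtr showing hop 2 as "???". That is what Lars's tcpdump should confirm on ubuntu2's eth1: echo requests going out, no echo replies coming back. The security point behind Keith's question is that ip_forward=1 makes ubuntu2 route between all of its interfaces, including the public eth0, so pair it with a FORWARD chain whose policy is DROP and that only ACCEPTs tinc0<->eth1 traffic between 10.9.0.0/24 and 172.23.6.0/24, rather than leaving the default ACCEPT.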