Thanks, but I was able to make it work based on some suggestion on the Tomato Shibby forums.

Regards

Ramesh

On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've set up a Tinc VPN for a bunch of nodes divided into two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, and then for group 1, you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping but it doesn't stop curl or anything
> > else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Thanks for the answer Guus,

One more thing. I can run two tinc daemons, one for each group, but I still
need to communicate clients from one group to the other.

Clients from group 2 (admin group) need to reach clients from group 1
(remote server group), but clients from group 1 must not be able to reach
each other nor the server.

If I'm not using TunnelServer and Forwarding, how can I set up the routes
between the two Tinc daemons?

Thanks!

On Sun, Jan 15, 2017 at 11:29, Ramesh (<nramesh1 at gmail.com>) wrote:
> Thanks, but I was able to make it work based on some suggestion on the Tomato
> Shibby forums.
>
> Regards
>
> Ramesh
>
> On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've set up a Tinc VPN for a bunch of nodes divided into two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, and then for group 1, you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping but it doesn't stop curl or anything
> > else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.

--
Ing. Guillermo Bisheimer
B&S Sistemas de Control y Equipamientos
Av. de los Constituyentes 1172
(E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (New number)
Cel: (0343) 154679052
WEB: www.bys-control.com.ar
e-mail: gbisheimer at bys-control.com.ar
skype: guillermo.bisheimer
There was a mistake in the firewall rule I've posted earlier:

sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP

As you stated, I was using -A instead of -D, but that only stops ping
packets, but not anything else.

On Mon, Jan 16, 2017 at 9:29, Guillermo Bisheimer (<gbisheimer at bys-control.com.ar>) wrote:
> Thanks for the answer Guus,
>
> One more thing. I can run two tinc daemons, one for each group, but I still
> need to communicate clients from one group to the other.
>
> Clients from group 2 (admin group) need to reach clients from group 1
> (remote server group), but clients from group 1 must not be able to reach
> each other nor the server.
>
> If I'm not using TunnelServer and Forwarding, how can I set up the routes
> between the two Tinc daemons?
>
> Thanks!
>
> On Sun, Jan 15, 2017 at 11:29, Ramesh (<nramesh1 at gmail.com>) wrote:
>
> Thanks, but I was able to make it work based on some suggestion on the Tomato
> Shibby forums.
>
> Regards
>
> Ramesh
>
> On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've set up a Tinc VPN for a bunch of nodes divided into two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, and then for group 1, you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping but it doesn't stop curl or anything
> > else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.

--
Ing. Guillermo Bisheimer
B&S Sistemas de Control y Equipamientos
Av. de los Constituyentes 1172
(E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (New number)
Cel: (0343) 154679052
WEB: www.bys-control.com.ar
e-mail: gbisheimer at bys-control.com.ar
skype: guillermo.bisheimer
On Mon, Jan 16, 2017 at 12:29:59PM +0000, Guillermo Bisheimer wrote:

> One more thing. I can run two tinc daemons, one for each group, but I still
> need to communicate clients from one group to the other.
>
> Clients from group 2 (admin group) need to reach clients from group 1
> (remote server group), but clients from group 1 must not be able to reach
> each other nor the server.
>
> If I'm not using TunnelServer and Forwarding, how can I set up the routes
> between the two Tinc daemons?

For group 1, set TunnelServer = yes and Forwarding = off. This prevents
clients from seeing and talking to each other. Also don't use DeviceType.

Now that you have two VPN interfaces on the server, one for group 1 and one
for group 2, you can use the routing table and/or firewall rules to control
who can reach whom. You still need to block traffic from the clients to the
server itself. Instead of:

> sudo iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP

Try:

sudo iptables -A INPUT -i <group 1 interface> -j DROP

This should drop all packets from the clients. Note that the INPUT chain
only applies to packets destined for the server itself; packets that are to
be forwarded between group 1 and 2 go via the FORWARD chain.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
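The layout from the reply above, written out as an added example that is not from the thread or the tinc project: a tinc.conf fragment for the server's group 1 daemon, and the INPUT and FORWARD rules that let the admin group reach group 1 while group 1 reaches neither the server nor anything else. The interface names tun_g1 and tun_g2 and the node name are assumptions; the address ranges are the ones given in the thread. By default the script only prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): the two-daemon layout from the reply
# above as a group 1 tinc.conf fragment plus the iptables rules that go with
# it. Interface and node names are assumptions; the ranges are the thread's.
G1_IF="${G1_IF:-tun_g1}"      # assumed interface of the group 1 daemon
G2_IF="${G2_IF:-tun_g2}"      # assumed interface of the group 2 daemon
G1_NET="10.100.0.0/17"        # group 1: 10.100.0.2 - 10.100.127.255
G2_NET="10.100.128.0/17"      # group 2: 10.100.128.1 - 10.100.255.255
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables to apply

# tinc.conf for the server's group 1 daemon. TunnelServer keeps clients from
# learning about each other and Forwarding = off keeps the server from
# relaying between them; no DeviceType = dummy, so an interface exists for
# the admin traffic to be routed onto.
g1_tinc_conf() {
    cat <<EOF
# Name is an assumed node name
Name = server
Interface = $G1_IF
TunnelServer = yes
Forwarding = off
EOF
}

gen_rules() {
    # INPUT only sees packets addressed to the server itself. These must
    # come before any broad ACCEPT already in the chain (use -I if so).
    $IPT -A INPUT -i "$G1_IF" -j DROP                  # group 1 -> server
    $IPT -A INPUT -i "$G2_IF" -s "$G2_NET" -j ACCEPT   # admins -> server

    # Packets crossing from one tun interface to the other traverse FORWARD
    # (and need net.ipv4.ip_forward=1); the INPUT rules never see them.
    $IPT -A FORWARD -i "$G2_IF" -o "$G1_IF" -s "$G2_NET" -d "$G1_NET" -j ACCEPT
    # Group 1 may only answer flows the admin side opened.
    $IPT -A FORWARD -i "$G1_IF" -o "$G2_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else from group 1 (to group 2 or back into group 1) drops.
    $IPT -A FORWARD -i "$G1_IF" -j DROP
}

# Helper for checking the generated rule set: rules emitted for one chain.
count_rules() {
    gen_rules | grep -c -- "-A $1 "
}
```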