Hi Team,
I admit that I am not familiar with Tinc very well, but have Tinc running at
approximately 20 sites and functioning as a mesh vpn/network. I am having
issues adding an additional site as it will not communicate with the rest. I
have taken the firmware of one and flashed it on another router to make it a
duplicate, and then tested it working, but when I change the hostname and IP to
what we need it to be (in this case 172.16.100.0) it no longer communicates with
the rest of the network even though I have the same public key (they all have
the same key) as well as adding it to the host folder and tinc config file on
every other router. Am I missing something? The current system seems to be
working now, but I am having issues adding a new one.
Thanks in advance for any advice, assistance or referral you could provide.
Regards,
Chris
Contents of the /etc/tinc/NETNAME/hosts/ folder (NOTE pfsense is just what we
called the sites)
pfsense1 pfsense100 pfsense11 pfsense12 pfsense16 pfsense17
pfsense19 pfsense2 pfsense20 pfsense201 pfsense26 pfsense27 pfsense4
pfsense7
All of the /etc/tinc/NETNAME/hosts/ files have the same public key on each
router as well as each file above.
Here is the current configuration setup. (OpenWRT router is .254 on all subnets)
Pfsense1 is 172.16.1.0
Pfsense2 is 172.16.2.0
Pfsense4 is 172.16.4.0
Etc..
Partial file contents of /etc/config/tinc
config tinc-net NETNAME
option enabled 1
option logfile /tmp/log/tinc.log
option debug 1
option AddressFamily ipv4
list ConnectTo=pfsense2
list ConnectTo=pfsense4
list ConnectTo=pfsense12
list ConnectTo=pfsense201
list ConnectTo=pfsense11
list ConnectTo=pfsense1
list ConnectTo=pfsense19
list ConnectTo=pfsense7
list ConnectTo pfsense26
list ConnectTo pfsense27
list ConnectTo pfsense100
option Name pfsense16
config tinc-host pfsense20
option enabled 1
option net NETNAME
list Address {PUBLICIPHERE for this site}
option Subnet 172.16.20.0/24
config tinc-host pfsense7
option enabled 1
option net NETNAME
list Address {PUBLICIPHERE for this site}
option Subnet 172.16.7.0/24
config tinc-host pfsense19
option enabled 1
option net NETNAME
list Address {PUBLICIPHERE for this site}
option Subnet 172.16.19.0/24
config tinc-host pfsense100
option enabled 1
option net NETNAME
list Address {PUBLICIPHERE for this site}
option Subnet 172.16.100.0/24
It continues with the rest of the sites that I did not list to limit email
length.
File contents of /etc/tinc/NETNAME/tinc-up
#!/bin/sh
ip=`uci get network.lan.ipaddr`
ifconfig $INTERFACE $ip
File contents of /etc/tinc/NETNAME/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
File contents of /etc/tinc/NETNAME/subnet-up
#!/bin/sh
[ $NODE = `uci get tinc.$NETNAME.Name` ] && exit
case $SUBNET in
*/32) targetType=-host ;;
*) targetType=-net ;;
esac
route add $targetType $SUBNET dev $INTERFACE
File contents of /etc/tinc/NETNAME/subnet-down
#!/bin/sh
[ $NODE = `uci get tinc.$NETNAME.Name` ] && exit
case $SUBNET in
*/32) targetType=-host ;;
*) targetType=-net ;;
esac
route del $targetType $SUBNET dev $INTERFACE
To be clear (also not sure how it works without it) but tinc.conf is not in the
/etc/tinc/NETNAME folder. We can see it in the /tmp/tinc/NETNAME directory only
and its contents are below.
File contents of /tmp/tinc/NETNAME/tinc.conf (this is on the pfsense16 unit with
subnet 172.16.16.0)
AddressFamily = ipv4
ConnectTo = pfsense26
ConnectTo = pfsense27
Name = pfsense16
On Thu, Mar 15, 2018 at 03:41:00PM +0000, Chris . wrote:
> I admit that I am not familiar with Tinc very well, but have Tinc running at
> approximately 20 sites and functioning as a mesh vpn/network. I am having
> issues adding an additional site as it will not communicate with the rest. I
> have taken the firmware of one and flashed it on another router to make it
> duplicate and then tested it working but when I change the hostname, and IP to
> what we need it to be (in this case 172.16.100.0) it no longer communicates with
> the rest of the network even though I have the same public key (they all have
> the same key) as well as adding it to the host folder and tinc config file on
> every other router. Am I missing something? The current system seems to be
> working now but having issues to add new.
I suspect you do have an error in your configuration somewhere. Either on the
new node, or in the other node(s) that will have connections with the new node.
Check for typos.
> Partial file contents of /etc/config/tinc
>
> config tinc-net NETNAME
> option enabled 1
> option logfile /tmp/log/tinc.log
> option debug 1
> option AddressFamily ipv4
>
> list ConnectTo=pfsense2
> list ConnectTo=pfsense4
> list ConnectTo=pfsense12
> list ConnectTo=pfsense201
> list ConnectTo=pfsense11
> list ConnectTo=pfsense1
> list ConnectTo=pfsense19
> list ConnectTo=pfsense7
> list ConnectTo pfsense26
> list ConnectTo pfsense27
> list ConnectTo pfsense100
> option Name pfsense16
I'm no pfsense expert. But why do some lines have ConnectTo=pfsense with a =
sign between ConnectTo and pfsense, and other lines have a space instead of the
=?
> To be clear (also not sure how it works without it) but tinc.conf is not in
> the /etc/tinc/NETNAME folder. We can see it in the /tmp/tinc/NETNAME directory
> only and its contents are below.
> File contents of /tmp/tinc/NETNAME/tinc.conf (this is on the pfsense16 unit
> with subnet 172.16.16.0)
> AddressFamily = ipv4
> ConnectTo = pfsense26
> ConnectTo = pfsense27
> Name = pfsense16
I see only two ConnectTo's here, ConnectTo = pfsense100 is missing.
Could that be the problem?
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Regarding the ConnectTo spaces and =, that is a great question which I do not
know the answer to. What is the proper configuration for the ConnectTo command
and how should it be used? I do not see anything specific in the documentation
that specifies that for the /etc/config/tinc file.
The pfsense is just the name given by the initial person that set it up and has
nothing specific to do with pfSense.
When I edit the /tmp/tinc/NETNAME/tinc.conf file and reboot, it (obviously, I
think) changes. How would I make the change stick? Does it by default look at
the /etc/tinc/NETNAME/tinc.conf first before it looks at the /tmp......
location? I tried to create the file in the /etc/tinc/NETNAME directory but that
seemed to have no effect after adding the new site to an existing location.
Here is an existing site called pfsense12
CONTENTS of /etc/tinc/NETNAME/hosts/pfsense100
(RSA PUBLIC KEY IS HERE)
CONTENTS of /etc/config/tinc
config tinc-net NETNAME
option enabled 1
option logfile /tmp/log/tinc.log
# option debug 1
option AddressFamily ipv4
list ConnectTo pfsense2
list ConnectTo pfsense4
list ConnectTo pfsense18
list ConnectTo pfsense201
list ConnectTo pfsense11
list ConnectTo pfsense7
list ConnectTo pfsense1
list ConnectTo pfsense16
list ConnectTo pfsense19
list ConnectTo pfsense17
list ConnectTo pfsense20
list ConnectTo pfsense26
list ConnectTo pfsense100
list ConnectTo pfsense27
option Name pfsense12
option PrivateKeyFile /etc/tinc/NETNAME/rsa_key.priv
config tinc-host pfsense20
option enabled 1
option net NETNAME
list Address PUBLIC IP OF THIS SITE
option Subnet 172.16.20.0/24
config tinc-host pfsense7
option enabled 1
option net NETNAME
list Address PUBLIC IP OF THIS SITE
option Subnet 172.16.7.0/24
config tinc-host pfsense100
option enabled 1
option net NETNAME
list Address PUBLIC IP OF THIS SITE
option Subnet 172.16.17.100/24
... It continues to list all of the sites.
Below is the contents of the new site that we are trying to add.
CONTENTS of /etc/tinc/NETNAME/hosts/pfsense12
(RSA PUBLIC KEY IS HERE)
CONTENTS of /etc/config/tinc
config tinc-net NETNAME
option enabled 1
option logfile /var/log/tinc.log
option debug 5
option AddressFamily ipv4
list ConnectTo pfsense201
list ConnectTo pfsense7
list ConnectTo pfsense4
list ConnectTo pfsense12
list ConnectTo pfsense11
list ConnectTo pfsense1
list ConnectTo pfsense16
list ConnectTo pfsense19
list ConnectTo pfsense2
list ConnectTo pfsense28
list ConnectTo pfsense29
option Name pfsense100
option PrivateKeyFile /etc/tinc/NETNAME/rsa_key.priv
config tinc-host pfsense28
option enabled 1
option net NETNAME
list Address PUBLIC IP HERE
option Subnet 172.16.28.0/24
config tinc-host pfsense12
option enabled 1
option net NETNAME
list Address PUBLIC IP HERE
option Subnet 172.16.29.0/24
config tinc-host pfsense201
option enable 1
option net NETNAME
option Address PUBLIC IP HERE
option Subnet 172.16.201.0/24
config tinc-host pfsense7
option enabled 1
option net NETNAME
list Address PUBLIC IP HERE
option Subnet 172.16.7.0/24
Does that look correct?
Thank you for the response!
Chris
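Guus's advice above is "check for typos", and the configs posted so far show exactly the kind that are easy to miss by eye: `list ConnectTo=pfsense2` beside `list ConnectTo pfsense26`, `option enable 1` beside `option enabled 1`, `option Address` beside `list Address`, a ConnectTo target with no matching tinc-host section, and Subnet values that either have host bits set (172.16.17.100/24) or break the site-number convention stated earlier (pfsenseN is 172.16.N.0/24). The following is an added example, not code from the thread, tinc or OpenWrt: a small stand-alone linter that performs those checks mechanically on an /etc/config/tinc file. The known-key sets are taken from the configs posted in this thread and are an assumption to extend for your own deployment; the sample config is assembled from the posted snippets with PUBLIC_IP_HERE as a placeholder.

```python
"""Lint an OpenWrt-style /etc/config/tinc for the slips discussed in this thread.
Added example; not code from tinc or OpenWrt."""
import difflib
import ipaddress
import re
import shlex

# Keys seen in the configs posted in the thread. Assumption: extend these sets
# with whatever else your own /etc/config/tinc uses.
KNOWN_KEYS = {
    "tinc-net": {"enabled", "logfile", "debug", "AddressFamily",
                 "ConnectTo", "Name", "PrivateKeyFile"},
    "tinc-host": {"enabled", "net", "Address", "Subnet"},
}
UCI_NAME = re.compile(r"^[A-Za-z0-9_]+$")   # valid UCI option/list names
SITE_NAME = re.compile(r"^pfsense(\d+)$")   # site naming used in the thread


def parse_uci(text):
    """Minimal UCI reader: sections with their (kind, key, value, line) entries."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "entries": []})
        elif words[0] in ("option", "list") and len(words) >= 2 and sections:
            # 'list ConnectTo=pfsense2' yields a bogus key and an empty value;
            # it is kept so lint() can report it.
            sections[-1]["entries"].append((words[0], words[1], " ".join(words[2:]), lineno))
    return sections


def check_subnet(host, value, lineno, seen, findings):
    """Validate one Subnet and compare it with the pfsenseN -> 172.16.N.0/24 convention."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        findings.append(f"line {lineno}: Subnet '{value}' for {host} is not a valid network ({exc})")
        return
    if net in seen:
        findings.append(f"line {lineno}: Subnet {net} for {host} duplicates {seen[net]}")
    seen[net] = host
    site = SITE_NAME.match(host or "")
    if site and int(site.group(1)) < 256:   # convention only covers one octet
        expected = ipaddress.ip_network(f"172.16.{site.group(1)}.0/24")
        if net != expected:
            findings.append(f"line {lineno}: {host} has Subnet {net}, "
                            f"but the naming convention implies {expected}")


def lint(text):
    """Return human-readable findings; an empty list means nothing was spotted."""
    findings, subnets, address_styles = [], {}, set()
    sections = parse_uci(text)
    hosts = {s["name"] for s in sections if s["type"] == "tinc-host"}
    for sec in sections:
        known = KNOWN_KEYS.get(sec["type"])
        for kind, key, value, lineno in sec["entries"]:
            if not UCI_NAME.match(key):
                findings.append(f"line {lineno}: '{key}' is not a valid UCI name; UCI separates "
                                "the name from the value with whitespace, not '='")
                continue
            if known is not None and key not in known:
                hint = difflib.get_close_matches(key, known, n=1)
                findings.append(f"line {lineno}: unknown key '{key}' in {sec['type']}"
                                + (f" (did you mean '{hint[0]}'?)" if hint else ""))
            if sec["type"] == "tinc-net" and key == "ConnectTo" and value not in hosts:
                findings.append(f"line {lineno}: ConnectTo {value} has no tinc-host section in this file")
            if sec["type"] == "tinc-host" and key == "Address":
                address_styles.add(kind)
            if sec["type"] == "tinc-host" and key == "Subnet":
                check_subnet(sec["name"], value, lineno, subnets, findings)
    if len(address_styles) > 1:
        findings.append("Address is given as 'option' in some tinc-host sections and as 'list' "
                        "in others; use one form consistently")
    return findings


# Constructed sample assembled from the snippets posted in this thread.
SAMPLE = """\
config tinc-net NETNAME
    option enabled 1
    option logfile /var/log/tinc.log
    option debug 5
    option AddressFamily ipv4
    list ConnectTo=pfsense2
    list ConnectTo pfsense201
    list ConnectTo pfsense12
    list ConnectTo pfsense29
    option Name pfsense100
    option PrivateKeyFile /etc/tinc/NETNAME/rsa_key.priv

config tinc-host pfsense12
    option enabled 1
    option net NETNAME
    list Address PUBLIC_IP_HERE
    option Subnet 172.16.29.0/24

config tinc-host pfsense201
    option enable 1
    option net NETNAME
    option Address PUBLIC_IP_HERE
    option Subnet 172.16.201.0/24

config tinc-host pfsense100
    option enabled 1
    option net NETNAME
    list Address PUBLIC_IP_HERE
    option Subnet 172.16.17.100/24
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the real file with `lint(open("/etc/config/tinc").read())`; it reports only inconsistencies it can see in that file, so a ConnectTo target that is defined in a hosts/ file but has no tinc-host section will still be listed and needs a manual look.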
I did notice that the interface we have named br-lan did not have the proper
broadcast and netmask information. I adjusted that and it looks like it's now
connecting but still running into issues.
Here is a snippet from the new system we are trying to connect in (from the
/var/log/tinc.log file):
2018-03-15 22:57:26 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:26 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:31 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:31 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:35 tinc.NETNAME[871]: Got KEY_CHANGED from pfsense201
(PFSENSE201-PUBLICIP port 45305): 14 247954dd pfsense29
2018-03-15 22:57:35 tinc.NETNAME[871]: Forwarding KEY_CHANGED from pfsense201
(PFSENSE201-PUBLICIP port 45305): 14 247954dd pfsense29
2018-03-15 22:57:36 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:36 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:41 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:41 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:46 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:46 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:51 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:51 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:56 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:56 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:56 tinc.NETNAME[871]: Trying to connect to pfsense12
(PFSENSE12-PUBLICIP port 655)
2018-03-15 22:57:59 tinc.NETNAME[871]: Error while connecting to pfsense12
(PFSENSE12-PUBLICIP port 655): No route to host
2018-03-15 22:57:59 tinc.NETNAME[871]: Could not set up a meta connection to
pfsense12
2018-03-15 22:57:59 tinc.NETNAME[871]: Trying to re-establish outgoing
connection in 155 seconds
2018-03-15 22:58:01 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:01 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:06 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:06 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:11 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:11 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:16 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:16 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:21 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:21 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:22 tinc.NETNAME[871]: Got PING from pfsense201
(PFSENSE201-PUBLICIP port 45305): 8
2018-03-15 22:58:22 tinc.NETNAME[871]: Sending PONG to pfsense201
(PFSENSE201-PUBLICIP port 45305): 9
2018-03-15 22:58:22 tinc.NETNAME[871]: Sending 2 bytes of metadata to pfsense201
(PFSENSE201-PUBLICIP port 45305)
2018-03-15 22:58:22 tinc.NETNAME[871]: Flushing 2 bytes to pfsense201
(PFSENSE201-PUBLICIP port 45305)
2018-03-15 22:58:23 tinc.NETNAME[871]: Sending PING to pfsense201
(PFSENSE201-PUBLICIP port 45305): 8
2018-03-15 22:58:23 tinc.NETNAME[871]: Sending 2 bytes of metadata to pfsense201
(PFSENSE201-PUBLICIP port 45305)
2018-03-15 22:58:23 tinc.NETNAME[871]: Flushing 2 bytes to pfsense201
(PFSENSE201-PUBLICIP port 45305)
2018-03-15 22:58:23 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:23 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:23 tinc.NETNAME[871]: Got PONG from pfsense201
(PFSENSE201-PUBLICIP port 45305): 9
2018-03-15 22:58:23 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Sending MTU probe length 1467 to
pfsense201 (PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Sending MTU probe length 1459 to
pfsense201 (PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Sending MTU probe length 1459 to
pfsense201 (PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Sending MTU probe length 1459 to
pfsense201 (PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:25 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:26 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:26 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:31 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:31 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:36 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:58:36 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
I changed the /etc/config/tinc file for testing to list only two sites to
connect to. Below is the file for the new site 100 I'm trying to connect into the
network.
config tinc-net NETNAME
option enabled 1
option logfile /var/log/tinc.log
option debug 5
option AddressFamily ipv4
list ConnectTo pfsense201
list ConnectTo pfsense12
option Name pfsense100
option PrivateKeyFile /etc/tinc/NETNAME/rsa_key.priv
config tinc-host pfsense201
option enabled 1
option net NETNAME
option Address PUBLICIPOFTHISSITEHERE
option Subnet 172.16.201.0/24
config tinc-host pfsense12
option enabled 1
option net NETNAME
list Address PUBLICIPOFTHISSITEHERE
option Subnet 172.16.12.0/24
In summary, it looks like it's connecting, BUT when I ping I get timeouts and I
cannot visit any HTTP either. I looked at other users' issues with connectivity
and no ping but cannot determine the issue running Wireshark. Any ideas?
Thank you again for the guidance!
Chris
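The log posted above already separates two different problems once it is read per peer: the meta connection to pfsense12 fails outright ("No route to host" on TCP port 655), while for pfsense201 the meta connection is healthy (PING/PONG, MTU probes, KEY_CHANGED) and data packets go out over UDP, yet not a single packet comes back, which matches the ping timeouts. As an added example, not code from the thread or from tinc, here is a small Python triage script that unwraps the 80-column log lines, counts those events per peer and prints the observations a first troubleshooting pass wants. The message wording for outgoing data, PING/PONG, MTU probes and connection errors is taken from the posted log; the "Received packet of N bytes from" pattern is tinc's traffic-level wording as I know it and is an assumption to check against your version. The sample is a subset of the posted lines, kept wrapped exactly as in the mail.

```python
"""Per-peer triage of a tinc debug log: meta connection failures versus
one-way data traffic. Added example; not code from tinc."""
import re
from collections import defaultdict

TIMESTAMPED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+): (.*)$")
# Message patterns. 'Received packet' is tinc's traffic-level wording as
# assumed here; the others appear verbatim in the posted log.
PER_PEER = {
    "data_sent": re.compile(r"^Sending packet of \d+ bytes to (\S+)"),
    "data_received": re.compile(r"^Received packet of \d+ bytes from (\S+)"),
    "meta_attempts": re.compile(r"^Trying to connect to (\S+)"),
    "pings_in": re.compile(r"^Got PING from (\S+)"),
    "pongs_in": re.compile(r"^Got PONG from (\S+)"),
    "mtu_probes_in": re.compile(r"^Got MTU probe length \d+ from (\S+)"),
}
META_ERROR = re.compile(r"^Error while connecting to (\S+) \([^)]*\): (.+)$")


def unwrap(text):
    """Join continuation lines (no leading timestamp) back onto their log line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMPED.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def new_peer():
    return {**{key: 0 for key in PER_PEER}, "meta_errors": []}


def summarise(text):
    """Count events per peer plus the number of packets read from the tun device."""
    peers, tun_reads = defaultdict(new_peer), 0
    for record in unwrap(text):
        match = TIMESTAMPED.match(record)
        if not match:
            continue
        msg = match.group(2)
        if msg.startswith("Read packet of"):
            tun_reads += 1
            continue
        err = META_ERROR.match(msg)
        if err:
            peers[err.group(1)]["meta_errors"].append(err.group(2))
            continue
        for key, pattern in PER_PEER.items():
            hit = pattern.match(msg)
            if hit:
                peers[hit.group(1)][key] += 1
                break
    return {"tun_reads": tun_reads, "peers": dict(peers)}


def triage(summary):
    """Turn the counters into plain-language observations."""
    notes = []
    for peer, c in sorted(summary["peers"].items()):
        for reason in c["meta_errors"]:
            notes.append(f"{peer}: meta connection failed ({reason}); check the Address, "
                         f"TCP port 655 reachability and firewall for {peer}")
        if c["data_sent"] and not c["data_received"]:
            notes.append(f"{peer}: {c['data_sent']} data packets sent, none received; "
                         f"traffic is one-way, so check the return route and Subnet on {peer}")
        if c["pings_in"] and c["pongs_in"] and not c["data_received"]:
            notes.append(f"{peer}: meta connection is alive (PING/PONG seen) but no data comes "
                         "back over UDP; suspect the UDP path or routing rather than authentication")
    return notes


# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = """\
2018-03-15 22:57:26 tinc.NETNAME[871]: Read packet of 74 bytes from Linux
tun/tap device (tun mode)
2018-03-15 22:57:26 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:35 tinc.NETNAME[871]: Got KEY_CHANGED from pfsense201
(PFSENSE201-PUBLICIP port 45305): 14 247954dd pfsense29
2018-03-15 22:57:56 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:57:56 tinc.NETNAME[871]: Trying to connect to pfsense12
(PFSENSE12-PUBLICIP port 655)
2018-03-15 22:57:59 tinc.NETNAME[871]: Error while connecting to pfsense12
(PFSENSE12-PUBLICIP port 655): No route to host
2018-03-15 22:57:59 tinc.NETNAME[871]: Could not set up a meta connection to
pfsense12
2018-03-15 22:58:22 tinc.NETNAME[871]: Got PING from pfsense201
(PFSENSE201-PUBLICIP port 45305): 8
2018-03-15 22:58:22 tinc.NETNAME[871]: Sending PONG to pfsense201
(PFSENSE201-PUBLICIP port 45305): 9
2018-03-15 22:58:23 tinc.NETNAME[871]: Got MTU probe length 1459 from pfsense201
(PFSENSE201-PUBLICIP port 655)
2018-03-15 22:58:23 tinc.NETNAME[871]: Got PONG from pfsense201
(PFSENSE201-PUBLICIP port 45305): 9
2018-03-15 22:58:26 tinc.NETNAME[871]: Sending packet of 74 bytes to pfsense201
(PFSENSE201-PUBLICIP port 655)
"""

if __name__ == "__main__":
    for note in triage(summarise(SAMPLE_LOG)):
        print(note)
```

Feed it the full /var/log/tinc.log with `triage(summarise(open("/var/log/tinc.log").read()))`. A peer that shows data sent but nothing received is a routing or return-path question (the Subnet the peer advertises for this site, the subnet-up routes on the other end, the br-lan netmask mentioned above), not a key problem; a peer with a meta connection error is a reachability question on TCP port 655 before anything else.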