Guus Sliepen
2018-Apr-10 21:18 UTC
Route certain traffic via a tinc node that is not directly connected.
On Tue, Apr 10, 2018 at 03:36:08PM +0200, Hans de Groot wrote:

> hosta <--> hostb <--> hostc
>
> Hosta and hostc are not directly connected via tinc. But both are connected
> via hostb (I called my network tincnet). This works fine, I can ssh from
> hosta to hostc and vice versa without any problems.
>
> hostc is in a whitelisted IP range at some service provider.
>
> I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
>
> I added the iptables mangle rule to mark all traffic to ipaddressx at port
> 700.
>
> -A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK --set-mark 0x1
>
> I added:
> ip route add default via iphostc dev tincnet table hostc
> ip rule add from 0.0.0.0/0 fwmark 1 table hostc

If you are running tinc in router mode (which is the default), then the
"via iphostc" option does not have any effect. The packets will go to
dev tincnet, but there is nothing in the header of IP packets that
contains the address of the gateway.

Also, if you are using router mode, then you must inform tinc about
which peer to send packets with destination address ipaddressx to. So
you can add "Subnet = ipaddressx/" to hostc's hosts/hostc. But tinc only
routes on address, not on ports.

> Now when I try this:
>
> traceroute -T -n ipaddressx -p 700
>
> The route goes via the ip of hostb and not via the ip of hostc as I would
> have expected.

There are two possibilities for this: one is that tinc thinks the
packets with destination address ipaddressx should go to hostb (because
of what is in the Subnet statements), the other is that hosta and hostc
cannot directly communicate with each other, and traffic is routed via
hostb, and you have Forwarding = kernel in your tinc.conf. The latter
will force the packets to be sent to the tun interface on hostb, and if
you don't have any rules on hostb to send packets for ipaddressx port
700 to hostc, they will not be forwarded the way you want.

> A weird thing is when I try the add route with any ip in the tincnet subnet
> the route gets added even if that ip is not in use and all traffic still
> goes via the ip of hostb.
> ie: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table
> hostc

Again, in router mode, the "via ..." option has no effect at all.

> Is it tincd at hostb that intercepts the traffic actually meant for hostc
> and thinks it's meant for hostb and rewrites stuff automatically? Or am I
> missing something in the ip route / ip rules part?

Tinc itself does not rewrite anything.

> But I really would like to understand how to do this via mangle/fwmark and
> ip route / ip rule way.

It would help if you could show us your tinc.conf from hostb, and all
hosts/* files, so we can check how you configured tinc exactly.

--
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
Hans de Groot
2018-Apr-11 10:30 UTC
Route certain traffic via a tinc node that is not directly connected.
Hello again :)

Thank you all for your replies. Below are the config files of the 3 hosts.
I use tinc in router mode. I do not have any kernel mode config lines
anywhere, so tinc must be using the default settings here.

I added the ipaddressx to subnets on hostc and this works. Traffic to
that ip is now routed via hostc.
But since this ipaddressx address changes often I need to resolve it
automatically and change the iptables rules that mark the packets. I was
really hoping to have to do this at one location (at hosta) and not update
the subnets on hostc. (And I also would like to understand how this works
with tinc.)

If I use the old route command I can tell it to route traffic for a
certain ip to a certain gateway. (without tinc)
ie: route add -host 192.168.0.16 gw 10.0.0.1 eth0
I always assumed packets were specifically sent to 10.0.0.1 if packets
with destination 192.168.0.16 arrived on this host.
But Guus says the VIA option has no effect.

So is there a way to send packets to a specific gateway ip using ip
route?

I do have a subnet 0.0.0.0 at hostb so that is probably why traffic goes
out via hostb when I do not have the specific subnet/ip at hostc.

Regards

Hans de Groot

configs at hosta

tinc.conf
  Name = hosta
  Device = /dev/net/tun
  Hostnames = No
  connectto = hostb
  Mode = Router
  KeyExpire = 3600
  PingInterval = 10
  PingTimeout = 15
  PrivateKeyFile = /etc/tinc/tincnet/rsa_key.priv
  ProcessPriority = high
  PMTUDiscovery = yes

tinc-up
  #!/bin/bash
  ifconfig $INTERFACE 192.168.230.21 netmask 255.255.255.0
  route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
  ip route add default via 192.168.230.160 dev tincnet table hostc
  ip rule add from 0.0.0.0/0 fwmark 1 table hostc

hosts/hosta
  Address = x.x.x.x
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 110
  Subnet = 192.168.230.21/32
  TCPonly = yes
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

hosts/hostb
  Address = x.x.x.x
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 110
  Subnet = 192.168.230.1/32
  Subnet = 0.0.0.0/0
  TCPonly = yes
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

-------------------------------------------------
configs at hostb

tinc.conf
  AddressFamily = ipv4
  Name = hostb
  Device = /dev/net/tun
  Hostnames = No
  Mode = Router
  KeyExpire = 3600
  PingInterval = 30
  PingTimeout = 60
  PrivateKeyFile = /usr/local/etc/tinc/tincnet/rsa_key.priv
  ProcessPriority = high
  PMTUDiscovery = yes

tinc-up
  #!/bin/bash
  ifconfig $INTERFACE 192.168.230.1 netmask 255.255.255.0
  route add -net 192.168.230.0 netmask 255.255.255.0 gw 192.168.230.1
  ip route add default via 192.168.230.160 dev tincnet table hostc
  ip rule add from 0.0.0.0/0 fwmark 1 table hostc

hosts/hostb
  Address = x.x.x.x
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 110
  Subnet = 192.168.230.1/32
  Subnet = 0.0.0.0/0
  TCPonly = No
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

hosts/hostc
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 655
  Subnet = 192.168.230.160/32
  Subnet = 10.100.1.241/32
  TCPonly = Yes
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

-----------------------------------------------------------
config at hostc

tinc.conf
  AddressFamily = ipv4
  Name = hostc
  ConnectTo = hostb
  Interface = tincnet
  Hostnames = No
  Mode = Router
  KeyExpire = 3600
  PingInterval = 10
  PingTimeout = 10

tinc-up
  #!/bin/bash
  ifconfig $INTERFACE 192.168.230.160 netmask 255.255.255.0

hosts/hostb
  Address = x.x.x.x
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 110
  Subnet = 192.168.230.1/32
  Subnet = 0.0.0.0/0
  TCPonly = Yes
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

hosts/hostc
  Address = x.x.x.x
  Cipher = blowfish
  Compression = 0
  Digest = sha1
  IndirectData = Yes
  Port = 655
  Subnet = 192.168.230.160/32
  Subnet = 10.100.2.2/32
  Subnet = 10.100.1.236/32
  TCPonly = Yes
  -----BEGIN RSA PUBLIC KEY-----
  -----END RSA PUBLIC KEY-----

_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
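The behaviour Guus describes (router mode ignores "via", matches only the destination address against the Subnet lines, and the most specific prefix wins) is easy to see with a small model of the lookup. The script below is an added example, not tinc's code and not part of this thread: it loads the Subnet lines from the hosts files posted above (hostc's entries from hostc's own hosts/hostc), uses 203.0.113.10 as a constructed stand-in for ipaddressx, and deliberately accepts and ignores a port and a fwmark, because that is what tinc does with them.

```shell
#!/usr/bin/env bash
# Added example (not tinc's code): a model of router-mode peer selection.
# tinc matches only the destination address against every node's Subnet
# lines and takes the most specific match; ports and fwmarks play no part.
# Subnet table copied from the hosts files posted in this thread
# (hostc's entries taken from hostc's own hosts/hostc).
set -u

SUBNETS="hosta 192.168.230.21/32
hostb 192.168.230.1/32
hostb 0.0.0.0/0
hostc 192.168.230.160/32
hostc 10.100.2.2/32
hostc 10.100.1.236/32"

# Constructed stand-in for "ipaddressx" (RFC 5737 TEST-NET-3).
IPADDRESSX=203.0.113.10

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR CIDR: true if ADDR lies inside CIDR.
in_prefix() {
    local addr net len mask
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# tinc_route DST [PORT] [MARK]: node owning the most specific matching Subnet.
# The extra arguments are accepted and ignored on purpose: a mangle rule on
# hosta can set them, but router-mode tinc never looks at them.
tinc_route() {
    local dst=$1 best_node= best_len=-1 node prefix len
    while read -r node prefix; do
        [ -n "$node" ] || continue
        len=${prefix#*/}
        if in_prefix "$dst" "$prefix" && [ "$len" -gt "$best_len" ]; then
            best_node=$node
            best_len=$len
        fi
    done <<EOF
$SUBNETS
EOF
    printf '%s\n' "${best_node:-unreachable}"
}

# add_subnet NODE CIDR: the effect of adding "Subnet = CIDR" to hosts/NODE.
add_subnet() {
    SUBNETS="$SUBNETS
$1 $2"
}

# Table as posted: the marked packet for ipaddressx:700 is caught by
# hostb's 0.0.0.0/0 no matter what "ip route ... via" says on hosta.
printf '%s:700 mark 1 -> %s\n' "$IPADDRESSX" "$(tinc_route "$IPADDRESSX" 700 1)"
printf '192.168.230.160 -> %s\n' "$(tinc_route 192.168.230.160)"
```

Calling `add_subnet hostc 203.0.113.10/32` and looking the address up again reproduces Hans's working fix: the /32 now beats hostb's /0, and the port still plays no part. On a real tinc 1.1 node, `tinc -n tincnet dump subnets` prints the table the daemon actually uses, which is what to compare against when a packet ends up at the wrong peer.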
Etienne Dechamps
2018-Apr-11 19:20 UTC
Route certain traffic via a tinc node that is not directly connected.
On 11 April 2018 at 11:30, Hans de Groot <hansg at dandy.nl> wrote:

> Hello again :)
>
> Thank you all for your replies. Below are the config files of the 3 hosts.
> I use tinc in router mode. I do not have any kernel mode config lines
> anywhere, so tinc must be using the default settings here.
>
> I added the ipaddressx to subnets on hostc and this works. Traffic to
> that ip is now routed via hostc.
> But since this ipaddressx address changes often I need to resolve it
> automatically and change the iptables rules that mark the packets. I was
> really hoping to have to do this at one location (at hosta) and not update
> the subnets on hostc. (And I also would like to understand how this works
> with tinc.)
>
> If I use the old route command I can tell it to route traffic for a
> certain ip to a certain gateway. (without tinc)
> ie: route add -host 192.168.0.16 gw 10.0.0.1 eth0
> I always assumed packets were specifically sent to 10.0.0.1 if packets
> with destination 192.168.0.16 arrived on this host.
> But Guus says the VIA option has no effect.

No, the "via" option doesn't have any effect, because it only has effect
at layer 2, e.g. on an Ethernet network. tinc running in router mode is
a layer 3 (IP) network, not a layer 2 (Ethernet) network. When you use
that option on a layer 2 network such as Ethernet, the "via" option
determines which layer 2 host (i.e. which MAC address, after ARP
resolution) the packet will go to. In "router mode" tinc there are no
MAC addresses, and tinc decides where to send packets based on
destination IP address, not the kernel.

> So is there a way to send packets to a specific gateway ip using ip
> route?

If you change the tinc mode to "switch", then your tinc VPN will behave
just like a physical Ethernet network, and the "via" option will work
just like it does on a real network. But note that setting that option
comes with a long list of consequences and is quite a radical, breaking
change. (Also keep in mind that all nodes on your network need to use
the same mode.)

> I do have a subnet 0.0.0.0 at hostb so that is probably why traffic goes
> out via hostb when I do not have the specific subnet/ip at hostc

Yes, that explains it. If one of your nodes has a 0.0.0.0 subnet then it
means tinc will send traffic to that node by default if no other subnets
match the destination IP address on the packet. Which is what happened
with "ipaddressx".

An alternative solution to your problem, besides going one layer down,
would be to go one layer up: you could set up a "tunnel within the
tunnel", i.e. hosta could establish a tunnel to hostc *on top of* the
tinc VPN. Then, if you want certain packets to go through hostc, you can
just send them through that tunnel and you're done. I am actually using
such a solution for a special purpose on my own tinc network right now.
The simplest solution for the tunnel is to use IP/IP, which has minimal
overhead and is easy to understand and troubleshoot. I contributed some
code to tinc that provides better support for that use case:
https://github.com/gsliepen/tinc/pull/166

> Regards
>
> Hans de Groot
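Etienne's "tunnel within the tunnel" spelled out, as an added example that is not from the thread, from tinc, or from his pull request: an IP/IP tunnel from hosta to hostc whose outer addresses are the two tinc addresses posted above (192.168.230.21 and 192.168.230.160, so tinc still relays it through hostb exactly as it does for ssh), with the fwmark policy routing Hans already has pointed into the tunnel instead of at a "via". Everything not in the thread is assumed: the inner tunnel addresses 10.200.0.1/30 and 10.200.0.2/30, routing table 100 (a numeric table, so nothing needs adding to rt_tables), hostc's uplink interface eth0, the tunnel MTU, and 203.0.113.10 standing in for ipaddressx. hostc is configured once; after that only the mark rule on hosta changes when the address changes.

```shell
#!/usr/bin/env bash
# Added example, not from the thread, from tinc or from PR 166: the
# "tunnel within the tunnel" as an IP/IP tunnel hosta <-> hostc carried
# over tinc, with hosta's fwmark policy routing pointed into it.
# From the thread: hosta = 192.168.230.21, hostc = 192.168.230.160 (tinc
# addresses; tinc relays between them via hostb). Assumed: inner tunnel
# addresses 10.200.0.1/30 and 10.200.0.2/30, routing table 100, hostc's
# uplink eth0, MTU 1400, and 203.0.113.10 standing in for "ipaddressx".
# Commands are printed unless DRY_RUN=0; apply as root on the named host.
set -eu

DRY_RUN=${DRY_RUN:-1}
HOSTA_TINC=192.168.230.21
HOSTC_TINC=192.168.230.160
TUN_A=10.200.0.1
TUN_C=10.200.0.2
TABLE=100
MARK=0x1
UPLINK=eth0
TUNDEV=ipip0

run() {
    if [ "$DRY_RUN" != 0 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hosta: tunnel towards hostc; marked packets take table 100 into it.
setup_hosta() {
    run ip tunnel add "$TUNDEV" mode ipip local "$HOSTA_TINC" remote "$HOSTC_TINC"
    run ip addr add "$TUN_A/30" dev "$TUNDEV"
    run ip link set "$TUNDEV" mtu 1400 up
    # Replies come back through the tunnel while the main table would send
    # their source address out the normal default; loose rp_filter keeps them.
    run sysctl -w "net.ipv4.conf.$TUNDEV.rp_filter=2"
    run ip route add default dev "$TUNDEV" src "$TUN_A" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# hostc: mirror endpoint, forward, and source-NAT so the provider sees
# hostc's whitelisted address instead of 10.200.0.1.
setup_hostc() {
    run ip tunnel add "$TUNDEV" mode ipip local "$HOSTC_TINC" remote "$HOSTA_TINC"
    run ip addr add "$TUN_C/30" dev "$TUNDEV"
    run ip link set "$TUNDEV" mtu 1400 up
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$TUNDEV" -o "$UPLINK" -s "$TUN_A/32" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$TUNDEV" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$TUN_A/32" -o "$UPLINK" -j MASQUERADE
}

# mark_destination NEW [OLD], hosta only: the one rule that has to change
# when ipaddressx changes. hostc is not touched.
mark_destination() {
    local new=$1 old=${2:-}
    [ -z "$old" ] || run iptables -t mangle -D OUTPUT -p tcp -d "$old" --dport 700 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp -d "$new" --dport 700 -j MARK --set-mark "$MARK"
}

case "${1:-}" in
    hosta) setup_hosta; mark_destination 203.0.113.10 ;;
    hostc) setup_hostc ;;
    *)     echo "usage: DRY_RUN=0|1 $0 hosta|hostc" ;;
esac
```

Run it with `hosta` or `hostc` as the argument to see the commands for that side, then with `DRY_RUN=0` as root to apply them. When ipaddressx changes, `mark_destination NEW OLD` on hosta swaps the mangle rule and nothing else moves. Two things to check on a live setup: hostc's firewall must accept IP protocol 4 (IPIP) arriving on the tinc interface from 192.168.230.21, and the MASQUERADE rule is what makes the provider see hostc's whitelisted address rather than 10.200.0.1. The inner packets are still carried by tinc between hosta and hostc; IP/IP itself adds no protection, so the tunnel endpoints should be exactly the two tinc addresses and nothing reachable from outside the VPN.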