Dear all,

I am trying to configure a basic TINC vpn between two sites using OpenWRT routers. The link seems to work, the ping between the two routers is ok, but I can't ping hosts between the subnets behind the routers.

This is the configuration:

======== SITE 1 (CLIENT) - polimnia (subnet 192.168.4.0/24, gw 192.168.4.1)

tinc.conf
-------------
Name = polimnia
ConnectTo = calliope

hosts/polimnia
---------------------
Subnet = 172.16.0.4/32
Subnet = 192.168.4.0/24

tinc-up script
-------------------
#!/bin/sh
ip link set $INTERFACE up
ip addr add 172.16.0.4/24 dev $INTERFACE
ip route add 192.168.2.0/24 dev $INTERFACE

======== SITE 2 (SERVER) - calliope (subnet 192.168.2.0/24, gw 192.168.2.1)

tinc.conf
-------------
Name = calliope

hosts/calliope
---------------------
Address = [ip public address] ........
Subnet = 172.16.0.2/32
Subnet = 192.168.2.0/24

tinc-up script
-------------------
#!/bin/sh
ip link set $INTERFACE up
ip addr add 172.16.0.2/24 dev $INTERFACE
ip route add 192.168.4.0/24 dev $INTERFACE

========================================================

When I run both tincd daemons in verbose mode, the connection starts correctly and the two routers can reach each other, but not the hosts in the subnets.

I tried deactivating the firewalls on both routers, thus I don't think it is a firewall issue.

The line "ip route add" is in both tinc-up scripts, so it should work....

I don't know how to solve the problem.

Thank you in advance for any help.

Davide

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20180524/8917e76d/attachment.html>
did you add a forwarding allow rule from tinc interface to lan and vice versa on both ends? even with firewall off default is to not forward till told to do so.

On Thu, May 24, 2018, 10:07 AM Davide L <davide.lovreglio at gmail.com> wrote:
> Dear all,
>
> I am trying to configure a basic TINC vpn between two sites using OpenWRT
> routers. The link seems to work, the ping between the two routers is ok,
> but I can't ping hosts between the subnets behind the routers.
>
> [...]
>
> The line "ip route add" is in both tinc-up scripts, so it should work....
>
> I don't know how to solve the problem.
>
> Thank you in advance for any help.
> Davide
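The forwarding rule Naemr asks about, written out for OpenWRT's fw3 firewall as an added example (this is not code from the thread or from the tinc project). It assumes the zone and section names `tinc`, `tinc_lan` and `lan_tinc`, the tunnel device name `tinc0`, and fw3's `device` and `subnet` zone options; the prefixes are the ones from Davide's configuration. Restricting the zone with `subnet` to the remote LAN and the tunnel network means only those prefixes are forwarded, even if something else ever appears on the tunnel device.

```shell
#!/bin/sh
# Added example (not from the thread): the OpenWRT firewall configuration
# Naemr's reply calls for, emitted as "uci batch" input. The zone and
# section names (tinc, tinc_lan, lan_tinc) and the use of fw3's "device"
# and "subnet" zone options are assumptions; the prefixes are Davide's.

# Print the uci commands that create a zone for the tunnel device and allow
# forwarding between that zone and lan in both directions.
#   $1 tunnel device (e.g. tinc0)  $2 remote LAN prefix  $3 tunnel prefix
tinc_zone_commands() {
    cat <<EOF
set firewall.tinc=zone
set firewall.tinc.name='tinc'
add_list firewall.tinc.device='$1'
add_list firewall.tinc.subnet='$2'
add_list firewall.tinc.subnet='$3'
set firewall.tinc.input='ACCEPT'
set firewall.tinc.output='ACCEPT'
set firewall.tinc.forward='REJECT'
set firewall.tinc_lan=forwarding
set firewall.tinc_lan.src='tinc'
set firewall.tinc_lan.dest='lan'
set firewall.lan_tinc=forwarding
set firewall.lan_tinc.src='lan'
set firewall.lan_tinc.dest='tinc'
commit firewall
EOF
}

# "forward" above is the intra-zone policy (tunnel device to tunnel device);
# the two "forwarding" sections are what grant tunnel <-> lan transit.
# "input" ACCEPT lets remote hosts reach the router itself (ping, ssh, LuCI);
# tighten it to REJECT plus an ICMP rule if only router-to-router ping is wanted.

# Apply on the router and reload fw3. Run on both sites, each with the
# other site's LAN as the remote prefix.
apply_tinc_zone() {
    tinc_zone_commands "$@" | uci batch && /etc/init.d/firewall reload
}

# Invocation on polimnia (uncomment on the router):
# apply_tinc_zone tinc0 192.168.2.0/24 172.16.0.0/24
```

On calliope the call is the mirror image, `apply_tinc_zone tinc0 192.168.4.0/24 172.16.0.0/24`. After reloading, `iptables -S FORWARD | grep tinc0` should show the zone jump for the tunnel device; if it does not, the device name in the zone does not match the interface tinc actually created.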
I have done it... added on both routers a new firewall zone covering the tinc interface, policy in accept, out accept, fwd accept, interzone forwarding from/to LAN.... when I do it, I am not even able to ping the routers between them, even though the PING PONG is ok in the tinc debug....

2018-05-24 20:28 GMT+02:00 Naemr . <naemrr at gmail.com>:
> did you add a forwarding allow rule from tinc interface to lan and vice
> versa on both ends? even with firewall off default is to not forward till
> told to do so.
>
> On Thu, May 24, 2018, 10:07 AM Davide L <davide.lovreglio at gmail.com>
> wrote:
>
>> Dear all,
>>
>> I am trying to configure a basic TINC vpn between two sites using OpenWRT
>> routers. The link seems to work, the ping between the two routers is ok,
>> but I can't ping hosts between the subnets behind the routers.
>>
>> [...]
Hello Davide,

On Thu, 24 May 2018 17:50:50 +0200, Davide L <davide.lovreglio at gmail.com> wrote:
> I don't know how to solve the problem.

Maybe you want to check where exactly the packet disappears? The following could be helpful to run on one of the hosts along the way of the packet:

  tcpdump -npi any icmp and host PEER_IP

* meanwhile run a "ping" from the source to the target
* PEER_IP could be either the source or the target IP
* "any" could also be replaced with a specific network interface

Hint: "any" will cause the same packet to be listed twice by "tcpdump" (once on the incoming and a few milliseconds later on the outgoing interface).

Just follow the path of the packet forward and then the path of the reply packet backwards. Somewhere along the way you will notice that there is no packet. The previous host is the culprit (routing or firewall rules).

Regarding routing: "ip route get TARGET_IP" could be useful (on the problematic host).

Have fun!

Cheers,
Lars
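The three checks the thread converges on (is the route to the remote LAN pointing at the tunnel, is the kernel forwarding at all, and does the FORWARD chain have any rule for the tunnel interface, which is Naemr's point) can be scripted so each router reports where its side breaks before `tcpdump` is brought in. The script below is an added example, not code from the thread or from tinc; it assumes an iptables-based (fw3) OpenWRT as in 2018, the interface name `tinc0`, and works on captured command output so the sample below (constructed) can be checked without a router.

```shell
#!/bin/sh
# Added example (not from the thread): a per-router check following Lars's
# advice (where does the packet disappear?) and Naemr's (is forwarding
# allowed?). Works on captured command output so it can be run against
# samples; interface names, paths and the sample outputs are assumptions.

# Print the outgoing device from one line of "ip route get" output, e.g.
#   "192.168.2.10 dev tinc0 src 172.16.0.4 uid 0"  ->  tinc0
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeed only if the given ip_forward file (default: the kernel's) reads "1".
# Without it the router drops every packet not addressed to itself, whatever
# the routes or firewall rules say.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Count lines of "iptables -S FORWARD" (on stdin) that name an interface as
# input (-i) or output (-o). Zero means no FORWARD rule looks at the tunnel,
# so transit traffic falls through to the chain policy or fw3's default REJECT.
forward_rules_for() {
    grep -c -E -- "(-i|-o) $1( |$)" || true
}

# Evaluate one router. $1 tunnel iface, $2 remote LAN prefix,
# $3 "ip route get <remote host>" line, $4 ip_forward file,
# $5 file holding "iptables -S FORWARD" output. Returns 0 only if all pass.
check_side() {
    status=0
    dev=$(route_dev "$3")
    if [ "$dev" = "$1" ]; then
        printf 'route to %s: dev %s (ok)\n' "$2" "$dev"
    else
        printf 'route to %s: dev "%s", expected %s (check the tinc-up route)\n' "$2" "$dev" "$1"
        status=1
    fi
    if forwarding_enabled "$4"; then
        printf 'ip_forward: 1 (ok)\n'
    else
        printf 'ip_forward: not 1 (sysctl -w net.ipv4.ip_forward=1)\n'
        status=1
    fi
    n=$(forward_rules_for "$1" < "$5")
    if [ "$n" -gt 0 ]; then
        printf 'FORWARD rules touching %s: %s (ok)\n' "$1" "$n"
    else
        printf 'FORWARD rules touching %s: none (add zone forwarding)\n' "$1"
        status=1
    fi
    return $status
}

# Live run on a router:  ./tinc_path_check.sh tinc0 192.168.2.0/24 192.168.2.10
live_check() {
    tmp=$(mktemp)
    iptables -S FORWARD > "$tmp"
    check_side "$1" "$2" "$(ip route get "$3" | head -n 1)" "" "$tmp"
    rc=$?
    rm -f "$tmp"
    # Next step is Lars's capture, on the tunnel interface, while pinging $3.
    printf 'next: tcpdump -npi %s icmp and host %s\n' "$1" "$3"
    return $rc
}

# Constructed sample: polimnia with the tinc-up route in place and forwarding
# on, but no FORWARD rule for the tunnel (the situation Naemr describes).
SAMPLE_ROUTE='192.168.2.10 dev tinc0 src 172.16.0.4 uid 0'
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A FORWARD -i eth0.2 -j zone_wan_forward'

if [ $# -eq 3 ]; then live_check "$@"; fi
```

Run it on each router in turn with the other site's LAN and a host in it; the first side that fails a check is the one to fix, and only if both pass is it worth moving on to the `tcpdump` trace. On a newer OpenWRT with fw4 the `iptables -S FORWARD` line would need replacing with the nft equivalent.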