Aloha! I am new to tinc and I like to figure out my own issues before asking, but I am not sure of my next step here. I am not sure if the problem is the VPN configuration or in my network. I will try to be as thorough as possible.

I have two computers that are CentOS with the latest tinc from their respective repositories.

Server A is behind a Sophos XG and Server B is behind a Ubiquiti EdgeRouter that I have no control over (borrowing internet from a colleague at the remote site). I have port 655 UDP/TCP open and mapped to Server A. I have added static rules for devices on the Server A network to talk to the devices on the Server B network. I can ping server to server with the tinc addresses. Server A: 192.168.0.10 (tinc), 10.75.70.51 (eth0). Server B: 192.168.0.15 (tinc), 192.168.1.10 (eth0). I can also ping devices on the 10.75.70.0 network from Server B. I can ping from the Sophos XG and a Windows Server @ 10.75.70.50 as well to Server B at 192.168.0.15 and 192.168.1.10. I can also ping the device @ 192.168.1.15 which is on the eth0 network of Server B. So it seems the VPN connects and I can ping across all the devices. The problem is when I try to open a webpage across the VPN. It seems it will only let me open the webpage on 10.75.70.51 (Server A) from Server B. I can also ssh from Server B to Server A, so I know that tinc is working. However, any device that I can ping on the 10.75.70.x network other than Server A will not allow me to open their webpages. When I try curl it will tell me "No route to host", which makes little sense because I am pinging between sites... unless I am missing something bigger in all of this.

My initial reason for wanting this connection was to allow my Server A to web proxy a hardware device with a web interface on the remote 192.168.1.x network. I can ping the device... I just can't open the web interface. I have looked at the MTU and noticed that it fell apart at anything above 1408. I did try setting some MTU settings but nothing has worked, so I am here to ask the experts. However, I then looked at curl and realized the problem is probably not MTU related. I appreciate any thoughts and help.

Here are my current configs:

Server A tinc.conf:
Name = serverA
Device = /dev/net/tun
AddressFamily = ipv4

Server A host file:
Address = xx.xx.xx.xx
Subnet = 192.168.0.10
Subnet = 10.75.70.0/24
PMTU = 1436
ClampMSS = yes
PMTUDiscovery = yes

Server A tinc-up:
ip link set $INTERFACE up
ip addr add 192.168.0.10 dev $INTERFACE
ip route add 192.168.0.0/24 dev $INTERFACE
ip route add 192.168.1.0/24 dev $INTERFACE

Server B tinc.conf:
Name = khwisnmp
Device = /dev/net/tun
AddressFamily = ipv4
ConnectTo = librenms

Server B host file:
Subnet = 192.168.0.15
Subnet = 192.168.1.0/24
PMTU = 1436
ClampMSS = yes
PMTUDiscovery = yes

Server B tinc-up:
ip link set $INTERFACE up
ip addr add 192.168.0.15 dev $INTERFACE
ip route add 192.168.0.0/24 dev $INTERFACE
ip route add 10.75.70.0/24 dev $INTERFACE

Aloha,
Aaron
Try removing all MTU related settings from both sides. Allow tinc to learn on its own:

"PMTU = 1436
ClampMSS = yes
PMTUDiscovery = yes"

In the config, "AddressFamily = ipv4" is likely not necessary; I would recommend removing it.

"Device = /dev/net/tun" should not be used unless tinc is having issues locating the tun device. However, "DeviceType = tun" should be added, especially as you have not declared an interface in the config, e.g. "Interface = tun6".

Also, Subnet = 192.168.0.10 is incomplete:

Subnet = 192.168.0.10/32

Same for the .15 host.

A working setup of mine:

tinc.conf:
Name = ov1thaboxnet
Port = 655
Interface = tun6
DeviceType = tun
ConnectTo = ov2thaboxnet
Compression = 10

ov1thaboxnet host file:
Address = xxx.xxx.xxx.xxx 655
Subnet = 192.168.66.1/32

tinc.conf:
Name = ov2thaboxnet
Port = 655
Interface = tun6
DeviceType = tun
Compression = 10

ov2thaboxnet host file:
Address = 107.161.30.244 655
Address = 107.161.30.244 443
Subnet = 192.168.66.2/32
Subnet = 10.111.42.0/24

IP forwarding must be enabled as well:

sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward

As it appears the tinc boxes are not the gateway machines for either LAN, you may also need to NAT LAN traffic:

iptables -A FORWARD -i $INTERFACE -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On Fri, Jan 11, 2019, 3:46 PM Aaron Savage <radiosavagelists at gmail.com> wrote:
_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
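The gateway setup Naemr describes (ip_forward, FORWARD rules, MASQUERADE), combined with the per-peer routes that both posted tinc-up scripts maintain by hand, as one added example tinc-up for this thread; it is not Aaron's or Naemr's script. It assumes a Linux node with iproute2 and iptables, and that the peers' Subnet declarations live in the usual /etc/tinc/<netname>/hosts directory; LAN_IF, HOSTS_DIR and DRY_RUN are knobs invented for the example, while INTERFACE and NETNAME are what tinc itself exports to tinc-up. The kernel routes are derived from the peers' Subnet lines instead of being typed a second time, a Subnet with no prefix length is treated as the single host (/32) that tinc's syntax makes it, every rule is checked with -C before -A so repeated tinc-up runs do not stack duplicates, and forwarding is limited to sources the peers actually announce rather than accepting everything that arrives on the tunnel. The demo function dry-runs it against two constructed host files modelled on this thread's Server A and Server B.

```shell
#!/bin/sh
# Added example for this thread (not Aaron's or Naemr's script): a tinc-up
# for a node that is a site gateway but NOT the LAN's default router.
# tinc itself exports INTERFACE and NETNAME to tinc-up. LAN_IF, HOSTS_DIR
# and DRY_RUN are knobs assumed here for the example.
set -eu

LAN_IF="${LAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Append an iptables rule only if it is not already present (-C), so that
# re-running tinc-up never stacks duplicates. Usage: add_rule [-t table] CHAIN rule...
add_rule() {
    table=""
    if [ "$1" = "-t" ]; then table="-t $2"; shift 2; fi
    chain="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables ${table:+$table }-A $chain $*"
    else
        # shellcheck disable=SC2086  # $table is deliberately word-split
        iptables $table -C "$chain" "$@" 2>/dev/null || iptables $table -A "$chain" "$@"
    fi
}

# Print one "addr/prefix" per Subnet line of a tinc host file. tinc treats a
# bare address as a single host, so "/32" is appended when no prefix is given;
# an optional "#weight" suffix and trailing blanks are dropped.
host_subnets() {
    sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$1" \
      | sed 's/#.*$//; s/[[:space:]]*$//' \
      | awk 'NF { if (index($0, "/") == 0) $0 = $0 "/32"; print }'
}

# Every Subnet announced by peers: all host files except our own.
peer_subnets() {  # $1 = hosts dir, $2 = our Name
    for f in "$1"/*; do
        [ "${f##*/}" = "$2" ] && continue
        host_subnets "$f"
    done
}

# Our tunnel address: the first host-only (/32) Subnet in our own host file.
own_tunnel_addr() {  # $1 = hosts dir, $2 = our Name
    host_subnets "$1/$2" | awk -F/ '$2 == 32 { print $1; exit }'
}

configure() {  # $1 = tunnel iface, $2 = LAN iface, $3 = hosts dir, $4 = our Name
    tun="$1"; lan="$2"; dir="$3"; me="$4"
    addr=$(own_tunnel_addr "$dir" "$me")
    [ -n "$addr" ] || { echo "no /32 Subnet for $me in $dir" >&2; return 1; }
    run ip link set "$tun" up
    run ip addr add "$addr/32" dev "$tun"
    # Kernel routes are derived from the peers' Subnet lines, so tinc-up can
    # never disagree with what the host files say is reachable via the tunnel.
    for net in $(peer_subnets "$dir" "$me"); do
        run ip route add "$net" dev "$tun"
    done
    # This box forwards between tunnel and LAN ...
    run sysctl -q -w net.ipv4.ip_forward=1
    # ... but only traffic from subnets the peers actually announce, and only
    # towards the LAN: narrower than "-i $INTERFACE -j ACCEPT".
    for net in $(peer_subnets "$dir" "$me"); do
        add_rule FORWARD -i "$tun" -o "$lan" -s "$net" -j ACCEPT
    done
    add_rule FORWARD -i "$lan" -o "$tun" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts with no route back to the VPN subnets can still answer if their
    # replies are addressed to this box: masquerade what leaves on the LAN side.
    add_rule -t nat POSTROUTING -o "$lan" -j MASQUERADE
}

# Dry run against host files constructed for the example, modelled on the two
# nodes in this thread (not the posted files verbatim).
demo() {
    d=$(mktemp -d)
    mkdir "$d/hosts"
    printf 'Subnet = 192.168.0.10\nSubnet = 10.75.70.0/24\n' > "$d/hosts/serverA"
    printf 'Subnet = 192.168.0.15/32\nSubnet = 192.168.1.0/24\n' > "$d/hosts/serverB"
    (DRY_RUN=1; configure tun6 eth0 "$d/hosts" serverB)
    rm -rf "$d"
}

# tinc calls tinc-up with NETNAME and INTERFACE set; our Name is in tinc.conf.
if [ -n "${NETNAME:-}" ] && [ -n "${INTERFACE:-}" ]; then
    HOSTS_DIR="${HOSTS_DIR:-/etc/tinc/$NETNAME/hosts}"
    ME=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "/etc/tinc/$NETNAME/tinc.conf")
    configure "$INTERFACE" "$LAN_IF" "$HOSTS_DIR" "$ME"
fi
```

Run `DRY_RUN=1 INTERFACE=tun6 NETNAME=<netname> sh tinc-up` to see what would be applied before installing it as /etc/tinc/<netname>/tinc-up. Two caveats on the masquerade: it only covers traffic entering the LAN from the tunnel, and it hides the real VPN-side source address from the LAN hosts (and from their logs). The alternative that keeps addresses intact is a static route for the remote subnets on each site's router pointing at the tinc box, which is what Aaron's follow-up in this thread reports having done on both sides.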
Thank you for taking the time to respond to my email. As of now, it is all working. I have cleaned up my host files and configuration files as well. I did have one side to route through the box. Adding the rules on the other side made it work like a charm.

Aloha!

On Fri, Jan 11, 2019 at 2:27 PM Naemr . <naemrr at gmail.com> wrote: