tinc - Jan 2019 - Can Ping But No Web Interface

Aloha!

I am new to tinc and I like to figure out my own issues before asking but I
am not sure of my next step here.  I am not sure if the problem is the VPN
configuration or in my network.  I will try to be as through as possible.

I have two computers that are CentOS with the latest tinc from their
respective repositories.

Server A is behind a Sophos XG and Server B is behind a Ubiquiti Edge
Router that I have no control over (Borrowing internet from colleague at
remote site).  I have the 655 port UDP/TCP open and mapped to Server A.  I
have added static rules for devices on the Server A network to talk to the
devices on the Server B network.  I can ping server to server with the tinc
addresses.  Server A 192.168.0.10 (tinc) 10.75.70.51 (eth0).  Server B
192.168.0.15(tinc) 192.168.1.10 (eth0).  I can also ping devices on the
10.75.70.0 network from Server B.  I can ping from the Sophos XG and a
Windows Server @ 10.75.70.50 as well to Server B at 192.168.0.15 and
192.168.10.  I can also ping the device @ 192.168.1.15 which is on the
network eth0 of Server B.  So it seems the VPN connects and I can ping
across all the devices.  The problem is when I try to open a webpage across
the vpn.  It seem it will only let me open the webpage on
10.75.70.51(Server A) from Server B.  I can also ssh to from Server B to
Server A so I know that tinc is working.  However, any device that I can
ping on the 10.75.70.X network other than Server A will not allow me to
open their webpages. When I try curl it will tell me "No Route to
Host".
Which makes little sense because I am pinging between sites...unless I am
missing something bigger in all of this.

My inital reason for wanting this connection was allow my server A to web
proxy a hardware device with a web interface on the remote 192.168.1x
network.  I can ping the device....I just can't open the web interface.  I
have looked the MTU and noticed that it fell apart anything above 1408.  I
did try setting some MTU setting but nothing has worked so I am here to ask
the experts.  However, I then looked at curl and realized the problem is
probably not MTU related.  I appreciate any thoughts and help.

Here are my current configs:

Server A Conf:
Name = serverA
Device = /dev/net/tun
Address Family = ipv4

Server A host:
Address = xx.xx.xx.xx
Subnet = 192.168.0.10
Subnet = 10.75.70.0/24
PMTU = 1436
ClampMSS = yes
PMTUDiscovery =    yes

Server A TincUp:
ip link set $INTERFACE up
ip addr add  192.168.0.10 dev $INTERFACE
ip route add 192.168.0.0/24 dev $INTERFACE
ip route add 192.168.1.0/24 dev $INTERFACE

Server B Conf:
Name = khwisnmp
Device = /dev/net/tun
Address Family = ipv4
ConnectTo = librenms

Server B host:
ubnet = 192.168.0.15
Subnet = 192.168.1.0/24
PMTU = 1436
ClampMSS = yes
PMTUDiscovery = yes

Server B TincUP:
ip link set $INTERFACE up
ip addr add  192.168.0.15 dev $INTERFACE
ip route add 192.168.0.0/24 dev $INTERFACE
ip route add 10.75.70.0/24 dev $INTERFACE

Aloha,
Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20190109/4aeaaef6/attachment-0001.html>

Try removing all MTU related settings from both sides. Allow tinc to learn
on its own.

" PMTU = 1436
ClampMSS = yes
PMTUDiscovery = yes"

in the config, " Address Family = ipv4" is likely not necessary, i
would
recommend removing it.

" Device = /dev/net/tun" should not be used, unless tinc is having
issues
locating the tun device.
however
" DeviceType = tun"
should be added, especialy as you have not declared an interface in the
config
eg: "Interface = tun6"



Also Subnet = 192.168.0.10
Is incomplete

Subnet = 192.168.0.10/32

Same for the .15 host

A working setup of mine:
tinc.conf;
Name = ov1thaboxnet
port = 655
Interface = tun6
DeviceType = tun
ConnectTo = ov2thaboxnet
Compression = 10

ov1thaboxnet host file;
Address = xxx.xxx.xxx.xxx 655
Subnet = 192.168.66.1/32

tinc.conf;
Name = ov2thaboxnet
port = 655
Interface = tun6
DeviceType = tun
Compression = 10

ov2thaboxnet host file;
Address = 107.161.30.244 655
Address = 107.161.30.244 443
Subnet = 192.168.66.2/32
Subnet = 10.111.42.0/24





IP forwarding must be enabled as well

sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward


As it appears the tinc boxes are not the gateway machines for ether lan you
may also need to nat lan traffic

iptables -A FORWARD -i  $INTERFACE -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o  eth0 -j MASQUERADE



On Fri, Jan 11, 2019, 3:46 PM Aaron Savage <radiosavagelists at gmail.com
wrote:
> Aloha!
>
> I am new to tinc and I like to figure out my own issues before asking but
> I am not sure of my next step here.  I am not sure if the problem is the
> VPN configuration or in my network.  I will try to be as through as
> possible.
>
> I have two computers that are CentOS with the latest tinc from their
> respective repositories.
>
> Server A is behind a Sophos XG and Server B is behind a Ubiquiti Edge
> Router that I have no control over (Borrowing internet from colleague at
> remote site).  I have the 655 port UDP/TCP open and mapped to Server A.  I
> have added static rules for devices on the Server A network to talk to the
> devices on the Server B network.  I can ping server to server with the tinc
> addresses.  Server A 192.168.0.10 (tinc) 10.75.70.51 (eth0).  Server B
> 192.168.0.15(tinc) 192.168.1.10 (eth0).  I can also ping devices on the
> 10.75.70.0 network from Server B.  I can ping from the Sophos XG and a
> Windows Server @ 10.75.70.50 as well to Server B at 192.168.0.15 and
> 192.168.10.  I can also ping the device @ 192.168.1.15 which is on the
> network eth0 of Server B.  So it seems the VPN connects and I can ping
> across all the devices.  The problem is when I try to open a webpage across
> the vpn.  It seem it will only let me open the webpage on
> 10.75.70.51(Server A) from Server B.  I can also ssh to from Server B to
> Server A so I know that tinc is working.  However, any device that I can
> ping on the 10.75.70.X network other than Server A will not allow me to
> open their webpages. When I try curl it will tell me "No Route to
Host".
> Which makes little sense because I am pinging between sites...unless I am
> missing something bigger in all of this.
>
> My inital reason for wanting this connection was allow my server A to web
> proxy a hardware device with a web interface on the remote 192.168.1x
> network.  I can ping the device....I just can't open the web interface.
I
> have looked the MTU and noticed that it fell apart anything above 1408.  I
> did try setting some MTU setting but nothing has worked so I am here to ask
> the experts.  However, I then looked at curl and realized the problem is
> probably not MTU related.  I appreciate any thoughts and help.
>
> Here are my current configs:
>
> Server A Conf:
> Name = serverA
> Device = /dev/net/tun
> Address Family = ipv4
>
> Server A host:
> Address = xx.xx.xx.xx
> Subnet = 192.168.0.10
> Subnet = 10.75.70.0/24
> PMTU = 1436
> ClampMSS = yes
> PMTUDiscovery =    yes
>
> Server A TincUp:
> ip link set $INTERFACE up
> ip addr add  192.168.0.10 dev $INTERFACE
> ip route add 192.168.0.0/24 dev $INTERFACE
> ip route add 192.168.1.0/24 dev $INTERFACE
>
> Server B Conf:
> Name = khwisnmp
> Device = /dev/net/tun
> Address Family = ipv4
> ConnectTo = librenms
>
> Server B host:
> ubnet = 192.168.0.15
> Subnet = 192.168.1.0/24
> PMTU = 1436
> ClampMSS = yes
> PMTUDiscovery = yes
>
> Server B TincUP:
> ip link set $INTERFACE up
> ip addr add  192.168.0.15 dev $INTERFACE
> ip route add 192.168.0.0/24 dev $INTERFACE
> ip route add 10.75.70.0/24 dev $INTERFACE
>
> Aloha,
> Aaron
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20190111/8e4c007b/attachment.html>

Thank you for taking the time to respond to my email.  As of now, it is all
working.  I have cleaned up my host files and configuration files as well.
I did have one side to route through the box.  Add the rules on the other
side made it work like a charm.

Aloha!

On Fri, Jan 11, 2019 at 2:27 PM Naemr . <naemrr at gmail.com> wrote:
> Try removing all MTU related settings from both sides. Allow tinc to learn
> on its own.
>
> " PMTU = 1436
> ClampMSS = yes
> PMTUDiscovery = yes"
>
> in the config, " Address Family = ipv4" is likely not necessary,
i would
> recommend removing it.
>
> " Device = /dev/net/tun" should not be used, unless tinc is
having issues
> locating the tun device.
> however
> " DeviceType = tun"
> should be added, especialy as you have not declared an interface in the
> config
> eg: "Interface = tun6"
>
>
>
> Also Subnet = 192.168.0.10
> Is incomplete
>
> Subnet = 192.168.0.10/32
>
> Same for the .15 host
>
> A working setup of mine:
> tinc.conf;
> Name = ov1thaboxnet
> port = 655
> Interface = tun6
> DeviceType = tun
> ConnectTo = ov2thaboxnet
> Compression = 10
>
> ov1thaboxnet host file;
> Address = xxx.xxx.xxx.xxx 655
> Subnet = 192.168.66.1/32
>
> tinc.conf;
> Name = ov2thaboxnet
> port = 655
> Interface = tun6
> DeviceType = tun
> Compression = 10
>
> ov2thaboxnet host file;
> Address = 107.161.30.244 655
> Address = 107.161.30.244 443
> Subnet = 192.168.66.2/32
> Subnet = 10.111.42.0/24
>
>
>
>
>
> IP forwarding must be enabled as well
>
> sysctl -w net.ipv4.ip_forward=1
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> As it appears the tinc boxes are not the gateway machines for ether lan
> you may also need to nat lan traffic
>
> iptables -A FORWARD -i  $INTERFACE -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t nat -A POSTROUTING -o  eth0 -j MASQUERADE
>
>
>
> On Fri, Jan 11, 2019, 3:46 PM Aaron Savage <radiosavagelists at
gmail.com
> wrote:
>
>> Aloha!
>>
>> I am new to tinc and I like to figure out my own issues before asking
but
>> I am not sure of my next step here.  I am not sure if the problem is
the
>> VPN configuration or in my network.  I will try to be as through as
>> possible.
>>
>> I have two computers that are CentOS with the latest tinc from their
>> respective repositories.
>>
>> Server A is behind a Sophos XG and Server B is behind a Ubiquiti Edge
>> Router that I have no control over (Borrowing internet from colleague
at
>> remote site).  I have the 655 port UDP/TCP open and mapped to Server A.
I
>> have added static rules for devices on the Server A network to talk to
the
>> devices on the Server B network.  I can ping server to server with the
tinc
>> addresses.  Server A 192.168.0.10 (tinc) 10.75.70.51 (eth0).  Server B
>> 192.168.0.15(tinc) 192.168.1.10 (eth0).  I can also ping devices on the
>> 10.75.70.0 network from Server B.  I can ping from the Sophos XG and a
>> Windows Server @ 10.75.70.50 as well to Server B at 192.168.0.15 and
>> 192.168.10.  I can also ping the device @ 192.168.1.15 which is on the
>> network eth0 of Server B.  So it seems the VPN connects and I can ping
>> across all the devices.  The problem is when I try to open a webpage
across
>> the vpn.  It seem it will only let me open the webpage on
>> 10.75.70.51(Server A) from Server B.  I can also ssh to from Server B
to
>> Server A so I know that tinc is working.  However, any device that I
can
>> ping on the 10.75.70.X network other than Server A will not allow me to
>> open their webpages. When I try curl it will tell me "No Route to
Host".
>> Which makes little sense because I am pinging between sites...unless I
am
>> missing something bigger in all of this.
>>
>> My inital reason for wanting this connection was allow my server A to
web
>> proxy a hardware device with a web interface on the remote 192.168.1x
>> network.  I can ping the device....I just can't open the web
interface.  I
>> have looked the MTU and noticed that it fell apart anything above 1408.
I
>> did try setting some MTU setting but nothing has worked so I am here to
ask
>> the experts.  However, I then looked at curl and realized the problem
is
>> probably not MTU related.  I appreciate any thoughts and help.
>>
>> Here are my current configs:
>>
>> Server A Conf:
>> Name = serverA
>> Device = /dev/net/tun
>> Address Family = ipv4
>>
>> Server A host:
>> Address = xx.xx.xx.xx
>> Subnet = 192.168.0.10
>> Subnet = 10.75.70.0/24
>> PMTU = 1436
>> ClampMSS = yes
>> PMTUDiscovery =    yes
>>
>> Server A TincUp:
>> ip link set $INTERFACE up
>> ip addr add  192.168.0.10 dev $INTERFACE
>> ip route add 192.168.0.0/24 dev $INTERFACE
>> ip route add 192.168.1.0/24 dev $INTERFACE
>>
>> Server B Conf:
>> Name = khwisnmp
>> Device = /dev/net/tun
>> Address Family = ipv4
>> ConnectTo = librenms
>>
>> Server B host:
>> ubnet = 192.168.0.15
>> Subnet = 192.168.1.0/24
>> PMTU = 1436
>> ClampMSS = yes
>> PMTUDiscovery = yes
>>
>> Server B TincUP:
>> ip link set $INTERFACE up
>> ip addr add  192.168.0.15 dev $INTERFACE
>> ip route add 192.168.0.0/24 dev $INTERFACE
>> ip route add 10.75.70.0/24 dev $INTERFACE
>>
>> Aloha,
>> Aaron
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20190114/c70be18a/attachment.html>