Hello Julien,

On Tue, 15 Jan 2019 16:33:26 +0100, Julien dupont <marcelvierzon at gmail.com> wrote:

> ip_forward was not enabled, now it is.

A good step forward :)
(You should do this permanently via /etc/sysctl.d/.)

> 'iptables -L -vn' yields:
> [..]

OK. The output tells us that there are firewall rules.
Now you should take a look at your firewall configuration file. There you will need to allow traffic from your tinc network into your office network. Maybe you want to restrict this to certain IPs or ports.

As soon as your firewall rules allow forward traffic to your target, you can check whether these packets arrive and maybe where the response packets get lost.

Cheers,
Lars
In most howtos it is instructed to enable port forwarding with 'echo 1 > /proc/sys/net/ipv4/ip_forward', but they don't say it's not permanent... So it was gone when I rebooted the machine.

I then disabled the firewall on the VPN_office machine... And it works! If obviously VPN_out must be highly secured, I guess there is no problem to disable the firewall on VPN_office? Everything is blocked on our LAN router. I don't understand why it was on in the first place as I did not enable it.

Thank you very much Lars for your kind help. Although I browsed a lot of help pages and howtos, I did not find any that was actually telling the *full* right set of instructions.

On Tue, 15 Jan 2019 at 21:09, Lars Kruse <lists at sumpfralle.de> wrote:

> Hello Julien,
>
> On Tue, 15 Jan 2019 16:33:26 +0100, Julien dupont <marcelvierzon at gmail.com> wrote:
>
> > ip_forward was not enabled, now it is.
>
> A good step forward :)
> (You should do this permanently via /etc/sysctl.d/.)
>
> > 'iptables -L -vn' yields:
> > [..]
>
> OK. The output tells us that there are firewall rules.
> Now you should take a look at your firewall configuration file. There you will need to allow traffic from your tinc network into your office network. Maybe you want to restrict this to certain IPs or ports.
>
> As soon as your firewall rules allow forward traffic to your target, you can check whether these packets arrive and maybe where the response packets get lost.
>
> Cheers,
> Lars
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Thu, Jan 17, 2019 at 7:07 AM Julien dupont <marcelvierzon at gmail.com> wrote:

> In most howtos it is instructed to enable port forwarding with 'echo 1 > /proc/sys/net/ipv4/ip_forward',

FYI, that is "IP forwarding", not port forwarding.

https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding
https://en.wikipedia.org/wiki/Port_forwarding

-Parke
Hello Julien,

I am happy that your traffic now flows as it should!

On Thu, 17 Jan 2019 16:06:43 +0100, Julien dupont <marcelvierzon at gmail.com> wrote:

> I then disabled the firewall on the VPN_office machine... And it works! If
> obviously VPN_out must be highly secured, I guess there is no problem to
> disable the firewall on VPN_office? Everything is blocked on our LAN
> router. I don't understand why it was on in the first place as I did not enable
> it.

Instead of simply disabling it, I would suggest inspecting its current state / set of rules and clarifying whether it serves a purpose.
In case there are _no_ rules right now, it means that incoming traffic from any interface can communicate into any other interface on that host (and to all services on that host itself).

I do not want to scare you for no reason - I just want to make sure that you understand what you are doing :)

Cheers,
Lars
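The following is an added example, not code from this thread or from the tinc project. It illustrates the two points Lars makes above: first, that the FORWARD chain must contain an ACCEPT rule for traffic from the tinc interface into the office network (optionally narrowed to specific hosts and ports) before any packet is forwarded; second, that an empty FORWARD chain with an ACCEPT policy forwards everything between all interfaces. The script is a dry-run evaluator for rule dumps in the format of `iptables -S FORWARD`: it walks the chain top to bottom, applies the first terminating match, and otherwise returns the chain policy. The interface names (tinc0, eth0), the subnets (10.0.0.0/24 for tinc, 192.168.10.0/24 for the office) and the ports are constructed assumptions, as are the three rule dumps.

```python
"""Dry-run an iptables FORWARD chain against a packet description.

Added example (not from the tinc thread): evaluates a dump in the format of
`iptables -S FORWARD` so you can see whether tinc -> office traffic would be
forwarded before changing anything on the host. Interface names, subnets and
ports are constructed assumptions. Requires net.ipv4.ip_forward=1 to matter.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the usual starting point. DROP policy plus the stateful
# return rule only; a new connection from tinc0 falls through to the policy.
BEFORE = """
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

# Constructed sample: tinc -> office allowed, restricted to hosts/ports, with an
# explicit final REJECT. Replies still pass through the conntrack rule.
AFTER = """
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tinc0 -o eth0 -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i tinc0 -o eth0 -d 192.168.10.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample: "firewall disabled". Every interface may now talk to every
# other interface through this host, which is the state Lars warns about.
NO_RULES = "-P FORWARD ACCEPT\n"

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
OPTIONS = {"-i", "-o", "-d", "-p", "-j", "--dport", "--ctstate", "--state", "--reject-with"}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    ctstate: str = "NEW"  # first packet of a flow; replies are ESTABLISHED


def _parse_rule(tokens):
    """Turn the tokens of one `-A FORWARD ...` line into {option: value}."""
    rule = {}
    i = 2  # skip "-A FORWARD"
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-m":           # match extension name (conntrack, tcp); its options follow
            i += 2
        elif tok in OPTIONS:
            rule[tok.lstrip("-")] = tokens[i + 1]
            i += 2
        else:                     # fail closed instead of silently misjudging a rule
            raise ValueError(f"unsupported token {tok!r} in: {' '.join(tokens)}")
    if "j" not in rule:
        raise ValueError("rule without target: " + " ".join(tokens))
    return rule


def _port_matches(spec, port):
    """`--dport 22` or a range such as `--dport 6000:6010`."""
    if port is None:
        return False
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def _matches(rule, pkt):
    if rule.get("i", pkt.in_iface) != pkt.in_iface:
        return False
    if rule.get("o", pkt.out_iface) != pkt.out_iface:
        return False
    if "d" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["d"], strict=False):
        return False
    if rule.get("p", pkt.proto) != pkt.proto:
        return False
    if "dport" in rule and not _port_matches(rule["dport"], pkt.dport):
        return False
    states = rule.get("ctstate") or rule.get("state")
    if states and pkt.ctstate not in states.split(","):
        return False
    return True


def forward_verdict(dump: str, pkt: Packet) -> str:
    """First terminating match wins; otherwise the chain policy applies."""
    policy = "ACCEPT"  # iptables default when no policy was ever set
    for line in dump.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[1] != "FORWARD":
            continue  # other chains are not evaluated here
        if tokens[0] == "-P":
            policy = tokens[2]
        elif tokens[0] == "-A":
            rule = _parse_rule(tokens)
            if _matches(rule, pkt):
                if rule["j"] in TERMINATING:
                    return rule["j"]
                if rule["j"] != "LOG":  # LOG is non-terminating; user chains are out of scope
                    raise ValueError(f"unsupported target {rule['j']!r}")
    return policy


if __name__ == "__main__":
    ssh_into_office = Packet("tinc0", "eth0", "192.168.10.5", "tcp", 22)
    for name, dump in (("before", BEFORE), ("after", AFTER), ("no rules", NO_RULES)):
        print(f"{name:9s} ssh tinc0 -> 192.168.10.5:22 => {forward_verdict(dump, ssh_into_office)}")
```

Running the script shows DROP for the first dump, ACCEPT for the second and ACCEPT for the third; the difference between the last two is that the second still rejects a new connection from the office side towards the tinc network or to any port not listed, while the third forwards anything. The permanent counterpart of the `echo 1 > /proc/sys/net/ipv4/ip_forward` command mentioned earlier in the thread is a line `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ (the file name is your choice), applied with `sysctl --system`. To perform the check Lars describes on a real host, compare the dry run with `tcpdump -ni eth0 host <target>` on the forwarding machine: if the request leaves but no reply comes back, the target or the office router is dropping the return path rather than this firewall.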