Thanks Michael, I will proceed like this.
I think I didn't have UDP 655 forwarded on the remote server, will do that (had it at my client's router).
If tinc connects, will both server and client see each other? For example, will I be able to access all web UIs running on SERVER from the CLIENT side?
For example, SERVER is running the web UI of Tvheadend on 192.168.0.4:9981. How can I access that from CLIENT? Do I need to use iptables or routing?
Thanks,
drake

On Thu, Feb 7, 2019 at 6:26 PM Michael Munger <mj at hph.io> wrote:
> Local IPs of the client are irrelevant.
>
> The client should be configured to look for the host by domain name
> (/etc/tinc/yournetwork/hosts/EXAMPLESERVER should have the dDNS name in the
> Address directive) and the tinc.conf file should have that as the host to
> connect to for the network. (ConnectTo=EXAMPLESERVER)
>
> Then, you need port forwarding in your router to forward TCP/UDP 655 from
> the WAN address of the router to the LAN address of the server. The server
> should have a static IP on that network, or it should have a DHCP
> reservation so it doesn't move and break NAT port forwarding.
>
> When tinc starts, it will check tinc.conf for the ConnectTo directive. In
> your case, it will be ConnectTo=EXAMPLESERVER. Then, it looks in the hosts/
> directory for the EXAMPLESERVER file, and reads the Address= directive to
> see where that server is. Since you're using ddns, it will do a DNS lookup
> for that domain name, find your current IP address (hopefully) and try
> to connect on udp/655. When those packets reach your router, they should
> get forwarded to the server, which will authenticate the connection. If the
> server can authenticate the client, it will keep the connection, and if
> not, it will drop it.
>
> Make sure that your host files are properly exchanged on both sides so
> that both sides can authenticate the other side using the public / private
> key pair. (Private keys are never exchanged. Only public ones, as kept in
> the hosts/ directory.)
>
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> High Powered Help, Inc.
> p: 678-905-8569
> w: hph.io e: mj at hph.io
>
> On 2/7/19 5:03 AM, Drake Drake wrote:
>
>> Hi,
>>
>> I'm new to tinc and I'm having a hard time figuring out the proper
>> configuration for my use case. I hope you can help me out.
>>
>> A) SERVER running tinc (Ubuntu 16.04 LTS)
>> External IP: 111.111.111.111 (ddns)
>> Behind a router with NAT, local IP of SERVER: 192.168.0.4
>>
>> B) CLIENT running tinc (Ubuntu 16.04 LTS)
>> External IP: 222.222.222.222 (ddns)
>> Behind a router with NAT, local IP of CLIENT: 192.168.1.100
>>
>> I would like to make a tunnel between SERVER and CLIENT in order to access
>> Tvheadend SatIP on SERVER from CLIENT. The ports are 9981 and 9981 (UDP and
>> TCP). That is, my CLIENT should see the SERVER.
>> I don't want to route any of the internet traffic over client or server,
>> just to have access to these remote ports.
>> What would be the way to achieve this?
>>
>> Many thanks,
>> drake

_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Get it connected first and able to ping the remote server's IP. Then, you should be able to access stuff on the server network as if you were on that LAN.

You should also remove the port forwarding on the client side. It's unnecessary.

On Thu, Feb 7, 2019 at 12:49 PM -0500, "Drake Drake" <drakemails at gmail.com> wrote:
> Thanks Michael, I will proceed like this.
> I think I didn't have UDP 655 forwarded on the remote server, will do that (had it at my client's router).
> If tinc connects, will both server and client see each other? For example, will I be able to access all web UIs running on SERVER from the CLIENT side?
> For example, SERVER is running the web UI of Tvheadend on 192.168.0.4:9981. How can I access that from CLIENT? Do I need to use iptables or routing?
> Thanks,
> drake
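Worked example, added here and not taken from the thread or from the tinc project: a shell script that lays out the configuration Michael describes for the two nodes above (tinc 1.0, as shipped with Ubuntu 16.04), and that answers the "do I need iptables or routing" question with the two things a tinc 1.0 router-mode setup actually needs, a Subnet line advertising 192.168.0.4 in SERVER's host file and a matching route in CLIENT's tinc-up. The network name "home", the VPN addresses 10.0.0.1 (SERVER) and 10.0.0.2 (CLIENT), the interface name tinc0 and the dDNS hostname held in SERVER_DDNS are assumptions. Only SERVER gets an Address line (CLIENT dials out from behind NAT, so it needs no port forwarding), and SERVER advertises only its VPN address and 192.168.0.4/32, not the whole 192.168.0.0/24, so the tunnel carries traffic to that one host and nothing else. peer_address() mirrors the ConnectTo -> hosts/<peer> -> Address lookup tincd performs at start-up and fails on the two misconfigurations that most often stop a first connection.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project): lay out the tinc 1.0
# configuration described above for the SERVER/CLIENT pair. Assumed values:
# network name "home", VPN addresses 10.0.0.1 (SERVER) and 10.0.0.2 (CLIENT),
# interface tinc0, dDNS name in SERVER_DDNS. TINC_ROOT defaults to a scratch
# directory with one subtree per node; a node's "home" subtree is what goes
# into /etc/tinc/home on that machine.
set -eu

NETNAME="${NETNAME:-home}"
TINC_ROOT="${TINC_ROOT:-$(mktemp -d)}"
SERVER_DDNS="${SERVER_DDNS:-server.example.invalid}"   # assumed dDNS hostname

# write_node NAME VPN_IP CONNECT_TO PUBLIC_ADDRESS LAN_SUBNET
# Writes tinc.conf, hosts/NAME (directives only; "tincd -n home -K" appends
# the RSA public key later) and an executable tinc-up for one node.
# CONNECT_TO, PUBLIC_ADDRESS and LAN_SUBNET may be empty.
write_node() {
    name=$1 vpn_ip=$2 connect_to=$3 public_address=$4 lan_subnet=$5
    dir="$TINC_ROOT/$name/$NETNAME"
    mkdir -p "$dir/hosts"

    # Router mode (tinc's default) forwards only the Subnets peers advertise,
    # so no other traffic is routed over the tunnel.
    {
        echo "Name = $name"
        echo "Interface = tinc0"
        echo "Mode = router"
        echo "AddressFamily = ipv4"
        [ -z "$connect_to" ] || echo "ConnectTo = $connect_to"
    } > "$dir/tinc.conf"

    # Address is set only for a node reachable from the Internet; a node
    # behind NAT without port forwarding omits it and just dials out.
    # Subnet lines are what the node claims to route: its own VPN address
    # plus, at most, the single LAN host that must be reachable.
    {
        [ -z "$public_address" ] || echo "Address = $public_address"
        echo "Port = 655"
        echo "Subnet = $vpn_ip/32"
        [ -z "$lan_subnet" ] || echo "Subnet = $lan_subnet"
    } > "$dir/hosts/$name"

    # tinc 1.0 leaves interface setup to tinc-up; tincd exports $INTERFACE.
    {
        echo '#!/bin/sh'
        echo 'ip link set "$INTERFACE" up'
        echo "ip addr add $vpn_ip/24 dev \"\$INTERFACE\""
    } > "$dir/tinc-up"
    chmod 755 "$dir/tinc-up"
}

# Each node needs the other's host file (public key + Subnets). In the
# scratch tree this is a cp; between real hosts it is an scp of hosts/NAME
# after key generation. rsa_key.priv is never copied anywhere.
exchange_host_files() {
    cp "$TINC_ROOT/SERVER/$NETNAME/hosts/SERVER" "$TINC_ROOT/CLIENT/$NETNAME/hosts/"
    cp "$TINC_ROOT/CLIENT/$NETNAME/hosts/CLIENT" "$TINC_ROOT/SERVER/$NETNAME/hosts/"
}

# Mirror what tincd does at start-up: take ConnectTo from tinc.conf, then
# read Address from that peer's host file. Fails if either is missing.
peer_address() {
    node_dir="$TINC_ROOT/$1/$NETNAME"
    peer=$(sed -n 's/^ConnectTo *= *//p' "$node_dir/tinc.conf" | head -n 1)
    [ -n "$peer" ] || { echo "$1: tinc.conf has no ConnectTo" >&2; return 1; }
    addr=$(sed -n 's/^Address *= *//p' "$node_dir/hosts/$peer" | head -n 1)
    [ -n "$addr" ] || { echo "$1: hosts/$peer has no Address" >&2; return 1; }
    echo "$addr"
}

# SERVER: reachable via dDNS, advertises its VPN address and 192.168.0.4 only.
write_node SERVER 10.0.0.1 "" "$SERVER_DDNS" 192.168.0.4/32
# CLIENT: dials SERVER, no Address, advertises no LAN.
write_node CLIENT 10.0.0.2 SERVER "" ""
# The client kernel also needs a route for the one advertised LAN host.
echo 'ip route add 192.168.0.4/32 dev "$INTERFACE"' >> "$TINC_ROOT/CLIENT/$NETNAME/tinc-up"
exchange_host_files

echo "configuration tree: $TINC_ROOT"
echo "CLIENT will resolve and dial: $(peer_address CLIENT) on tcp/655 and udp/655"
```

To use it: copy each node's home/ directory to /etc/tinc/home on that machine, run `tincd -n home -K` on both to generate the RSA key pair (this appends the public key to hosts/<Name>; rsa_key.priv stays put), copy hosts/SERVER to CLIENT and hosts/CLIENT to SERVER, forward UDP and TCP 655 on SERVER's router to 192.168.0.4 and allow those two ports in SERVER's firewall, then start both with `tincd -n home -D -d3` to watch the authentication in the foreground. Once `ping 10.0.0.1` works from CLIENT, http://192.168.0.4:9981 is reachable through the tunnel without any NAT or iptables rules, because 192.168.0.4 is SERVER's own address and the reply goes back over the advertised 10.0.0.2/32. One caveat: this gives unicast IP reachability only; SAT>IP discovery relies on SSDP multicast, which does not cross a routed tunnel, so the SAT>IP server's address has to be given to Tvheadend explicitly rather than discovered.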
I managed to configure it and I can ping both server and client. But Tvheadend can't see the SatIP server.

On Thu, Feb 7, 2019 at 19:08 Michael Munger <mj at hph.io> wrote:
> Get it connected first and able to ping the remote server's IP. Then, you
> should be able to access stuff on the server network as if you were on that
> LAN.
>
> You should also remove the port forwarding on the client side. It's
> unnecessary.