-> [[!meta title="creating a bridge to bridge tinc-vpn dhcp system to connect netwerk segments"]]
->
-> # this docu is still in progress # jelle
->
-> ------------------------------------------------------------------------
->
-> # Company: PowerCraft Technology
-> # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
-> # Note: Please send me an email if you enhanced the document
-> # Date: 2009-09-15
-> # License: CC-BY-SA
->
-> # This document is free documentation; you can redistribute it and/or
-> # modify it under the terms of the Creative Commons Attribution Share
-> # Alike as published by the Creative Commons Foundation; either version
-> # 3.0 of the License, or (at your option) any later version.
-> #
-> # This document is distributed in the hope that it will be useful,
-> # but WITHOUT ANY WARRANTY; without even the implied warranty of
-> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-> # Creative Commons BY-SA License for more details.
-> #
-> # http://creativecommons.org/licenses/by-sa/
->
-> ------------------------------------------------------------------------
->
-> # information: http://www.tinc-vpn.org/
->
-> ------------------------------------------------------------------------
->
-> apt-get update; apt-get dist-upgrade
->
-> apt-cache show tinc
-> apt-get install tinc/unstable
-> apt-get install bridge-utils/unstable
->
-> ------------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
->
-> ------------------------------------------------------------------------
->
-> # ls -hal /dev/net/tun
-> crw-rw-rw- 1 root root 10, 200 2009-09-11 15:37 /dev/net/tun
->
-> # grep tinc /etc/services
-> tinc 655/tcp # tinc control port
-> tinc 655/udp
->
-> cat /usr/share/doc/tinc/README.Debian
-> zcat /usr/share/doc/tinc/README.gz | less
-> zcat /usr/share/doc/tinc/NEWS.gz | less
-> cat /usr/share/doc/tinc/examples/tinc-up
-> w3m /usr/share/doc/tinc/tinc_0.html
->
-> http://www.tinc-vpn.org/documentation/tinc_toc
->
-> sudo vim /etc/default/tinc
-> EXTRA="-d"
-> cat /etc/default/tinc
->
-> less /etc/init.d/tinc
->
-> ------------------------------------------------------------------------
->
-> ifconfig -a
-> route -n
->
-> ------------------------------------------------------------------------
->
-> # ifconfig -a
-> eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:35 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:5879 errors:0 dropped:0 overruns:0 carrier:1
-> collisions:0 txqueuelen:1000
-> RX bytes:5958 (5.8 KiB) TX bytes:594793 (580.8 KiB)
-> Interrupt:28
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> inet6 addr: ::1/128 Scope:Host
-> UP LOOPBACK RUNNING MTU:16436 Metric:1
-> RX packets:838 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:838 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:87938 (85.8 KiB) TX bytes:87938 (85.8 KiB)
->
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> RX packets:4833 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:4645 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:3
-> RX bytes:952105 (929.7 KiB) TX bytes:319496 (312.0 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
-> 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
->
-> ------------------------------------------------------------------------
->
-> # client02 configuration
-> ------------------------------------------------------------------------
->
-> cat /etc/tinc/nets.boot
-> echo 'myvpn01' | sudo tee --append /etc/tinc/nets.boot
-> cat /etc/tinc/nets.boot
->
-> ------------------------------------------------------------------------
->
-> sudo mkdir --verbose /etc/tinc/myvpn01/
-> sudo mkdir --verbose /etc/tinc/myvpn01/hosts/
-> sudo touch /etc/tinc/myvpn01/tinc.conf
->
-> ------------------------------------------------------------------------
->
-> # on server
-> cat /etc/tinc/myvpn01/hosts/server01
->
-> # on client, copy cert data of server to client
-> sudo vim /etc/tinc/myvpn01/hosts/server01
->
-> # add on head of file
-> Address = 712.661.21.23 # only on client
->
-> ------------------------------------------------------------------------
->
-> echo 'ConnectTo = server01
-> Device = /dev/net/tun
-> Interface = tun0
-> Mode = switch
-> Name = client02' | sudo tee /etc/tinc/myvpn01/tinc.conf
->
-> sudo cat /etc/tinc/myvpn01/tinc.conf
-> sudo chmod 644 /etc/tinc/myvpn01/tinc.conf
-> ls -hal /etc/tinc/myvpn01/tinc.conf
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE 0.0.0.0
-> brctl addif br0 $INTERFACE
-> ifconfig $INTERFACE up' | tee /etc/tinc/myvpn01/tinc-up
->
-> sudo cat /etc/tinc/myvpn01/tinc-up
-> sudo chmod 755 /etc/tinc/myvpn01/tinc-up
-> ls -hal /etc/tinc/myvpn01/tinc-up
->
-> echo '#!/bin/sh
-> ifup br0 &' | sudo tee /etc/tinc/myvpn01/hosts/server01-up
->
-> sudo cat /etc/tinc/myvpn01/hosts/server01-up
-> sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-up
-> ls -hal /etc/tinc/myvpn01/hosts/server01-up
->
-> echo '#!/bin/sh
-> brctl delif br0 $INTERFACE
-> ifconfig $INTERFACE down' | sudo tee /etc/tinc/myvpn01/tinc-down
->
-> sudo cat /etc/tinc/myvpn01/tinc-down
-> sudo chmod 755 /etc/tinc/myvpn01/tinc-down
-> ls -hal /etc/tinc/myvpn01/tinc-down
->
-> echo '#!/bin/sh
-> ifdown br0
-> ifconfig br0 0.0.0.0' | sudo tee /etc/tinc/myvpn01/hosts/server01-down
->
-> sudo cat /etc/tinc/myvpn01/hosts/server01-down
-> sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-down
-> ls -hal /etc/tinc/myvpn01/hosts/server01-down
->
-> ------------------------------------------------------------------------
->
-> sudo rm /etc/tinc/myvpn01/rsa_key.priv
-> sudo rm /etc/tinc/myvpn01/hosts/client02
-> echo 'PMTU = 1280
-> PMTUDiscovery = yes' | sudo tee --append /etc/tinc/myvpn01/hosts/client02
-> sudo tincd -n myvpn01 -K
->
-> ------------------------------------------------------------------------
->
-> # on client add on head of file
-> sudo vim /etc/tinc/myvpn01/hosts/client02
-> Compression = 9
-> TCPOnly = yes
->
-> # on client
-> sudo cat /etc/tinc/myvpn01/hosts/client02
->
-> # on server, copy cert data of client to server
-> vim /etc/tinc/myvpn01/hosts/client02
->
-> ------------------------------------------------------------------------
->
-> # cat /etc/network/interfaces
-> auto lo
-> iface lo inet loopback
->
-> auto ppp0
-> iface ppp0 inet ppp
-> provider mobile-vodafone
->
-> auto eth0
-> iface eth0 inet manual
-> pre-up brctl addbr br0
-> pre-up ifconfig eth0 down
-> pre-up brctl addif br0 eth0
-> pre-up ifconfig eth0 up
-> post-down ifconfig eth0 down
-> post-down brctl delif br0 eth0
-> post-down ifconfig br0 down
-> post-down brctl delbr br0
->
-> iface br0 inet dhcp
-> post-up route del default dev br0
->
-> ------------------------------------------------------------------------
->
-> echo 'interface "br0" {
-> request subnet-mask, broadcast-address, time-offset,
-> host-name, netbios-scope, interface-mtu, ntp-servers;
-> }' | tee --append /etc/dhcp3/dhclient.conf
->
-> cat /etc/dhcp3/dhclient.conf
->
-> ------------------------------------------------------------------------
->
-> sudo /etc/init.d/tinc stop
-> fg
-> sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
->
-> ------------------------------------------------------------------------
->
-> # sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
-> tincd 1.0.9 (Dec 26 2008 14:50:38) starting, debug level 5
->
-> ------------------------------------------------------------------------
->
-> ifconfig -a
-> route -n
-> brctl show
-> brctl showmacs br0
->
-> ------------------------------------------------------------------------
->
-> # ifconfig -a
-> br0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet addr:10.10.3.116 Bcast:10.10.255.255 Mask:255.255.0.0
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:2479 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:209742 (204.8 KiB) TX bytes:10280 (10.0 KiB)
->
-> eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:11 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:2430 errors:0 dropped:0 overruns:0 carrier:1
-> collisions:0 txqueuelen:1000
-> RX bytes:1079 (1.0 KiB) TX bytes:237231 (231.6 KiB)
-> Interrupt:28
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> inet6 addr: ::1/128 Scope:Host
-> UP LOOPBACK RUNNING MTU:16436 Metric:1
-> RX packets:516 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:63488 (62.0 KiB) TX bytes:63488 (62.0 KiB)
->
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> RX packets:2028 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:1967 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:3
-> RX bytes:388056 (378.9 KiB) TX bytes:152260 (148.6 KiB)
->
-> tun0 Link encap:Ethernet HWaddr 42:8f:ff:cf:51:a8
-> inet6 addr: fe80::408f:ffff:fecf:51a8/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:2545 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:500
-> RX bytes:249926 (244.0 KiB) TX bytes:10375 (10.1 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
-> 10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
-> 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
->
-> # brctl show
-> bridge name bridge id STP enabled interfaces
-> br0 8000.0026186aa052 no eth0
-> tun0
-> # brctl showmacs br0
-> port no mac addr is local? ageing timer
-> 2 00:01:36:05:ba:5f no 0.00
-> 2 00:02:44:b0:d6:4a no 32.81
-> 2 00:04:23:02:14:d2 no 32.36
-> 2 00:04:75:f6:fb:34 no 181.26
-> 2 00:08:02:1f:bb:2f no 116.37
-> 2 00:08:a1:3f:f9:c6 no 181.46
-> 2 00:08:a1:3f:f9:d8 no 32.93
-> 2 00:0a:5e:43:85:80 no 7.87
-> 2 00:0c:76:50:3a:1e no 226.27
-> 2 00:10:22:fd:87:0d no 80.60
-> 2 00:10:22:fd:88:66 no 78.88
-> 2 00:10:83:57:a9:d9 no 51.13
-> 2 00:10:b5:e8:04:5b no 6.80
-> 2 00:11:09:a9:66:0c no 247.43
-> 2 00:11:09:a9:66:49 no 149.78
-> 2 00:11:09:a9:66:7c no 151.98
-> 2 00:11:09:a9:66:b1 no 24.24
-> 2 00:11:2f:48:16:ac no 0.25
-> 2 00:11:85:d5:ae:b2 no 62.16
-> 2 00:11:85:e9:de:ec no 2.29
-> 2 00:12:79:91:3d:de no 15.00
-> 2 00:13:20:82:bc:19 no 210.92
-> 2 00:13:20:82:bc:82 no 266.75
-> 2 00:13:21:cc:f1:42 no 12.52
-> 2 00:15:f2:0b:c2:6a no 31.42
-> 2 00:15:f2:4b:e9:8a no 13.65
-> 2 00:17:31:77:d7:10 no 166.02
-> 2 00:17:a4:df:77:99 no 288.48
-> 2 00:18:f3:20:f3:aa no 128.37
-> 2 00:18:f3:a3:a5:ec no 15.15
-> 2 00:18:f3:a3:a5:f5 no 107.42
-> 2 00:1b:11:63:e4:08 no 15.46
-> 2 00:1b:11:63:e6:6a no 232.79
-> 2 00:1b:11:63:ff:a7 no 251.39
-> 2 00:1b:21:43:7c:85 no 3.41
-> 2 00:1b:21:44:27:8b no 186.89
-> 2 00:1c:c4:be:54:2e no 9.67
-> 2 00:1e:8c:92:b3:bb no 6.91
-> 2 00:20:6b:54:c1:85 no 202.51
-> 2 00:20:af:aa:71:3d no 25.63
-> 2 00:24:8c:3d:9e:e1 no 0.22
-> 2 00:24:8c:8f:bb:68 no 127.07
-> 1 00:26:18:6a:a0:52 yes 0.00
-> 2 00:40:01:30:29:01 no 27.75
-> 2 00:69:00:12:1e:5c no 218.41
-> 2 00:69:00:12:25:84 no 133.35
-> 2 00:e0:4b:0c:75:2d no 54.79
-> 2 00:e0:4c:02:7c:fb no 9.09
-> 2 00:e0:4c:43:c0:e2 no 194.68
-> 2 42:8f:ff:cf:51:a8 yes 0.00
->
-> ------------------------------------------------------------------------
+ [[!meta title="creating a bridge to bridge tinc-vpn dhcp system to connect netwerk segments"]]
+
+ # this docu is still in progress # jelle
+
+ ------------------------------------------------------------------------
+
+ # Company: PowerCraft Technology
+ # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
+ # Note: Please send me an email if you enhanced the document
+ # Date: 2009-09-15
+ # License: CC-BY-SA
+
+ # This document is free documentation; you can redistribute it and/or
+ # modify it under the terms of the Creative Commons Attribution Share
+ # Alike as published by the Creative Commons Foundation; either version
+ # 3.0 of the License, or (at your option) any later version.
+ #
+ # This document is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # Creative Commons BY-SA License for more details.
+ #
+ # http://creativecommons.org/licenses/by-sa/
+
+ ------------------------------------------------------------------------
+
+ # information: http://www.tinc-vpn.org/
+
+ ------------------------------------------------------------------------
+
+ apt-get update; apt-get dist-upgrade
+
+ apt-cache show tinc
+ apt-get install tinc/unstable
+ apt-get install bridge-utils/unstable
+
+ ------------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+
+ ------------------------------------------------------------------------
+
+ # ls -hal /dev/net/tun
+ crw-rw-rw- 1 root root 10, 200 2009-09-11 15:37 /dev/net/tun
+
+ # grep tinc /etc/services
+ tinc 655/tcp # tinc control port
+ tinc 655/udp
+
+ cat /usr/share/doc/tinc/README.Debian
+ zcat /usr/share/doc/tinc/README.gz | less
+ zcat /usr/share/doc/tinc/NEWS.gz | less
+ cat /usr/share/doc/tinc/examples/tinc-up
+ w3m /usr/share/doc/tinc/tinc_0.html
+
+ http://www.tinc-vpn.org/documentation/tinc_toc
+
+ sudo vim /etc/default/tinc
+ EXTRA="-d"
+ cat /etc/default/tinc
+
+ less /etc/init.d/tinc
+
+ ------------------------------------------------------------------------
+
+ ifconfig -a
+ route -n
+
+ ------------------------------------------------------------------------
+
+ # ifconfig -a
+ eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:35 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:5879 errors:0 dropped:0 overruns:0 carrier:1
+ collisions:0 txqueuelen:1000
+ RX bytes:5958 (5.8 KiB) TX bytes:594793 (580.8 KiB)
+ Interrupt:28
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:838 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:838 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:87938 (85.8 KiB) TX bytes:87938 (85.8 KiB)
+
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ RX packets:4833 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:4645 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:3
+ RX bytes:952105 (929.7 KiB) TX bytes:319496 (312.0 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
+ 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
+
+ ------------------------------------------------------------------------
+
+ # client02 configuration
+ ------------------------------------------------------------------------
+
+ cat /etc/tinc/nets.boot
+ echo 'myvpn01' | sudo tee --append /etc/tinc/nets.boot
+ cat /etc/tinc/nets.boot
+
+ ------------------------------------------------------------------------
+
+ sudo mkdir --verbose /etc/tinc/myvpn01/
+ sudo mkdir --verbose /etc/tinc/myvpn01/hosts/
+ sudo touch /etc/tinc/myvpn01/tinc.conf
+
+ ------------------------------------------------------------------------
+
+ # on server
+ cat /etc/tinc/myvpn01/hosts/server01
+
+ # on client, copy cert data of server to client
+ sudo vim /etc/tinc/myvpn01/hosts/server01
+
+ # add on head of file
+ Address = 712.661.21.23 # only on client
+
+ ------------------------------------------------------------------------
+
+ echo 'ConnectTo = server01
+ Device = /dev/net/tun
+ Interface = tun0
+ Mode = switch
+ Name = client02' | sudo tee /etc/tinc/myvpn01/tinc.conf
+
+ sudo cat /etc/tinc/myvpn01/tinc.conf
+ sudo chmod 644 /etc/tinc/myvpn01/tinc.conf
+ ls -hal /etc/tinc/myvpn01/tinc.conf
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif br0 $INTERFACE
+ ifconfig $INTERFACE up' | tee /etc/tinc/myvpn01/tinc-up
+
+ sudo cat /etc/tinc/myvpn01/tinc-up
+ sudo chmod 755 /etc/tinc/myvpn01/tinc-up
+ ls -hal /etc/tinc/myvpn01/tinc-up
+
+ echo '#!/bin/sh
+ ifup br0 &' | sudo tee /etc/tinc/myvpn01/hosts/server01-up
+
+ sudo cat /etc/tinc/myvpn01/hosts/server01-up
+ sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-up
+ ls -hal /etc/tinc/myvpn01/hosts/server01-up
+
+ echo '#!/bin/sh
+ brctl delif br0 $INTERFACE
+ ifconfig $INTERFACE down' | sudo tee /etc/tinc/myvpn01/tinc-down
+
+ sudo cat /etc/tinc/myvpn01/tinc-down
+ sudo chmod 755 /etc/tinc/myvpn01/tinc-down
+ ls -hal /etc/tinc/myvpn01/tinc-down
+
+ echo '#!/bin/sh
+ ifdown br0
+ ifconfig br0 0.0.0.0' | sudo tee /etc/tinc/myvpn01/hosts/server01-down
+
+ sudo cat /etc/tinc/myvpn01/hosts/server01-down
+ sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-down
+ ls -hal /etc/tinc/myvpn01/hosts/server01-down
+
+ ------------------------------------------------------------------------
+
+ sudo rm /etc/tinc/myvpn01/rsa_key.priv
+ sudo rm /etc/tinc/myvpn01/hosts/client02
+ echo 'PMTU = 1280
+ PMTUDiscovery = yes' | sudo tee --append /etc/tinc/myvpn01/hosts/client02
+ sudo tincd -n myvpn01 -K
+
+ ------------------------------------------------------------------------
+
+ # on client add on head of file
+ sudo vim /etc/tinc/myvpn01/hosts/client02
+ Compression = 9
+ TCPOnly = yes
+
+ # on client
+ sudo cat /etc/tinc/myvpn01/hosts/client02
+
+ # on server, copy cert data of client to server
+ vim /etc/tinc/myvpn01/hosts/client02
+
+ ------------------------------------------------------------------------
+
+ # cat /etc/network/interfaces
+ auto lo
+ iface lo inet loopback
+
+ auto ppp0
+ iface ppp0 inet ppp
+ provider mobile-vodafone
+
+ auto eth0
+ iface eth0 inet manual
+ pre-up brctl addbr br0
+ pre-up ifconfig eth0 down
+ pre-up brctl addif br0 eth0
+ pre-up ifconfig eth0 up
+ post-down ifconfig eth0 down
+ post-down brctl delif br0 eth0
+ post-down ifconfig br0 down
+ post-down brctl delbr br0
+
+ iface br0 inet dhcp
+ post-up route del default dev br0
+
+ ------------------------------------------------------------------------
+
+ echo 'interface "br0" {
+ request subnet-mask, broadcast-address, time-offset,
+ host-name, netbios-scope, interface-mtu, ntp-servers;
+ }' | tee --append /etc/dhcp3/dhclient.conf
+
+ cat /etc/dhcp3/dhclient.conf
+
+ ------------------------------------------------------------------------
+
+ sudo /etc/init.d/tinc stop
+ fg
+ sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
+
+ ------------------------------------------------------------------------
+
+ # sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
+ tincd 1.0.9 (Dec 26 2008 14:50:38) starting, debug level 5
+
+ ------------------------------------------------------------------------
+
+ ifconfig -a
+ route -n
+ brctl show
+ brctl showmacs br0
+
+ ------------------------------------------------------------------------
+
+ # ifconfig -a
+ br0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet addr:10.10.3.116 Bcast:10.10.255.255 Mask:255.255.0.0
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2479 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:209742 (204.8 KiB) TX bytes:10280 (10.0 KiB)
+
+ eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:11 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:2430 errors:0 dropped:0 overruns:0 carrier:1
+ collisions:0 txqueuelen:1000
+ RX bytes:1079 (1.0 KiB) TX bytes:237231 (231.6 KiB)
+ Interrupt:28
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:516 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:63488 (62.0 KiB) TX bytes:63488 (62.0 KiB)
+
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ RX packets:2028 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:1967 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:3
+ RX bytes:388056 (378.9 KiB) TX bytes:152260 (148.6 KiB)
+
+ tun0 Link encap:Ethernet HWaddr 42:8f:ff:cf:51:a8
+ inet6 addr: fe80::408f:ffff:fecf:51a8/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2545 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:500
+ RX bytes:249926 (244.0 KiB) TX bytes:10375 (10.1 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
+ 10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
+ 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
+
+ # brctl show
+ bridge name bridge id STP enabled interfaces
+ br0 8000.0026186aa052 no eth0
+ tun0
+ # brctl showmacs br0
+ port no mac addr is local? ageing timer
+ 2 00:01:36:05:ba:5f no 0.00
+ 2 00:02:44:b0:d6:4a no 32.81
+ 2 00:04:23:02:14:d2 no 32.36
+ 2 00:04:75:f6:fb:34 no 181.26
+ 2 00:08:02:1f:bb:2f no 116.37
+ 2 00:08:a1:3f:f9:c6 no 181.46
+ 2 00:08:a1:3f:f9:d8 no 32.93
+ 2 00:0a:5e:43:85:80 no 7.87
+ 2 00:0c:76:50:3a:1e no 226.27
+ 2 00:10:22:fd:87:0d no 80.60
+ 2 00:10:22:fd:88:66 no 78.88
+ 2 00:10:83:57:a9:d9 no 51.13
+ 2 00:10:b5:e8:04:5b no 6.80
+ 2 00:11:09:a9:66:0c no 247.43
+ 2 00:11:09:a9:66:49 no 149.78
+ 2 00:11:09:a9:66:7c no 151.98
+ 2 00:11:09:a9:66:b1 no 24.24
+ 2 00:11:2f:48:16:ac no 0.25
+ 2 00:11:85:d5:ae:b2 no 62.16
+ 2 00:11:85:e9:de:ec no 2.29
+ 2 00:12:79:91:3d:de no 15.00
+ 2 00:13:20:82:bc:19 no 210.92
+ 2 00:13:20:82:bc:82 no 266.75
+ 2 00:13:21:cc:f1:42 no 12.52
+ 2 00:15:f2:0b:c2:6a no 31.42
+ 2 00:15:f2:4b:e9:8a no 13.65
+ 2 00:17:31:77:d7:10 no 166.02
+ 2 00:17:a4:df:77:99 no 288.48
+ 2 00:18:f3:20:f3:aa no 128.37
+ 2 00:18:f3:a3:a5:ec no 15.15
+ 2 00:18:f3:a3:a5:f5 no 107.42
+ 2 00:1b:11:63:e4:08 no 15.46
+ 2 00:1b:11:63:e6:6a no 232.79
+ 2 00:1b:11:63:ff:a7 no 251.39
+ 2 00:1b:21:43:7c:85 no 3.41
+ 2 00:1b:21:44:27:8b no 186.89
+ 2 00:1c:c4:be:54:2e no 9.67
+ 2 00:1e:8c:92:b3:bb no 6.91
+ 2 00:20:6b:54:c1:85 no 202.51
+ 2 00:20:af:aa:71:3d no 25.63
+ 2 00:24:8c:3d:9e:e1 no 0.22
+ 2 00:24:8c:8f:bb:68 no 127.07
+ 1 00:26:18:6a:a0:52 yes 0.00
+ 2 00:40:01:30:29:01 no 27.75
+ 2 00:69:00:12:1e:5c no 218.41
+ 2 00:69:00:12:25:84 no 133.35
+ 2 00:e0:4b:0c:75:2d no 54.79
+ 2 00:e0:4c:02:7c:fb no 9.09
+ 2 00:e0:4c:43:c0:e2 no 194.68
+ 2 42:8f:ff:cf:51:a8 yes 0.00
+
+ ------------------------------------------------------------------------
192.168.0.0/16). This is no different from the configuration that would be
required if tinc was replaced with an actual switch or hub.
-> host# brctl addbr bridge
-> host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
->
-> host# ifconfig eth1 0.0.0.0
-> host# brctl addif bridge eth1
-> host# ifconfig eth1 up
->
-> After starting tinc:
->
-> host# brctl show
-> bridge name bridge id STP enabled interfaces
-> bridge 8000.005004003002 yes eth1
-> vpn
->
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
->
-> vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
-> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
+ host# brctl addbr bridge
+ host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
+
+ host# ifconfig eth1 0.0.0.0
+ host# brctl addif bridge eth1
+ host# ifconfig eth1 up
+
+ After starting tinc:
+
+ host# brctl show
+ bridge name bridge id STP enabled interfaces
+ bridge 8000.005004003002 yes eth1
+ vpn
+
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+
+ vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
+ default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
### Configuration of tinc
tinc maintains an ARP cache to determine whether any received packet should be
forwarded to the remote tinc instance.
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = segment1
-> Mode = switch
-> ConnectTo = segment2
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 0.0.0.0
-> brctl addif bridge $INTERFACE
-> ifconfig $INTERFACE up
->
-> host# ls /etc/tinc/vpn/hosts
-> segment1 segment2 ...
->
-> host# cat /etc/tinc/vpn/hosts/segment1
-> Address = 123.234.123.42
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/segment2
-> Address = 200.201.202.203
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = segment1
+ Mode = switch
+ ConnectTo = segment2
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif bridge $INTERFACE
+ ifconfig $INTERFACE up
+
+ host# ls /etc/tinc/vpn/hosts
+ segment1 segment2 ...
+
+ host# cat /etc/tinc/vpn/hosts/segment1
+ Address = 123.234.123.42
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/segment2
+ Address = 200.201.202.203
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Additional Configuration
There are only a few packages that need to be installed as root to get started:
-> sudo apt-get install gcc-mingw32 mingw64 git-core wget
-> sudo apt-get build-dep tinc
+ sudo apt-get install gcc-mingw32 mingw64 git-core wget
+ sudo apt-get build-dep tinc
Other Linux distributions may also have 64-bit MinGW packages, use their respective
package management tools to install them. Debian installs the cross-compiler
is missing in the amd64-mingw32msvc include directory, a workaround is to
create a symlink to the otherwise identical 32-bit version of that header file:
-> ln -s ../../i586-mingw32msvc/include/getopt.h /usr/amd64-mingw32msvc/include/getopt.h
+ ln -s ../../i586-mingw32msvc/include/getopt.h /usr/amd64-mingw32msvc/include/getopt.h
### Setting up the build directory and getting the sources
apt-get and wget to get the required libraries necessary for tinc, and use
`git` to get the latest development version of tinc.
-> mkdir $HOME/mingw64
-> cd $HOME/mingw64
-> apt-get source liblzo2-dev zlib1g-dev
-> wget http://www.openssl.org/source/openssl-1.0.0.tar.gz
-> tar xzf openssl-1.0.0.tar.gz
-> git clone git://tinc-vpn.org/tinc
+ mkdir $HOME/mingw64
+ cd $HOME/mingw64
+ apt-get source liblzo2-dev zlib1g-dev
+ wget http://www.openssl.org/source/openssl-1.0.0.tar.gz
+ tar xzf openssl-1.0.0.tar.gz
+ git clone git://tinc-vpn.org/tinc
### Making cross-compilation easy
up the necessary environment variables so configure scripts and Makefiles will
use the 64-bit MinGW version of GCC and binutils:
-> mkdir $HOME/bin
-> cat >$HOME/bin/mingw64 << EOF
-> #!/bin/sh
-> export CC=amd64-mingw32msvc-gcc
-> export CXX=amd64-mingw32msvc-g++
-> export CPP=amd64-mingw32msvc-cpp
-> export RANLIB=amd64-mingw32msvc-ranlib
-> export PATH="/usr/amd64-mingw32msvc/bin:$PATH"
-> exec "$@"
-> EOF
+ mkdir $HOME/bin
+ cat >$HOME/bin/mingw64 << EOF
+ #!/bin/sh
+ export CC=amd64-mingw32msvc-gcc
+ export CXX=amd64-mingw32msvc-g++
+ export CPP=amd64-mingw32msvc-cpp
+ export RANLIB=amd64-mingw32msvc-ranlib
+ export PATH="/usr/amd64-mingw32msvc/bin:$PATH"
+ exec "$@"
+ EOF
If `$HOME/bin` is not already part of your `$PATH`, you need to add it:
-> export PATH="$HOME/bin:$PATH"
+ export PATH="$HOME/bin:$PATH"
We use this script to call `./configure` and `make` with the right environment
variables, but only when the `./configure` script doesn't support cross-compilation itself.
Cross-compiling LZO is easy:
-> cd $HOME/mingw64/lzo2-2.03
-> ./configure --host=amd64-mingw32msvc
-> make
-> DESTDIR=$HOME/mingw64 make install
+ cd $HOME/mingw64/lzo2-2.03
+ ./configure --host=amd64-mingw32msvc
+ make
+ DESTDIR=$HOME/mingw64 make install
If it fails with a message about not passing the "ACC" test,
create a symlink for the missing getopt.h file as mentioned above.
Cross-compiling Zlib is also easy, but a plain `make` failed to compile the
tests, so we only build the static library here:
-> cd $HOME/mingw64/zlib-1.2.3.3.dfsg
-> mingw64 ./configure
-> mingw64 make libz.a
-> DESTDIR=$HOME/mingw64 mingw64 make install
+ cd $HOME/mingw64/zlib-1.2.3.3.dfsg
+ mingw64 ./configure
+ mingw64 make libz.a
+ DESTDIR=$HOME/mingw64 mingw64 make install
### Compiling OpenSSL
Although older versions will not compile, OpenSSL 1.0.0 is easy.
Do not use the `-j` option when compiling OpenSSL, it will break.
-> cd $HOME/mingw64/openssl-1.0.0
-> mingw64 ./Configure --openssldir=$HOME/mingw64/usr/local mingw64
-> mingw64 make
-> mingw64 make install
+ cd $HOME/mingw64/openssl-1.0.0
+ mingw64 ./Configure --openssldir=$HOME/mingw64/usr/local mingw64
+ mingw64 make
+ mingw64 make install
### Compiling tinc
`autoreconf` first. If you want to cross-compile tinc from a released tarball,
this is not necessary.
-> cd $HOME/mingw64/tinc
-> autoreconf -fsi
-> ./configure --host=amd64-mingw32msvc --with-openssl=$HOME/mingw64/usr/local
-> make
+ cd $HOME/mingw64/tinc
+ autoreconf -fsi
+ ./configure --host=amd64-mingw32msvc --with-openssl=$HOME/mingw64/usr/local
+ make
There are only a few packages that need to be installed as root to get started:
-> sudo apt-get install mingw32 wine git-core
-> sudo apt-get build-dep tinc
+ sudo apt-get install mingw32 wine git-core
+ sudo apt-get build-dep tinc
Other Linux distributions may also have MinGW packages; use their respective
package management tools to install them. Debian installs the cross-compiler under
`/usr/i586-mingw32msvc`. Use `apt-get source` to fetch the sources of the libraries
tinc needs, and `git` to get the latest development version of tinc. Note that the
`git://` transport used below is neither encrypted nor authenticated, so the checkout
cannot be trusted on its own: clone over HTTPS if the server offers it, or verify the
commit or release tag you build against a signature or hash obtained out of band.
-> mkdir $HOME/mingw
-> cd $HOME/mingw
-> apt-get source openssl liblzo2-dev zlib1g-dev
-> git clone git://tinc-vpn.org/tinc
+ mkdir $HOME/mingw
+ cd $HOME/mingw
+ apt-get source openssl liblzo2-dev zlib1g-dev
+ git clone git://tinc-vpn.org/tinc
### Making cross-compilation easy
up the necessary environment variables so configure scripts and Makefiles will
use the MinGW version of GCC and binutils:
-> mkdir $HOME/bin
-> cat >$HOME/bin/mingw << 'EOF'
-> #!/bin/sh
-> # The quoted 'EOF' keeps $PATH and "$@" literal. With an unquoted delimiter the
-> # shell expands them while writing the file: PATH is frozen to its current value
-> # and the last line becomes exec "" so the wrapper never runs its command.
-> export CC=i586-mingw32msvc-gcc
-> export CXX=i586-mingw32msvc-g++
-> export CPP=i586-mingw32msvc-cpp
-> export RANLIB=i586-mingw32msvc-ranlib
-> export PATH="/usr/i586-mingw32msvc/bin:$PATH"
-> exec "$@"
-> EOF
-> chmod +x $HOME/bin/mingw
+ mkdir $HOME/bin
+ cat >$HOME/bin/mingw << 'EOF'
+ #!/bin/sh
+ # The quoted 'EOF' keeps $PATH and "$@" literal. With an unquoted delimiter the
+ # shell expands them while writing the file: PATH is frozen to its current value
+ # and the last line becomes exec "" so the wrapper never runs its command.
+ export CC=i586-mingw32msvc-gcc
+ export CXX=i586-mingw32msvc-g++
+ export CPP=i586-mingw32msvc-cpp
+ export RANLIB=i586-mingw32msvc-ranlib
+ export PATH="/usr/i586-mingw32msvc/bin:$PATH"
+ exec "$@"
+ EOF
+ chmod +x $HOME/bin/mingw
If `$HOME/bin` is not already part of your `$PATH`, you need to add it:
-> export PATH="$HOME/bin:$PATH"
+ export PATH="$HOME/bin:$PATH"
We use this script to call `./configure` and `make` with the right environment
variables, but only when the `./configure` script doesn't support cross-compilation itself.
Cross-compiling LZO is easy:
-> cd $HOME/mingw/lzo2-2.03
-> ./configure --host=i586-mingw32msvc
-> make
-> DESTDIR=$HOME/mingw make install
+ cd $HOME/mingw/lzo2-2.03
+ ./configure --host=i586-mingw32msvc
+ make
+ DESTDIR=$HOME/mingw make install
### Compiling Zlib
Cross-compiling Zlib is also easy, but a plain `make` failed to compile the
tests, so we only build the static library here:
-> cd $HOME/mingw/zlib-1.2.3.3.dfsg
-> mingw ./configure
-> mingw make libz.a
-> DESTDIR=$HOME/mingw mingw make install
+ cd $HOME/mingw/zlib-1.2.3.3.dfsg
+ mingw ./configure
+ mingw make libz.a
+ DESTDIR=$HOME/mingw mingw make install
### Compiling OpenSSL
Apply the cross-compilation patch to OpenSSL, and then compile as usual. Review the
patch before applying it: it alters the build of the library tinc is linked against for
its cryptography, so use only a copy whose origin you trust. Do not use the `-j` option
when compiling OpenSSL, it will break.
-> cd $HOME/mingw/openssl-0.9.8k
-> patch < $HOME/openssl-cross-compilation.diff
-> mingw ./Configure --openssldir=$HOME/mingw/usr/local mingw
-> mingw make
-> mingw make install
+ cd $HOME/mingw/openssl-0.9.8k
+ patch < $HOME/openssl-cross-compilation.diff
+ mingw ./Configure --openssldir=$HOME/mingw/usr/local mingw
+ mingw make
+ mingw make install
### Compiling tinc
When building from the git checkout, run `autoreconf` first. If you want to cross-compile
tinc from a released tarball, this is not necessary.
-> cd $HOME/mingw/tinc
-> autoreconf -fsi
-> ./configure --host=i586-mingw32msvc --with-openssl=$HOME/mingw/usr/local
-> make
+ cd $HOME/mingw/tinc
+ autoreconf -fsi
+ ./configure --host=i586-mingw32msvc --with-openssl=$HOME/mingw/usr/local
+ make
### Testing tinc
Wine (installed above) lets you run the resulting binary for a smoke test. You cannot do
much however, since tinc requires a TAP-Win32 device, which is not available in Wine.
Still, the following command should work:
-> $HOME/mingw/tinc/src/tincd.exe --help
+ $HOME/mingw/tinc/src/tincd.exe --help
### Configuration of the host running tinc
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> vpn Link encap:Point-to-Point Protocol
-> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
-> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
->
-> host# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> host# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ vpn Link encap:Point-to-Point Protocol
+ inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
+ default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
+
+ host# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ host# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
### Configuration of tinc
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = atwork
-> ConnectTo = home
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
->
-> host# ls /etc/tinc/vpn/hosts
-> atwork home
->
-> host# cat /etc/tinc/vpn/hosts/atwork
-> Address = 123.234.123.42
-> Subnet = 192.168.10.20/32
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/home
-> Address = 200.201.202.203
-> Subnet = 192.168.1.0/24
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = atwork
+ ConnectTo = home
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
+
+ host# ls /etc/tinc/vpn/hosts
+ atwork home
+
+ host# cat /etc/tinc/vpn/hosts/atwork
+ Address = 123.234.123.42
+ Subnet = 192.168.10.20/32
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/home
+ Address = 200.201.202.203
+ Subnet = 192.168.1.0/24
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Configuration of the firewall
-> firewall# ifconfig
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
-> ...
->
-> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
-> inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> firewall# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
->
-> firewall# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 10.20.30.0/24 tcp flags:!SYN,RST,ACK/SYN
-> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
-> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655
-> 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall # cat /etc/init.d/firewall
-> #!/bin/sh
->
-> echo 1 >/proc/sys/net/ipv4/ip_forward
->
-> iptables -P FORWARD DROP
-> iptables -F FORWARD
-> # "! --syn" is a stateless stand-in for "-m state --state ESTABLISHED,RELATED": it
-> # admits every TCP segment that is not a connection opener, forged ones included.
-> # Use the conntrack match where the kernel supports it. These two rules also name
-> # 10.20.30.0/24 although eth0 on this firewall carries 123.234.123.0/24; use the
-> # network that is actually behind eth0.
-> iptables -A FORWARD -j ACCEPT -i ppp0 -d 10.20.30.0/24 -p tcp ! --syn
-> iptables -A FORWARD -j ACCEPT -i eth0 -s 10.20.30.0/24
-> # Host address corrected to match the interface listing (123.234.123.42, not .132.).
-> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p tcp --dport 655
-> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p udp --dport 655
+ firewall# ifconfig
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
+ ...
+
+ eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
+ inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ firewall# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
+
+ firewall# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy DROP 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 10.20.30.0/24 tcp flags:!SYN,RST,ACK/SYN
+ 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
+ 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655
+ 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall # cat /etc/init.d/firewall
+ #!/bin/sh
+
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ # "! --syn" is a stateless stand-in for "-m state --state ESTABLISHED,RELATED": it
+ # admits every TCP segment that is not a connection opener, forged ones included.
+ # Use the conntrack match where the kernel supports it. These two rules also name
+ # 10.20.30.0/24 although eth0 on this firewall carries 123.234.123.0/24; use the
+ # network that is actually behind eth0.
+ iptables -A FORWARD -j ACCEPT -i ppp0 -d 10.20.30.0/24 -p tcp ! --syn
+ iptables -A FORWARD -j ACCEPT -i eth0 -s 10.20.30.0/24
+ # Host address corrected to match the interface listing (123.234.123.42, not .132.).
+ iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p tcp --dport 655
+ iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p udp --dport 655
### Configuration Files
1. On Debian/Ubuntu systems, an entry in "/etc/network/interfaces" can be used to statically assign the ::1 address for the local LAN. Example:
-> iface eth1 inet6 static
-> address 2001:db8:beef:1::1
-> netmask 64
-> mtu 1280
+ iface eth1 inet6 static
+ address 2001:db8:beef:1::1
+ netmask 64
+ mtu 1280
On non Debian/Ubuntu systems, a line can be put in a boot script, such as "ip -6 addr add 2001:db8:beef:1::1/64 dev eth1".
2. IPv6 forwarding needs to be enabled: put "echo "1" >/proc/sys/net/ipv6/conf/all/forwarding" in a boot script, or "net.ipv6.conf.all.forwarding = 1" in "/etc/sysctl.conf".
4. It is assumed that the config files go into something like "/etc/tinc/link" and "/etc/tinc/nets.boot" has an entry for "link". The following table can be used to guide configuration of routers:
* "routera" configuration for tinc (the master router):
-> >cat tinc.conf
-> Name = routera
-> Mode = switch
-> Interface = vpn6
->
-> >cat tinc-up
-> #!/bin/sh
-> #Enable tinc
-> ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000
-> ip -6 addr add 2001:db8:beef::1/64 dev $INTERFACE
-> ip -6 route add 2001:db8:beef::/48 dev $INTERFACE
-> #Static routing table
-> ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2
-> ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3
-> ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4
->
-> >cat tinc-down
-> #!/bin/sh
-> #Static routing table
-> ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef::2
-> ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef::3
-> ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef::4
-> #Disable tinc
-> ip -6 route del 2001:db8:beef::/48 dev $INTERFACE
-> ip -6 addr del 2001:db8:beef::1/64 dev $INTERFACE
-> ip -6 link set $INTERFACE down
->
+ >cat tinc.conf
+ Name = routera
+ Mode = switch
+ Interface = vpn6
+
+ >cat tinc-up
+ #!/bin/sh
+ #Enable tinc
+ ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000
+ ip -6 addr add 2001:db8:beef::1/64 dev $INTERFACE
+ ip -6 route add 2001:db8:beef::/48 dev $INTERFACE
+ #Static routing table
+ ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2
+ ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3
+ ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4
+
+ >cat tinc-down
+ #!/bin/sh
+ #Static routing table
+ ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef::2
+ ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef::3
+ ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef::4
+ #Disable tinc
+ ip -6 route del 2001:db8:beef::/48 dev $INTERFACE
+ ip -6 addr del 2001:db8:beef::1/64 dev $INTERFACE
+ ip -6 link set $INTERFACE down
+
* "routerb" configuration for tinc (the other non-master routers will be like this one):
-> >cat tinc.conf
-> Name=routerb
-> Mode = switch
-> ConnectTo = routera
-> Interface = vpn6
->
-> >cat tinc-up
-> #!/bin/sh
-> ip -6 link set $INTERFACE up mtu 1280
-> ip -6 addr add 2001:db8:beef::2/64 dev $INTERFACE
-> ip -6 route add default via 2001:db8:beef::1
->
-> >cat tinc-down
-> #!/bin/sh
-> ip -6 route del default via 2001:db8:beef::1
-> ip -6 addr del 2001:db8:beef::2/64 dev $INTERFACE
-> ip -6 link set $INTERFACE down
+ >cat tinc.conf
+ Name=routerb
+ Mode = switch
+ ConnectTo = routera
+ Interface = vpn6
+
+ >cat tinc-up
+ #!/bin/sh
+ ip -6 link set $INTERFACE up mtu 1280
+ ip -6 addr add 2001:db8:beef::2/64 dev $INTERFACE
+ ip -6 route add default via 2001:db8:beef::1
+
+ >cat tinc-down
+ #!/bin/sh
+ ip -6 route del default via 2001:db8:beef::1
+ ip -6 addr del 2001:db8:beef::2/64 dev $INTERFACE
+ ip -6 link set $INTERFACE down
5. You can use [radvd](http://www.litech.org/radvd/) or [Quagga](http://www.quagga.net/) to perform [stateless address autoconfiguration](http://www.ietf.org/rfc/rfc2462.txt) on your LAN. This is an example zebra.conf for LAN autoconfiguration (don't forget to enable the zebra daemon):
-> ipv6 forwarding
-> !
-> interface eth1
-> no ipv6 nd suppress-ra
-> ipv6 address 2001:db8:beef:1::1/64
-> ipv6 nd prefix 2001:db8:beef:1::/64
-> ipv6 nd ra-interval 10
-> !
-> interface vpn6
-> !
-> interface lo
+ ipv6 forwarding
+ !
+ interface eth1
+ no ipv6 nd suppress-ra
+ ipv6 address 2001:db8:beef:1::1/64
+ ipv6 nd prefix 2001:db8:beef:1::/64
+ ipv6 nd ra-interval 10
+ !
+ interface vpn6
+ !
+ interface lo
### Configuration of the host running tinc
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> vpn Link encap:Point-to-Point Protocol
-> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
-> default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0
->
-> host# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> host# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ vpn Link encap:Point-to-Point Protocol
+ inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
+ default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0
+
+ host# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ host# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
### Configuration of tinc
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = atwork
-> ConnectTo = home
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
->
-> host# ls /etc/tinc/vpn/hosts
-> atwork home
->
-> host# cat /etc/tinc/vpn/hosts/atwork
-> Address = 123.234.123.1
-> Subnet = 192.168.10.20/32
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/home
-> Address = 200.201.202.203
-> Subnet = 192.168.1.0/24
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = atwork
+ ConnectTo = home
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
+
+ host# ls /etc/tinc/vpn/hosts
+ atwork home
+
+ host# cat /etc/tinc/vpn/hosts/atwork
+ Address = 123.234.123.1
+ Subnet = 192.168.10.20/32
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/home
+ Address = 200.201.202.203
+ Subnet = 192.168.1.0/24
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Configuration of the firewall
-> firewall# ifconfig
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
-> ...
->
-> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
-> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> firewall# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
-> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
->
-> firewall# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
-> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655
-> 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# cat /etc/init.d/firewall
-> #!/bin/sh
->
-> echo 1 >/proc/sys/net/ipv4/ip_forward
->
-> iptables -P FORWARD DROP
-> iptables -F FORWARD
-> # The first rule forwards *any* packet arriving on ppp0 for the LAN, not only the
-> # DNATed tinc packets and the replies to outbound connections. A tighter version
-> # accepts "-m state --state ESTABLISHED,RELATED" plus "-d 10.20.30.42 -p tcp --dport 655"
-> # and the same for udp. INPUT keeps its ACCEPT policy here, so the firewall host
-> # itself is not protected by this script.
-> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
-> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
->
-> iptables -t nat -F POSTROUTING
-> # Next rule prevents masquerading from altering source port of outbound tinc packets
-> iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
-> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
->
-> iptables -t nat -F PREROUTING
-> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
-> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
-> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
+ firewall# ifconfig
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
+ ...
+
+ eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
+ inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ firewall# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
+ default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
+
+ firewall# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy DROP 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
+ 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655
+ 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# cat /etc/init.d/firewall
+ #!/bin/sh
+
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ # The first rule forwards *any* packet arriving on ppp0 for the LAN, not only the
+ # DNATed tinc packets and the replies to outbound connections. A tighter version
+ # accepts "-m state --state ESTABLISHED,RELATED" plus "-d 10.20.30.42 -p tcp --dport 655"
+ # and the same for udp. INPUT keeps its ACCEPT policy here, so the firewall host
+ # itself is not protected by this script.
+ iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
+ iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
+
+ iptables -t nat -F POSTROUTING
+ # Next rule prevents masquerading from altering source port of outbound tinc packets
+ iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
+ iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+
+ iptables -t nat -F PREROUTING
+ # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
+ iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
+ iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
### Configuration of the firewall running tinc
-> firewall# ifconfig
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
-> ...
->
-> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
-> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> vpn Link encap:Point-to-Point Protocol
-> inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> ...
->
-> firewall# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
-> 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn
-> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
->
-> firewall# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
-> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
-> 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24
-> 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K MASQUERADE all -- any ppp0 10.20.30.0/24 anywhere
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# cat /etc/init.d/firewall
-> #!/bin/sh
->
-> echo 1 >/proc/sys/net/ipv4/ip_forward
->
-> iptables -P FORWARD DROP
-> iptables -F FORWARD
-> # INPUT keeps its ACCEPT policy in this example. tincd runs on this host and listens
-> # on port 655, so in production restrict INPUT on ppp0 to that port and whatever
-> # else you deliberately expose.
-> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
-> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
-> iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
-> iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
->
-> iptables -t nat -F POSTROUTING
-> # "-i" is not accepted in POSTROUTING (iptables rejects it there); match the LAN
-> # source address instead so only LAN traffic leaving ppp0 is masqueraded.
-> iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.20.30.0/24 -o ppp0
+ firewall# ifconfig
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
+ ...
+
+ eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
+ inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ vpn Link encap:Point-to-Point Protocol
+ inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ ...
+
+ firewall# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
+ 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn
+ default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
+
+ firewall# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy DROP 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
+ 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
+ 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24
+ 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K MASQUERADE all -- any ppp0 10.20.30.0/24 anywhere
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# cat /etc/init.d/firewall
+ #!/bin/sh
+
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ # INPUT keeps its ACCEPT policy in this example. tincd runs on this host and listens
+ # on port 655, so in production restrict INPUT on ppp0 to that port and whatever
+ # else you deliberately expose.
+ iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
+ iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
+ iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
+ iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
+
+ iptables -t nat -F POSTROUTING
+ # "-i" is not accepted in POSTROUTING (iptables rejects it there); match the LAN
+ # source address instead so only LAN traffic leaving ppp0 is masqueraded.
+ iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.20.30.0/24 -o ppp0
### Configuration of tinc
-> firewall# cat /etc/tinc/vpn/tinc.conf
-> Name = office
-> ConnectTo = branch
-> Interface = vpn
->
-> firewall# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0
->
-> firewall# ls /etc/tinc/vpn/hosts
-> office branch employee_smith employee_jones ...
->
-> firewall# cat /etc/tinc/vpn/hosts/office
-> Address = 123.234.123.1
-> Subnet = 10.20.30.0/24
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> firewall# cat /etc/tinc/vpn/hosts/branch
-> Address = 123.234.213.129
-> Subnet = 10.20.40.0/24
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> firewall# cat /etc/tinc/vpn/hosts/employee_smith
-> Address = 200.201.202.203
-> Subnet = 10.20.50.1/32
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ firewall# cat /etc/tinc/vpn/tinc.conf
+ Name = office
+ ConnectTo = branch
+ Interface = vpn
+
+ firewall# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0
+
+ firewall# ls /etc/tinc/vpn/hosts
+ office branch employee_smith employee_jones ...
+
+ firewall# cat /etc/tinc/vpn/hosts/office
+ Address = 123.234.123.1
+ Subnet = 10.20.30.0/24
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ firewall# cat /etc/tinc/vpn/hosts/branch
+ Address = 123.234.213.129
+ Subnet = 10.20.40.0/24
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ firewall# cat /etc/tinc/vpn/hosts/employee_smith
+ Address = 200.201.202.203
+ Subnet = 10.20.50.1/32
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
### Configuration of tinc at the office
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = office
-> #Optional:
-> #Mode = switch
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255
-> route add 192.168.1.123 dev $INTERFACE
-> # proxy_arp makes the kernel answer ARP on eth0 for addresses it routes through
-> # another interface; that is how LAN machines reach the road warrior at
-> # 192.168.1.123. Keep the route above limited to that single host so the office
-> # node does not answer for more of 192.168.1.0/24 than intended.
-> echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
-> echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
->
-> host# ls /etc/tinc/vpn/hosts
-> office roadwarrior ...
->
-> host# cat /etc/tinc/vpn/hosts/office
-> Address = 123.234.123.42
-> Subnet = 192.168.1.0/24
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/roadwarrior
-> Subnet = 192.168.1.123
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = office
+ #Optional:
+ #Mode = switch
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255
+ route add 192.168.1.123 dev $INTERFACE
+ echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
+ echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
+
+ host# ls /etc/tinc/vpn/hosts
+ office roadwarrior ...
+
+ host# cat /etc/tinc/vpn/hosts/office
+ Address = 123.234.123.42
+ Subnet = 192.168.1.0/24
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/roadwarrior
+ Subnet = 192.168.1.123
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
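Review bot: The office `tinc-up` turns on proxy_arp for `eth0` and `$INTERFACE`, but no matching `tinc-down` appears in this hunk, so the host keeps answering ARP for 192.168.1.123 on the LAN after the VPN is stopped and the `route add` line leaves a stale route behind. A `tinc-down` that reverses both, `route del 192.168.1.123 dev $INTERFACE` and `echo 0 >/proc/sys/net/ipv4/conf/eth0/proxy_arp`, keeps the LAN state tied to the tunnel's lifetime. Also, `eth0` is hard-coded while the tunnel side uses `$INTERFACE`; a one-line comment such as `# eth0 = office LAN side; adjust if the LAN interface differs` would save the next reader a guess.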
### Configuration of tinc at the road warrior
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = roadwarrior
-> #Optional:
-> #Mode = switch
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = roadwarrior
+ #Optional:
+ #Mode = switch
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0
The host config files are, of course, identical to those on the office node. To have tinc add the
necessary routes itself, remove the `route add` command from the `tinc-up` script, and
instead add this `subnet-up` script:
-> host# cat /etc/tinc/vpn/subnet-up
-> #!/bin/sh
-> [ "$NAME" = "$NODE" ] && exit 0
-> ip route replace $SUBNET dev $INTERFACE
+ host# cat /etc/tinc/vpn/subnet-up
+ #!/bin/sh
+ [ "$NAME" = "$NODE" ] && exit 0
+ ip route replace $SUBNET dev $INTERFACE
-> [[!meta title="simple-bridging-with-dhcp-client-side"]]
->
-> # Company: PowerCraft Technology
-> # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
-> # Note: Please send me an email if you enhanced the document
-> # Date: 2010-05-24 / 2010-07-04
-> # License: CC-BY-SA
->
-> # This document is free documentation; you can redistribute it and/or
-> # modify it under the terms of the Creative Commons Attribution Share
-> # Alike as published by the Creative Commons Foundation; either version
-> # 3.0 of the License, or (at your option) any later version.
-> #
-> # This document is distributed in the hope that it will be useful,
-> # but WITHOUT ANY WARRANTY; without even the implied warranty of
-> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-> # Creative Commons BY-SA License for more details.
-> #
-> # http://creativecommons.org/licenses/by-sa/
->
-> #-----------------------------------------------------------------------
->
-> # for commercial support contact me, part of the revenue go back to tinc
->
-> #-----------------------------------------------------------------------
->
-> # http://www.tinc-vpn.org/
-> # http://www.tinc-vpn.org/documentation/tinc_toc
->
-> #-----------------------------------------------------------------------
->
-> # this is the configuration of the roxy system
->
-> #-----------------------------------------------------------------------
->
-> unset LANG LANGUAGE LC_ALL
-> apt-get update; apt-get dist-upgrade
->
-> apt-cache show tinc
-> apt-get install tinc/testing
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
->
-> #-----------------------------------------------------------------------
->
-> # ls -hal /dev/net/tun
-> crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun
->
-> # grep tinc /etc/services
-> tinc 655/tcp # tinc control port
-> tinc 655/udp
->
-> # getent services tinc/udp
-> tinc 655/udp
-> # getent services tinc/tcp
-> tinc 655/tcp
->
-> cat /usr/share/doc/tinc/README.Debian
-> zcat /usr/share/doc/tinc/README.gz | less
-> zcat /usr/share/doc/tinc/NEWS.gz | less
-> cat /usr/share/doc/tinc/examples/tinc-up
-> w3m /usr/share/doc/tinc/tinc_0.html
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/default/tinc
-> EXTRA="-d"
-> cat /etc/default/tinc
->
-> # less /etc/init.d/tinc
->
-> #-----------------------------------------------------------------------
->
-> ifconfig -a
-> route -n
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig -a
-> eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c
-> inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:1000
-> RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB)
-> Interrupt:10 Base address:0x1000
->
-> eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d
-> UP BROADCAST MULTICAST MTU:1500 Metric:1
-> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:1000
-> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
-> Interrupt:11 Base address:0x1400
->
-> eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e
-> UP BROADCAST MULTICAST MTU:1500 Metric:1
-> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:1000
-> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
-> Interrupt:15 Base address:0x1800
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:16436 Metric:1
-> RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
->
-> #-----------------------------------------------------------------------
->
-> # client01 configuration
->
-> cat /etc/tinc/nets.boot
-> echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
-> cat /etc/tinc/nets.boot
->
-> #-----------------------------------------------------------------------
->
-> sudo mkdir --verbose /etc/tinc/powercraft01/
-> sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
-> sudo touch /etc/tinc/powercraft01/tinc.conf
->
-> #-----------------------------------------------------------------------
->
-> # on server
-> cat /etc/tinc/powercraft01/hosts/server01
->
-> # on client, copy cert data of server to client
-> sudo vim /etc/tinc/powercraft01/hosts/server01
->
-> # on client, add on head of file
-> Address = powercraft.nl 656
-> Address = 84.245.3.195 656
-> Address = tinc-vpn.powercraft.nl 656
-> Address = powercraft.nl 655
-> Address = 84.245.3.195 655
-> Address = tinc-vpn.powercraft.nl 655
->
-> #-----------------------------------------------------------------------
->
-> echo 'ConnectTo = server01
-> Device = /dev/net/tun
-> Interface = tun1
-> Mode = switch
-> Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf
->
-> sudo cat /etc/tinc/powercraft01/tinc.conf
-> sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
-> ls -hal /etc/tinc/powercraft01/tinc.conf
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up
->
-> sudo cat /etc/tinc/powercraft01/tinc-up
-> sudo chmod 755 /etc/tinc/powercraft01/tinc-up
-> ls -hal /etc/tinc/powercraft01/tinc-up
->
-> echo '#!/bin/sh
-> # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
-> ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up
->
-> sudo cat /etc/tinc/powercraft01/hosts/server01-up
-> sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
-> ls -hal /etc/tinc/powercraft01/hosts/server01-up
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down
->
-> sudo cat /etc/tinc/powercraft01/tinc-down
-> sudo chmod 755 /etc/tinc/powercraft01/tinc-down
-> ls -hal /etc/tinc/powercraft01/tinc-down
->
-> echo '#!/bin/sh
-> ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down
->
-> sudo cat /etc/tinc/powercraft01/hosts/server01-down
-> sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
-> ls -hal /etc/tinc/powercraft01/hosts/server01-down
->
-> #-----------------------------------------------------------------------
->
-> sudo rm /etc/tinc/powercraft01/rsa_key.priv
-> sudo rm /etc/tinc/powercraft01/hosts/client10
-> sudo tincd -n powercraft01 -K
->
-> #-----------------------------------------------------------------------
->
-> # on client add on head of file
-> sudo vim /etc/tinc/powercraft01/hosts/client01
-> Compression = 9
-> PMTU = 1492
-> PMTUDiscovery = yes
-> Port = 656
-> # Cipher = aes-128-cbc
->
-> # on client
-> sudo cat /etc/tinc/powercraft01/hosts/client01
->
-> # on server, copy cert data of client to server
-> vim /etc/tinc/powercraft01/hosts/client01
->
-> #-----------------------------------------------------------------------
->
-> # watch out when using multiple dhcp clients there can be conflicts
->
-> echo 'interface "tun1" {
-> request subnet-mask, broadcast-address, time-offset,
-> host-name, netbios-scope, interface-mtu, ntp-servers;
-> }' | tee --append /etc/dhcp3/dhclient.conf
->
-> cat /etc/dhcp3/dhclient.conf
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/network/interfaces
->
-> iface tun1 inet dhcp
-> pre-up ifconfig tun1 down || true
-> pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
-> post-up route del default dev tun1 || true
-> # pre-down /etc/init.d/munin-node stop || true
-> # post-up /etc/init.d/munin-node restart || true
-> # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
-> # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
-> # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
-> # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
->
-> #-----------------------------------------------------------------------
->
-> ifdown tun1; ifdown tun1
->
-> #-----------------------------------------------------------------------
->
-> sudo /etc/init.d/tinc stop
-> fg
-> sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
->
-> #-----------------------------------------------------------------------
->
-> sudo /etc/init.d/tinc start
->
-> #-----------------------------------------------------------------------
->
-> # tincd --version
-> tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
->
-> #-----------------------------------------------------------------------
->
-> tincd -n powercraft01 -kUSR2
-> tail -n 100 /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig -a
-> ifconfig tun1
-> route -n
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig tun1
-> tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20
-> inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:27 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:500
-> RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
-> 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
->
-> #-----------------------------------------------------------------------
->
-> ping -c 2 192.168.3.1
-> ping -c 2 -M dont -s 1500 192.168.3.1
->
-> #-----------------------------------------------------------------------
->
-> lsof -i :655
-> lsof -i :656
->
-> #-----------------------------------------------------------------------
->
-> # Accept new connections for fordwarding designated from our virtual private netwerk to the local network
-> /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
-> /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT
->
-> # Use masquerade so the outside world sees only one ip source for all outgoing trafic
-> /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE
->
-> #-----------------------------------------------------------------------
+ [[!meta title="simple-bridging-with-dhcp-client-side"]]
+
+ # Company: PowerCraft Technology
+ # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
+ # Note: Please send me an email if you enhanced the document
+ # Date: 2010-05-24 / 2010-07-04
+ # License: CC-BY-SA
+
+ # This document is free documentation; you can redistribute it and/or
+ # modify it under the terms of the Creative Commons Attribution Share
+ # Alike as published by the Creative Commons Foundation; either version
+ # 3.0 of the License, or (at your option) any later version.
+ #
+ # This document is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # Creative Commons BY-SA License for more details.
+ #
+ # http://creativecommons.org/licenses/by-sa/
+
+ #-----------------------------------------------------------------------
+
+ # for commercial support contact me, part of the revenue go back to tinc
+
+ #-----------------------------------------------------------------------
+
+ # http://www.tinc-vpn.org/
+ # http://www.tinc-vpn.org/documentation/tinc_toc
+
+ #-----------------------------------------------------------------------
+
+ # this is the configuration of the roxy system
+
+ #-----------------------------------------------------------------------
+
+ unset LANG LANGUAGE LC_ALL
+ apt-get update; apt-get dist-upgrade
+
+ apt-cache show tinc
+ apt-get install tinc/testing
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+
+ #-----------------------------------------------------------------------
+
+ # ls -hal /dev/net/tun
+ crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun
+
+ # grep tinc /etc/services
+ tinc 655/tcp # tinc control port
+ tinc 655/udp
+
+ # getent services tinc/udp
+ tinc 655/udp
+ # getent services tinc/tcp
+ tinc 655/tcp
+
+ cat /usr/share/doc/tinc/README.Debian
+ zcat /usr/share/doc/tinc/README.gz | less
+ zcat /usr/share/doc/tinc/NEWS.gz | less
+ cat /usr/share/doc/tinc/examples/tinc-up
+ w3m /usr/share/doc/tinc/tinc_0.html
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/default/tinc
+ EXTRA="-d"
+ cat /etc/default/tinc
+
+ # less /etc/init.d/tinc
+
+ #-----------------------------------------------------------------------
+
+ ifconfig -a
+ route -n
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig -a
+ eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c
+ inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB)
+ Interrupt:10 Base address:0x1000
+
+ eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d
+ UP BROADCAST MULTICAST MTU:1500 Metric:1
+ RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
+ Interrupt:11 Base address:0x1400
+
+ eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e
+ UP BROADCAST MULTICAST MTU:1500 Metric:1
+ RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
+ Interrupt:15 Base address:0x1800
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
+
+ #-----------------------------------------------------------------------
+
+ # client01 configuration
+
+ cat /etc/tinc/nets.boot
+ echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
+ cat /etc/tinc/nets.boot
+
+ #-----------------------------------------------------------------------
+
+ sudo mkdir --verbose /etc/tinc/powercraft01/
+ sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
+ sudo touch /etc/tinc/powercraft01/tinc.conf
+
+ #-----------------------------------------------------------------------
+
+ # on server
+ cat /etc/tinc/powercraft01/hosts/server01
+
+ # on client, copy cert data of server to client
+ sudo vim /etc/tinc/powercraft01/hosts/server01
+
+ # on client, add on head of file
+ Address = powercraft.nl 656
+ Address = 84.245.3.195 656
+ Address = tinc-vpn.powercraft.nl 656
+ Address = powercraft.nl 655
+ Address = 84.245.3.195 655
+ Address = tinc-vpn.powercraft.nl 655
+
+ #-----------------------------------------------------------------------
+
+ echo 'ConnectTo = server01
+ Device = /dev/net/tun
+ Interface = tun1
+ Mode = switch
+ Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf
+
+ sudo cat /etc/tinc/powercraft01/tinc.conf
+ sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
+ ls -hal /etc/tinc/powercraft01/tinc.conf
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up
+
+ sudo cat /etc/tinc/powercraft01/tinc-up
+ sudo chmod 755 /etc/tinc/powercraft01/tinc-up
+ ls -hal /etc/tinc/powercraft01/tinc-up
+
+ echo '#!/bin/sh
+ # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
+ ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up
+
+ sudo cat /etc/tinc/powercraft01/hosts/server01-up
+ sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
+ ls -hal /etc/tinc/powercraft01/hosts/server01-up
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down
+
+ sudo cat /etc/tinc/powercraft01/tinc-down
+ sudo chmod 755 /etc/tinc/powercraft01/tinc-down
+ ls -hal /etc/tinc/powercraft01/tinc-down
+
+ echo '#!/bin/sh
+ ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down
+
+ sudo cat /etc/tinc/powercraft01/hosts/server01-down
+ sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
+ ls -hal /etc/tinc/powercraft01/hosts/server01-down
+
+ #-----------------------------------------------------------------------
+
+ sudo rm /etc/tinc/powercraft01/rsa_key.priv
+ sudo rm /etc/tinc/powercraft01/hosts/client10
+ sudo tincd -n powercraft01 -K
+
+ #-----------------------------------------------------------------------
+
+ # on client add on head of file
+ sudo vim /etc/tinc/powercraft01/hosts/client01
+ Compression = 9
+ PMTU = 1492
+ PMTUDiscovery = yes
+ Port = 656
+ # Cipher = aes-128-cbc
+
+ # on client
+ sudo cat /etc/tinc/powercraft01/hosts/client01
+
+ # on server, copy cert data of client to server
+ vim /etc/tinc/powercraft01/hosts/client01
+
+ #-----------------------------------------------------------------------
+
+ # watch out when using multiple dhcp clients there can be conflicts
+
+ echo 'interface "tun1" {
+ request subnet-mask, broadcast-address, time-offset,
+ host-name, netbios-scope, interface-mtu, ntp-servers;
+ }' | tee --append /etc/dhcp3/dhclient.conf
+
+ cat /etc/dhcp3/dhclient.conf
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/network/interfaces
+
+ iface tun1 inet dhcp
+ pre-up ifconfig tun1 down || true
+ pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
+ post-up route del default dev tun1 || true
+ # pre-down /etc/init.d/munin-node stop || true
+ # post-up /etc/init.d/munin-node restart || true
+ # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
+ # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
+ # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
+ # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
+
+ #-----------------------------------------------------------------------
+
+ ifdown tun1; ifdown tun1
+
+ #-----------------------------------------------------------------------
+
+ sudo /etc/init.d/tinc stop
+ fg
+ sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
+
+ #-----------------------------------------------------------------------
+
+ sudo /etc/init.d/tinc start
+
+ #-----------------------------------------------------------------------
+
+ # tincd --version
+ tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
+
+ #-----------------------------------------------------------------------
+
+ tincd -n powercraft01 -kUSR2
+ tail -n 100 /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01
+ May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig -a
+ ifconfig tun1
+ route -n
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig tun1
+ tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20
+ inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:27 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:500
+ RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
+ 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
+
+ #-----------------------------------------------------------------------
+
+ ping -c 2 192.168.3.1
+ ping -c 2 -M dont -s 1500 192.168.3.1
+
+ #-----------------------------------------------------------------------
+
+ lsof -i :655
+ lsof -i :656
+
+ #-----------------------------------------------------------------------
+
+ # Accept new connections for fordwarding designated from our virtual private netwerk to the local network
+ /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
+ /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT
+
+ # Use masquerade so the outside world sees only one ip source for all outgoing trafic
+ /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE
+
+ #-----------------------------------------------------------------------
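Review bot: The key regeneration step removes `hosts/client10` but this node is `Name = client01`, so the existing `hosts/client01` is not cleared before `tincd -n powercraft01 -K` and the new public key will most likely be appended to the old one; the line should read `sudo rm /etc/tinc/powercraft01/hosts/client01`. The `tee` writes to `/etc/tinc/powercraft01/tinc-up` and `/etc/dhcp3/dhclient.conf` lack the `sudo` that every neighbouring `tee` carries, so as written they fail with permission denied unless the shell is already root. The `tincd -kUSR2` dump shows `cipher 91 digest 64 maclength 4` for server01, which appears to be OpenSSL's NIDs for bf-cbc and sha1 with a 32-bit MAC, i.e. the commented `# Cipher = aes-128-cbc` in `hosts/client01` is not in effect and the connection runs on the 64-bit-block Blowfish default; uncommenting it on both ends and adding `MACLength = 16` is a cheap hardening. Finally, the closing FORWARD rules reference `${VPN01}` and `${LAN01}`, which are defined nowhere on the page (an empty expansion makes iptables reject the rule), and they accept every new flow in both directions between the DHCP-bridged VPN segment and the LAN; restricting the LAN-to-VPN direction with `-m state --state ESTABLISHED,RELATED` or an explicit source list would be the usual starting point.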
-> [[!meta title="simple-bridging-with-dhcp-server-side"]]
->
-> # Company: PowerCraft Technology
-> # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
-> # Note: Please send me an email if you enhanced the document
-> # Date: 2010-05-24 / 2010-07-04
-> # License: CC-BY-SA
->
-> # This document is free documentation; you can redistribute it and/or
-> # modify it under the terms of the Creative Commons Attribution Share
-> # Alike as published by the Creative Commons Foundation; either version
-> # 3.0 of the License, or (at your option) any later version.
-> #
-> # This document is distributed in the hope that it will be useful,
-> # but WITHOUT ANY WARRANTY; without even the implied warranty of
-> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-> # Creative Commons BY-SA License for more details.
-> #
-> # http://creativecommons.org/licenses/by-sa/
->
-> #-----------------------------------------------------------------------
->
-> # for commercial support contact me, part of the revenue go back to tinc
->
-> #-----------------------------------------------------------------------
->
-> # http://www.tinc-vpn.org/
-> # http://www.tinc-vpn.org/examples/bridging
-> # http://www.tinc-vpn.org/documentation/tinc_toc
->
-> #-----------------------------------------------------------------------
->
-> # <@guus> Well all the tinc daemons together act like a single switcch
-> # <@guus> And each node in the VPN is connected to a port of that switch
-> # <@guus> And if you bridge the VPN interface with eth0, then it's like you plug a cable in a port of your eth0 LAN and the other end of that cable into the tinc switch
->
-> #-----------------------------------------------------------------------
->
-> unset LANG LANGUAGE LC_ALL
-> apt-get update; apt-get dist-upgrade
->
-> apt-cache show tinc
-> apt-get install tinc
-> apt-get install bridge-utils
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
->
-> #-----------------------------------------------------------------------
->
-> # ls -hal /dev/net/tun
-> crw-rw-rw- 1 root root 10, 200 May 20 20:07 /dev/net/tun
->
-> # grep tinc /etc/services
-> tinc 655/tcp # tinc control port
-> tinc 655/udp
->
-> cat /usr/share/doc/tinc/README.Debian
-> zcat /usr/share/doc/tinc/README.gz | less
-> zcat /usr/share/doc/tinc/NEWS.gz | less
-> cat /usr/share/doc/tinc/examples/tinc-up
-> w3m /usr/share/doc/tinc/tinc_0.html
->
-> cat /etc/default/tinc
-> less /etc/init.d/tinc
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/default/tinc
-> EXTRA="-d"
-> cat /etc/default/tinc
->
-> #-----------------------------------------------------------------------
->
-> cat /etc/tinc/nets.boot
-> echo 'powercraft01' | tee --append /etc/tinc/nets.boot
-> cat /etc/tinc/nets.boot
->
-> #-----------------------------------------------------------------------
->
-> ls -hal /etc/tinc/scallab01/
-> mkdir --verbose /etc/tinc/powercraft01/
-> mkdir --verbose /etc/tinc/powercraft01/hosts/
-> touch /etc/tinc/powercraft01/tinc.conf
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/network/interfaces
->
-> # tinc-vpn: dhcp bridge
-> auto br0
-> iface br0 inet static
-> address 192.168.3.1
-> netmask 255.255.255.0
-> # pre-up /sbin/ifconfig eth2 hw ether 00:1b:21:61:af:d7
-> # pre-up /sbin/ifconfig eth2 0.0.0.0
-> # bridge_ports eth2
-> bridge_ports tun1
-> bridge_maxwait 1
-> bridge_fd 2.5
-> post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp # optional
->
-> cat /etc/network/interfaces
->
-> #-----------------------------------------------------------------------
->
-> echo 'interface "br0" {
-> request subnet-mask, broadcast-address, time-offset,
-> host-name, netbios-scope, interface-mtu, ntp-servers;
-> }' | tee --append /etc/dhcp3/dhclient.conf
->
-> cat /etc/dhcp3/dhclient.conf
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/dhcp3/dhcpd.conf
->
-> subnet 192.168.3.0 netmask 255.255.255.0 {
-> range 192.168.3.200 192.168.3.240;
-> option routers 192.168.3.1;
-> option domain-name-servers 192.168.3.1;
-> }
->
-> #-----------------------------------------------------------------------
->
-> ifdown br0
-> ifup br0
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/default/dhcp3-server
-> INTERFACES="vlan2 eth0 br0" # add the br0 to the correct location
->
-> /etc/init.d/dhcp3-server restart
-> ps aux | grep dhcp
-> tail -n 400 -f /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> ifconfig br0
-> route -n
-> brctl show
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig br0
-> br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
-> inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
-> inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:12 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:2568 (2.5 KB) TX bytes:1536 (1.5 KB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
-> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
-> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
-> 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
->
-> # brctl show
-> bridge name bridge id STP enabled interfaces
-> br0 8000.000000000000 no
->
-> #-----------------------------------------------------------------------
->
-> echo 'AddressFamily = ipv4
-> Device = /dev/net/tun
-> Interface = tun1
-> Mode = switch
-> Name = server01' | tee /etc/tinc/powercraft01/tinc.conf
->
-> cat /etc/tinc/powercraft01/tinc.conf
-> chmod 640 /etc/tinc/powercraft01/tinc.conf
-> ls -hal /etc/tinc/powercraft01/tinc.conf
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE 0.0.0.0
-> route add -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
-> brctl addif br0 $INTERFACE' | tee /etc/tinc/powercraft01/tinc-up
->
-> cat /etc/tinc/powercraft01/tinc-up
-> chmod 750 /etc/tinc/powercraft01/tinc-up
-> ls -hal /etc/tinc/powercraft01/tinc-up
->
-> echo '#!/bin/sh
-> brctl delif br0 $INTERFACE
-> route del -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
-> ifconfig $INTERFACE down' | tee /etc/tinc/powercraft01/tinc-down
->
-> cat /etc/tinc/powercraft01/tinc-down
-> chmod 750 /etc/tinc/powercraft01/tinc-down
-> ls -hal /etc/tinc/powercraft01/tinc-down
->
-> #-----------------------------------------------------------------------
->
-> rm /etc/tinc/powercraft01/rsa_key.priv
-> rm /etc/tinc/powercraft01/hosts/server01
-> tincd -n powercraft01 -K
->
-> #-----------------------------------------------------------------------
->
-> getent services | grep 656
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/tinc/powercraft01/hosts/server01
->
-> # add on head of file
-> Compression = 9
-> PMTU = 1492
-> PMTUDiscovery = yes
-> Port = 656
->
-> cat /etc/tinc/powercraft01/hosts/server01
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
-> fg
-> /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc restart
-> tail --line=500 --follow /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> ifconfig br0
-> ifconfig tun1
-> route -n
-> brctl show br0
-> brctl showmacs br0
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig br0
-> br0 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
-> inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
-> inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:17 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:3328 (3.3 KB) TX bytes:2408 (2.4 KB)
->
-> # ifconfig tun1
-> tun1 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
-> inet6 addr: fe80::1ceb:95ff:fec3:4d8/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:8 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:500
-> RX bytes:2627 (2.6 KB) TX bytes:1340 (1.3 KB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
-> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
-> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
-> 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
->
-> # brctl show br0
-> bridge name bridge id STP enabled interfaces
-> br0 8000.1eeb95c304d8 no tun1
->
-> # brctl showmacs br0
-> port no mac addr is local? ageing timer
-> 1 1e:eb:95:c3:04:d8 yes 0.00
-> 1 86:03:27:21:2e:60 no 44.19
->
-> #-----------------------------------------------------------------------
->
-> ps aux | grep tincd
-> tincd -n powercraft01 -kUSR2
-> tail -n 100 /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes in: 468
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes out: 0
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Nodes:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: server01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options 4 status 0018 nexthop server01 via server01 pmtu 1518 (min 0 max 1518)
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of nodes.
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Edges:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of edges.
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Subnet list:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: a2:63:0:96:a:c8#10 owner server01
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of subnet list.
->
-> #-----------------------------------------------------------------------
->
-> tcpdump -n -i br0 broadcast
-> tcpdump -n -i tun0 broadcast
->
-> #-----------------------------------------------------------------------
->
-> tcpdump -n -e -i br0 icmp
-> tcpdump -A -p -n -i br0 port 80
-> tcpdump -A -p -n -i br0
->
-> tcpdump -i br0 host 84.245.3.195 -l
->
-> #-----------------------------------------------------------------------
->
-> cat /var/lib/dhcp3/dhcpd.leases
->
-> #-----------------------------------------------------------------------
->
-> # optional
-> export LAN01=vlan2
-> export VPN02=br0
-> # /sbin/iptables --append FORWARD --in-interface br0 --out-interface vlan2 --jump ACCEPT
-> /sbin/iptables --append FORWARD --in-interface ${VPN02} --source 192.168.3.150 --destination 192.168.2.206 --out-interface ${LAN01} --jump ACCEPT
->
-> #-----------------------------------------------------------------------
+ [[!meta title="simple-bridging-with-dhcp-server-side"]]
+
+ # Company: PowerCraft Technology
+ # Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
+ # Note: Please send me an email if you enhanced the document
+ # Date: 2010-05-24 / 2010-07-04
+ # License: CC-BY-SA
+
+ # This document is free documentation; you can redistribute it and/or
+ # modify it under the terms of the Creative Commons Attribution Share
+ # Alike as published by the Creative Commons Foundation; either version
+ # 3.0 of the License, or (at your option) any later version.
+ #
+ # This document is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # Creative Commons BY-SA License for more details.
+ #
+ # http://creativecommons.org/licenses/by-sa/
+
+ #-----------------------------------------------------------------------
+
+ # for commercial support contact me, part of the revenue go back to tinc
+
+ #-----------------------------------------------------------------------
+
+ # http://www.tinc-vpn.org/
+ # http://www.tinc-vpn.org/examples/bridging
+ # http://www.tinc-vpn.org/documentation/tinc_toc
+
+ #-----------------------------------------------------------------------
+
+ # <@guus> Well all the tinc daemons together act like a single switcch
+ # <@guus> And each node in the VPN is connected to a port of that switch
+ # <@guus> And if you bridge the VPN interface with eth0, then it's like you plug a cable in a port of your eth0 LAN and the other end of that cable into the tinc switch
+
+ #-----------------------------------------------------------------------
+
+ unset LANG LANGUAGE LC_ALL
+ apt-get update; apt-get dist-upgrade
+
+ apt-cache show tinc
+ apt-get install tinc
+ apt-get install bridge-utils
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+
+ #-----------------------------------------------------------------------
+
+ # ls -hal /dev/net/tun
+ crw-rw-rw- 1 root root 10, 200 May 20 20:07 /dev/net/tun
+
+ # grep tinc /etc/services
+ tinc 655/tcp # tinc control port
+ tinc 655/udp
+
+ cat /usr/share/doc/tinc/README.Debian
+ zcat /usr/share/doc/tinc/README.gz | less
+ zcat /usr/share/doc/tinc/NEWS.gz | less
+ cat /usr/share/doc/tinc/examples/tinc-up
+ w3m /usr/share/doc/tinc/tinc_0.html
+
+ cat /etc/default/tinc
+ less /etc/init.d/tinc
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/default/tinc
+ EXTRA="-d"
+ cat /etc/default/tinc
+
+ #-----------------------------------------------------------------------
+
+ cat /etc/tinc/nets.boot
+ echo 'powercraft01' | tee --append /etc/tinc/nets.boot
+ cat /etc/tinc/nets.boot
+
+ #-----------------------------------------------------------------------
+
+ ls -hal /etc/tinc/scallab01/
+ mkdir --verbose /etc/tinc/powercraft01/
+ mkdir --verbose /etc/tinc/powercraft01/hosts/
+ touch /etc/tinc/powercraft01/tinc.conf
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/network/interfaces
+
+ # tinc-vpn: dhcp bridge
+ auto br0
+ iface br0 inet static
+ address 192.168.3.1
+ netmask 255.255.255.0
+ # pre-up /sbin/ifconfig eth2 hw ether 00:1b:21:61:af:d7
+ # pre-up /sbin/ifconfig eth2 0.0.0.0
+ # bridge_ports eth2
+ bridge_ports tun1
+ bridge_maxwait 1
+ bridge_fd 2.5
+ post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp # optional
+
+ cat /etc/network/interfaces
+
+ #-----------------------------------------------------------------------
+
+ echo 'interface "br0" {
+ request subnet-mask, broadcast-address, time-offset,
+ host-name, netbios-scope, interface-mtu, ntp-servers;
+ }' | tee --append /etc/dhcp3/dhclient.conf
+
+ cat /etc/dhcp3/dhclient.conf
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/dhcp3/dhcpd.conf
+
+ subnet 192.168.3.0 netmask 255.255.255.0 {
+ range 192.168.3.200 192.168.3.240;
+ option routers 192.168.3.1;
+ option domain-name-servers 192.168.3.1;
+ }
+
+ #-----------------------------------------------------------------------
+
+ ifdown br0
+ ifup br0
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/default/dhcp3-server
+ INTERFACES="vlan2 eth0 br0" # add the br0 to the correct location
+
+ /etc/init.d/dhcp3-server restart
+ ps aux | grep dhcp
+ tail -n 400 -f /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ ifconfig br0
+ route -n
+ brctl show
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig br0
+ br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
+ inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
+ inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:12 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:2568 (2.5 KB) TX bytes:1536 (1.5 KB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
+ 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
+ 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
+ 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
+
+ # brctl show
+ bridge name bridge id STP enabled interfaces
+ br0 8000.000000000000 no
+
+ #-----------------------------------------------------------------------
+
+ echo 'AddressFamily = ipv4
+ Device = /dev/net/tun
+ Interface = tun1
+ Mode = switch
+ Name = server01' | tee /etc/tinc/powercraft01/tinc.conf
+
+ cat /etc/tinc/powercraft01/tinc.conf
+ chmod 640 /etc/tinc/powercraft01/tinc.conf
+ ls -hal /etc/tinc/powercraft01/tinc.conf
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE 0.0.0.0
+ route add -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
+ brctl addif br0 $INTERFACE' | tee /etc/tinc/powercraft01/tinc-up
+
+ cat /etc/tinc/powercraft01/tinc-up
+ chmod 750 /etc/tinc/powercraft01/tinc-up
+ ls -hal /etc/tinc/powercraft01/tinc-up
+
+ echo '#!/bin/sh
+ brctl delif br0 $INTERFACE
+ route del -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
+ ifconfig $INTERFACE down' | tee /etc/tinc/powercraft01/tinc-down
+
+ cat /etc/tinc/powercraft01/tinc-down
+ chmod 750 /etc/tinc/powercraft01/tinc-down
+ ls -hal /etc/tinc/powercraft01/tinc-down
+
+ #-----------------------------------------------------------------------
+
+ rm /etc/tinc/powercraft01/rsa_key.priv
+ rm /etc/tinc/powercraft01/hosts/server01
+ tincd -n powercraft01 -K
+
+ #-----------------------------------------------------------------------
+
+ getent services | grep 656
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/tinc/powercraft01/hosts/server01
+
+ # add on head of file
+ Compression = 9
+ PMTU = 1492
+ PMTUDiscovery = yes
+ Port = 656
+
+ cat /etc/tinc/powercraft01/hosts/server01
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+ fg
+ /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc restart
+ tail --line=500 --follow /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ ifconfig br0
+ ifconfig tun1
+ route -n
+ brctl show br0
+ brctl showmacs br0
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig br0
+ br0 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
+ inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
+ inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:17 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:3328 (3.3 KB) TX bytes:2408 (2.4 KB)
+
+ # ifconfig tun1
+ tun1 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
+ inet6 addr: fe80::1ceb:95ff:fec3:4d8/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:8 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:500
+ RX bytes:2627 (2.6 KB) TX bytes:1340 (1.3 KB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
+ 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
+ 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
+ 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
+
+ # brctl show br0
+ bridge name bridge id STP enabled interfaces
+ br0 8000.1eeb95c304d8 no tun1
+
+ # brctl showmacs br0
+ port no mac addr is local? ageing timer
+ 1 1e:eb:95:c3:04:d8 yes 0.00
+ 1 86:03:27:21:2e:60 no 44.19
+
+ #-----------------------------------------------------------------------
+
+ ps aux | grep tincd
+ tincd -n powercraft01 -kUSR2
+ tail -n 100 /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes in: 468
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes out: 0
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Nodes:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: server01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options 4 status 0018 nexthop server01 via server01 pmtu 1518 (min 0 max 1518)
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of nodes.
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Edges:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of edges.
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Subnet list:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: a2:63:0:96:a:c8#10 owner server01
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of subnet list.
+
+ #-----------------------------------------------------------------------
+
+ tcpdump -n -i br0 broadcast
+ tcpdump -n -i tun0 broadcast
+
+ #-----------------------------------------------------------------------
+
+ tcpdump -n -e -i br0 icmp
+ tcpdump -A -p -n -i br0 port 80
+ tcpdump -A -p -n -i br0
+
+ tcpdump -i br0 host 84.245.3.195 -l
+
+ #-----------------------------------------------------------------------
+
+ cat /var/lib/dhcp3/dhcpd.leases
+
+ #-----------------------------------------------------------------------
+
+ # optional
+ export LAN01=vlan2
+ export VPN02=br0
+ # /sbin/iptables --append FORWARD --in-interface br0 --out-interface vlan2 --jump ACCEPT
+ /sbin/iptables --append FORWARD --in-interface ${VPN02} --source 192.168.3.150 --destination 192.168.2.206 --out-interface ${LAN01} --jump ACCEPT
+
+ #-----------------------------------------------------------------------