From: Guus Sliepen Date: Mon, 7 Jun 2010 11:28:58 +0000 (+0200) Subject: Add a proxy ARP example. X-Git-Url: http://git.tinc-vpn.org/git/browse?a=commitdiff_plain;h=13c2c7fa8d86e8543321a58ec30e7d4fb43053d9;p=wiki Add a proxy ARP example. --- diff --git a/examples/bridging.mdwn b/examples/bridging.mdwn index 8d43427..c7c0d8f 100644 --- a/examples/bridging.mdwn +++ b/examples/bridging.mdwn @@ -15,6 +15,11 @@ In switch and hub mode, broadcast packets are broadcast to other daemons and in order to route packets. With these mode tinc can be used to act as a bridge between two or more Ethernet segments. +Bridging allows all nodes in the VPN to share the same subnet. However, if +this is the only reason for bridging, and you do not need to tunnel broadcast +or non-IP packets, you can alternatively use [[proxy ARP|examples/proxy-arp]] +instead of bridging. + ### Overview The network setup is as follows: diff --git a/examples/proxy-arp.mdwn b/examples/proxy-arp.mdwn new file mode 100644 index 0000000..5d25f21 --- /dev/null +++ b/examples/proxy-arp.mdwn 
@@ -0,0 +1,78 @@ +[[!meta title="proxy ARP as an alternative to bridging"]] + +## Example: proxy ARP as an alternative to bridging + +If one wants to have a remote node appear to be on a local LAN (i.e., having an +IP address inside the local LAN's subnet), one can set up a bridge at the local +node, as described in the [[bridging example|examples/bridging]]. However, +setting up a bridge is rather complex, and if one only needs unicast IP traffic +to work, and broadcast or non-IP traffic is not a requirement, one can use the +[proxy ARP](http://en.wikipedia.org/wiki/Proxy_ARP) features of the operating +instead. + +Since we only use unicast IP traffic, proxy ARP works with both router and +switch mode. + +### Overview + +The network setup is as follows: + +* Office LAN, the LAN on interface eth0 uses the range 192.168.1.0/24. The office node uses the address 192.168.1.2. +* Road warrior, using the address 192.168.1.123. + +### Configuration of tinc at the office + +> host# cat /etc/tinc/vpn/tinc.conf +> Name = office +> #Optional: +> #Mode = switch +> +> host# cat /etc/tinc/vpn/tinc-up +> #!/bin/sh +> +> ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255 +> route add 192.168.1.123 dev $INTERFACE +> echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp +> echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp +> +> host# ls /etc/tinc/vpn/hosts +> office roadwarrior ... +> +> host# cat /etc/tinc/vpn/hosts/office +> Address = 123.234.123.42 +> Subnet = 192.168.1.0/24 +> -----BEGIN RSA PUBLIC KEY----- +> ... +> -----END RSA PUBLIC KEY----- +> +> host# cat /etc/tinc/vpn/hosts/roadwarrior +> Subnet = 192.168.1.123 +> -----BEGIN RSA PUBLIC KEY----- +> ... 
+> -----END RSA PUBLIC KEY----- + +### Configuration of tinc at the road warrior + +> host# cat /etc/tinc/vpn/tinc.conf +> Name = roadwarrior +> #Optional: +> #Mode = switch +> +> host# cat /etc/tinc/vpn/tinc-up +> #!/bin/sh +> +> ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0 + +The host config files are, of course, identical to those on the office node. + +### Automatically adding routes + +In the above configuration, the `tinc-up` script of the office node has a route +to the roadwarrior's address hardcoded. To have tinc automatically add the +necessary routes, remove the `route add` command from the `tinc-up` script, and +instead add this `subnet-up` script: + +> host# cat /etc/tinc/vpn/subnet-up +> #!/bin/sh +> [ "$NAME" = "$NODE" ] && exit 0 +> ip route replace $SUBNET dev $INTERFACE
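Review bot: in the paragraph added to examples/bridging.mdwn, "you can alternatively use [[proxy ARP|examples/proxy-arp]] instead of bridging" says the same thing twice; drop either "alternatively" or "instead of bridging". While this file is being touched, the unchanged context line "With these mode tinc can be used" should read "With these modes", and the new paragraph would be more useful if it named the cost of the alternative it points to: proxy ARP only carries unicast IP, so anything that relies on broadcast or non-IP traffic between the segments will not cross the link.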
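Review bot: the office tinc-up script in examples/proxy-arp.mdwn enables proxy_arp on eth0 and on $INTERFACE but never enables IP forwarding, so the office node will answer ARP requests for 192.168.1.123 on the LAN and then drop the packets it receives unless /proc/sys/net/ipv4/ip_forward is already 1; add `echo 1 >/proc/sys/net/ipv4/ip_forward` next to the two proxy_arp lines, or state that forwarding must be enabled. Two smaller points in the same hunk: "the proxy ARP features of the operating instead" is missing "system", and the proxy_arp sysctl on $INTERFACE only has an effect in switch mode (in router mode the interface is a tun device, which does no ARP), which is worth saying next to the sentence claiming both modes work. The subnet-up script in the last section also has no subnet-down counterpart, so a route added for a node stays in the table after that node disappears; a matching subnet-down running `ip route del $SUBNET dev $INTERFACE` would keep the routing table in sync.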