From: Guus Sliepen Date: Sun, 21 Nov 2010 11:38:34 +0000 (+0100) Subject: Don't blockquote pre blocks. X-Git-Url: http://git.tinc-vpn.org/git/browse?a=commitdiff_plain;h=92c1ef34e1f369278a63eb7ffd0d4cd72ebfbeeb;p=wiki Don't blockquote pre blocks.
---
diff --git a/examples/bridging-with-dhcp.mdwn b/examples/bridging-with-dhcp.mdwn
index 354d805..70d77ca 100644
--- a/examples/bridging-with-dhcp.mdwn
+++ b/examples/bridging-with-dhcp.mdwn
@@ -1,356 +1,356 @@
-> [[!meta title="creating a bridge to bridge tinc-vpn dhcp system to connect netwerk segments"]]
->
-> # this docu is still in progress # jelle
->
-> ------------------------------------------------------------------------
->
-> # Company: PowerCraft Technology
-> # Author: Copyright Jelle de Jong
-> # Note: Please send me an email if you enhanced the document
-> # Date: 2009-09-15
-> # License: CC-BY-SA
->
-> # This document is free documentation; you can redistribute it and/or
-> # modify it under the terms of the Creative Commons Attribution Share
-> # Alike as published by the Creative Commons Foundation; either version
-> # 3.0 of the License, or (at your option) any later version.
-> #
-> # This document is distributed in the hope that it will be useful,
-> # but WITHOUT ANY WARRANTY; without even the implied warranty of
-> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-> # Creative Commons BY-SA License for more details.
-> #
-> # http://creativecommons.org/licenses/by-sa/
->
-> ------------------------------------------------------------------------
->
-> # information: http://www.tinc-vpn.org/
->
-> ------------------------------------------------------------------------
->
-> apt-get update; apt-get dist-upgrade
->
-> apt-cache show tinc
-> apt-get install tinc/unstable
-> apt-get install bridge-utils/unstable
->
-> ------------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
->
-> ------------------------------------------------------------------------
->
-> # ls -hal /dev/net/tun
-> crw-rw-rw- 1 root root 10, 200 2009-09-11 15:37 /dev/net/tun
->
-> # grep tinc /etc/services
-> tinc 655/tcp # tinc control port
-> tinc 655/udp
->
-> cat /usr/share/doc/tinc/README.Debian
-> zcat /usr/share/doc/tinc/README.gz | less
-> zcat /usr/share/doc/tinc/NEWS.gz | less
-> cat /usr/share/doc/tinc/examples/tinc-up
-> w3m /usr/share/doc/tinc/tinc_0.html
->
-> http://www.tinc-vpn.org/documentation/tinc_toc
->
-> sudo vim /etc/default/tinc
-> EXTRA="-d"
-> cat /etc/default/tinc
->
-> less /etc/init.d/tinc
->
-> ------------------------------------------------------------------------
->
-> ifconfig -a
-> route -n
->
-> ------------------------------------------------------------------------
->
-> # ifconfig -a
-> eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:35 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:5879 errors:0 dropped:0 overruns:0 carrier:1
-> collisions:0 txqueuelen:1000
-> RX bytes:5958 (5.8 KiB) TX bytes:594793 (580.8 KiB)
-> Interrupt:28
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> inet6 addr: ::1/128 Scope:Host
-> UP LOOPBACK RUNNING MTU:16436 Metric:1
-> RX packets:838 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:838 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:87938 (85.8 KiB) TX bytes:87938 (85.8 KiB)
->
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> RX packets:4833 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:4645 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:3
-> RX bytes:952105 (929.7 KiB) TX bytes:319496 (312.0 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
-> 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
->
-> ------------------------------------------------------------------------
->
-> # client02 configuration
-> ------------------------------------------------------------------------
->
-> cat /etc/tinc/nets.boot
-> echo 'myvpn01' | sudo tee --append /etc/tinc/nets.boot
-> cat /etc/tinc/nets.boot
->
-> ------------------------------------------------------------------------
->
-> sudo mkdir --verbose /etc/tinc/myvpn01/
-> sudo mkdir --verbose /etc/tinc/myvpn01/hosts/
-> sudo touch /etc/tinc/myvpn01/tinc.conf
->
-> ------------------------------------------------------------------------
->
-> # on server
-> cat /etc/tinc/myvpn01/hosts/server01
->
-> # on client, copy cert data of server to client
-> sudo vim /etc/tinc/myvpn01/hosts/server01
->
-> # add on head of file
-> Address = 712.661.21.23 # only on client
->
-> ------------------------------------------------------------------------
->
-> echo 'ConnectTo = server01
-> Device = /dev/net/tun
-> Interface = tun0
-> Mode = switch
-> Name = client02' | sudo tee /etc/tinc/myvpn01/tinc.conf
->
-> sudo cat /etc/tinc/myvpn01/tinc.conf
-> sudo chmod 644 /etc/tinc/myvpn01/tinc.conf
-> ls -hal /etc/tinc/myvpn01/tinc.conf
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE 0.0.0.0
-> brctl addif br0 $INTERFACE
-> ifconfig $INTERFACE up' | tee /etc/tinc/myvpn01/tinc-up
->
-> sudo cat /etc/tinc/myvpn01/tinc-up
-> sudo chmod 755 /etc/tinc/myvpn01/tinc-up
-> ls -hal /etc/tinc/myvpn01/tinc-up
->
-> echo '#!/bin/sh
-> ifup br0 &' | sudo tee /etc/tinc/myvpn01/hosts/server01-up
->
-> sudo cat /etc/tinc/myvpn01/hosts/server01-up
-> sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-up
-> ls -hal /etc/tinc/myvpn01/hosts/server01-up
->
-> echo '#!/bin/sh
-> brctl delif br0 $INTERFACE
-> ifconfig $INTERFACE down' | sudo tee /etc/tinc/myvpn01/tinc-down
->
-> sudo cat /etc/tinc/myvpn01/tinc-down
-> sudo chmod 755 /etc/tinc/myvpn01/tinc-down
-> ls -hal /etc/tinc/myvpn01/tinc-down
->
-> echo '#!/bin/sh
-> ifdown br0
-> ifconfig br0 0.0.0.0' | sudo tee /etc/tinc/myvpn01/hosts/server01-down
->
-> sudo cat /etc/tinc/myvpn01/hosts/server01-down
-> sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-down
-> ls -hal /etc/tinc/myvpn01/hosts/server01-down
->
-> ------------------------------------------------------------------------
->
-> sudo rm /etc/tinc/myvpn01/rsa_key.priv
-> sudo rm /etc/tinc/myvpn01/hosts/client02
-> echo 'PMTU = 1280
-> PMTUDiscovery = yes' | sudo tee --append /etc/tinc/myvpn01/hosts/client02
-> sudo tincd -n myvpn01 -K
->
-> ------------------------------------------------------------------------
->
-> # on client add on head of file
-> sudo vim /etc/tinc/myvpn01/hosts/client02
-> Compression = 9
-> TCPOnly = yes
->
-> # on client
-> sudo cat /etc/tinc/myvpn01/hosts/client02
->
-> # on server, copy cert data of client to server
-> vim /etc/tinc/myvpn01/hosts/client02
->
-> ------------------------------------------------------------------------
->
-> # cat /etc/network/interfaces
-> auto lo
-> iface lo inet loopback
->
-> auto ppp0
-> iface ppp0 inet ppp
-> provider mobile-vodafone
->
-> auto eth0
-> iface eth0 inet manual
-> pre-up brctl addbr br0
-> pre-up ifconfig eth0 down
-> pre-up brctl addif br0 eth0
-> pre-up ifconfig eth0 up
-> post-down ifconfig eth0 down
-> post-down brctl delif br0 eth0
-> post-down ifconfig br0 down
-> post-down brctl delbr br0
->
-> iface br0 inet dhcp
-> post-up route del default dev br0
->
-> ------------------------------------------------------------------------
->
-> echo 'interface "br0" {
-> request subnet-mask, broadcast-address, time-offset,
-> host-name, netbios-scope, interface-mtu, ntp-servers;
-> }' | tee --append /etc/dhcp3/dhclient.conf
->
-> cat /etc/dhcp3/dhclient.conf
->
-> ------------------------------------------------------------------------
->
-> sudo /etc/init.d/tinc stop
-> fg
-> sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
->
-> ------------------------------------------------------------------------
->
-> # sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
-> tincd 1.0.9 (Dec 26 2008 14:50:38) starting, debug level 5
->
-> ------------------------------------------------------------------------
->
-> ifconfig -a
-> route -n
-> brctl show
-> brctl showmacs br0
->
-> ------------------------------------------------------------------------
->
-> # ifconfig -a
-> br0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet addr:10.10.3.116 Bcast:10.10.255.255 Mask:255.255.0.0
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:2479 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:209742 (204.8 KiB) TX bytes:10280 (10.0 KiB)
->
-> eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
-> inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:11 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:2430 errors:0 dropped:0 overruns:0 carrier:1
-> collisions:0 txqueuelen:1000
-> RX bytes:1079 (1.0 KiB) TX bytes:237231 (231.6 KiB)
-> Interrupt:28
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> inet6 addr: ::1/128 Scope:Host
-> UP LOOPBACK RUNNING MTU:16436 Metric:1
-> RX packets:516 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:63488 (62.0 KiB) TX bytes:63488 (62.0 KiB)
->
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> RX packets:2028 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:1967 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:3
-> RX bytes:388056 (378.9 KiB) TX bytes:152260 (148.6 KiB)
->
-> tun0 Link encap:Ethernet HWaddr 42:8f:ff:cf:51:a8
-> inet6 addr: fe80::408f:ffff:fecf:51a8/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:2545 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:500
-> RX bytes:249926 (244.0 KiB) TX bytes:10375 (10.1 KiB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
-> 10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
-> 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
->
-> # brctl show
-> bridge name bridge id STP enabled interfaces
-> br0 8000.0026186aa052 no eth0
-> tun0
-> # brctl showmacs br0
-> port no mac addr is local? ageing timer
-> 2 00:01:36:05:ba:5f no 0.00
-> 2 00:02:44:b0:d6:4a no 32.81
-> 2 00:04:23:02:14:d2 no 32.36
-> 2 00:04:75:f6:fb:34 no 181.26
-> 2 00:08:02:1f:bb:2f no 116.37
-> 2 00:08:a1:3f:f9:c6 no 181.46
-> 2 00:08:a1:3f:f9:d8 no 32.93
-> 2 00:0a:5e:43:85:80 no 7.87
-> 2 00:0c:76:50:3a:1e no 226.27
-> 2 00:10:22:fd:87:0d no 80.60
-> 2 00:10:22:fd:88:66 no 78.88
-> 2 00:10:83:57:a9:d9 no 51.13
-> 2 00:10:b5:e8:04:5b no 6.80
-> 2 00:11:09:a9:66:0c no 247.43
-> 2 00:11:09:a9:66:49 no 149.78
-> 2 00:11:09:a9:66:7c no 151.98
-> 2 00:11:09:a9:66:b1 no 24.24
-> 2 00:11:2f:48:16:ac no 0.25
-> 2 00:11:85:d5:ae:b2 no 62.16
-> 2 00:11:85:e9:de:ec no 2.29
-> 2 00:12:79:91:3d:de no 15.00
-> 2 00:13:20:82:bc:19 no 210.92
-> 2 00:13:20:82:bc:82 no 266.75
-> 2 00:13:21:cc:f1:42 no 12.52
-> 2 00:15:f2:0b:c2:6a no 31.42
-> 2 00:15:f2:4b:e9:8a no 13.65
-> 2 00:17:31:77:d7:10 no 166.02
-> 2 00:17:a4:df:77:99 no 288.48
-> 2 00:18:f3:20:f3:aa no 128.37
-> 2 00:18:f3:a3:a5:ec no 15.15
-> 2 00:18:f3:a3:a5:f5 no 107.42
-> 2 00:1b:11:63:e4:08 no 15.46
-> 2 00:1b:11:63:e6:6a no 232.79
-> 2 00:1b:11:63:ff:a7 no 251.39
-> 2 00:1b:21:43:7c:85 no 3.41
-> 2 00:1b:21:44:27:8b no 186.89
-> 2 00:1c:c4:be:54:2e no 9.67
-> 2 00:1e:8c:92:b3:bb no 6.91
-> 2 00:20:6b:54:c1:85 no 202.51
-> 2 00:20:af:aa:71:3d no 25.63
-> 2 00:24:8c:3d:9e:e1 no 0.22
-> 2 00:24:8c:8f:bb:68 no 127.07
-> 1 00:26:18:6a:a0:52 yes 0.00
-> 2 00:40:01:30:29:01 no 27.75
-> 2 00:69:00:12:1e:5c no 218.41
-> 2 00:69:00:12:25:84 no 133.35
-> 2 00:e0:4b:0c:75:2d no 54.79
-> 2 00:e0:4c:02:7c:fb no 9.09
-> 2 00:e0:4c:43:c0:e2 no 194.68
-> 2 42:8f:ff:cf:51:a8 yes 0.00
->
-> ------------------------------------------------------------------------
+ [[!meta title="creating a bridge to bridge tinc-vpn dhcp system to connect netwerk segments"]]
+
+ # this docu is still in progress # jelle
+
+ ------------------------------------------------------------------------
+
+ # Company: PowerCraft Technology
+ # Author: Copyright Jelle de Jong
+ # Note: Please send me an email if you enhanced the document
+ # Date: 2009-09-15
+ # License: CC-BY-SA
+
+ # This document is free documentation; you can redistribute it and/or
+ # modify it under the terms of the Creative Commons Attribution Share
+ # Alike as published by the Creative Commons Foundation; either version
+ # 3.0 of the License, or (at your option) any later version.
+ #
+ # This document is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # Creative Commons BY-SA License for more details.
+ #
+ # http://creativecommons.org/licenses/by-sa/
+
+ ------------------------------------------------------------------------
+
+ # information: http://www.tinc-vpn.org/
+
+ ------------------------------------------------------------------------
+
+ apt-get update; apt-get dist-upgrade
+
+ apt-cache show tinc
+ apt-get install tinc/unstable
+ apt-get install bridge-utils/unstable
+
+ ------------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+
+ ------------------------------------------------------------------------
+
+ # ls -hal /dev/net/tun
+ crw-rw-rw- 1 root root 10, 200 2009-09-11 15:37 /dev/net/tun
+
+ # grep tinc /etc/services
+ tinc 655/tcp # tinc control port
+ tinc 655/udp
+
+ cat /usr/share/doc/tinc/README.Debian
+ zcat /usr/share/doc/tinc/README.gz | less
+ zcat /usr/share/doc/tinc/NEWS.gz | less
+ cat /usr/share/doc/tinc/examples/tinc-up
+ w3m /usr/share/doc/tinc/tinc_0.html
+
+ http://www.tinc-vpn.org/documentation/tinc_toc
+
+ sudo vim /etc/default/tinc
+ EXTRA="-d"
+ cat /etc/default/tinc
+
+ less /etc/init.d/tinc
+
+ ------------------------------------------------------------------------
+
+ ifconfig -a
+ route -n
+
+ ------------------------------------------------------------------------
+
+ # ifconfig -a
+ eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:35 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:5879 errors:0 dropped:0 overruns:0 carrier:1
+ collisions:0 txqueuelen:1000
+ RX bytes:5958 (5.8 KiB) TX bytes:594793 (580.8 KiB)
+ Interrupt:28
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:838 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:838 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:87938 (85.8 KiB) TX bytes:87938 (85.8 KiB)
+
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ RX packets:4833 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:4645 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:3
+ RX bytes:952105 (929.7 KiB) TX bytes:319496 (312.0 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
+ 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
+
+ ------------------------------------------------------------------------
+
+ # client02 configuration
+ ------------------------------------------------------------------------
+
+ cat /etc/tinc/nets.boot
+ echo 'myvpn01' | sudo tee --append /etc/tinc/nets.boot
+ cat /etc/tinc/nets.boot
+
+ ------------------------------------------------------------------------
+
+ sudo mkdir --verbose /etc/tinc/myvpn01/
+ sudo mkdir --verbose /etc/tinc/myvpn01/hosts/
+ sudo touch /etc/tinc/myvpn01/tinc.conf
+
+ ------------------------------------------------------------------------
+
+ # on server
+ cat /etc/tinc/myvpn01/hosts/server01
+
+ # on client, copy cert data of server to client
+ sudo vim /etc/tinc/myvpn01/hosts/server01
+
+ # add on head of file
+ Address = 712.661.21.23 # only on client
+
+ ------------------------------------------------------------------------
+
+ echo 'ConnectTo = server01
+ Device = /dev/net/tun
+ Interface = tun0
+ Mode = switch
+ Name = client02' | sudo tee /etc/tinc/myvpn01/tinc.conf
+
+ sudo cat /etc/tinc/myvpn01/tinc.conf
+ sudo chmod 644 /etc/tinc/myvpn01/tinc.conf
+ ls -hal /etc/tinc/myvpn01/tinc.conf
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif br0 $INTERFACE
+ ifconfig $INTERFACE up' | tee /etc/tinc/myvpn01/tinc-up
+
+ sudo cat /etc/tinc/myvpn01/tinc-up
+ sudo chmod 755 /etc/tinc/myvpn01/tinc-up
+ ls -hal /etc/tinc/myvpn01/tinc-up
+
+ echo '#!/bin/sh
+ ifup br0 &' | sudo tee /etc/tinc/myvpn01/hosts/server01-up
+
+ sudo cat /etc/tinc/myvpn01/hosts/server01-up
+ sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-up
+ ls -hal /etc/tinc/myvpn01/hosts/server01-up
+
+ echo '#!/bin/sh
+ brctl delif br0 $INTERFACE
+ ifconfig $INTERFACE down' | sudo tee /etc/tinc/myvpn01/tinc-down
+
+ sudo cat /etc/tinc/myvpn01/tinc-down
+ sudo chmod 755 /etc/tinc/myvpn01/tinc-down
+ ls -hal /etc/tinc/myvpn01/tinc-down
+
+ echo '#!/bin/sh
+ ifdown br0
+ ifconfig br0 0.0.0.0' | sudo tee /etc/tinc/myvpn01/hosts/server01-down
+
+ sudo cat /etc/tinc/myvpn01/hosts/server01-down
+ sudo chmod 755 /etc/tinc/myvpn01/hosts/server01-down
+ ls -hal /etc/tinc/myvpn01/hosts/server01-down
+
+ ------------------------------------------------------------------------
+
+ sudo rm /etc/tinc/myvpn01/rsa_key.priv
+ sudo rm /etc/tinc/myvpn01/hosts/client02
+ echo 'PMTU = 1280
+ PMTUDiscovery = yes' | sudo tee --append /etc/tinc/myvpn01/hosts/client02
+ sudo tincd -n myvpn01 -K
+
+ ------------------------------------------------------------------------
+
+ # on client add on head of file
+ sudo vim /etc/tinc/myvpn01/hosts/client02
+ Compression = 9
+ TCPOnly = yes
+
+ # on client
+ sudo cat /etc/tinc/myvpn01/hosts/client02
+
+ # on server, copy cert data of client to server
+ vim /etc/tinc/myvpn01/hosts/client02
+
+ ------------------------------------------------------------------------
+
+ # cat /etc/network/interfaces
+ auto lo
+ iface lo inet loopback
+
+ auto ppp0
+ iface ppp0 inet ppp
+ provider mobile-vodafone
+
+ auto eth0
+ iface eth0 inet manual
+ pre-up brctl addbr br0
+ pre-up ifconfig eth0 down
+ pre-up brctl addif br0 eth0
+ pre-up ifconfig eth0 up
+ post-down ifconfig eth0 down
+ post-down brctl delif br0 eth0
+ post-down ifconfig br0 down
+ post-down brctl delbr br0
+
+ iface br0 inet dhcp
+ post-up route del default dev br0
+
+ ------------------------------------------------------------------------
+
+ echo 'interface "br0" {
+ request subnet-mask, broadcast-address, time-offset,
+ host-name, netbios-scope, interface-mtu, ntp-servers;
+ }' | tee --append /etc/dhcp3/dhclient.conf
+
+ cat /etc/dhcp3/dhclient.conf
+
+ ------------------------------------------------------------------------
+
+ sudo /etc/init.d/tinc stop
+ fg
+ sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
+
+ ------------------------------------------------------------------------
+
+ # sudo /usr/sbin/tincd --net myvpn01 --no-detach --debug=5
+ tincd 1.0.9 (Dec 26 2008 14:50:38) starting, debug level 5
+
+ ------------------------------------------------------------------------
+
+ ifconfig -a
+ route -n
+ brctl show
+ brctl showmacs br0
+
+ ------------------------------------------------------------------------
+
+ # ifconfig -a
+ br0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet addr:10.10.3.116 Bcast:10.10.255.255 Mask:255.255.0.0
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2479 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:209742 (204.8 KiB) TX bytes:10280 (10.0 KiB)
+
+ eth0 Link encap:Ethernet HWaddr 00:26:18:6a:a0:52
+ inet6 addr: fe80::226:18ff:fe6a:a052/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:11 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:2430 errors:0 dropped:0 overruns:0 carrier:1
+ collisions:0 txqueuelen:1000
+ RX bytes:1079 (1.0 KiB) TX bytes:237231 (231.6 KiB)
+ Interrupt:28
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:516 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:63488 (62.0 KiB) TX bytes:63488 (62.0 KiB)
+
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr:10.79.163.113 P-t-P:10.64.64.64 Mask:255.255.255.255
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ RX packets:2028 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:1967 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:3
+ RX bytes:388056 (378.9 KiB) TX bytes:152260 (148.6 KiB)
+
+ tun0 Link encap:Ethernet HWaddr 42:8f:ff:cf:51:a8
+ inet6 addr: fe80::408f:ffff:fecf:51a8/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2545 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:500
+ RX bytes:249926 (244.0 KiB) TX bytes:10375 (10.1 KiB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
+ 10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
+ 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
+
+ # brctl show
+ bridge name bridge id STP enabled interfaces
+ br0 8000.0026186aa052 no eth0
+ tun0
+ # brctl showmacs br0
+ port no mac addr is local? ageing timer
+ 2 00:01:36:05:ba:5f no 0.00
+ 2 00:02:44:b0:d6:4a no 32.81
+ 2 00:04:23:02:14:d2 no 32.36
+ 2 00:04:75:f6:fb:34 no 181.26
+ 2 00:08:02:1f:bb:2f no 116.37
+ 2 00:08:a1:3f:f9:c6 no 181.46
+ 2 00:08:a1:3f:f9:d8 no 32.93
+ 2 00:0a:5e:43:85:80 no 7.87
+ 2 00:0c:76:50:3a:1e no 226.27
+ 2 00:10:22:fd:87:0d no 80.60
+ 2 00:10:22:fd:88:66 no 78.88
+ 2 00:10:83:57:a9:d9 no 51.13
+ 2 00:10:b5:e8:04:5b no 6.80
+ 2 00:11:09:a9:66:0c no 247.43
+ 2 00:11:09:a9:66:49 no 149.78
+ 2 00:11:09:a9:66:7c no 151.98
+ 2 00:11:09:a9:66:b1 no 24.24
+ 2 00:11:2f:48:16:ac no 0.25
+ 2 00:11:85:d5:ae:b2 no 62.16
+ 2 00:11:85:e9:de:ec no 2.29
+ 2 00:12:79:91:3d:de no 15.00
+ 2 00:13:20:82:bc:19 no 210.92
+ 2 00:13:20:82:bc:82 no 266.75
+ 2 00:13:21:cc:f1:42 no 12.52
+ 2 00:15:f2:0b:c2:6a no 31.42
+ 2 00:15:f2:4b:e9:8a no 13.65
+ 2 00:17:31:77:d7:10 no 166.02
+ 2 00:17:a4:df:77:99 no 288.48
+ 2 00:18:f3:20:f3:aa no 128.37
+ 2 00:18:f3:a3:a5:ec no 15.15
+ 2 00:18:f3:a3:a5:f5 no 107.42
+ 2 00:1b:11:63:e4:08 no 15.46
+ 2 00:1b:11:63:e6:6a no 232.79
+ 2 00:1b:11:63:ff:a7 no 251.39
+ 2 00:1b:21:43:7c:85 no 3.41
+ 2 00:1b:21:44:27:8b no 186.89
+ 2 00:1c:c4:be:54:2e no 9.67
+ 2 00:1e:8c:92:b3:bb no 6.91
+ 2 00:20:6b:54:c1:85 no 202.51
+ 2 00:20:af:aa:71:3d no 25.63
+ 2 00:24:8c:3d:9e:e1 no 0.22
+ 2 00:24:8c:8f:bb:68 no 127.07
+ 1 00:26:18:6a:a0:52 yes 0.00
+ 2 00:40:01:30:29:01 no 27.75
+ 2 00:69:00:12:1e:5c no 218.41
+ 2 00:69:00:12:25:84 no 133.35
+ 2 00:e0:4b:0c:75:2d no 54.79
+ 2 00:e0:4c:02:7c:fb no 9.09
+ 2 00:e0:4c:43:c0:e2 no 194.68
+ 2 42:8f:ff:cf:51:a8 yes 0.00
+
+ ------------------------------------------------------------------------
diff --git a/examples/bridging.mdwn b/examples/bridging.mdwn
index c7c0d8f..d1c1867 100644
--- a/examples/bridging.mdwn
+++ b/examples/bridging.mdwn
@@ -43,49 +43,49 @@ a tinc VPN be contained within the same subnet (in this example, the subnet is 192.168.0.0/16). This is no different from the configuration that would be required if tinc was replaced with an actual switch or hub.
-> host# brctl addbr bridge
-> host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
->
-> host# ifconfig eth1 0.0.0.0
-> host# brctl addif bridge eth1
-> host# ifconfig eth1 up
->
-> After starting tinc:
->
-> host# brctl show
-> bridge name bridge id STP enabled interfaces
-> bridge 8000.005004003002 yes eth1
-> vpn
->
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr:127.0.0.1 Mask:255.0.0.0
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
->
-> vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
-> 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
-> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
+ host# brctl addbr bridge
+ host# ifconfig bridge 192.168.10.20 netmask 255.255.0.0
+
+ host# ifconfig eth1 0.0.0.0
+ host# brctl addif bridge eth1
+ host# ifconfig eth1 up
+
+ After starting tinc:
+
+ host# brctl show
+ bridge name bridge id STP enabled interfaces
+ bridge 8000.005004003002 yes eth1
+ vpn
+
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ bridge Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ inet addr:192.168.10.20 Bcast:192.168.255.255 Mask:255.255.0.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+
+ vpn Link encap:Ethernet HWaddr 00:11:22:33:44:55
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
+ 192.168.0.0 * 255.255.0.0 U 0 0 0 bridge
+ default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
 ### Configuration of tinc
@@ -96,32 +96,32 @@ mode, all packets are forwarded to the remote tinc instance. In switch mode, tinc maintains an ARP cache to determine whether any received packet should be forwarded to the remote tinc instance.
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = segment1
-> Mode = switch
-> ConnectTo = segment2
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE 0.0.0.0
-> brctl addif bridge $INTERFACE
-> ifconfig $INTERFACE up
->
-> host# ls /etc/tinc/vpn/hosts
-> segment1 segment2 ...
->
-> host# cat /etc/tinc/vpn/hosts/segment1
-> Address = 123.234.123.42
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/segment2
-> Address = 200.201.202.203
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = segment1
+ Mode = switch
+ ConnectTo = segment2
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE 0.0.0.0
+ brctl addif bridge $INTERFACE
+ ifconfig $INTERFACE up
+
+ host# ls /etc/tinc/vpn/hosts
+ segment1 segment2 ...
+
+ host# cat /etc/tinc/vpn/hosts/segment1
+ Address = 123.234.123.42
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/segment2
+ Address = 200.201.202.203
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
 ### Additional Configuration
diff --git a/examples/cross-compiling-64-bit-windows-binary.mdwn b/examples/cross-compiling-64-bit-windows-binary.mdwn
index 3e166f3..be17ae2 100644
--- a/examples/cross-compiling-64-bit-windows-binary.mdwn
+++ b/examples/cross-compiling-64-bit-windows-binary.mdwn
@@ -21,8 +21,8 @@ The idea is simple: There are only a few packages that need to be installed as root to get started:
-> sudo apt-get install gcc-mingw32 mingw64 git-core wget
-> sudo apt-get build-dep tinc
+ sudo apt-get install gcc-mingw32 mingw64 git-core wget
+ sudo apt-get build-dep tinc
 Other Linux distributions may also have 64-bit MinGW packages, use their respective package management tools to install them. Debian installs the cross-compiler
@@ -36,7 +36,7 @@ well, in the future this might be put into its own package. Also, a header file is missing in the amd64-mingw32msvc include directory, a workaround is to create a symlink to the otherwise identical 32-bit version of that header file:
-> ln -s ../../i586-mingw32msvc/include/getopt.h /usr/amd64-mingw32msvc/include/getopt.h
+ ln -s ../../i586-mingw32msvc/include/getopt.h /usr/amd64-mingw32msvc/include/getopt.h
 ### Setting up the build directory and getting the sources
@@ -44,12 +44,12 @@ We will create a directory called `mingw64/` in the home directory. We use apt-get and wget to get the required libraries necessary for tinc, and use `git` to get the latest development version of tinc.
-> mkdir $HOME/mingw64
-> cd $HOME/mingw64
-> apt-get source liblzo2-dev zlib1g-dev
-> wget http://www.openssl.org/source/openssl-1.0.0.tar.gz
-> tar xzf openssl-1.0.0.tar.gz
-> git clone git://tinc-vpn.org/tinc
+ mkdir $HOME/mingw64
+ cd $HOME/mingw64
+ apt-get source liblzo2-dev zlib1g-dev
+ wget http://www.openssl.org/source/openssl-1.0.0.tar.gz
+ tar xzf openssl-1.0.0.tar.gz
+ git clone git://tinc-vpn.org/tinc
 ### Making cross-compilation easy
@@ -57,20 +57,20 @@ To make cross-compiling easy, we create a script called `mingw64` that will set up the necessary environment variables so configure scripts and Makefiles will use the 64-bit MinGW version of GCC and binutils:
-> mkdir $HOME/bin
-> cat >$HOME/bin/mingw64 << EOF
-> #!/bin/sh
-> export CC=amd64-mingw32msvc-gcc
-> export CXX=amd64-mingw32msvc-g++
-> export CPP=amd64-mingw32msvc-cpp
-> export RANLIB=amd64-mingw32msvc-ranlib
-> export PATH="/usr/amd64-mingw32msvc/bin:$PATH"
-> exec "$@"
-> EOF
+ mkdir $HOME/bin
+ cat >$HOME/bin/mingw64 << EOF
+ #!/bin/sh
+ export CC=amd64-mingw32msvc-gcc
+ export CXX=amd64-mingw32msvc-g++
+ export CPP=amd64-mingw32msvc-cpp
+ export RANLIB=amd64-mingw32msvc-ranlib
+ export PATH="/usr/amd64-mingw32msvc/bin:$PATH"
+ exec "$@"
+ EOF
 If `$HOME/bin` is not already part of your `$PATH`, you need to add it:
-> export PATH="$HOME/bin:$PATH"
+ export PATH="$HOME/bin:$PATH"
 We use this script to call `./configure` and `make` with the right environment variables, but only when the `./configure` script doesn't support cross-compilation itself.
@@ -84,10 +84,10 @@ time it is needed. Cross-compiling LZO is easy:
-> cd $HOME/mingw64/lzo2-2.03
-> ./configure --host=amd64-mingw32msvc
-> make
-> DESTDIR=$HOME/mingw64 make install
+ cd $HOME/mingw64/lzo2-2.03
+ ./configure --host=amd64-mingw32msvc
+ make
+ DESTDIR=$HOME/mingw64 make install
 If it fails with a message about not passing the "ACC" test, create a symlink for the missing getopt.h file as mentioned above.
@@ -97,20 +97,20 @@ create a symlink for the missing getopt.h file as mentioned above. Cross-compiling Zlib is also easy, but a plain `make` failed to compile the tests, so we only build the static library here:
-> cd $HOME/mingw64/zlib-1.2.3.3.dfsg
-> mingw64 ./configure
-> mingw64 make libz.a
-> DESTDIR=$HOME/mingw64 mingw64 make install
+ cd $HOME/mingw64/zlib-1.2.3.3.dfsg
+ mingw64 ./configure
+ mingw64 make libz.a
+ DESTDIR=$HOME/mingw64 mingw64 make install
 ### Compiling OpenSSL
 Although older versions will not compile, OpenSSL 1.0.0 is easy. Do not use the `-j` option when compiling OpenSSL, it will break.
-> cd $HOME/mingw64/openssl-1.0.0
-> mingw64 ./Configure --openssldir=$HOME/mingw64/usr/local mingw64
-> mingw64 make
-> mingw64 make install
+ cd $HOME/mingw64/openssl-1.0.0
+ mingw64 ./Configure --openssldir=$HOME/mingw64/usr/local mingw64
+ mingw64 make
+ mingw64 make install
 ### Compiling tinc
@@ -119,7 +119,7 @@ tinc. Since we use a clone of the git repository here, we need to run `autoreconf` first. If you want to cross-compile tinc from a released tarball, this is not necessary.
-> cd $HOME/mingw64/tinc
-> autoreconf -fsi
-> ./configure --host=amd64-mingw32msvc --with-openssl=$HOME/mingw64/usr/local
-> make
+ cd $HOME/mingw64/tinc
+ autoreconf -fsi
+ ./configure --host=amd64-mingw32msvc --with-openssl=$HOME/mingw64/usr/local
+ make
diff --git a/examples/cross-compiling-windows-binary.mdwn b/examples/cross-compiling-windows-binary.mdwn
index 27ea13b..fbfba1e 100644
--- a/examples/cross-compiling-windows-binary.mdwn
+++ b/examples/cross-compiling-windows-binary.mdwn
@@ -24,8 +24,8 @@ The idea is simple: There are only a few packages that need to be installed as root to get started: -> sudo apt-get install mingw32 wine git-core -> sudo apt-get build-dep tinc + sudo apt-get install mingw32 wine git-core + sudo apt-get build-dep tinc Other Linux distributions may also have MinGW packages, use their respective package management tools to install them. Debian installs the cross-compiler @@ -40,10 +40,10 @@ We will create a directory called `mingw/` in the home directory. We use apt-get to get the required libraries necessary for tinc, and use `git` to get the latest development version of tinc. -> mkdir $HOME/mingw -> cd $HOME/mingw -> apt-get source openssl liblzo2-dev zlib1g-dev -> git clone git://tinc-vpn.org/tinc + mkdir $HOME/mingw + cd $HOME/mingw + apt-get source openssl liblzo2-dev zlib1g-dev + git clone git://tinc-vpn.org/tinc ### Making cross-compilation easy @@ -51,20 +51,20 @@ To make cross-compiling easy, we create a script called `mingw` that will set up the necessary environment variables so configure scripts and Makefiles will use the MinGW version of GCC and binutils: -> mkdir $HOME/bin -> cat >$HOME/bin/mingw << EOF -> #!/bin/sh -> export CC=i586-mingw32msvc-gcc -> export CXX=i586-mingw32msvc-g++ -> export CPP=i586-mingw32msvc-cpp -> export RANLIB=i586-mingw32msvc-ranlib -> export PATH="/usr/i586-mingw32msvc/bin:$PATH" -> exec "$@" -> EOF + mkdir $HOME/bin + cat >$HOME/bin/mingw << EOF + #!/bin/sh + export CC=i586-mingw32msvc-gcc + export CXX=i586-mingw32msvc-g++ + export CPP=i586-mingw32msvc-cpp + export RANLIB=i586-mingw32msvc-ranlib + export PATH="/usr/i586-mingw32msvc/bin:$PATH" + exec "$@" + EOF If `$HOME/bin` is not already part of your `$PATH`, you need to add it: -> export PATH="$HOME/bin:$PATH" + export PATH="$HOME/bin:$PATH" We use this script to call `./configure` and `make` with the right environment variables, but only when the `./configure` script doesn't support cross-compilation itself. 
@@ -78,20 +78,20 @@ time it is needed. Cross-compiling LZO is easy: -> cd $HOME/mingw/lzo2-2.03 -> ./configure --host=i586-mingw32msvc -> make -> DESTDIR=$HOME/mingw make install + cd $HOME/mingw/lzo2-2.03 + ./configure --host=i586-mingw32msvc + make + DESTDIR=$HOME/mingw make install ### Compiling Zlib Cross-compiling Zlib is also easy, but a plain `make` failed to compile the tests, so we only build the static library here: -> cd $HOME/mingw/zlib-1.2.3.3.dfsg -> mingw ./configure -> mingw make libz.a -> DESTDIR=$HOME/mingw mingw make install + cd $HOME/mingw/zlib-1.2.3.3.dfsg + mingw ./configure + mingw make libz.a + DESTDIR=$HOME/mingw mingw make install ### Compiling OpenSSL @@ -102,11 +102,11 @@ this [[openssl-cross-compilation.diff]] to your home directory, then patch OpenSSL, and then compile as usual. Do not use the `-j` option when compiling OpenSSL, it will break. -> cd $HOME/mingw/openssl-0.9.8k -> patch < $HOME/openssl-cross-compilation.diff -> mingw ./Configure --openssldir=$HOME/mingw/usr/local mingw -> mingw make -> mingw make install + cd $HOME/mingw/openssl-0.9.8k + patch < $HOME/openssl-cross-compilation.diff + mingw ./Configure --openssldir=$HOME/mingw/usr/local mingw + mingw make + mingw make install ### Compiling tinc @@ -115,10 +115,10 @@ tinc. Since we use a clone of the git repository here, we need to run `autoreconf` first. If you want to cross-compile tinc from a released tarball, this is not necessary. -> cd $HOME/mingw/tinc -> autoreconf -fsi -> ./configure --host=i586-mingw32msvc --with-openssl=$HOME/mingw/usr/local -> make + cd $HOME/mingw/tinc + autoreconf -fsi + ./configure --host=i586-mingw32msvc --with-openssl=$HOME/mingw/usr/local + make ### Testing tinc 
@@ -126,5 +126,5 @@ Since Wine was installed, you can execute the resulting binary even on Linux. You cannot do much however, since tinc requires a TAP-Win32 device, which is not available in Wine. Still, the following command should work: -> $HOME/mingw/tinc/src/tincd.exe --help + $HOME/mingw/tinc/src/tincd.exe --help diff --git a/examples/firewall.mdwn b/examples/firewall.mdwn index 2a97952..dcc1ae8 100644 --- a/examples/firewall.mdwn +++ b/examples/firewall.mdwn 
@@ -29,133 +29,133 @@ masquerading firewall example. ### Configuration of the host running tinc -> host# ifconfig -> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 -> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... -> -> vpn Link encap:Point-to-Point Protocol -> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0 -> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 -> ... -> -> host# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0 -> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn -> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0 -> -> host# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> host# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination + host# ifconfig + eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 + inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... 
+ + vpn Link encap:Point-to-Point Protocol + inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0 + UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 + ... + + host# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0 + 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn + default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0 + + host# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + host# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination ### Configuration of tinc -> host# cat /etc/tinc/vpn/tinc.conf -> Name = atwork -> ConnectTo = home -> -> host# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0 -> -> host# ls /etc/tinc/vpn/hosts -> atwork home -> -> host# cat /etc/tinc/vpn/hosts/atwork -> Address = 123.234.123.42 -> Subnet = 192.168.10.20/32 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> host# cat /etc/tinc/vpn/hosts/home -> Address = 200.201.202.203 -> Subnet = 192.168.1.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... 
-> -----END RSA PUBLIC KEY----- + host# cat /etc/tinc/vpn/tinc.conf + Name = atwork + ConnectTo = home + + host# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0 + + host# ls /etc/tinc/vpn/hosts + atwork home + + host# cat /etc/tinc/vpn/hosts/atwork + Address = 123.234.123.42 + Subnet = 192.168.10.20/32 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + host# cat /etc/tinc/vpn/hosts/home + Address = 200.201.202.203 + Subnet = 192.168.1.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- ### Configuration of the firewall -> firewall# ifconfig -> ppp0 Link encap:Point-to-Point Protocol -> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 -> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 -> ... -> -> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 -> inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... 
-> -> firewall# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0 -> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 -> -> firewall# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy DROP 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 10.20.30.0/24 tcp flags:!SYN,RST,ACK/SYN -> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere -> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655 -> 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655 -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> firewall# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> firewall # cat /etc/init.d/firewall -> #!/bin/sh -> -> echo 1 >/proc/sys/net/ipv4/ip_forward -> -> iptables -P FORWARD DROP -> iptables -F FORWARD -> iptables -A FORWARD -j ACCEPT -i ppp0 -d 10.20.30.0/24 -p tcp ! --syn -> iptables -A FORWARD -j ACCEPT -i eth0 -s 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.132.42 -p tcp --dport 655 -> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.132.42 -p udp --dport 655 + firewall# ifconfig + ppp0 Link encap:Point-to-Point Protocol + inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 + UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 + ... 
+ + eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 + inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... + + firewall# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0 + default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 + + firewall# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy DROP 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 10.20.30.0/24 tcp flags:!SYN,RST,ACK/SYN + 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere + 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655 + 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655 + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + firewall# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + firewall # cat /etc/init.d/firewall + #!/bin/sh + + echo 1 >/proc/sys/net/ipv4/ip_forward + + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -A FORWARD -j ACCEPT -i ppp0 -d 10.20.30.0/24 -p tcp ! --syn + iptables -A FORWARD -j ACCEPT -i eth0 -s 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.132.42 -p tcp --dport 655 + iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.132.42 -p udp --dport 655 
diff --git a/examples/ipv6-network.mdwn b/examples/ipv6-network.mdwn index 653dc11..707bd5b 100644 --- a/examples/ipv6-network.mdwn +++ b/examples/ipv6-network.mdwn @@ -26,10 +26,10 @@ This document is to highlight an example setup for using tinc to create an IPv6 ### Configuration Files 1. On Debian/Ubuntu systems, an entry in "/etc/network/interfaces" can be used to statically assign the ::1 address for the local LAN. Example: -> iface eth1 inet6 static -> address 2001:db8:beef::1::1 -> netmask 64 -> mtu 1280 + iface eth1 inet6 static + address 2001:db8:beef::1::1 + netmask 64 + mtu 1280 On non Debian/Ubuntu systems, a line can be put in a boot script, such as "ip -6 addr add 2001:db8:beef:1::1/64 dev eth1". 2. IPv6 forwarding needs to be enabled: put "echo "1" >/proc/sys/net/ipv6/conf/all/forwarding" in a boot script, or "net.ipv6.conf.all.forwarding = 1" in "/etc/sysctl.conf". 
@@ -38,62 +38,62 @@ This document is to highlight an example setup for using tinc to create an IPv6 4. It is assumed that the config files go into something like "/etc/tinc/link" and "/etc/tinc/nets.boot" has an entry for "link". The following table can be used to guide configuration of routers: * "routera" configuration for tinc (the master router): -> >cat tinc.conf -> Name = routera -> Mode = switch -> Interface = vpn6 -> -> >cat tinc-up -> #!/bin/sh -> #Enable tinc -> ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000 -> ip -6 addr add 2001:db8:beef::1/64 dev $INTERFACE -> ip -6 route add 2001:db8:beef::/48 dev $INTERFACE -> #Static routing table -> ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2 -> ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3 -> ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4 -> -> >cat tinc-down -> #!/bin/sh -> #Static routing table -> ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef:::2 -> ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef:::3 -> ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef:::4 -> #Disable tinc -> ip -6 route del 2001:db8:beef::/48 dev $INTERFACE -> ip -6 addr del 2001:db8:beef::1/64 dev $INTERFACE -> ip -6 link set $INTERFACE down -> + >cat tinc.conf + Name = routera + Mode = switch + Interface = vpn6 + + >cat tinc-up + #!/bin/sh + #Enable tinc + ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000 + ip -6 addr add 2001:db8:beef::1/64 dev $INTERFACE + ip -6 route add 2001:db8:beef::/48 dev $INTERFACE + #Static routing table + ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2 + ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3 + ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4 + + >cat tinc-down + #!/bin/sh + #Static routing table + ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef:::2 + ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef:::3 + ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef:::4 + #Disable tinc + ip -6 route del 
2001:db8:beef::/48 dev $INTERFACE + ip -6 addr del 2001:db8:beef::1/64 dev $INTERFACE + ip -6 link set $INTERFACE down + * "routerb" configuration for tinc (the other non-master routers will be like this one): -> >cat tinc.conf -> Name=routerb -> Mode = switch -> ConnectTo = routera -> Interface = vpn6 -> -> >cat tinc-up -> #!/bin/sh -> ip -6 link set $INTERFACE up mtu 1280 -> ip -6 addr add 2001:db8:beef::2/64 dev $INTERFACE -> ip -6 route add default via 2001:db8:beef::1 -> -> >cat tinc-down -> #!/bin/sh -> ip -6 route del default via 2001:db8:beef::1 -> ip -6 addr del 2001:db8:beef::2/64 dev $INTERFACE -> ip -6 link set $INTERFACE down + >cat tinc.conf + Name=routerb + Mode = switch + ConnectTo = routera + Interface = vpn6 + + >cat tinc-up + #!/bin/sh + ip -6 link set $INTERFACE up mtu 1280 + ip -6 addr add 2001:db8:beef::2/64 dev $INTERFACE + ip -6 route add default via 2001:db8:beef::1 + + >cat tinc-down + #!/bin/sh + ip -6 route del default via 2001:db8:beef::1 + ip -6 addr del 2001:db8:beef::2/64 dev $INTERFACE + ip -6 link set $INTERFACE down 5. You can use [radvd](http://www.litech.org/radvd/) or [Quagga](http://www.quagga.net/) to perform [stateless address autoconfiguration](http://www.ietf.org/rfc/rfc2462.txt) on your LAN. This is an example zebra.conf for LAN autoconfiguration (don't forget to enable the zebra daemon): -> ipv6 forwarding -> ! -> interface eth1 -> no ipv6 nd suppress-ra -> ipv6 address 2001:db8:beef:1::1/64 -> ipv6 nd prefix 2001:db8:beef:1::/64 -> ipv6 nd ra-interval 10 -> ! -> interface vpn6 -> ! -> interface lo + ipv6 forwarding + ! + interface eth1 + no ipv6 nd suppress-ra + ipv6 address 2001:db8:beef:1::1/64 + ipv6 nd prefix 2001:db8:beef:1::/64 + ipv6 nd ra-interval 10 + ! + interface vpn6 + ! + interface lo diff --git a/examples/masquerading-firewall.mdwn b/examples/masquerading-firewall.mdwn index 6305950..e9e47dd 100644 --- a/examples/masquerading-firewall.mdwn +++ b/examples/masquerading-firewall.mdwn 
@@ -25,142 +25,142 @@ The network setup is as follows: ### Configuration of the host running tinc -> host# ifconfig -> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 -> inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... -> -> vpn Link encap:Point-to-Point Protocol -> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0 -> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 -> ... -> -> host# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 -> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn -> default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0 -> -> host# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> host# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination + host# ifconfig + eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 + inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... 
+ + vpn Link encap:Point-to-Point Protocol + inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0 + UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 + ... + + host# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 + 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn + default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0 + + host# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + host# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination ### Configuration of tinc -> host# cat /etc/tinc/vpn/tinc.conf -> Name = atwork -> ConnectTo = home -> -> host# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0 -> -> host# ls /etc/tinc/vpn/hosts -> atwork home -> -> host# cat /etc/tinc/vpn/hosts/atwork -> Address = 123.234.123.1 -> Subnet = 192.168.10.20/32 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> host# cat /etc/tinc/vpn/hosts/home -> Address = 200.201.202.203 -> Subnet = 192.168.1.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... 
-> -----END RSA PUBLIC KEY----- + host# cat /etc/tinc/vpn/tinc.conf + Name = atwork + ConnectTo = home + + host# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0 + + host# ls /etc/tinc/vpn/hosts + atwork home + + host# cat /etc/tinc/vpn/hosts/atwork + Address = 123.234.123.1 + Subnet = 192.168.10.20/32 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + host# cat /etc/tinc/vpn/hosts/home + Address = 200.201.202.203 + Subnet = 192.168.1.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- ### Configuration of the firewall -> firewall# ifconfig -> ppp0 Link encap:Point-to-Point Protocol -> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 -> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 -> ... -> -> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 -> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... 
-> -> firewall# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 -> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 -> -> firewall# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy DROP 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 -> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> firewall# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655 -> 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655 -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> firewall# cat /etc/init.d/firewall -> #!/bin/sh -> -> echo 1 >/proc/sys/net/ipv4/ip_forward -> -> iptables -P FORWARD DROP -> iptables -F FORWARD -> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 -> -> iptables -t nat -F POSTROUTING -> # Next rule prevents masquerading from altering source port of outbound tinc packets -> iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655 -> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 -> -> iptables -t nat -F PREROUTING -> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc -> iptables -t 
nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655 -> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655 + firewall# ifconfig + ppp0 Link encap:Point-to-Point Protocol + inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 + UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 + ... + + eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 + inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... + + firewall# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 + default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 + + firewall# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy DROP 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 + 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + firewall# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655 + 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655 + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + firewall# cat /etc/init.d/firewall + #!/bin/sh + + echo 1 >/proc/sys/net/ipv4/ip_forward + + iptables -P 
FORWARD DROP + iptables -F FORWARD + iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 + + iptables -t nat -F POSTROUTING + # Next rule prevents masquerading from altering source port of outbound tinc packets + iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655 + iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 + + iptables -t nat -F PREROUTING + # Next two rules forward incoming tinc packets to the host behind the firewall running tinc + iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655 + iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655 diff --git a/examples/on-firewall.mdwn b/examples/on-firewall.mdwn index e645168..c47ad41 100644 --- a/examples/on-firewall.mdwn +++ b/examples/on-firewall.mdwn 
@@ -22,106 +22,106 @@ The network setup is as follows: ### Configuration of the firewall running tinc -> firewall# ifconfig -> ppp0 Link encap:Point-to-Point Protocol -> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 -> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 -> ... -> -> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 -> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... -> -> vpn Link encap:Point-to-Point Protocol -> inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0 -> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 -> ... -> -> firewall# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 -> 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn -> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 -> -> firewall# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy DROP 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 -> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere -> 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24 -> 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16 -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> firewall# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes 
target prot opt in out source destination -> -> firewall# cat /etc/init.d/firewall -> #!/bin/sh -> -> echo 1 >/proc/sys/net/ipv4/ip_forward -> -> iptables -P FORWARD DROP -> iptables -F FORWARD -> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16 -> -> iptables -t nat -F POSTROUTING -> iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0 + firewall# ifconfig + ppp0 Link encap:Point-to-Point Protocol + inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 + UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 + ... + + eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 + inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... + + vpn Link encap:Point-to-Point Protocol + inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0 + UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 + ... 
+ + firewall# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 + 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn + default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 + + firewall# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy DROP 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 + 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere + 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24 + 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16 + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + firewall# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + firewall# cat /etc/init.d/firewall + #!/bin/sh + + echo 1 >/proc/sys/net/ipv4/ip_forward + + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16 + + iptables -t nat -F POSTROUTING + iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0 ### Configuration of tinc -> firewall# cat /etc/tinc/vpn/tinc.conf -> Name = office -> ConnectTo = branch -> Interface = vpn -> -> firewall# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig $INTERFACE 
10.20.30.1 netmask 255.255.0.0 -> -> firewall# ls /etc/tinc/vpn/hosts -> office branch employee_smith employee_jones ... -> -> firewall# cat /etc/tinc/vpn/hosts/office -> Address = 123.234.123.1 -> Subnet = 10.20.30.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> firewall# cat /etc/tinc/vpn/hosts/branch -> Address = 123.234.213.129 -> Subnet = 10.20.40.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> firewall# cat /etc/tinc/vpn/hosts/employee_smith -> Address = 200.201.202.203 -> Subnet = 10.20.50.1/32 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- + firewall# cat /etc/tinc/vpn/tinc.conf + Name = office + ConnectTo = branch + Interface = vpn + + firewall# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0 + + firewall# ls /etc/tinc/vpn/hosts + office branch employee_smith employee_jones ... + + firewall# cat /etc/tinc/vpn/hosts/office + Address = 123.234.123.1 + Subnet = 10.20.30.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + firewall# cat /etc/tinc/vpn/hosts/branch + Address = 123.234.213.129 + Subnet = 10.20.40.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + firewall# cat /etc/tinc/vpn/hosts/employee_smith + Address = 200.201.202.203 + Subnet = 10.20.50.1/32 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- diff --git a/examples/proxy-arp.mdwn b/examples/proxy-arp.mdwn index 70cb092..834e84c 100644 --- a/examples/proxy-arp.mdwn +++ b/examples/proxy-arp.mdwn 
@@ -22,46 +22,46 @@ The network setup is as follows: ### Configuration of tinc at the office -> host# cat /etc/tinc/vpn/tinc.conf -> Name = office -> #Optional: -> #Mode = switch -> -> host# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255 -> route add 192.168.1.123 dev $INTERFACE -> echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp -> echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp -> -> host# ls /etc/tinc/vpn/hosts -> office roadwarrior ... -> -> host# cat /etc/tinc/vpn/hosts/office -> Address = 123.234.123.42 -> Subnet = 192.168.1.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> host# cat /etc/tinc/vpn/hosts/roadwarrior -> Subnet = 192.168.1.123 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- + host# cat /etc/tinc/vpn/tinc.conf + Name = office + #Optional: + #Mode = switch + + host# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 192.168.1.2 netmask 255.255.255.255 + route add 192.168.1.123 dev $INTERFACE + echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp + echo 1 >/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp + + host# ls /etc/tinc/vpn/hosts + office roadwarrior ... + + host# cat /etc/tinc/vpn/hosts/office + Address = 123.234.123.42 + Subnet = 192.168.1.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + host# cat /etc/tinc/vpn/hosts/roadwarrior + Subnet = 192.168.1.123 + -----BEGIN RSA PUBLIC KEY----- + ... 
+ -----END RSA PUBLIC KEY----- ### Configuration of tinc at the road warrior -> host# cat /etc/tinc/vpn/tinc.conf -> Name = roadwarrior -> #Optional: -> #Mode = switch -> -> host# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0 + host# cat /etc/tinc/vpn/tinc.conf + Name = roadwarrior + #Optional: + #Mode = switch + + host# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 192.168.1.123 netmask 255.255.255.0 The host config files are, of course, identical to those on the office node. @@ -72,7 +72,7 @@ to the roadwarrior's address hardcoded. To have tinc automatically add the necessary routes, remove the `route add` command from the `tinc-up` script, and instead add this `subnet-up` script: -> host# cat /etc/tinc/vpn/subnet-up -> #!/bin/sh -> [ "$NAME" = "$NODE" ] && exit 0 -> ip route replace $SUBNET dev $INTERFACE + host# cat /etc/tinc/vpn/subnet-up + #!/bin/sh + [ "$NAME" = "$NODE" ] && exit 0 + ip route replace $SUBNET dev $INTERFACE diff --git a/examples/simple-bridging-with-dhcp-client-side.mdwn b/examples/simple-bridging-with-dhcp-client-side.mdwn index 0f6c027..ddd0c53 100644 --- a/examples/simple-bridging-with-dhcp-client-side.mdwn +++ b/examples/simple-bridging-with-dhcp-client-side.mdwn 
@@ -1,326 +1,326 @@ -> [[!meta title="simple-bridging-with-dhcp-client-side"]] -> -> # Company: PowerCraft Technology -> # Author: Copyright Jelle de Jong -> # Note: Please send me an email if you enhanced the document -> # Date: 2010-05-24 / 2010-07-04 -> # License: CC-BY-SA -> -> # This document is free documentation; you can redistribute it and/or -> # modify it under the terms of the Creative Commons Attribution Share -> # Alike as published by the Creative Commons Foundation; either version -> # 3.0 of the License, or (at your option) any later version. -> # -> # This document is distributed in the hope that it will be useful, -> # but WITHOUT ANY WARRANTY; without even the implied warranty of -> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -> # Creative Commons BY-SA License for more details. -> # -> # http://creativecommons.org/licenses/by-sa/ -> -> #----------------------------------------------------------------------- -> -> # for commercial support contact me, part of the revenue go back to tinc -> -> #----------------------------------------------------------------------- -> -> # http://www.tinc-vpn.org/ -> # http://www.tinc-vpn.org/documentation/tinc_toc -> -> #----------------------------------------------------------------------- -> -> # this is the configuration of the roxy system -> -> #----------------------------------------------------------------------- -> -> unset LANG LANGUAGE LC_ALL -> apt-get update; apt-get dist-upgrade -> -> apt-cache show tinc -> apt-get install tinc/testing -> -> #----------------------------------------------------------------------- -> -> /etc/init.d/tinc stop -> -> #----------------------------------------------------------------------- -> -> # ls -hal /dev/net/tun -> crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun -> -> # grep tinc /etc/services -> tinc 655/tcp # tinc control port -> tinc 655/udp -> -> # getent services tinc/udp -> tinc 655/udp -> # getent services tinc/tcp -> tinc 655/tcp 
-> -> cat /usr/share/doc/tinc/README.Debian -> zcat /usr/share/doc/tinc/README.gz | less -> zcat /usr/share/doc/tinc/NEWS.gz | less -> cat /usr/share/doc/tinc/examples/tinc-up -> w3m /usr/share/doc/tinc/tinc_0.html -> -> #----------------------------------------------------------------------- -> -> vim /etc/default/tinc -> EXTRA="-d" -> cat /etc/default/tinc -> -> # less /etc/init.d/tinc -> -> #----------------------------------------------------------------------- -> -> ifconfig -a -> route -n -> -> #----------------------------------------------------------------------- -> -> # ifconfig -a -> eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c -> inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 -> RX packets:4863 errors:0 dropped:0 overruns:0 frame:0 -> TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0 -> collisions:0 txqueuelen:1000 -> RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB) -> Interrupt:10 Base address:0x1000 -> -> eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d -> UP BROADCAST MULTICAST MTU:1500 Metric:1 -> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 -> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 -> collisions:0 txqueuelen:1000 -> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) -> Interrupt:11 Base address:0x1400 -> -> eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e -> UP BROADCAST MULTICAST MTU:1500 Metric:1 -> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 -> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 -> collisions:0 txqueuelen:1000 -> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) -> Interrupt:15 Base address:0x1800 -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:16436 Metric:1 -> RX packets:1200 errors:0 dropped:0 overruns:0 frame:0 -> TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0 -> collisions:0 txqueuelen:0 -> RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB) -> -> # route -n -> Kernel IP 
routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 -> 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 -> -> #----------------------------------------------------------------------- -> -> # client01 configuration -> -> cat /etc/tinc/nets.boot -> echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot -> cat /etc/tinc/nets.boot -> -> #----------------------------------------------------------------------- -> -> sudo mkdir --verbose /etc/tinc/powercraft01/ -> sudo mkdir --verbose /etc/tinc/powercraft01/hosts/ -> sudo touch /etc/tinc/powercraft01/tinc.conf -> -> #----------------------------------------------------------------------- -> -> # on server -> cat /etc/tinc/powercraft01/hosts/server01 -> -> # on client, copy cert data of server to client -> sudo vim /etc/tinc/powercraft01/hosts/server01 -> -> # on client, add on head of file -> Address = powercraft.nl 656 -> Address = 84.245.3.195 656 -> Address = tinc-vpn.powercraft.nl 656 -> Address = powercraft.nl 655 -> Address = 84.245.3.195 655 -> Address = tinc-vpn.powercraft.nl 655 -> -> #----------------------------------------------------------------------- -> -> echo 'ConnectTo = server01 -> Device = /dev/net/tun -> Interface = tun1 -> Mode = switch -> Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf -> -> sudo cat /etc/tinc/powercraft01/tinc.conf -> sudo chmod 644 /etc/tinc/powercraft01/tinc.conf -> ls -hal /etc/tinc/powercraft01/tinc.conf -> -> echo '#!/bin/sh -> ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up -> -> sudo cat /etc/tinc/powercraft01/tinc-up -> sudo chmod 755 /etc/tinc/powercraft01/tinc-up -> ls -hal /etc/tinc/powercraft01/tinc-up -> -> echo '#!/bin/sh -> # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec -> ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up -> -> sudo cat /etc/tinc/powercraft01/hosts/server01-up -> sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up -> ls -hal 
/etc/tinc/powercraft01/hosts/server01-up -> -> echo '#!/bin/sh -> ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down -> -> sudo cat /etc/tinc/powercraft01/tinc-down -> sudo chmod 755 /etc/tinc/powercraft01/tinc-down -> ls -hal /etc/tinc/powercraft01/tinc-down -> -> echo '#!/bin/sh -> ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down -> -> sudo cat /etc/tinc/powercraft01/hosts/server01-down -> sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down -> ls -hal /etc/tinc/powercraft01/hosts/server01-down -> -> #----------------------------------------------------------------------- -> -> sudo rm /etc/tinc/powercraft01/rsa_key.priv -> sudo rm /etc/tinc/powercraft01/hosts/client10 -> sudo tincd -n powercraft01 -K -> -> #----------------------------------------------------------------------- -> -> # on client add on head of file -> sudo vim /etc/tinc/powercraft01/hosts/client01 -> Compression = 9 -> PMTU = 1492 -> PMTUDiscovery = yes -> Port = 656 -> # Cipher = aes-128-cbc -> -> # on client -> sudo cat /etc/tinc/powercraft01/hosts/client01 -> -> # on server, copy cert data of client to server -> vim /etc/tinc/powercraft01/hosts/client01 -> -> #----------------------------------------------------------------------- -> -> # watch out when using multiple dhcp clients there can be conflicts -> -> echo 'interface "tun1" { -> request subnet-mask, broadcast-address, time-offset, -> host-name, netbios-scope, interface-mtu, ntp-servers; -> }' | tee --append /etc/dhcp3/dhclient.conf -> -> cat /etc/dhcp3/dhclient.conf -> -> #----------------------------------------------------------------------- -> -> vim /etc/network/interfaces -> -> iface tun1 inet dhcp -> pre-up ifconfig tun1 down || true -> pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true -> post-up route del default dev tun1 || true -> # pre-down /etc/init.d/munin-node stop || true -> # post-up /etc/init.d/munin-node restart || true -> # optional # post-up /bin/echo 1 > 
/proc/sys/net/ipv4/conf/tun1/proxy_arp || true -> # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true -> # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true -> # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true -> -> #----------------------------------------------------------------------- -> -> ifdown tun1; ifdown tun1 -> -> #----------------------------------------------------------------------- -> -> sudo /etc/init.d/tinc stop -> fg -> sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5 -> -> #----------------------------------------------------------------------- -> -> sudo /etc/init.d/tinc start -> -> #----------------------------------------------------------------------- -> -> # tincd --version -> tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17) -> -> #----------------------------------------------------------------------- -> -> tincd -n powercraft01 -kUSR2 -> tail -n 100 /var/log/syslog -> -> #----------------------------------------------------------------------- -> -> May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun: -> May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes: -> May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518) -> May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416) -> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes. 
-> May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges: -> May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges. -> May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list: -> May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01 -> May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list. -> -> #----------------------------------------------------------------------- -> -> # ifconfig -a -> ifconfig tun1 -> route -n -> -> #----------------------------------------------------------------------- -> -> # ifconfig tun1 -> tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20 -> inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 -> RX packets:27 errors:0 dropped:0 overruns:0 frame:0 -> TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 -> collisions:0 txqueuelen:500 -> RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB) -> -> # route -n -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 -> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1 -> 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 -> -> #----------------------------------------------------------------------- -> -> ping -c 2 192.168.3.1 -> ping -c 2 -M dont -s 1500 192.168.3.1 -> -> #----------------------------------------------------------------------- -> -> lsof -i :655 -> lsof -i :656 -> -> #----------------------------------------------------------------------- -> -> # Accept new connections for fordwarding designated from our virtual private 
netwerk to the local network -> /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT -> /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT -> -> # Use masquerade so the outside world sees only one ip source for all outgoing trafic -> /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE -> -> #----------------------------------------------------------------------- + [[!meta title="simple-bridging-with-dhcp-client-side"]] + + # Company: PowerCraft Technology + # Author: Copyright Jelle de Jong + # Note: Please send me an email if you enhanced the document + # Date: 2010-05-24 / 2010-07-04 + # License: CC-BY-SA + + # This document is free documentation; you can redistribute it and/or + # modify it under the terms of the Creative Commons Attribution Share + # Alike as published by the Creative Commons Foundation; either version + # 3.0 of the License, or (at your option) any later version. + # + # This document is distributed in the hope that it will be useful, + # but WITHOUT ANY WARRANTY; without even the implied warranty of + # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + # Creative Commons BY-SA License for more details. 
+ # + # http://creativecommons.org/licenses/by-sa/ + + #----------------------------------------------------------------------- + + # for commercial support contact me, part of the revenue go back to tinc + + #----------------------------------------------------------------------- + + # http://www.tinc-vpn.org/ + # http://www.tinc-vpn.org/documentation/tinc_toc + + #----------------------------------------------------------------------- + + # this is the configuration of the roxy system + + #----------------------------------------------------------------------- + + unset LANG LANGUAGE LC_ALL + apt-get update; apt-get dist-upgrade + + apt-cache show tinc + apt-get install tinc/testing + + #----------------------------------------------------------------------- + + /etc/init.d/tinc stop + + #----------------------------------------------------------------------- + + # ls -hal /dev/net/tun + crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun + + # grep tinc /etc/services + tinc 655/tcp # tinc control port + tinc 655/udp + + # getent services tinc/udp + tinc 655/udp + # getent services tinc/tcp + tinc 655/tcp + + cat /usr/share/doc/tinc/README.Debian + zcat /usr/share/doc/tinc/README.gz | less + zcat /usr/share/doc/tinc/NEWS.gz | less + cat /usr/share/doc/tinc/examples/tinc-up + w3m /usr/share/doc/tinc/tinc_0.html + + #----------------------------------------------------------------------- + + vim /etc/default/tinc + EXTRA="-d" + cat /etc/default/tinc + + # less /etc/init.d/tinc + + #----------------------------------------------------------------------- + + ifconfig -a + route -n + + #----------------------------------------------------------------------- + + # ifconfig -a + eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c + inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 + RX packets:4863 errors:0 dropped:0 overruns:0 frame:0 + TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0 + 
collisions:0 txqueuelen:1000 + RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB) + Interrupt:10 Base address:0x1000 + + eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d + UP BROADCAST MULTICAST MTU:1500 Metric:1 + RX packets:0 errors:0 dropped:0 overruns:0 frame:0 + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:1000 + RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) + Interrupt:11 Base address:0x1400 + + eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e + UP BROADCAST MULTICAST MTU:1500 Metric:1 + RX packets:0 errors:0 dropped:0 overruns:0 frame:0 + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:1000 + RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) + Interrupt:15 Base address:0x1800 + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:16436 Metric:1 + RX packets:1200 errors:0 dropped:0 overruns:0 frame:0 + TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:0 + RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB) + + # route -n + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 + 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 + + #----------------------------------------------------------------------- + + # client01 configuration + + cat /etc/tinc/nets.boot + echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot + cat /etc/tinc/nets.boot + + #----------------------------------------------------------------------- + + sudo mkdir --verbose /etc/tinc/powercraft01/ + sudo mkdir --verbose /etc/tinc/powercraft01/hosts/ + sudo touch /etc/tinc/powercraft01/tinc.conf + + #----------------------------------------------------------------------- + + # on server + cat /etc/tinc/powercraft01/hosts/server01 + + # on client, copy cert data of server to client + sudo vim /etc/tinc/powercraft01/hosts/server01 + + # on client, add on head of file + Address = powercraft.nl 656 + 
Address = 84.245.3.195 656 + Address = tinc-vpn.powercraft.nl 656 + Address = powercraft.nl 655 + Address = 84.245.3.195 655 + Address = tinc-vpn.powercraft.nl 655 + + #----------------------------------------------------------------------- + + echo 'ConnectTo = server01 + Device = /dev/net/tun + Interface = tun1 + Mode = switch + Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf + + sudo cat /etc/tinc/powercraft01/tinc.conf + sudo chmod 644 /etc/tinc/powercraft01/tinc.conf + ls -hal /etc/tinc/powercraft01/tinc.conf + + echo '#!/bin/sh + ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up + + sudo cat /etc/tinc/powercraft01/tinc-up + sudo chmod 755 /etc/tinc/powercraft01/tinc-up + ls -hal /etc/tinc/powercraft01/tinc-up + + echo '#!/bin/sh + # ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec + ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up + + sudo cat /etc/tinc/powercraft01/hosts/server01-up + sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up + ls -hal /etc/tinc/powercraft01/hosts/server01-up + + echo '#!/bin/sh + ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down + + sudo cat /etc/tinc/powercraft01/tinc-down + sudo chmod 755 /etc/tinc/powercraft01/tinc-down + ls -hal /etc/tinc/powercraft01/tinc-down + + echo '#!/bin/sh + ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down + + sudo cat /etc/tinc/powercraft01/hosts/server01-down + sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down + ls -hal /etc/tinc/powercraft01/hosts/server01-down + + #----------------------------------------------------------------------- + + sudo rm /etc/tinc/powercraft01/rsa_key.priv + sudo rm /etc/tinc/powercraft01/hosts/client10 + sudo tincd -n powercraft01 -K + + #----------------------------------------------------------------------- + + # on client add on head of file + sudo vim /etc/tinc/powercraft01/hosts/client01 + Compression = 9 + PMTU = 1492 + PMTUDiscovery = yes + Port = 656 + # Cipher = 
aes-128-cbc + + # on client + sudo cat /etc/tinc/powercraft01/hosts/client01 + + # on server, copy cert data of client to server + vim /etc/tinc/powercraft01/hosts/client01 + + #----------------------------------------------------------------------- + + # watch out when using multiple dhcp clients there can be conflicts + + echo 'interface "tun1" { + request subnet-mask, broadcast-address, time-offset, + host-name, netbios-scope, interface-mtu, ntp-servers; + }' | tee --append /etc/dhcp3/dhclient.conf + + cat /etc/dhcp3/dhclient.conf + + #----------------------------------------------------------------------- + + vim /etc/network/interfaces + + iface tun1 inet dhcp + pre-up ifconfig tun1 down || true + pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true + post-up route del default dev tun1 || true + # pre-down /etc/init.d/munin-node stop || true + # post-up /etc/init.d/munin-node restart || true + # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true + # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true + # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true + # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true + + #----------------------------------------------------------------------- + + ifdown tun1; ifdown tun1 + + #----------------------------------------------------------------------- + + sudo /etc/init.d/tinc stop + fg + sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5 + + #----------------------------------------------------------------------- + + sudo /etc/init.d/tinc start + + #----------------------------------------------------------------------- + + # tincd --version + tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17) + + #----------------------------------------------------------------------- + + tincd -n powercraft01 -kUSR2 + tail -n 100 /var/log/syslog + + 
#----------------------------------------------------------------------- + + May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun: + May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830 + May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914 + May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes: + May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518) + May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416) + May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes. + May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges: + May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413 + May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413 + May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges. + May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list: + May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01 + May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01 + May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01 + May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list. 
+ + #----------------------------------------------------------------------- + + # ifconfig -a + ifconfig tun1 + route -n + + #----------------------------------------------------------------------- + + # ifconfig tun1 + tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20 + inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 + RX packets:27 errors:0 dropped:0 overruns:0 frame:0 + TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:500 + RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB) + + # route -n + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 + 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1 + 0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0 + + #----------------------------------------------------------------------- + + ping -c 2 192.168.3.1 + ping -c 2 -M dont -s 1500 192.168.3.1 + + #----------------------------------------------------------------------- + + lsof -i :655 + lsof -i :656 + + #----------------------------------------------------------------------- + + # Accept new connections for fordwarding designated from our virtual private netwerk to the local network + /sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT + /sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT + + # Use masquerade so the outside world sees only one ip source for all outgoing trafic + /sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE + + #----------------------------------------------------------------------- diff --git a/examples/simple-bridging-with-dhcp-server-side.mdwn b/examples/simple-bridging-with-dhcp-server-side.mdwn index f1bd3f2..20266d1 100644 --- a/examples/simple-bridging-with-dhcp-server-side.mdwn +++ b/examples/simple-bridging-with-dhcp-server-side.mdwn 
@@ -1,325 +1,325 @@
-> [[!meta title="simple-bridging-with-dhcp-server-side"]]
->
-> # Company: PowerCraft Technology
-> # Author: Copyright Jelle de Jong
-> # Note: Please send me an email if you enhanced the document
-> # Date: 2010-05-24 / 2010-07-04
-> # License: CC-BY-SA
->
-> # This document is free documentation; you can redistribute it and/or
-> # modify it under the terms of the Creative Commons Attribution Share
-> # Alike as published by the Creative Commons Foundation; either version
-> # 3.0 of the License, or (at your option) any later version.
-> #
-> # This document is distributed in the hope that it will be useful,
-> # but WITHOUT ANY WARRANTY; without even the implied warranty of
-> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-> # Creative Commons BY-SA License for more details.
-> #
-> # http://creativecommons.org/licenses/by-sa/
->
-> #-----------------------------------------------------------------------
->
-> # for commercial support contact me, part of the revenue go back to tinc
->
-> #-----------------------------------------------------------------------
->
-> # http://www.tinc-vpn.org/
-> # http://www.tinc-vpn.org/examples/bridging
-> # http://www.tinc-vpn.org/documentation/tinc_toc
->
-> #-----------------------------------------------------------------------
->
-> # <@guus> Well all the tinc daemons together act like a single switcch
-> # <@guus> And each node in the VPN is connected to a port of that switch
-> # <@guus> And if you bridge the VPN interface with eth0, then it's like you plug a cable in a port of your eth0 LAN and the other end of that cable into the tinc switch
->
-> #-----------------------------------------------------------------------
->
-> unset LANG LANGUAGE LC_ALL
-> apt-get update; apt-get dist-upgrade
->
-> apt-cache show tinc
-> apt-get install tinc
-> apt-get install bridge-utils
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
->
-> #-----------------------------------------------------------------------
->
-> # ls -hal /dev/net/tun
-> crw-rw-rw- 1 root root 10, 200 May 20 20:07 /dev/net/tun
->
-> # grep tinc /etc/services
-> tinc 655/tcp # tinc control port
-> tinc 655/udp
->
-> cat /usr/share/doc/tinc/README.Debian
-> zcat /usr/share/doc/tinc/README.gz | less
-> zcat /usr/share/doc/tinc/NEWS.gz | less
-> cat /usr/share/doc/tinc/examples/tinc-up
-> w3m /usr/share/doc/tinc/tinc_0.html
->
-> cat /etc/default/tinc
-> less /etc/init.d/tinc
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/default/tinc
-> EXTRA="-d"
-> cat /etc/default/tinc
->
-> #-----------------------------------------------------------------------
->
-> cat /etc/tinc/nets.boot
-> echo 'powercraft01' | tee --append /etc/tinc/nets.boot
-> cat /etc/tinc/nets.boot
->
-> #-----------------------------------------------------------------------
->
-> ls -hal /etc/tinc/scallab01/
-> mkdir --verbose /etc/tinc/powercraft01/
-> mkdir --verbose /etc/tinc/powercraft01/hosts/
-> touch /etc/tinc/powercraft01/tinc.conf
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/network/interfaces
->
-> # tinc-vpn: dhcp bridge
-> auto br0
-> iface br0 inet static
-> address 192.168.3.1
-> netmask 255.255.255.0
-> # pre-up /sbin/ifconfig eth2 hw ether 00:1b:21:61:af:d7
-> # pre-up /sbin/ifconfig eth2 0.0.0.0
-> # bridge_ports eth2
-> bridge_ports tun1
-> bridge_maxwait 1
-> bridge_fd 2.5
-> post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp # optional
->
-> cat /etc/network/interfaces
->
-> #-----------------------------------------------------------------------
->
-> echo 'interface "br0" {
-> request subnet-mask, broadcast-address, time-offset,
-> host-name, netbios-scope, interface-mtu, ntp-servers;
-> }' | tee --append /etc/dhcp3/dhclient.conf
->
-> cat /etc/dhcp3/dhclient.conf
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/dhcp3/dhcpd.conf
->
-> subnet 192.168.3.0 netmask 255.255.255.0 {
-> range 192.168.3.200 192.168.3.240;
-> option routers 192.168.3.1;
-> option domain-name-servers 192.168.3.1;
-> }
->
-> #-----------------------------------------------------------------------
->
-> ifdown br0
-> ifup br0
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/default/dhcp3-server
-> INTERFACES="vlan2 eth0 br0" # add the br0 to the correct location
->
-> /etc/init.d/dhcp3-server restart
-> ps aux | grep dhcp
-> tail -n 400 -f /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> ifconfig br0
-> route -n
-> brctl show
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig br0
-> br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
-> inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
-> inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:12 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:2568 (2.5 KB) TX bytes:1536 (1.5 KB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
-> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
-> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
-> 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
->
-> # brctl show
-> bridge name bridge id STP enabled interfaces
-> br0 8000.000000000000 no
->
-> #-----------------------------------------------------------------------
->
-> echo 'AddressFamily = ipv4
-> Device = /dev/net/tun
-> Interface = tun1
-> Mode = switch
-> Name = server01' | tee /etc/tinc/powercraft01/tinc.conf
->
-> cat /etc/tinc/powercraft01/tinc.conf
-> chmod 640 /etc/tinc/powercraft01/tinc.conf
-> ls -hal /etc/tinc/powercraft01/tinc.conf
->
-> echo '#!/bin/sh
-> ifconfig $INTERFACE 0.0.0.0
-> route add -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
-> brctl addif br0 $INTERFACE' | tee /etc/tinc/powercraft01/tinc-up
->
-> cat /etc/tinc/powercraft01/tinc-up
-> chmod 750 /etc/tinc/powercraft01/tinc-up
-> ls -hal /etc/tinc/powercraft01/tinc-up
->
-> echo '#!/bin/sh
-> brctl delif br0 $INTERFACE
-> route del -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
-> ifconfig $INTERFACE down' | tee /etc/tinc/powercraft01/tinc-down
->
-> cat /etc/tinc/powercraft01/tinc-down
-> chmod 750 /etc/tinc/powercraft01/tinc-down
-> ls -hal /etc/tinc/powercraft01/tinc-down
->
-> #-----------------------------------------------------------------------
->
-> rm /etc/tinc/powercraft01/rsa_key.priv
-> rm /etc/tinc/powercraft01/hosts/server01
-> tincd -n powercraft01 -K
->
-> #-----------------------------------------------------------------------
->
-> getent services | grep 656
->
-> #-----------------------------------------------------------------------
->
-> vim /etc/tinc/powercraft01/hosts/server01
->
-> # add on head of file
-> Compression = 9
-> PMTU = 1492
-> PMTUDiscovery = yes
-> Port = 656
->
-> cat /etc/tinc/powercraft01/hosts/server01
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc stop
-> fg
-> /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
->
-> #-----------------------------------------------------------------------
->
-> /etc/init.d/tinc restart
-> tail --line=500 --follow /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> ifconfig br0
-> ifconfig tun1
-> route -n
-> brctl show br0
-> brctl showmacs br0
->
-> #-----------------------------------------------------------------------
->
-> # ifconfig br0
-> br0 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
-> inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
-> inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:17 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:0
-> RX bytes:3328 (3.3 KB) TX bytes:2408 (2.4 KB)
->
-> # ifconfig tun1
-> tun1 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
-> inet6 addr: fe80::1ceb:95ff:fec3:4d8/64 Scope:Link
-> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-> RX packets:8 errors:0 dropped:0 overruns:0 frame:0
-> TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
-> collisions:0 txqueuelen:500
-> RX bytes:2627 (2.6 KB) TX bytes:1340 (1.3 KB)
->
-> # route -n
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
-> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
-> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-> 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
-> 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
->
-> # brctl show br0
-> bridge name bridge id STP enabled interfaces
-> br0 8000.1eeb95c304d8 no tun1
->
-> # brctl showmacs br0
-> port no mac addr is local? ageing timer
-> 1 1e:eb:95:c3:04:d8 yes 0.00
-> 1 86:03:27:21:2e:60 no 44.19
->
-> #-----------------------------------------------------------------------
->
-> ps aux | grep tincd
-> tincd -n powercraft01 -kUSR2
-> tail -n 100 /var/log/syslog
->
-> #-----------------------------------------------------------------------
->
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes in: 468
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes out: 0
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Nodes:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: server01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options 4 status 0018 nexthop server01 via server01 pmtu 1518 (min 0 max 1518)
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of nodes.
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Edges:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of edges.
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: Subnet list:
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: a2:63:0:96:a:c8#10 owner server01
-> May 24 17:29:31 ashley tinc.powercraft01[11557]: End of subnet list.
->
-> #-----------------------------------------------------------------------
->
-> tcpdump -n -i br0 broadcast
-> tcpdump -n -i tun0 broadcast
->
-> #-----------------------------------------------------------------------
->
-> tcpdump -n -e -i br0 icmp
-> tcpdump -A -p -n -i br0 port 80
-> tcpdump -A -p -n -i br0
->
-> tcpdump -i br0 host 84.245.3.195 -l
->
-> #-----------------------------------------------------------------------
->
-> cat /var/lib/dhcp3/dhcpd.leases
->
-> #-----------------------------------------------------------------------
->
-> # optional
-> export LAN01=vlan2
-> export VPN02=br0
-> # /sbin/iptables --append FORWARD --in-interface br0 --out-interface vlan2 --jump ACCEPT
-> /sbin/iptables --append FORWARD --in-interface ${VPN02} --source 192.168.3.150 --destination 192.168.2.206 --out-interface ${LAN01} --jump ACCEPT
->
-> #-----------------------------------------------------------------------
+ [[!meta title="simple-bridging-with-dhcp-server-side"]]
+
+ # Company: PowerCraft Technology
+ # Author: Copyright Jelle de Jong
+ # Note: Please send me an email if you enhanced the document
+ # Date: 2010-05-24 / 2010-07-04
+ # License: CC-BY-SA
+
+ # This document is free documentation; you can redistribute it and/or
+ # modify it under the terms of the Creative Commons Attribution Share
+ # Alike as published by the Creative Commons Foundation; either version
+ # 3.0 of the License, or (at your option) any later version.
+ #
+ # This document is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # Creative Commons BY-SA License for more details.
+ #
+ # http://creativecommons.org/licenses/by-sa/
+
+ #-----------------------------------------------------------------------
+
+ # for commercial support contact me, part of the revenue go back to tinc
+
+ #-----------------------------------------------------------------------
+
+ # http://www.tinc-vpn.org/
+ # http://www.tinc-vpn.org/examples/bridging
+ # http://www.tinc-vpn.org/documentation/tinc_toc
+
+ #-----------------------------------------------------------------------
+
+ # <@guus> Well all the tinc daemons together act like a single switcch
+ # <@guus> And each node in the VPN is connected to a port of that switch
+ # <@guus> And if you bridge the VPN interface with eth0, then it's like you plug a cable in a port of your eth0 LAN and the other end of that cable into the tinc switch
+
+ #-----------------------------------------------------------------------
+
+ unset LANG LANGUAGE LC_ALL
+ apt-get update; apt-get dist-upgrade
+
+ apt-cache show tinc
+ apt-get install tinc
+ apt-get install bridge-utils
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+
+ #-----------------------------------------------------------------------
+
+ # ls -hal /dev/net/tun
+ crw-rw-rw- 1 root root 10, 200 May 20 20:07 /dev/net/tun
+
+ # grep tinc /etc/services
+ tinc 655/tcp # tinc control port
+ tinc 655/udp
+
+ cat /usr/share/doc/tinc/README.Debian
+ zcat /usr/share/doc/tinc/README.gz | less
+ zcat /usr/share/doc/tinc/NEWS.gz | less
+ cat /usr/share/doc/tinc/examples/tinc-up
+ w3m /usr/share/doc/tinc/tinc_0.html
+
+ cat /etc/default/tinc
+ less /etc/init.d/tinc
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/default/tinc
+ EXTRA="-d"
+ cat /etc/default/tinc
+
+ #-----------------------------------------------------------------------
+
+ cat /etc/tinc/nets.boot
+ echo 'powercraft01' | tee --append /etc/tinc/nets.boot
+ cat /etc/tinc/nets.boot
+
+ #-----------------------------------------------------------------------
+
+ ls -hal /etc/tinc/scallab01/
+ mkdir --verbose /etc/tinc/powercraft01/
+ mkdir --verbose /etc/tinc/powercraft01/hosts/
+ touch /etc/tinc/powercraft01/tinc.conf
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/network/interfaces
+
+ # tinc-vpn: dhcp bridge
+ auto br0
+ iface br0 inet static
+ address 192.168.3.1
+ netmask 255.255.255.0
+ # pre-up /sbin/ifconfig eth2 hw ether 00:1b:21:61:af:d7
+ # pre-up /sbin/ifconfig eth2 0.0.0.0
+ # bridge_ports eth2
+ bridge_ports tun1
+ bridge_maxwait 1
+ bridge_fd 2.5
+ post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp # optional
+
+ cat /etc/network/interfaces
+
+ #-----------------------------------------------------------------------
+
+ echo 'interface "br0" {
+ request subnet-mask, broadcast-address, time-offset,
+ host-name, netbios-scope, interface-mtu, ntp-servers;
+ }' | tee --append /etc/dhcp3/dhclient.conf
+
+ cat /etc/dhcp3/dhclient.conf
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/dhcp3/dhcpd.conf
+
+ subnet 192.168.3.0 netmask 255.255.255.0 {
+ range 192.168.3.200 192.168.3.240;
+ option routers 192.168.3.1;
+ option domain-name-servers 192.168.3.1;
+ }
+
+ #-----------------------------------------------------------------------
+
+ ifdown br0
+ ifup br0
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/default/dhcp3-server
+ INTERFACES="vlan2 eth0 br0" # add the br0 to the correct location
+
+ /etc/init.d/dhcp3-server restart
+ ps aux | grep dhcp
+ tail -n 400 -f /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ ifconfig br0
+ route -n
+ brctl show
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig br0
+ br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
+ inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
+ inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:12 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:2568 (2.5 KB) TX bytes:1536 (1.5 KB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
+ 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
+ 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
+ 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
+
+ # brctl show
+ bridge name bridge id STP enabled interfaces
+ br0 8000.000000000000 no
+
+ #-----------------------------------------------------------------------
+
+ echo 'AddressFamily = ipv4
+ Device = /dev/net/tun
+ Interface = tun1
+ Mode = switch
+ Name = server01' | tee /etc/tinc/powercraft01/tinc.conf
+
+ cat /etc/tinc/powercraft01/tinc.conf
+ chmod 640 /etc/tinc/powercraft01/tinc.conf
+ ls -hal /etc/tinc/powercraft01/tinc.conf
+
+ echo '#!/bin/sh
+ ifconfig $INTERFACE 0.0.0.0
+ route add -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
+ brctl addif br0 $INTERFACE' | tee /etc/tinc/powercraft01/tinc-up
+
+ cat /etc/tinc/powercraft01/tinc-up
+ chmod 750 /etc/tinc/powercraft01/tinc-up
+ ls -hal /etc/tinc/powercraft01/tinc-up
+
+ echo '#!/bin/sh
+ brctl delif br0 $INTERFACE
+ route del -net 192.168.30.0 netmask 255.255.255.0 br0 # optional subnet
+ ifconfig $INTERFACE down' | tee /etc/tinc/powercraft01/tinc-down
+
+ cat /etc/tinc/powercraft01/tinc-down
+ chmod 750 /etc/tinc/powercraft01/tinc-down
+ ls -hal /etc/tinc/powercraft01/tinc-down
+
+ #-----------------------------------------------------------------------
+
+ rm /etc/tinc/powercraft01/rsa_key.priv
+ rm /etc/tinc/powercraft01/hosts/server01
+ tincd -n powercraft01 -K
+
+ #-----------------------------------------------------------------------
+
+ getent services | grep 656
+
+ #-----------------------------------------------------------------------
+
+ vim /etc/tinc/powercraft01/hosts/server01
+
+ # add on head of file
+ Compression = 9
+ PMTU = 1492
+ PMTUDiscovery = yes
+ Port = 656
+
+ cat /etc/tinc/powercraft01/hosts/server01
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc stop
+ fg
+ /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
+
+ #-----------------------------------------------------------------------
+
+ /etc/init.d/tinc restart
+ tail --line=500 --follow /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ ifconfig br0
+ ifconfig tun1
+ route -n
+ brctl show br0
+ brctl showmacs br0
+
+ #-----------------------------------------------------------------------
+
+ # ifconfig br0
+ br0 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
+ inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
+ inet6 addr: fe80::dc56:d3ff:fe1a:31df/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:17 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:3328 (3.3 KB) TX bytes:2408 (2.4 KB)
+
+ # ifconfig tun1
+ tun1 Link encap:Ethernet HWaddr 1e:eb:95:c3:04:d8
+ inet6 addr: fe80::1ceb:95ff:fec3:4d8/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:8 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:500
+ RX bytes:2627 (2.6 KB) TX bytes:1340 (1.3 KB)
+
+ # route -n
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
+ 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
+ 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
+ 84.245.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
+ 0.0.0.0 84.245.3.1 0.0.0.0 UG 100 0 0 eth1
+
+ # brctl show br0
+ bridge name bridge id STP enabled interfaces
+ br0 8000.1eeb95c304d8 no tun1
+
+ # brctl showmacs br0
+ port no mac addr is local? ageing timer
+ 1 1e:eb:95:c3:04:d8 yes 0.00
+ 1 86:03:27:21:2e:60 no 44.19
+
+ #-----------------------------------------------------------------------
+
+ ps aux | grep tincd
+ tincd -n powercraft01 -kUSR2
+ tail -n 100 /var/log/syslog
+
+ #-----------------------------------------------------------------------
+
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes in: 468
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: total bytes out: 0
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Nodes:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: server01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options 4 status 0018 nexthop server01 via server01 pmtu 1518 (min 0 max 1518)
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of nodes.
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Edges:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of edges.
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: Subnet list:
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: a2:63:0:96:a:c8#10 owner server01
+ May 24 17:29:31 ashley tinc.powercraft01[11557]: End of subnet list.
+
+ #-----------------------------------------------------------------------
+
+ tcpdump -n -i br0 broadcast
+ tcpdump -n -i tun0 broadcast
+
+ #-----------------------------------------------------------------------
+
+ tcpdump -n -e -i br0 icmp
+ tcpdump -A -p -n -i br0 port 80
+ tcpdump -A -p -n -i br0
+
+ tcpdump -i br0 host 84.245.3.195 -l
+
+ #-----------------------------------------------------------------------
+
+ cat /var/lib/dhcp3/dhcpd.leases
+
+ #-----------------------------------------------------------------------
+
+ # optional
+ export LAN01=vlan2
+ export VPN02=br0
+ # /sbin/iptables --append FORWARD --in-interface br0 --out-interface vlan2 --jump ACCEPT
+ /sbin/iptables --append FORWARD --in-interface ${VPN02} --source 192.168.3.150 --destination 192.168.2.206 --out-interface ${LAN01} --jump ACCEPT
+
+ #-----------------------------------------------------------------------