Example: tinc from behind a masquerading firewall
When running tinc from behind a masquerading firewall (not on the firewall itself), one must be careful to configure the firewall so that it allows the tinc traffic to pass through without altering the source and destination ports. Example firewall rules are included in this example. They are written for iptables (Linux 2.4 firewall code), but commented so that you may apply the same kind of rules to other firewalls.
Overview
The network setup is as follows:
- Internal network is 10.20.30.0/24
- Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
- Host running tinc has IP 10.20.30.42
- VPN the host wants to connect to has address range 192.168.0.0/16
- The host has it’s own VPN IP 192.168.10.20
Configuration of the host running tinc
host# ifconfig
eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
vpn Link encap:Point-to-Point Protocol
inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
...
host# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0
host# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
host# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Configuration of tinc
host# cat /etc/tinc/vpn/tinc.conf
Name = atwork
ConnectTo = home
host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
host# ls /etc/tinc/vpn/hosts
atwork home
host# cat /etc/tinc/vpn/hosts/atwork
Address = 123.234.123.1
Subnet = 192.168.10.20/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
host# cat /etc/tinc/vpn/hosts/home
Address = 200.201.202.203
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
Configuration of the firewall
firewall# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
...
eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
firewall# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655
1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
firewall# cat /etc/init.d/firewall
#!/bin/sh
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -t nat -F POSTROUTING
# Next rule prevents masquerading from altering source port of outbound tinc packets
iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
iptables -t nat -F PREROUTING
# Next two rules forward incoming tinc packets to the host behind the firewall running tinc
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655