Example: tinc on a masquerading firewall
This example shows a setup with tinc running on a masquerading firewall, allowing the private subnet behind the firewall to access the VPN. Example firewall rules are included in this example. They are written for iptables (Linux 2.4 firewall code), but commented so that you may apply the same kind of rules to other firewalls.
Overview
fig-on-firewall
The network setup is as follows:
- Internal network is 10.20.30.0/24
- Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
- VPN the host wants to connect to has address range 10.20.0.0/16.
Configuration of the firewall running tinc
firewall# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
...
eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
vpn Link encap:Point-to-Point Protocol
inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
...
firewall# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
10.20.0.0 * 255.255.0.0 U 0 0 0 vpn
default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24
1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
firewall# cat /etc/init.d/firewall
#!/bin/sh
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0
Configuration of tinc
firewall# cat /etc/tinc/vpn/tinc.conf
Name = office
ConnectTo = branch
Interface = vpn
firewall# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0
firewall# ls /etc/tinc/vpn/hosts
office branch employee_smith employee_jones ...
firewall# cat /etc/tinc/vpn/hosts/office
Address = 123.234.123.1
Subnet = 10.20.30.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
firewall# cat /etc/tinc/vpn/hosts/branch
Address = 123.234.213.129
Subnet = 10.20.40.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
firewall# cat /etc/tinc/vpn/hosts/employee_smith
Address = 200.201.202.203
Subnet = 10.20.50.1/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----