Tinc Mesh VPN


OK, by changing my setting to TUN, it all seems to work perfectly. (2 networks connected, will try a 3rd later).

But it still isn't 100% what I was after previously. Is there any way we can get this working on TAP, or possibly somehow allow it to transport broadcasts in some way?
 
Currently looking into how I can enable broadcast forwarding to the "other side". I think I am on the right track here:

http://serverfault.com/questions/276596/forward-broadcast-to-fixed-ip-using-iptables
https://bbs.archlinux.org/viewtopic.php?id=122473
http://www.linksysinfo.org/index.php?threads/broadcast-forwarding.10028/

But have yet to get anything working so far.

PS:

lancethepants, while I remember, thank you for your help. More so, thank you for how you're helping. Instead of presuming I have no clue and just blindly telling me to add this and do that, you have clearly described the reason, process and such, in a way where not only am I getting closer to a solution, but I am understanding how it all works. This way I can most likely solve issues later, as I will know what to search for.
 
With TAP, all the routers would actually be on the same subnet. That means they would directly see each other and also each other's broadcasts. Essentially it would be as if the routers were physically next to each other, and plugged in to each other with ethernet cables. In that scenario though, you would not be able to have overlapping IP addresses. Each router would have to have its own IP address, otherwise there would be conflicts, and packets wouldn't know where to be routed. TAP, as I've written before, complicates things however, since we can't have overlapping IP addresses. Also DHCP tries to give the wrong computers the wrong gateway... etc.

The GUI is intentionally this way: there is no need to enter subnets when in TAP, because TAP requires that you already be on the same subnet. The subnets are used for routing, and routing is only applicable when you are on different subnets (or lying about our subnets in this case); otherwise there is no routing needed because you are on the same subnet and can already see each other.

In this scenario, we're lying to tinc, and telling it that the different routers are on different subnets. We then have the firewall rules that do the translation in the background. That way, for example, while on network 1, we think that router 2's IP address is 192.168.2.1. That way our local router's IP won't get confused with router 2's. They are two different IP addresses (as far as tinc knows anyway), even though locally at each location they are the same.

edit: ah, you made a couple other posts while I was writing this one. I'll take a look at them.
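The subnet "lie" described above needs NAT rules on each router; here is an added helper (not from the thread or the Tomato tinc GUI) that prints the iptables NETMAP pair for one site. It assumes TUN mode, a tinc interface named tun0, that every site (not only router 2) gets its own alias subnet which is also what it advertises in its 'Subnet' field, and that tinc-up already routes the remote alias subnets into tun0.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomato tinc GUI): generate the
# iptables NETMAP rules that make one site's real LAN appear to the tinc mesh
# under an alias subnet. Every site keeps 192.168.1.0/24 locally, while tinc
# sees site 2 as 192.168.2.0/24, site 3 as 192.168.3.0/24, and so on; the
# alias is what goes in that site's 'Subnet' field. Assumptions: TUN mode,
# interface tun0, and tinc-up already adds a route for each remote alias.

# netmap_rules REAL_NET ALIAS_NET IFNAME
# Prints two rules: inbound (alias -> real) and outbound (real -> alias).
netmap_rules() {
    real_net="$1"; alias_net="$2"; ifname="$3"
    if [ "$real_net" = "$alias_net" ]; then
        echo "alias subnet must differ from the real one" >&2
        return 1
    fi
    # Traffic arriving from the mesh is addressed to the alias; rewrite the
    # destination to the real LAN before the routing decision is made.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' \
        "$ifname" "$alias_net" "$real_net"
    # Traffic leaving towards the mesh carries real source addresses; rewrite
    # them to the alias so the remote site never sees its own subnet as source
    # (otherwise replies would be delivered locally instead of via tinc).
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' \
        "$ifname" "$real_net" "$alias_net"
}

# Example: site 1 and site 2 both use 192.168.1.0/24 locally; site 1 is
# aliased as 192.168.3.0/24 and site 2 as 192.168.2.0/24. Each site pastes
# only its own pair, e.g.:  netmap_rules 192.168.1.0/24 192.168.2.0/24 tun0
if [ "$#" -ge 3 ]; then
    netmap_rules "$1" "$2" "$3"
fi
```

Run with the three arguments and paste the two printed lines into the firewall script of that site; the other site gets the pair printed for its own alias.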
 
I guess my question is, what exactly is it you want broadcasts for. You've mentioned samba, so I'll guess that for now. Samba is able to work in this scenario, without broadcasts. Now it won't show up in the "Network Places" in Windows automatically. That itself does require broadcasts I think, but you can navigate in file explorer to "\\192.168.2.10" or whatever IP your share is located at, and be able to explore just fine that way. Broadcasts only help with the automatic discovery.

Some applications may simply not work without broadcasts, so it just depends on what you're trying to accomplish. A lot of stuff you can manage without though. Even most video games allow you to manually specify an IP address. True it is much easier with broadcasts, because it will automatically show up as a local game, but a lot of times you can get around it.

In this scenario, when you use TUN, you don't have broadcasts. I haven't explored enough, maybe someway with broadcast forwarding? I'm not sure at this point if that's possible, but I've already learned a lot so far that I didn't think previously possible, so maybe.

Just allowing the broadcasts you want would be ideal. Yet to be seen if it can be done with TUN (for me anyway), though I know it's possible in TAP. TAP just has that caveat that you can't have overlapping IP addresses, which kind of defeats the way I think you were wanting to setup each router to have the same subnet locally, and the same IP address.
 
Thanks for those answers. It may mean I have to make some sort of sacrifice somewhere, in regard to either having network browsing and separate IP ranges OR doing the IP substitutes and no browsing.

Anyway, going back a few steps, I did try the substitutes and had it working. But now it isn't. All settings are as they were before: I have the subnet entered into each host setting in tinc and the iptables rules in the firewall script under Administration.

I had a look in the logs and I am getting an error with tinc now that I wasn't before. PS: I did try rebooting both ends too and it's still not working. See the last 2 lines.

Mar 2 17:49:29 ECS-ROUTER user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Mar 2 17:49:29 ECS-ROUTER user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 2 17:49:29 ECS-ROUTER daemon.info pppd[621]: System time change detected.
Mar 2 17:49:29 ECS-ROUTER daemon.notice tinc[1553]: tincd 1.1pre10 (Dec 24 2014 12:20:46) starting, debug level 0
Mar 2 17:49:30 ECS-ROUTER daemon.info tinc[1553]: /dev/net/tun is a Linux tun/tap device (tun mode)
Mar 2 17:49:30 ECS-ROUTER daemon.notice tinc[1553]: Ready
Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 2 != 1
Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 3 != 1
 
Just for some more info, I do think there is a bug.

I just started to add another host, filled in all the details and making its subnet 192.168.4.0/24
I clicked add
It threw me an error as I forgot to paste in the keys.
Skipped adding it (decided to do it later).

Now I get another line in the logs saying:
Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 2 != 1
Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 3 != 1
Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 4 != 1

Kind of strange that as soon as I tried adding 192.168.4.0/24
 
AFAIK, those aren't network crippling errors. If the error message persists then that might be an issue. Tinc takes a while to start up too when rebooting the router. It's about the last thing that gets started, right when OpenVPN gets started as well.

Also, the VPN will not be operational immediately after hitting the start button, or when it starts after a router reboot. When you start tinc, it first has to do some authentication using the encryption keys that you've generated. Then after that, between nodes, tinc figures out the largest usable MTU (packet size) that can be sent from one node to another.

If you were adding another node while tinc was running, and then hit the save button, this will automatically stop tinc, re-create the freshly updated config, and start tinc up again. In the meantime tinc may have been in the middle of talking with another node. When tinc restarts, it will start receiving packets from the other node, but because it just came online, it doesn't know what's going on and why it's receiving packets. In that scenario it might throw out some errors. It and the other nodes will realize that it needs to re-authenticate and start the process of bringing the VPN back up.
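To tell the restart noise just described from a real problem, this added check (not from the thread) counts only the seqno errors that fall outside a grace period after the last tincd "Ready" line. The log sample is constructed from the lines posted in this thread plus one later error, and the timestamp parsing assumes all lines are from the same day.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether "Invalid packet seqno"
# lines are the transient noise of a tinc restart or a persistent problem.
# A seqno error is transient when it occurs within GRACE seconds of the most
# recent "Ready" line from tincd; anything later (or with no Ready seen at
# all) is counted as persistent. Assumption: syslog lines in the router's
# format shown in the thread, all from the same day.

# persistent_seqno_errors GRACE_SECONDS   (reads the log on stdin, prints count)
persistent_seqno_errors() {
    awk -v grace="$1" '
    # Convert the HH:MM:SS field (third field of a syslog line) to seconds.
    function secs(hms,  p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /tinc\[[0-9]+\]: Ready/ { ready = secs($3); seen_ready = 1 }
    /tinc\[[0-9]+\]: Invalid packet seqno/ {
        if (!seen_ready || secs($3) - ready > grace) bad++
    }
    END { print bad + 0 }'
}

# Constructed sample: the thread's two restarts, plus one error three minutes
# after the second Ready, which a 60 second grace period should flag.
sample_log() {
    cat <<'EOF'
Mar 2 17:49:29 ECS-ROUTER daemon.notice tinc[1553]: tincd 1.1pre10 (Dec 24 2014 12:20:46) starting, debug level 0
Mar 2 17:49:30 ECS-ROUTER daemon.info tinc[1553]: /dev/net/tun is a Linux tun/tap device (tun mode)
Mar 2 17:49:30 ECS-ROUTER daemon.notice tinc[1553]: Ready
Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 2 != 1
Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 3 != 1
Mar 2 18:55:40 ECS-ROUTER daemon.notice tinc[3098]: Ready
Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 2 != 1
Mar 2 18:58:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 4 != 1
EOF
}

# Usage with a saved copy of the router log:  persistent_seqno_errors 60 < log.txt
# With the sample above and a 60 second grace period the count is 1.
```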
 
Well, it's now been running overnight and still no connection using the translated IPs. Everything is set up exactly as it was when I did get it working. So I have no clue as to what's going on.

Could it be that the firewall rules are starting too soon? Would adding a sleep 30 line at the top or something be a solution?
 
I would try setting it up from scratch again, regenerating new keys. I've had something like that happen once, but then I just created some new keys, not sure what I did, but I haven't had any issues since. The firewall rules should be fine as is. You can always run 'service firewall restart', and check that they are present. Rebooting resets everything as well.
 
I have tried that but will try again. The instructions at the top are a little hard to follow though, as I don't have the Ed25519 sections in my or my remote router's version (Tinc 1.1pre10).
 
I'm trying to set up two routers with TUN. A couple of items are not very clear. When I generate the public and private keys for my first router, do I use both of these same keys for setting up the second router? I would guess that the public key would be the same in both routers, but does router #2 need to generate and use its own private key or does it use the private key that was generated on the first router?

How does the LAN IP address in the basic router configuration relate to the IP address specified as the Host IP address in TINC? If my LAN IP address is 192.168.1.1, do I also set 192.168.1.1 as the Host IP address or should I put a different address such as 192.168.1.5?
 
You will generate a Public and Private key for each router. Then when you want to connect two routers, you will share just the public keys and other information that is used in the 'Hosts' area.

The 'Address' field in Tinc's 'Hosts' area is asking for the public IP address or domain name where that router can be reached from the internet. Typically for home users that don't get a static IP address from their ISP, this will require setting up a Dynamic DNS (DDNS) service.

The only place where your LAN IP address matters is in the subnet portion of the 'Hosts' area. If on one of your routers your LAN's IP address is 192.168.1.1, then you are using a subnet of 192.168.1.0/24, and that is what you will place in the 'Subnet' field.
 
You will generate a Public and Private key for each router. ... If on one of your routers your LAN's IP address is 192.168.1.1, then you are using a subnet of 192.168.1.0/24, and that is what you will place in the 'Subnet' field.
Thank you for the clarifications. I apologize for my elementary questions. The big picture of how it worked was not yet clear, but with your help the lights came on and I got it working.

Is there a recommendation for a new generation router for Shibby's new Tinc enabled firmware ? I do not use wireless at all. I'm looking for a good power / price / stability combination considering no wireless needs. Thanks again.
 
Glad you got it working.

Data throughput is going to be CPU bound. ARM based routers are going to perform better than mipsel ones. ARM is still somewhat experimental though, but is catching up to mipsel firmware. I think the R7000 is the fastest stock clocked router at 1 GHz dual core. I believe Asus also recently came out with a newer version called the RT-AC68P with the same clock speed.
I'm not sure what your price point or throughput desires are. Somewhere in this thread someone claimed about 30Mb/s throughput on an ARM router. I think tinc 1.1 is close to a stable version soon. I don't think they'll be changing crypto between now and then, so whatever throughput I imagine will stay about the same as more releases of tinc come out.
 
Thanks for the guide - to be clear, in the hosts tab under address I will use my public IP? I don't have static IP, I took information from basic->DDNS tab IP address use wan ip address .... (recommended). And as a subnet I will use 192.168.1.0/24 as my router address is 192.168.1.1 right?
Is there any sense of using Tinc VPN with dnscrypt?
 
@Jobahazi
Yes, it's whatever public IP address you get from your ISP. If you don't get a static IP address, then I would recommend using a DDNS service so other nodes can still connect to you, even when your IP address is changing.

Yes, using 192.168.1.0/24 will allow other nodes access to your full subnet/network. If you are following the tutorial and using TUN, then other nodes you set up will need to have different subnets, i.e. 192.168.2.1 - 192.168.2.0/24

Tinc and DNSCrypt are two different things. Tinc is for encrypting VPN connections between different nodes you set up, while DNSCrypt is for encrypting your DNS traffic. They have different functions, but you can use them both simultaneously.
 
Hi!

Changed recently from OpenVPN to Tinc. I'm connecting 2 routers (home / work) via TUN. The router @ work is behind a firewall which I have no access to. But that's no problem for my case - Tinc @ work initiates an outgoing connection to Tinc @ home so the provider firewall is no problem.
Now if I want to include a laptop and connect it to "work" I have the problem with the firewall. "Connect to" on the router at work to the laptop is not possible. When I "connect to" the laptop to the router @ home - would Tinc at the router learn to connect directly to the laptop?
Normally I would like to avoid giving the laptop access to my private network, but if it would work as described before ...

Thx!
 
@Goggy

Yes, I use Tinc for this scenario as well. I have several work computers behind nat, and at another location, a router running tinc that is nat'd behind a 2nd router over which I have no control. These devices connect to other mutual nodes, which then do the UDP hole punching so all the devices can create direct links.

Now the UDP hole punching is done at the time you attempt to make a connection between two nat'd nodes, so it may take a few seconds for it to be set up. Whatever you're doing may timeout the first time, but should be accessible soon. It's usually pretty quick though.

If you're concerned about the laptop accessing your home network, there is a custom firewall area that allows you to define additional rules, or your own complete set of firewall rules (manual). Manual means you have to handle all the rules, including opening the ports on the router. For your scenario, additional rules should work.

Additional rules are appended to the firewall script, so we know if we insert an iptables rule, it will be at the beginning of the chain, and will be evaluated first.
I set up individual computers with a single IP address, i.e. 192.168.50.1/32.

Something like this I think will work, using the VPN IP address of the laptop.

Additional
Code:
iptables -I INPUT -s 1.2.3.4 -j DROP
iptables -I FORWARD -s 1.2.3.4 -j DROP

You can give that a shot and see how it fares.
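Since the whole idea relies on the -I landing ahead of the ACCEPT rules, this added checker (not from the thread or the firmware) reads `iptables -S CHAIN` output and reports whether the DROP for the laptop's address is evaluated before any ACCEPT; the chains below are constructed samples, and 1.2.3.4 is the placeholder address from the post above.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): given the live rule
# list from `iptables -S CHAIN`, confirm that the DROP for the laptop's VPN
# address sits before any ACCEPT in that chain, i.e. that the -I from the
# "Additional" box really landed at the top and still evaluates first.
# Assumption: 1.2.3.4 is the placeholder laptop address used in the post.

# rule_blocks_first SRC_IP   (reads `iptables -S CHAIN` on stdin)
# Prints "ok" (DROP found before any ACCEPT), "late" (an ACCEPT comes first)
# or "missing" (no such DROP at all); exit status is 0 only for "ok".
rule_blocks_first() {
    awk -v src="$1" '
    BEGIN { state = "missing" }
    /^-A/ && state == "missing" {
        hit = 0
        # Match "-s 1.2.3.4" or "-s 1.2.3.4/32" as whole fields, not substrings.
        for (i = 1; i < NF; i++)
            if ($i == "-s" && ($(i+1) == src || $(i+1) == src "/32")) hit = 1
        if (hit && $NF == "DROP") state = "ok"
        else if ($NF == "ACCEPT") state = "late"
    }
    END { print state; exit (state == "ok") ? 0 : 1 }'
}

# Constructed chains: one where the block was inserted at the top, and one
# where a broad ACCEPT for the tinc interface precedes it (the DROP is useless).
chain_good() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -s 1.2.3.4/32 -j DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
}
chain_late() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -j DROP
EOF
}

# On the router, after 'service firewall restart':
#   iptables -S INPUT   | rule_blocks_first 1.2.3.4
#   iptables -S FORWARD | rule_blocks_first 1.2.3.4
```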
 
I am running into a wall here, and I asked this on the tinc mailing list but that was a very inactive channel and no one answered.

I am trying to connect to a 1.0 server using the 1.1pre integrated in the Tomato Shibby firmware on my router.

I got the following errors from the server, and searching on Google did not give me any clue what is going on:

Executing script tinc-up
Listening on 0.0.0.0 port 5389
Ready
Connection from 108.213.41.154 port 52367
Sending ID to <unknown> (108.213.41.154 port 52367)
Got ID from <unknown> (108.213.41.154 port 52367)
Sending METAKEY to e4200 (108.213.41.154 port 52367)
Metadata socket read error for e4200 (108.213.41.154 port 52367): Connection reset by peer
Closing connection with e4200 (108.213.41.154 port 52367)
Purging unreachable nodes

Since the target host is a tinc 1.0 server, I did not have any Ed25519 public key, so I just randomly generated one from the router and filled in the 'connect to' host section with it so it would allow me to save the configuration. I was hoping they would fall back to RSA, but maybe this is what the problem is?

Any help is greatly appreciated!
 
