
Tinc Mesh VPN

Discussion in 'Tomato Firmware' started by lancethepants, Jul 25, 2014.

  1. eangulus

    eangulus Network Guru Member

    OK, by changing my setting to TUN, it all seems to work perfectly. (2 networks connected, will try a 3rd later).

    But it still isn't 100% what I was after previously, is there any way we can get this working on TAP or possibly somehow allow it to transport broadcasts in some way?
     
  2. eangulus

    eangulus Network Guru Member

    Currently looking into how I can enable broadcast forwarding to the "other side". I think I am on the right track here:

    http://serverfault.com/questions/276596/forward-broadcast-to-fixed-ip-using-iptables
    https://bbs.archlinux.org/viewtopic.php?id=122473
    http://www.linksysinfo.org/index.php?threads/broadcast-forwarding.10028/

    But have yet to get anything working so far.

    PS:

    lancethepants, while I remember, thank you for your help. More so, thank you for how you're helping. Instead of presuming I have no clue and just blindly telling me to add this and do that, you have clearly described the reason, process and such, in a way where not only am I getting closer to a solution, but I am understanding how it all works. This way I can most likely solve issues later, as I will know what to search for.
     
  3. lancethepants

    lancethepants Network Guru Member

    With TAP, all the routers would actually be on the same subnet. That means they would directly see each other and also each other's broadcasts. Essentially it would be as if the routers were physically next to each other, and plugged in to each other with ethernet cables. In that scenario though, you would not be able to have overlapping IP addresses. Each router would have to have its own IP address, otherwise there would be conflicts, and packets wouldn't know where to be routed. TAP, as I've written before, complicates things however, since we can't have overlapping IP addresses. Also DHCP tries to give the wrong computers the wrong gateway... etc.

    The GUI is intentionally this way; there is no need to enter subnets when in TAP, because TAP requires that you already be on the same subnet. The subnets are used for routing, and routing is only applicable when you are on different subnets (or lying about our subnets in this case), otherwise there is no routing needed because you are on the same subnet and can already see each other.

    In this scenario, we're lying to tinc, and telling it that the different routers are on different subnets. We then have the firewall rules that do the translation in the background. That way, for example, while on network 1, we think that router 2's IP address is 192.168.2.1. That way our local router's IP won't get confused with router 2's. They are two different IP addresses (as far as tinc knows anyway), even though locally at each location they are the same.

    edit: ah, you made a couple other posts while I was writing this one. I'll take a look at them.
     
  4. lancethepants

    lancethepants Network Guru Member

    I guess my question is, what exactly is it you want broadcasts for. You've mentioned samba, so I'll guess that for now. Samba is able to work in this scenario, without broadcasts. Now it won't show up in the "Network Places" in Windows automatically. That itself does require broadcasts I think, but you can navigate in file explorer to "\\192.168.2.10" or whatever IP your share is located at, and be able to explore just fine that way. Broadcasts only help with the automatic discovery.

    Some applications may simply not work without broadcasts, so it just depends on what you're trying to accomplish. A lot of stuff you can manage without though. Even most video games allow you to manually specify an IP address. True it is much easier with broadcasts, because it will automatically show up as a local game, but a lot of times you can get around it.

    In this scenario, when you use TUN, you don't have broadcasts. I haven't explored enough, maybe someway with broadcast forwarding? I'm not sure at this point if that's possible, but I've already learned a lot so far that I didn't think previously possible, so maybe.

    Just allowing the broadcasts you want would be ideal. Yet to be seen if it can be done with TUN (for me anyway), though I know it's possible in TAP. TAP just has that caveat that you can't have overlapping IP addresses, which kind of defeats the way I think you were wanting to setup each router to have the same subnet locally, and the same IP address.
     
  5. eangulus

    eangulus Network Guru Member

    Thanks for those answers, it may mean I have to make some sort of sacrifice somewhere in regard to either having network browsing and separate IP ranges OR doing the IP substitutes and no browsing.

    Anyway going back a few steps, I did try the substitutes and had it working. But now it isn't. All settings are as they were before, I have the subnet entered into each host setting in tinc and the iptable rules in the firewall script under administration.

    I had a look in the logs and I am getting an error with tinc now that I wasn't before. PS: I did try rebooting both ends too and it's still not working. See last 2 lines.

    Mar 2 17:49:29 ECS-ROUTER user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Mar 2 17:49:29 ECS-ROUTER user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Mar 2 17:49:29 ECS-ROUTER daemon.info pppd[621]: System time change detected.
    Mar 2 17:49:29 ECS-ROUTER daemon.notice tinc[1553]: tincd 1.1pre10 (Dec 24 2014 12:20:46) starting, debug level 0
    Mar 2 17:49:30 ECS-ROUTER daemon.info tinc[1553]: /dev/net/tun is a Linux tun/tap device (tun mode)
    Mar 2 17:49:30 ECS-ROUTER daemon.notice tinc[1553]: Ready
    Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 2 != 1
    Mar 2 17:49:37 ECS-ROUTER daemon.err tinc[1553]: Invalid packet seqno: 3 != 1
     
  6. eangulus

    eangulus Network Guru Member

    Just for some more info, I do think there is a bug.

    I just started to add another host, filled in all the details and making its subnet 192.168.4.0/24
    I clicked add
    It threw me an error as I forgot to paste in the keys.
    Skipped adding it (decided to do it later).

    Now I get another line in the logs saying:
    Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 2 != 1
    Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 3 != 1
    Mar 2 18:55:47 ECS-ROUTER daemon.err tinc[3098]: Invalid packet seqno: 4 != 1

    Kind of strange that as soon as I tried adding 192.168.4.0/24
     
  7. lancethepants

    lancethepants Network Guru Member

    AFAIK, those aren't network crippling errors. If the error message persists then that might be an issue. Tinc takes a while to start up too when rebooting the router. It's about the last thing that gets started, right when OpenVPN gets started as well.

    Also, the VPN will not be operational immediately after hitting the start button, or when it starts after a router reboot. When you start tinc, it first has to do some authentication using the encryption keys that you've generated. Then after that, between nodes, tinc figures out the largest usable MTU (packet size) that can be sent from one node to another.

    If you were adding another node while tinc was running, and then hit the save button, this will automatically stop tinc, re-create the freshly updated config, and start tinc up again. In the mean time tinc may have been in the middle of talking with another node. When tinc restarts, it will start receiving packets from the other node, but because it just came online, it doesn't know what's going on and why it's receiving packets. In that scenario it might throw out some errors. It and the other nodes will realize that it needs to re-authenticate and start the process of bringing the VPN back up.
     
  8. eangulus

    eangulus Network Guru Member

    Well, it's now been running overnight and still no connection using the translated IP's. Everything is setup exactly as it was when I did get it working. So I have no clue as to what's going on.

    Could it be that the firewall rules are starting too soon? Would adding a sleep 30 line at the top or something be a solution?
     
  9. lancethepants

    lancethepants Network Guru Member

    I would try setting it up from scratch again, regenerating new keys. I've had something like that happen once, but then I just created some new keys, not sure what I did, but I haven't had any issues since. The firewall rules should be fine as is. You can always run 'service firewall restart', and check that they are present. Rebooting resets everything too as well.
     
  10. eangulus

    eangulus Network Guru Member

    I have tried that but will try again. The instructions at the top are a little hard to follow though, as I don't have the Ed25519 sections in mine or my remote router versions (Tinc 1.1pre10).
     
  11. Yim Sonny

    Yim Sonny Network Newbie Member

    I'm trying to set up two routers with TUN. A couple of items are not very clear. When I generate the public and private keys for my first router, do I use both of these same keys for setting up the second router? I would guess that the public key would be the same in both routers, but does router #2 need to generate and use its own private key or does it use the private key that was generated on the first router?

    How does the LAN IP address in the basic router configuration relate to the IP address specified as the Host IP address in TINC ? If My LAN IP address is 192.168.1.1 do I also set 192.168.1.1 as the Host IP address or should I put a different address such as 192.168.1.5 ?
     
  12. lancethepants

    lancethepants Network Guru Member

    You will generate a Public and Private key for each router. Then when you want to connect two routers, you will share just the public keys and other information that is used in the 'Hosts' area.

    The 'Address' field in the Tinc's 'Hosts' area is asking for the public IP Address or domain name where that router can be reached from the internet. Typically for home users that don't get a static IP address for their ISP, this will require setting up a Dynamic DNS (DDNS) service.

    The only place where your LAN IP address matters is in the subnet portion of the 'Hosts' area. If on one of your routers your LAN's IP address is 192.168.1.1, then you are using a subnet of 192.168.1.0/24, and that is what you will place in the 'Subnet' field.
     
  13. Yim Sonny

    Yim Sonny Network Newbie Member

    Thank you for the clarifications. I apologize for my elementary questions. The big picture of how it worked was not yet clear, but with your help the lights came on and I got it working.

    Is there a recommendation for a new generation router for Shibby's new Tinc enabled firmware ? I do not use wireless at all. I'm looking for a good power / price / stability combination considering no wireless needs. Thanks again.
     
  14. lancethepants

    lancethepants Network Guru Member

    Glad you got it working.

    Data throughput is going to be cpu bound. ARM based routers are going to perform better than mipsel ones. ARM is still somewhat experimental though, but is catching up to mipsel firmware. I think the R7000 is the fastest stock clocked router at 1ghz dual core. I believe Asus also recently came out with a newer version called the rt-ac68p with the same clock speed.
    I'm not sure what your price point or throughput desires are. Somewhere in this thread someone claimed about 30Mb/s throughput on an ARM router. I think tinc1.1 is close to a stable version soon. I don't think they'll be changing crypto between now and then, so whatever throughput I imagine will stay about the same as more releases of tinc come out.
     
  15. Jobahazi

    Jobahazi New Member Member

    Thanks for the guide - to be clear, in the hosts tab under address I will use my public IP? I don't have static IP, I took information from basic->DDNS tab IP address use wan ip address .... (recommended). And as a subnet I will use 192.168.1.0/24 as my router address is 192.168.1.1 right?
    Is there any sense of using Tinc VPN with dnscrypt?
     
  16. lancethepants

    lancethepants Network Guru Member

    @Jobahazi
    Yes, it's whatever public IP address you get from your ISP. If you don't get a static IP address, then I would recommend using a DDNS service so other nodes can still connect to you, even when your IP address is changing.

    Yes, using 192.168.1.0/24 will allow other nodes access to your full subnet/network. If you are following the tutorial and using TUN, then other nodes you setup will need to have different subnets, ie 192.168.2.1 - 192.168.2.0/24

    Tinc and DNSCrypt are two different things. Tinc is for encrypting VPN connections between different nodes you set up, while DNSCrypt is for encrypting your DNS traffic. They have different functions, but you can use them both simultaneously.
     
  17. Goggy

    Goggy Network Guru Member

    EDIT: cant post a longer text - server error?
     
    Last edited: Apr 16, 2015
  18. Goggy

    Goggy Network Guru Member

    Hi!

    Changed recently from OpenVPN to Tinc. I'm connecting 2 routers (home / work) via TUN. The router @ work is behind a firewall which I have no access to. But that's no problem for my case - Tinc @ work initiates an outgoing connection to Tinc @ home so the provider firewall is no problem.
    Now if i want to include a laptop and connect it to "work" i have the problem with the firewall. "Connect to" on the router at work to the laptop is not possible. When i "connect to" the laptop to the router @ home - would Tinc at the router learn to connect directly to the laptop?
    Normally I would like to avoid giving the laptop access to my private network, but if it would work as described before ...

    Thx!
     
  19. lancethepants

    lancethepants Network Guru Member

    @Goggy

    Yes, I use Tinc for this scenario as well. I have several work computers behind nat, and at another location, a router running tinc that is nat'd behind a 2nd router over which I have no control. These devices connect to other mutual nodes, which then do the UDP hole punching so all the devices can create direct links.

    Now the UDP hole punching is done at the time you attempt to make a connection between two nat'd nodes, so it may take a few seconds for it to be set up. Whatever you're doing may timeout the first time, but should be accessible soon. It's usually pretty quick though.

    If you're concerned about the laptop accessing your home network, there is a custom firewall area that allows you to define additional rules, or your own complete set of firewall rules (manual). Manual means you have to handle all the rules, including opening the ports on the router. For your scenario, additional rules should work.

    Additional rules are appended to the firewall script, so we know if we insert an iptables rule, it will be at the beginning of the chain, and will be evaluated first.
    I set up individual computers with a single IP address, ie 192.168.50.1/32.

    Something like this I think will work, using the VPN IP address of the laptop.

    Additional
    Code:
    iptables -I INPUT -s 1.2.3.4 -j DROP
    iptables -I FORWARD -s 1.2.3.4 -j DROP
    
    You can give that a shot and see how it fares.
     
  20. ericw12

    ericw12 New Member Member

    I am running into wall here, and I asked this in tinc mailing list but that was a very inactive channel and no one answered

    I am trying to connect to a 1.0 server using the 1.1pre integrated in Tomato Shibby firmware on my router.

    I got the following errors from server, and searching on google did not give me any clue what is going on

    Executing script tinc-up
    Listening on 0.0.0.0 port 5389
    Ready
    Connection from 108.213.41.154 port 52367
    Sending ID to <unknown> (108.213.41.154 port 52367)
    Got ID from <unknown> (108.213.41.154 port 52367)
    Sending METAKEY to E4200 (108.213.41.154 port 52367)
    Metadata socket read error for E4200 (108.213.41.154 port 52367): Connection reset by peer
    Closing connection with E4200 (108.213.41.154 port 52367)
    Purging unreachable nodes


    Since the target host is a tinc 1.0 server, I did not have any Ed25519 Public Key, so I just randomly generated one from the router and filled it in the "connect to" host section so it would allow me to save the configuration. I was hoping they would fall back to RSA, but maybe this is what the problem is?


    Any help is greatly appreciated!
     
  21. lancethepants

    lancethepants Network Guru Member

    Hmm, I see always requiring an Ed25519 Public Key for every node is an oversight of mine, but I'm not sure if that's causing your issue.

    Make sure that both the router and the tinc1.0 node have Public and Private RSA Keys (you may already), and instead, on the router, simply put a space in the 'Ed25519 Public Key' spot for the tinc1.0 node, and that will allow it to save. Also, sometimes just regenerating a new set of keys has proven useful to me, where I may have mysteriously done something unknown and it doesn't work.

    If that doesn't get you anywhere, then we'll need a bit more information about your configs and setup, ie tun/tap, what IP addresses or ranges each side is using.
     
  22. CUlriuch

    CUlriuch New Member Member

    Hi Lance,

    I have just followed your nice guide and it seems like everything is connected just fine.

    Status from Node1 -> Node 2:

    Node: Office
    Node ID: 12f55751a92b
    Address: XX.XX.XX.XX port 655
    Online since: 2015-05-02 17:28:32
    Status: validkey visited reachable sptps
    Options: pmtu_discovery clamp_mss
    Protocol: 17.4
    Reachability: directly with TCP
    Edges: Home
    Subnets: 192.168.210.0/24


    From Node 2 -> Node 1

    Node: Home
    Node ID: 3a78695388b3
    Address: XX.XX.XX.XX port 655
    Online since: 2015-05-02 17:28:38
    Status: validkey visited reachable sptps
    Options: pmtu_discovery clamp_mss
    Protocol: 17.4
    Reachability: directly with TCP
    Edges: Office
    Subnets: 192.168.200.0/24
    But I can not reach/ping the other network from either side. Routing should be maintained by the Tinc service or am I missing something.

    Best regards,
    Christian
     
  23. lancethepants

    lancethepants Network Guru Member

    @CUlriuch
    Hmm, that's peculiar. So long as you leave 'Firewall Rules' and 'tinc-up creation' on 'automatic', it should set up the routing and firewall rules appropriately. Try rebooting both ends to see if that's a quick fix. Sometimes regenerating new keys has alleviated mysterious issues for me. Are both ends running the same version of tinc (ie tinc1.1pre11)? Ideally they should be connecting over UDP, and fall back to TCP. They definitely look like they've made a connection, and it doesn't appear you have anything strange about your setup.

    You could also try debugging by

    1. Start tinc in the gui
    2. Manually kill the process at the command line (killall tincd)
    3. start tinc with debug logging and watch it run in the terminal (tincd -D -d 5)
     
  24. ericw12

    ericw12 New Member Member

    OK. Just a space did not work, but space in front of a Ed25519 Public Key works, and it could be any Ed25519 Public Key... get that! :D
    Well, as long as it works, I am a happy camper! Thank you so much!
     
  25. pjv__

    pjv__ Reformed Router Member

    @CUlriuch

    this may not be relevant to you if you are using firmware with lance's GUI and having it manage the creation of all the scripts and whatnot, but i can't flash new firmware to some of the routers i am managing all over the place, so i have downloaded lance's binaries for tinc and tincd and set up all the configs manually, and on one router, in the tinc-up script, i forgot to remove the '#' from the front of the ifconfig line, so it looked like this:
    Code:
    #ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
    ...and the result was the same as you are seeing: tinc connected to all the nodes it was supposed to connect to and those nodes also saw this one as connected, but the node in question did not have the interface or the routing set up and so nothing could go out or come into the VPN for it.

    @lancethepants

    tinc is the shit and you are the bees knees. i have spent countless fruitless hours trying to force openVPN into giving me a workable private virtual lan routed between the various tomato routers i manage along with some linux VPS boxes. this is going to make a very nice change to my professional life. THANK YOU.
     
    lancethepants likes this.
  26. pjv__

    pjv__ Reformed Router Member

    so @lancethepants, i have tinc now installed on a couple tomato routers using your static binaries and on one linux VPS host. i've set up a little network with the routers and the VPS and when i bring up tinc on all the hosts, they all see each other fine. each node can directly connect with the others. i can ping any node using its internal VPN address from any of the other nodes.

    the routers each have a /24 subnet defined in their hosts file.

    BUT... i am missing some routing somewhere on the routers because i cannot get to any of the hosts on the LAN side of them. if i try to traceroute to the IP address of a host on one of the router's LANs from one of the other nodes on the VPN, it will make it to the router, but after that, it's all stars.

    Code:
    traceroute 192.168.5.105
    traceroute to 192.168.5.105 (192.168.5.105), 30 hops max, 60 byte packets
    1  192.168.5.1 (192.168.5.1)  254.730 ms  254.737 ms  254.765 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    (105 is online and responsive)

    what am i missing?
     
  27. lancethepants

    lancethepants Network Guru Member

    @pjv__
    Tracert depends on the host responding to ICMP requests.
    I, for example, can remote desktop into a remote windows pc over the vpn. That same PC, however, will timeout when trying to ping or tracert it because it has not been configured to respond to ICMP. Even when I ssh into its router, it does not respond to its gateway's pings.
    Another host however, a linux server that does not have its firewall enabled, does respond to tracert for me.

    So tracert may not be the best indication that the VPN is or isn't working. Does it respond to tracert within its local network? Can you access other services, either locally or remotely?
     
    Goggy likes this.
  28. pjv__

    pjv__ Reformed Router Member

    @lancethepants sorry - ignore the tracert. i was just showing you an example. that host does respond to ICMP requests. it is pingable from other hosts on its local LAN (e.g. 192.168.5.1 - the tomato router - can ping 105 fine) and it is also running services (SSH for one) that i cannot connect to from the VPN.

    i think i must be missing some iptables rules that route from/to tomato on the LAN side. following your example configuration, all i put into the firewall was:

    Code:
    iptables -A INPUT -p tcp --dport 655 -j ACCEPT
    iptables -A INPUT -p udp --dport 655 -j ACCEPT
    are there any other iptables rules i need to be able to route to/from the hosts on the router's LAN?
     
  29. lancethepants

    lancethepants Network Guru Member

    @pjv__
    OK, that makes more sense.
    I forgot that since you're using the static binaries, that you would not be using the gui which handles the firewall for you.
    Yes, you do need a few more rules. Here is what the gui will automatically generate.

    Code:
    iptables -I INPUT -p udp --dport 655 -j ACCEPT
    iptables -I INPUT -p tcp --dport 655 -j ACCEPT
    iptables -I INPUT -i tinc -j ACCEPT
    iptables -I FORWARD -i tinc -j ACCEPT
    
    I named the tun/tap interface 'tinc', but you will have to change that to whatever you've called your interface.
    That should allow all traffic through the tunnel.
     
    Goggy likes this.
  30. pjv__

    pjv__ Reformed Router Member

    @lancethepants
    perfect - that fixed it.

    interesting, i didn't actually call my interface anything on purpose, but when tinc comes up the way i have it installed/configured it names the network interface the same as the VPN network name.

    thanks again for this and super thanks for making tinc work on tomato.
     
  31. lancethepants

    lancethepants Network Guru Member

    @pjv__ Awesome! Glad you got it working.

    That same issue hung me up too, forever ago when I was just messing with the binaries as well. I had some good learning experiences doing the tomato integration, and am glad when others find it useful too.
     
  32. pjv__

    pjv__ Reformed Router Member

    @lancethepants : i don't know how many people are going to do what i did and download your example configs (here) for working with the static-linked binaries, but you might want to update the file: "administration - scripts - firewall.txt" inside the tun example zip to include those two additional iptables rules just in case.

    wish i had known about tinc and about it being in shibby's AIO build before i flashed the last set of routers with the VPN build (maybe tinc should be included in that one...). i'll flash my local rtn66u with the AIO one of these days, but there are a handful of routers i manage in the wild out there that i am never going to be able to flash, so it is great to be able to use the static binaries on /jffs. tinc's super simple and logical text configs are such an incredible relief after fumbling with openVPN for so long, it's not really a big deal not having the gui. nice to be able to throw all the configs into a git repo too.

    i'm looking forward to deploying tinc to all of the routers and linux boxes (and friends and family's laptops) i manage all over the world and turning the whole thing into my own private cloudlan.

    i have a client who just bought a pair of rtn66u's, one for his office and one for home. i was going to set up an openVPN tunnel between them. he wants to be able to open his laptop at home and have it be the same experience as opening it at work in terms of access to office shares, printers, network applications, etc. he has fiber both at home and at work, so it should be pretty snappy for a wan. now i am thinking i'm going to try to set it up via tinc tap so he doesn't ever have to see an IP address. i guess i should make the lans on the two routers in the same subnet, and make sure that there are no overlapping IP addresses. you mentioned the DHCP issue; do you know of any way (more iptables rules?) to keep the dhcp and dns separated so hosts connecting to one of the routers get dhcp and dns only from the router they are on the LAN with?
     
  33. lancethepants

    lancethepants Network Guru Member

    @pjv
    I've updated the example configs with the additional firewall rules.

    I would have thought tinc would be in the 'VPN' set of Shibby firmware images. Maybe it would make the firmware too large for some routers.

    I do really like the simplicity of tinc. Not a lot of hassle like you say, even when creating configs by hand.

    Here's a few relevant posts concerning blocking certain broadcasts over the vpn

    http://www.linksysinfo.org/index.php?threads/block-dhcp-over-bridged-vpn.68790/#post-231093
    http://linksysinfo.org/index.php?threads/block-dhcp-over-openvpn-bridge.36739/
    http://linksysinfo.org/index.php?threads/block-upnp-over-openvpn-bridge-tap11.36805/#post-178472
     
    Goggy and pjv__ like this.
  34. pjv__

    pjv__ Reformed Router Member

    So, this is probably a routing / iptables question more than specifically a tinc question, but here goes anyway in case @lancethepants or anyone else monitoring this thread knows the answer.

    I have a handful of tomato routers out there with a tinc mesh running on them in standard 'tun' ("router") mode in the 192.168.0.0/16 subnet. Call that pjvnet. Each router on pjvnet has its own 192.168.X.0/24 subnet. I can see/ping anything connected to a pjvnet router from any device connected to another pjvnet router.

    On one of the routers (whose subnet is 192.168.15.0/24 - call it Router B) I am also simultaneously running a WAN bridge via an additional tinc connection in 'tap' ("switch") mode (using a manually specified different port, on a manually created additional tun device - call this bridge "phonet") with another router (at 192.168.15.101 - Router C) that is not directly part of pjvnet. Over phonet between those two routers I can successfully treat either side of the bridge like a single LAN; broadcasts (like windows shares, network printers, etc.) can be seen on either side of the WAN bridge as though it were one big LAN.

    Now, from my laptop (behind Router A on pjvnet), I can connect to Router B. And I can also connect to all the devices that are directly connected to Router B (as I can with every other pjvnet router). And since Router B sees Router C and all its devices as on the same LAN / subnet as itself, I would have expected Router C and all its devices to be visible to and from pjvnet-connected devices exactly the same as all the devices that are directly connected to Router B. But even though Router B and all the devices directly connected to it see Router C and all its devices as being on the same LAN / subnet, I cannot see or connect to Router C or anything that is on the other side of the WAN bridge from my laptop.

    In other words, it seems like there is no route between pjvnet and phonet traffic. Do I just need an IPtables rule or can I use the static routing GUI in tomato to set up a route somehow? Or what?

    Here's a simple pic representing the situation.

    [image: diagram of the pjvnet / phonet setup described above]
     
  35. lancethepants

    lancethepants Network Guru Member

    Hmmm, that's interesting. Make sure router B has the following rules if not already.

    Code:
    iptables -I INPUT -i pjvnet -j ACCEPT
    iptables -I FORWARD -i pjvnet -j ACCEPT
    
    iptables -I INPUT -i phonet -j ACCEPT
    iptables -I FORWARD -i phonet -j ACCEPT
    
    And maybe try the following as well
    Code:
    iptables -I FORWARD -o pjvnet -j ACCEPT
    iptables -I FORWARD -o phonet -j ACCEPT
    
    That's my first idea anyway.
     
  36. pjv__

    pjv__ Reformed Router Member

    Thanks Lance.

    I had the first four rules already. I tried adding the last two, but it made no difference.

    In my mind, because the tap interface is layer 2, everything on phonet should look like just another device directly connected to Router B without having to do anything special. But obviously I am missing something.
     
  37. pjv__

    pjv__ Reformed Router Member

    Thanks again @lancethepants for your static mipsel binaries. I put tcpdump on B & C so I could see what was happening and it looks like the missing piece is on router C. tcpdump told me that the pings from my laptop were getting routed correctly through B and were in fact hitting C, but the replies were not going back. And I think I see why, but not sure what to do about it. Check this route output from C:

    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
    192.168.15.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
    One thing I left out of my original description is that Router C is actually behind a NAT (from the service provider) and as you can see, the default gateway for C on that NAT is 192.168.1.1. So when I am pinging C from my laptop whose IP address is 192.168.5.100 (on pjvnet), I think that C is sending the acks back through 192.168.1.1 and it of course has no idea where they should go.

    If the service provider's gateway was not 192.168.1.1, I think I could fix this problem by doing this on Router C:

    Code:
    route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.15.1
    But if I add that route (which is basically the pjvnet address space), won't it hose the default route on C that is supposed to go through the service provider's gateway at 192.168.1.1?

    Unfortunately, I am remote from router C, so if I try it as an experiment and it messes things up, I'll lose connectivity with it. So I'll have to wait until the next time I am heading over to where that router lives before I can try it.
     
  38. calisro

    calisro Connected Client Member

    I'm using a RT-AC68U overclocked to 1200MHz. It is a dual core ARM router which means tinc will use one core while other router functions can use the other. I've been using it for months now and I get 36-40 megabits across my tinc vpn. I'm not using shibby's firmware and have stuck with merlin's custom asus firmware but that shouldn't matter. The RT-AC68P is good too but the AC68U is cheaper and can be overclocked to match the AC68P.
     
  39. yodaphone

    yodaphone Network Newbie Member

    Hi

    this is my setup

    node a- 192.168.11.0/24 - has a public IP & configured

    node b - 192.168.3.0/24 - no public IP (This is behind an ISP NAT)

    I set up the keys etc. Link is up.

    I'm able to access node b's router web interface just fine & the reverse works fine too.

    BUT I'm unable to access a webserver running on 192.168.3.112 from 192.168.11.20.

    I'm able to ping, say, 192.168.3.112 from the node A router terminal 192.168.11.1, but unable to do so from the desktop client at 192.168.11.20 & unable to access the web interface.

    The reverse is not working either (from node b clients to node a clients).

    I set the iptables right.

    Any ideas
     
    Last edited: Jul 6, 2015
  40. lancethepants

    lancethepants Network Guru Member

    @yodaphone
    Are you using tinc built into tomato shibby? or using the binaries I've provided to manually set it up at the command line?
     
  41. pjv__

    pjv__ Reformed Router Member

    @lancethepants or anybody happen to know how to start tinc (not the GUI version in shibby, but the binaries) so that the process will automatically respawn if it goes down?

    EDIT: I mean specifically on a tomato router - I know how to do this on other linux platforms, but I don't know anything about the init process on tomato.
     
  42. lancethepants

    lancethepants Network Guru Member

    @pjv__ You could script something up to check that the tincd process is running, and to start it if it doesn't exist. Then place it in cron to run every minute or so.
     
  43. pjv__

    pjv__ Reformed Router Member

    @lancethepants fer sure, but doesn't the linux distro running on tomato have some kind of service or daemon init system in place already and isn't there a way to launch a service so that it is monitored and respawned?
     
  44. pjv__

    pjv__ Reformed Router Member

    in case anyone else is interested, following the cron script suggestion, this is working for me in admin -> scheduler:

    Code:
    if ! pidof tincd > /dev/null; then
        /jffs/sbin/tinc -n tincnet start --debug=1
    fi
     
  45. BrandonS

    BrandonS Network Newbie Member

    @pjv__ , I am trying to do what you are because power outages have been leaving tincd in the stopped state for me.

    My binary is in /usr/sbin/tincd so I was thinking I could just use that. When my service is stopped the /tmp/etc/tinc is unmounted with the conf info so I don't know where all this info is held on a router. What is the command to start tincd from SSH? I haven't had success with 'service tincd start'.

    My /jffs is empty because I don't have it mounted. I am using Asus RT-AC68U 1.28.0000 -129 K26ARM USB AIO-64K
     
    Last edited: Oct 18, 2015
  46. pjv__

    pjv__ Reformed Router Member

    Hi @BrandonS, since you are using the AIO shibby, I think you have a totally different setup than me. You have @lancethepants' GUI for managing tinc and the binaries and configurations are integrated into the install. I am not running that version of shibby so I have installed tinc manually on /jffs and have my manually created configs in /jffs/etc. Since I am not running the same setup as you, I don't know where the stuff you need is kept. Maybe @lancethepants can suggest a way to keep tincd running for the GUI config in shibby AIO.
     
  47. lancethepants

    lancethepants Network Guru Member

    @BrandonS
    The cli command is 'service tinc start'.
     
  48. BrandonS

    BrandonS Network Newbie Member

    @pjv__ , @lancethepants thank you both. I guess I was thinking it used the daemon init so that was my oversight. For the integrated Shibby build creating a custom scheduler task with the following is working:

    Code:
    if ! pidof tincd > /dev/null; then
        service tinc start
    fi

    Now I will have to do a little more digging to find out why the service keeps stopping on its own.
     
  49. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    Hello!

    I now tried the exact example configurations and I tried multiple variations of it for hours. But the android "Tinc GUI" will always and every time tell me "Could not set up a meta connection" after sending the METAKEY. :(

    Edit:
    In Tomato's Log I now found that there's the following error
    "node xyz tries to roll back protocol version to 17."
    So it seems that the age of the android client is a problem here. Does anyone use android tinc with Tomato at the moment? Is there a way of forcing an older protocol version on Tomato's tinc?

    Thank you!
     
    Last edited: Dec 2, 2015
  50. lancethepants

    lancethepants Network Guru Member

    @RichtigFalsch
    To talk with tinc version 1.0 from the android app, you'll need to use RSA keys, so make sure you've generated those for each side. If you want you can also put in ed25519 keys, as well, or just put a space there for those keys in the tomato gui.
     
  51. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    Ok, as we know in between, the problem seems to be the old android client.
    Could you help me to get a current version for android on my phone?
     
  52. ACACAC

    ACACAC New Member Member

    Dear Mr. Pants,

    In case there was ever any doubt, you are THE MAN.

    -AC
     
    lancethepants likes this.
  53. ACACAC

    ACACAC New Member Member

    Hey Lancethepants (or anyone else who might be able to help),

    I've got tinc working great, but I'm not sure how to make DNS resolve correctly across my two joined networks (two different houses).

    Here's my setup:
    • home #1: network 10.0.0.0/22, domain network1.com, Tomato router is 10.0.0.1, running Shibby 132 (AIO build)
    • home #2: network 10.1.0.0/22, domain network2.com, Tomato router is 10.1.0.1, running Shibby 132 (AIO build)

    They are connected by tinc (TUN, netmask 255.0.0.0).

    Using IP addresses, devices can reach each other just fine within and across the networks, and can see the internet. So it seems tinc is working perfectly. But using DNS names, devices can only see devices within the same house and on the internet.

    So...
    • client.network1.com CAN resolve server.network1.com
    • client.network1.com can NOT resolve server.network2.com

    I'm not surprised this isn't working automatically, I just don't know where to start to make it work. I'll confess I've never understood DNS, so I may have done something stupid. With that said, here's my DNS setup...

    Each Tomato router serves as the DNS server for each house. In Tomato, on the Basic > Network page, each router has its own address listed under "Static DNS". On the Advanced > DHCP/DNS page, each router has all of the following options CHECKED:
    • Use internal DNS
    • Use received DNS with user-entered DNS
    • Prevent DNS-rebind attacks
    • Intercept DNS port (UDP 53)
    • Use user-entered gateway if WAN is disabled

    And under "Custom configuration", I've got "strict-order" because I found that recommended in the Tomato documentation somewhere.

    The hostnames for devices on each network are assigned on the Static DHCP page for each router. The hostnames for network1.com appear only on the router for network #1, not both routers (and same for network #2).

    This all works properly within each house, but not across the VPN hop. I've tried adding the VPN address for the remote router as a second entry on the Basic > Network page under "Static DNS" (adding 10.1.0.1 as a secondary DNS server in the 10.0.0.1 configuration and vice-versa), but that doesn't fix the problem, and in fact it prevents me from resolving internet DNS names and therefore breaks the tinc connection altogether.

    Anybody have any ideas?

    And Lancethepants, thanks so much for integrating tinc, it's awesome! So much easier than OpenVPN, too, especially with your key generation webpage.

    -Aaron
     
    Last edited: Jan 13, 2016
  54. roberthuang

    roberthuang Reformed Router Member

    Hi Everyone,

    As you know, China blocks all VPN access to the outside world. That includes PPTP, L2TP, SSTP, OpenVPN. I'd like to try to set up the tinc VPN for my friends in China. I can configure the tinc in Tomato by Shibby. Thanks lancethepants. I just couldn't find the tutorial of how to set up the tinc client in Windows 7, especially where I can specify the server's (my Tomato router) IP address in Windows7 client machine in order to connect. Anyone can share the link of how to do it? Thanks.

    Robert
     
    Last edited: Jan 14, 2016
  55. lancethepants

    lancethepants Network Guru Member

    @ACACAC
    Haha, took me a little bit, but I managed to get this figured out.

    We need to tell dnsmasq to listen on the tinc vpn interface. Just to make sure we'll tell it no DHCP as well.

    Dnsmasq Custom configuration
    Code:
    interface=tinc
    no-dhcp-interface=tinc
    
    Then we need to tell each server where to send queries for your specific domains, also in Dnsmasq Custom configuration

    In home #1
    Code:
    server=/network2.com/10.1.0.1
    
    In home #2
    Code:
    server=/network1.com/10.0.0.1
    
    Then you need to make sure 'Prevent DNS-rebind attacks' is UN-checked, otherwise it thinks there's an attack and will not work. strict-order isn't necessary, and I would remove it unless you know why you might want it.

    I left all the other options what they are at default. I don't think they will influence this functionality anyway.
     
    Last edited: Jan 15, 2016
    ACACAC likes this.
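    Added here as an illustration, not code from the post above: both routers' "Custom configuration" side by side, written out as the dnsmasq options they produce. It also shows a variant that keeps "Prevent DNS-rebind attacks" checked and exempts only the two VPN domains with dnsmasq's rebind-domain-ok, assuming that checkbox maps to dnsmasq's stop-dns-rebind; the local= lines are an addition too, so queries for each house's own domain are never forwarded to the ISP.

    ```conf
    # Added example; assumes the addressing and domains from the post above.

    # ---- Home #1 router (10.0.0.1): Advanced > DHCP/DNS > Custom configuration ----
    # Answer DNS queries that arrive over the tinc interface ...
    interface=tinc
    # ... but never hand out DHCP leases across the VPN.
    no-dhcp-interface=tinc
    # network1.com is authoritative here: answer from DHCP/hosts, never forward upstream.
    local=/network1.com/
    # Forward lookups for the other house to its router, reached over the tunnel.
    server=/network2.com/10.1.0.1
    # Alternative to unchecking "Prevent DNS-rebind attacks" (stop-dns-rebind) globally:
    # keep the check on and exempt only the domain whose answers are expected to be
    # private 10.x.x.x addresses, so internet replies are still screened.
    rebind-domain-ok=/network2.com/

    # ---- Home #2 router (10.1.0.1): same file, mirrored ----
    interface=tinc
    no-dhcp-interface=tinc
    local=/network2.com/
    server=/network1.com/10.0.0.1
    rebind-domain-ok=/network1.com/
    ```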
  56. ACACAC

    ACACAC New Member Member

    Holy crap, you're a genius! This actually works! I never would have been able to figure it out.

    For the benefit of anyone who tries to follow along later... I think you have a typo above, and for home #2 you meant this, right?
    Code:
    server=/network1.com/10.0.0.1
    
    This is amazing. You've literally made my week. Thank you profusely.
     
    lancethepants likes this.
  57. lancethepants

    lancethepants Network Guru Member

    @ACACAC
    Whoops, you're right! I did some hasty copy/paste and forgot to change home #2. I've edited it to be correct. thanks!

    Awesome! I like a good challenge, and that was a fun one to figure out.
     
  58. lancethepants

    lancethepants Network Guru Member

    @roberthuang
    Here's a few tutorials, one of which talks about running tinc on Windows. Another one also talks about using tinc to tunnel your internet traffic. It only gives tunneling examples for linux, though I'm absolutely certain windows is possible as well.
    http://www.tinc-vpn.org/examples/

    I had my doubts that tinc could work to bypass the gfw. Doing some googling however, it looks that it might actually currently work. I have no way to test this myself, but it looks as though others have had success with it. Tinc is lesser known that other vpn solutions, so I think so far it hasn't called too much attention to itself. If people began using it in the masses I'm sure that would change.

    I know a sure fire way was to use shadowvpn. The main developer got shut down, but another guy kept it going. For some reason I can't find his repo any more though. Bypassing gfw is an ever changing landscape.
     
  59. alf5683

    alf5683 Connected Client Member

    Hi !

    Thank you for this post !! now I have got a bridge with tinc !!

    I read the doc, and I want to know how I can change the "algorithm used to authenticate" or anything else. I read all of "openssl" is supported but how can I change it ?


    Thx a lot !
     
  60. lancethepants

    lancethepants Network Guru Member

    @alf5683
    Tomato uses tinc1.1preX, which is the next generation of tinc, but it is still in development. Tinc1.1pre11, which is the latest development release, and also what shibby's latest release is using, always uses ChaCha-Poly1305 as its cipher.
    http://tinc-vpn.org/news/release-1.1pre11/

    It should be possible to run tinc using the legacy protocol, which has known security vulnerabilities, if you like. I haven't tried this myself, but I think this is what it would involve.

    In Config -> Custom
    Code:
    ExperimentalProtocol = no
    Cipher = blowfish (or whatever you want.)
    
    Also make sure you have generated and entered in the RSA keys, because that is what the legacy protocol uses.

    I want to say that ChaCha-Poly1305 is decently fast on routers. Here's what one person reported for an ARM router.
    http://www.linksysinfo.org/index.php?threads/tinc-mesh-vpn.70257/page-2#post-262875

    I'm not sure if you could get anything much faster using a weaker cipher on the legacy protocol.
    If you're asking for security reasons, then stick with what you've got because it will be more secure than going back to the legacy protocol, and I'm inclined to say it's a decently fast cipher as well.
     
  61. alf5683

    alf5683 Connected Client Member

    Yes !! it's only for security reasons. In OpenVpn I used "Encryption cipher : AES-256-cbc" and Openvpn uses 3 big different keys.
    And now I have just 1 little key !
    I'm a noob in cryptography, and I want to know if Tinc is more secure than OpenVpn or less !
    For me speed is important but safety is more important !

    Thank for your quick response :)

    edit :

    I want to try SPTPS protocol. But where can I choose between "Legacy authentication protocol" and "Simple Peer-to-Peer Security"
     
    Last edited: Feb 24, 2016
  62. lancethepants

    lancethepants Network Guru Member

    While tinc1.1 hasn't reached a final release, it is so far considered secure. In fact, in some cases where OpenVPN has been affected because of OpenSSL vulnerabilities, tinc has been unaffected.

    SPTPS is used by default, so you are already using it. Unless you're using the custom config options to use the legacy protocol I mentioned in my previous post
     
  63. alf5683

    alf5683 Connected Client Member

    Perfect !! I did not understand that, when I read the doc ! So I restart my Tinc tests :)
    Thx for your quick answer, and sorry for my english ^^
     
  64. eangulus

    eangulus Network Guru Member

    Seeing as I have not played with Tinc in a while, I just want to get everyones opinion.

    I am soon to setup a proper setup (as in live business use) setup.

    I will have a main Tomato Router at the Main Office.

    I will need to have 2 home offices with RT-AC66U Tomato routers, that will act as part of the main office network.

    What I need is, that each router will have internet and be used as the DNS/Gateway for devices connected directly to them.

    I need all computers (laptops that move between office and home) to access same IP address or UNC names for things like the Printers and NAS. NAS is in the Main office but printers could be a home printer or the office printer.

    I want things to work seamlessly when a user moves from the office to home with a laptop so that everything works the same as if they were still at the office.

    What I am not sure of is what would be the best setup for this, TUN or TAP, and whether I should use separate subnets for each location or use the one subnet.

    All and any advice is welcome. I am only in planning stages right now but this is expected to start happening in about 2 months.

    Oh and btw, if relevant, if I need to use subnetting it would be 10.0.0.0 for Office, 10.1.0.0 for Home 1 and 10.2.0.0 for home 2
     
  65. pjv__

    pjv__ Reformed Router Member

    I've set up a situation like that for a client of mine with a pair of RT-N66U's, one in his office and one at his home. I set up tinc in TAP mode with both LANs on the same subnet for layer 2 connectivity which lets things like windows shares and the ability to see printers across the WAN work relatively seamlessly.

    The one fiddly part of setting it up was that there were some additional routing rules needed to make sure that some traffic (e.g. dhcp stuff) didn't go across the bridge. Above in this thread, @lancethepants pointed me to several other posts that helped me get a working config.

    Good luck with it.
     
  66. eangulus

    eangulus Network Guru Member

    In regards to the subnetting...

    I plan on using subnets for breaking down location, device type and then the device.

    So 10.x.0.0 is location, 10.0.x.0 will be device types such as desktops, then 10.0.0.x as the individual device.

    So in regards to that, would I be best to follow above and make the subnet the same as 10.x.x.x and internally separate as above, or set up with each router being the subnet of the location as in 10.0.x.x - 10.1.x.x

    So should I go with 10.0.0.0/8 for the network as a whole or each location 10.0.0.0/16 and join them. My main concern is that last time I tried setting up tomato with 10.0.0.1 & 255.0.0.0 it had some issues. Highest I could go with everything working properly was 10.0.0.1 & 255.255.0.0


    Also in terms of roaming users, there will be 1 or 2 staff needing access from "other" locations while traveling. Should I just setup PPTP access for then to VPN into the network when not at any of the network locations? Or is there a TINC program for Windows/iPhone/Android that can be used to better tie into the network?
     
  67. lancethepants

    lancethepants Network Guru Member

    @eangulus
    Do you think you might need more than 256 clients per network? Or at least maybe be prepared for the future? If that's the case I think the 10.0.0.0/8 (255.0.0.0) for the vpn would be the easiest route to go. Then each location with 10.x.0.0/16. Doing something between /16 and /24 would be possible, but it's more confusing where one network starts and the other one ends. This way you just know your 2nd octet denotes each location's respective subnet.
     
  68. eangulus

    eangulus Network Guru Member

    Well in most cases there won't be more than 256 devices.

    But I now have 2 clients that will definitely have more. And with things like IoT around the corner, things are just going to get bigger.

    So what I have done for my 2 large clients, is build an IP structure using 10.(location).(devicetype).(device). This lets me get a good idea on the location/device of an IP.

    So in terms of consistency, I have been using the same structure for all my networks.

    My only issue has been that I cannot seem to setup a tomato router with 10.0.0.1 and 255.0.0.0. They seem to do some weird crap. When I tried it I think on either 130 or 132, all sorts of things wouldn't work to the point that it was totally unusable.

    Everything seems to be fine using 255.255.0.0 though.
     
  69. eangulus

    eangulus Network Guru Member

    I think I have worked out what I need.

    I (so far) plan to set each router to 10.0.0.0/16 (second octet as location) and follow my IP rules from above. Only issue I find with it is that for roaming devices, they will have the second octet change per location. eg. Laptop will be 10.0.40.10 at work but 10.1.40.10 at the home office. I don't see an issue with this yet, as anything that roams isn't being connected to like Printers, NAS etc. all devices that need a fixed IP no matter what are not roaming devices.

    Join all the networks over TINC with a 255.0.0.0 subnet.



    Now, my only and final issue that I am trying to solve. At 1 of the Home offices, there is a Family. The owner has 2 girls using iPads, Netflix etc.

    I plan on setting up a Virtual SSID and set those devices on a network of 172.16.0.0/16. This will let them have the Internet of course, and not have access to the rest of the network.

    But. There is a printer at home, that needs to be used by both networks. Obviously, so the boss can print work while at home, but also so the girls can print homework etc.


    Is there a way to make a single IP on the 10.0.0.0/16 network work on the 172.16.0.0/16 network as well?
     
  70. lancethepants

    lancethepants Network Guru Member

    I don't have any experience with vlan or setting up separate networks, but I think the Lan Access page deals with allowing cross network communication. Certainly some iptables rules could get things working as well.
     
  71. Malakai

    Malakai Networkin' Nut Member

    Hello,

    First thanks for your work on this.
    I am using Shibby's tomato-R7000-ARM--136-AIO-64K and am trying to set up tinc, but I have a little issue, on syslog it writes :
    Code:
    No known address for node02
    No known address for node03
    I have completed the Address and the Port sections with the correct infos.

    node02 is a Debian Wheezy server with tinc 1.0.19 and node03 is a Debian Jessie server with tinc 1.0.24.
    node02 and node03 can talk one to each other through tinc without any problem, but the router can't join them.

    Do you know if the version of tinc on Shibby's tomato-R7000-ARM--136-AIO-64K is compatible with versions 1.0.19 and 1.0.24?

    Also I am using only RSA keys as the versions of tinc in Debian use only those. Could this represent a problem?
     
  72. Malakai

    Malakai Networkin' Nut Member

    Ok, so I found the issue : when using only RSA keys you have to put a # in "Ed25519 Public Key" for each host not using it ; at first I've put a space but it gives the error mentioned earlier "No known address for ...".
    Now with # and only RSA it works even if it complains : "Parsing Ed25519 public key file `/etc/tinc/hosts/node02' failed."
     
  73. Malakai

    Malakai Networkin' Nut Member

    I was wondering if there is a possibility to have a policy based routing with tinc as we have now with openvpn. I was looking on the Internet and got over this : https://www.tinc-vpn.org/examples/redirect-gateway/
    Are there many changes to bring to that example to make it work on Tomato? I didn't have time to test it but it seems a little more complicated than with openvpn (when I was doing it from ssh, no integration in the gui).
    Will try and see if it works when I have time but I was hoping that maybe someone more skilled than me could have a look at this @lancethepants

    Also what would be the best cipher and digest to use with tinc from a security and speed (as in download/upload speed) point of view?
     
  74. lancethepants

    lancethepants Network Guru Member

    @Malakai
    Sorry for the late response. I'll have to revisit some of the gui checks for setups like yours. I only use tinc1.1 on my systems, so I haven't yet encountered the barriers of getting it to work with tinc1.0

    I did explore a little bit trying to get tinc to redirect internet traffic to another node. That could maybe be an option someday. I'm not familiar with setting up full policy based stuff, so not sure on that.

    Since I only use tinc1.1 I can't really comment on different cipher speeds. Tinc1.1 doesn't give you the option, it just picks a single secure one for you. From a security standpoint, any cipher you use in tinc1.0 may not be sufficient, because tinc1.0 has known security flaws.
     
    Malakai likes this.
  75. Malakai

    Malakai Networkin' Nut Member

    But on the documentation of tinc 1.1 here it says :
    Code:
    Cipher = cipher (blowfish)
    The symmetric cipher algorithm used to encrypt UDP packets.  Any cipher supported by LibreSSL or OpenSSL is recognised. Furthermore, specifying "none" will turn off packet encryption.  It is best to use only those ciphers which support CBC mode.  This option has no effect for connections between nodes using ExperimentalProtocol.
    
    Digest = digest (sha1)
    The digest algorithm used to authenticate UDP packets.  Any digest supported by LibreSSL or OpenSSL is recognised. Furthermore, specifying "none" will turn off packet authentication.  This option has no effect for connections between nodes using ExperimentalProtocol.
    
    ExperimentalProtocol = yes | no (yes)
    When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it. Ephemeral ECDH will be used for key exchanges, and Ed25519 will be used instead of RSA for authentication.  When enabled, an Ed25519 key must have been generated before with tinc generate-ed25519-keys.
    So if you are not using the ExperimentalProtocol (which I think I don't, because I use only RSA, due to the 1.0 version of tinc in Debian) you can choose the Cipher and Digest you want to use. Or even if you use tinc 1.1 but you simply don't want to use the ExperimentalProtocol then you have a choice. Or am I misunderstanding?
     
  76. lancethepants

    lancethepants Network Guru Member

    @Malakai
    You're correct, when making connections to legacy versions of tinc, the legacy protocol is used. The default encryption cipher for the legacy tinc1.0 protocol is blowfish. Some variant of aes might be a faster option because OpenSSL for mipsel and arm has some optimized assembly. You'll put the "Cipher" option in the Custom area for each host. Case matters so that's a capital 'C'. Just look in the forums for what's fastest for OpenVPN and it will be the same for tinc.
     
    Malakai likes this.
  77. Malakai

    Malakai Networkin' Nut Member

    So, I've been trying to make a policy based routing with tinc but I'm having some problems.

    What I've executed on the router :
    Code:
    ip route add table 200 default via 10.8.0.1
    ip rule add fwmark 12 lookup 200
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.100.23 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 12
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    So the idea is to forward through tinc all connections from 192.168.100.23 on ports 80 and 443.

    10.8.0.1 = ip of tinc interface on router
    192.168.100.23 = ip of client on the lan that should be forwarded through tinc

    At this stage, it doesn't seem to work, so I fired up tcpdump on the router and on the server (which should be the gateway for tinc) and I got this :

    Public-WEB-Server = the web server I am trying to contact through tinc
    Server-Public-IP = the public ip of the tinc server (which should be used as a gateway)

    On the server :
    Code:
    # tcpdump -i any -n port http
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    11:27:14.208497 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 342267 ecr 0,nop,wscale 7], length 0
    11:27:14.208554 IP Server-Public-IP.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 342267 ecr 0,nop,wscale 7], length 0
    11:27:14.258687 IP Public-WEB-Server.80 > Server-Public-IP.56483: Flags [S.], seq 3609065194, ack 1407645071, win 5840, length 0
    11:27:14.258702 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 3609065194, ack 1407645071, win 5840, length 0
    11:27:15.195491 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 342517 ecr 0,nop,wscale 7], length 0
    11:27:15.195534 IP Server-Public-IP.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 342517 ecr 0,nop,wscale 7], length 0
    11:27:15.245713 IP Public-WEB-Server.80 > Server-Public-IP.56483: Flags [S.], seq 4078827242, ack 1407645071, win 5840, length 0
    11:27:15.245728 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 4078827242, ack 1407645071, win 5840, length 0
    11:27:17.197631 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 343018 ecr 0,nop,wscale 7], length 0
    11:27:17.197675 IP Server-Public-IP.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 343018 ecr 0,nop,wscale 7], length 0
    11:27:17.247714 IP Public-WEB-Server.80 > Server-Public-IP.56483: Flags [S.], seq 4213044970, ack 1407645071, win 5840, length 0
    11:27:17.247729 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 4213044970, ack 1407645071, win 5840, length 0
    11:27:21.205588 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 344020 ecr 0,nop,wscale 7], length 0
    11:27:21.205633 IP Server-Public-IP.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1397,sackOK,TS val 344020 ecr 0,nop,wscale 7], length 0
    11:27:21.255684 IP Public-WEB-Server.80 > Server-Public-IP.56483: Flags [S.], seq 1058928362, ack 1407645071, win 5840, length 0
    11:27:21.255699 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 1058928362, ack 1407645071, win 5840, length 0

    On the router :
    Code:
    # tcpdump -i any -n port http
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    09:27:14.930609 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342267 ecr 0,nop,wscale 7], length 0
    09:27:14.930635 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342267 ecr 0,nop,wscale 7], length 0
    09:27:14.930736 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342267 ecr 0,nop,wscale 7], length 0
    09:27:15.022647 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 3609065194, ack 1407645071, win 5840, length 0
    09:27:15.917664 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342517 ecr 0,nop,wscale 7], length 0
    09:27:15.917695 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342517 ecr 0,nop,wscale 7], length 0
    09:27:15.917763 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 342517 ecr 0,nop,wscale 7], length 0
    09:27:16.009696 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 4078827242, ack 1407645071, win 5840, length 0
    09:27:17.919791 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 343018 ecr 0,nop,wscale 7], length 0
    09:27:17.919820 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 343018 ecr 0,nop,wscale 7], length 0
    09:27:17.919891 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 343018 ecr 0,nop,wscale 7], length 0
    09:27:21.927740 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 344020 ecr 0,nop,wscale 7], length 0
    09:27:21.927766 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 344020 ecr 0,nop,wscale 7], length 0
    09:27:21.927813 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, options [mss 1460,sackOK,TS val 344020 ecr 0,nop,wscale 7], length 0
    09:27:22.019572 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 1058928362, ack 1407645071, win 5840, length 0

    I'm certainly not an expert on tcpdump, but what I understand is that the packet gets back to the router through tinc but is not forwarded to the client (192.168.100.23). My FORWARD rules on the router are accepting packets coming from the tinc interface, so this is not the problem.
    Am I understanding correctly what is happening? Does someone have an idea about how to solve it?
    Could it be related to : http://www.linksysinfo.org/index.ph...ior-of-iproute2-in-shibby-arm-multiwan.72495/
     
  78. Malakai

    Malakai Networkin' Nut Member

    Got it to work :)
    I was so close :)

    All I had to do to redirect ports 80 and 443 of client 192.168.100.23 was (10.8.0.1 is the tinc IP of the router):

    Code:
    ip route add table 200 default via 10.8.0.1
    ip rule add fwmark 12 lookup 200
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.100.23 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 12
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/tinc/rp_filter
    In my last post I didn't do:
    Code:
    echo 0 > /proc/sys/net/ipv4/conf/tinc/rp_filter
    I think it wasn't necessary with older versions of Tomato as it worked before without this (with OpenVPN).

    You can play with this rule or add more of them to redirect more clients or specific ports:
    Code:
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.100.23 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 12
    So it is not more complicated than with OpenVPN; it is quite the same approach.
     
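    The two posts above (the tcpdump capture showing the SYN-ACK reaching 10.8.0.1 but never being forwarded to 192.168.100.23, and the fix of clearing rp_filter on the tinc interface) can be checked mechanically. The following is an added example, not code from the thread or from Tomato/tinc: it parses `tcpdump -n` style lines, flags flows whose reply came back over the tunnel without a copy being forwarded to the LAN client, and models the strict reverse-path check that drops such replies when the main routing table says the web server is reachable via the WAN, not via tinc. The capture lines, the `Public-WEB-Server` placeholder, the interface name `vlan2` and the 203.0.113.10 address are constructed for the example; it also assumes, as in the posted capture, that the SNAT towards the tunnel keeps the client's source port.

```python
"""Spot LAN flows whose replies arrive over the tinc tunnel but are never
forwarded back to the client, and show why strict rp_filter drops them.
Added example; sample data below is constructed, not from the thread."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed capture in the shape of `tcpdump -i any -n port http` output.
# Flow on port 56483 is broken (reply never reaches the client);
# flow on port 56484 is healthy (reply is un-NATed and forwarded to the client).
SAMPLE = """\
09:27:14.930609 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, length 0
09:27:14.930736 IP 10.8.0.1.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, length 0
09:27:15.022647 IP Public-WEB-Server.80 > 10.8.0.1.56483: Flags [S.], seq 3609065194, ack 1407645071, win 5840, length 0
09:27:15.917664 IP 192.168.100.23.56483 > Public-WEB-Server.80: Flags [S], seq 1407645070, win 29200, length 0
09:28:01.000000 IP 192.168.100.23.56484 > Public-WEB-Server.80: Flags [S], seq 22, win 29200, length 0
09:28:01.000100 IP 10.8.0.1.56484 > Public-WEB-Server.80: Flags [S], seq 22, win 29200, length 0
09:28:01.090000 IP Public-WEB-Server.80 > 10.8.0.1.56484: Flags [S.], seq 99, ack 23, win 5840, length 0
09:28:01.090050 IP Public-WEB-Server.80 > 192.168.100.23.56484: Flags [S.], seq 99, ack 23, win 5840, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def _in_net(host, net):
    """True if `host` is an IP literal inside `net`; hostnames never match."""
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False


def parse(text):
    """Yield (src, sport, dst, dport, flags) for every line that looks like tcpdump output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def analyze(text, lan_net="192.168.100.0/24", tunnel_ip="10.8.0.1"):
    """Count, per client flow, the SYN and SYN-ACK copies seen on each leg.
    Assumes the SNAT towards the tunnel preserves the client's source port."""
    lan = ipaddress.ip_network(lan_net)
    flows = defaultdict(Counter)  # key: (client_ip, client_port, server, server_port)
    client_of = {}                # client source port -> client IP, learned from the LAN-side SYN
    for src, sport, dst, dport, flags in parse(text):
        if flags == "S":
            if _in_net(src, lan):
                client_of[sport] = src
                flows[(src, sport, dst, dport)]["syn_from_lan"] += 1
            elif src == tunnel_ip and sport in client_of:
                flows[(client_of[sport], sport, dst, dport)]["syn_via_tunnel"] += 1
        elif flags == "S.":
            if dst == tunnel_ip and dport in client_of:
                flows[(client_of[dport], dport, src, sport)]["synack_to_tunnel"] += 1
            elif _in_net(dst, lan):
                flows[(dst, dport, src, sport)]["synack_to_client"] += 1
    return flows


def diagnose(text, **kw):
    """Return one finding per flow whose reply arrived over the tunnel but was never forwarded."""
    findings = []
    for (client, cport, server, sport), c in sorted(analyze(text, **kw).items()):
        if c["synack_to_tunnel"] and not c["synack_to_client"]:
            findings.append(
                f"{client}:{cport} -> {server}:{sport}: {c['syn_from_lan']} SYN(s) from LAN, "
                f"{c['synack_to_tunnel']} SYN-ACK(s) returned over the tunnel, none forwarded to the client"
            )
    return findings


# Constructed main routing table of the router: WAN is `vlan2` (assumed name),
# LAN is br0, and only the tinc transfer net is routed via the tunnel.
MAIN_TABLE = [("0.0.0.0/0", "vlan2"), ("192.168.100.0/24", "br0"), ("10.8.0.0/24", "tinc")]


def reverse_path_ok(src_ip, in_iface, routes):
    """Strict reverse-path check (rp_filter=1): the packet passes only if the
    longest-prefix route back to its source leaves via the ingress interface."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best is not None and best[1] == in_iface


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print("broken flow:", f)
    # A reply from a public web server (203.0.113.10, constructed) arriving on tinc
    # fails the strict check because the main table routes that address via the WAN.
    print("reply on tinc passes strict rp_filter:", reverse_path_ok("203.0.113.10", "tinc", MAIN_TABLE))
```

    The check explains the fix in the post: the policy rule sends the client's packets out through tinc, but the main table still says the web server lives behind the WAN, so a strict reverse-path filter on the tinc interface discards the SYN-ACK before conntrack can un-NAT it. Setting rp_filter to 0 on that interface (or to loose mode, 2, where the kernel offers it) lets the reply through; the capture parser above tells you whether that is the symptom you are seeing.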
  79. Pess0g

    Pess0g Reformed Router Member

    http://www.linksysinfo.org/index.ph...te2-in-shibby-arm-multiwan.72495/#post-276098
     
  80. waeking

    waeking Networkin' Nut Member

    I am using shibby 132 AIO on an AC68U. I have been using tinc between routers for months. Works fantastic. Thanks so much.

    I have an Android phone. I have installed the tinc app and have used your example conf files. Thanks again. I realize that I need to use the RSA keys, not the Ed25519 keys. If I put a # in front of the Ed25519 key on the router tinc page I can get the phone to connect. When I take out the # they cannot connect due to a meta error.

    When I do get them to connect I cannot ping the phone. The Tinc Debug on the phone shows that packets are being received and writing. The router shows that the routing table for the phone is there.

    The only difference is that the routers are 192.168.1.0/24 and 192.168.2.0/24 and the phone is 192.168.252.1/32

    What more can I check?

    EDIT: error log from router

    Jun 13 14:46:06 router daemon.notice tinc[6319]: Ready
    Jun 13 14:46:29 router daemon.err tinc[6319]: Too little base64 data in PEM file
    Jun 13 14:46:29 router daemon.err tinc[6319]: Parsing Ed25519 public key file `/etc/tinc/hosts/JKandroid' failed.
    Jun 13 14:49:03 router daemon.err tinc[6319]: Too little base64 data in PEM file
    Jun 13 14:49:03 router daemon.err tinc[6319]: Parsing Ed25519 public key file `/etc/tinc/hosts/JKandroid' failed.
    Jun 13 14:49:05 router daemon.err tinc[6319]: Invalid packet seqno: 175 != 0

    EDIT AGAIN:

    OK, I just tried to set up between a CentOS 6 server 192.168.251.1 and router 192.168.1.1.... Same problem, can't ping from either side. But they show as connected in the nodes and both have routing tables showing it should work. I must be setting something up wrong. I am getting

    ping: sendmsg: Operation not permitted
     
    Last edited: Jun 13, 2016
  81. lancethepants

    lancethepants Network Guru Member

    @waeking
    Have you tried putting both Ed25519 keys and RSA keys at the same time? Unless you've put ExperimentalProtocol=no in the custom config, you still need the Ed25519 keys for the routers to talk to each other, and the RSA keys for the routers to talk to the legacy protocol. It's perfectly acceptable to have both, and will probably make things easier.

    The phone can be frustrating as well. I believe you must have root. I've had success on previous devices of mine running cyanogenmod, so obviously rooted. My current phone is practically un-rootable, so I haven't done it lately. I actually enabled pptp on the router for those rare moments I need access or to bypass a firewall.
     
  82. waeking

    waeking Networkin' Nut Member

    I have both types of keys registered in the config on the router and on the Centos server.

    The phone is rooted and tinc app has been granted root access. I have added both types of key to the phone host conf.
     
  83. lancethepants

    lancethepants Network Guru Member

    AFAIK the tinc GUI app still only supports the tinc 1.0 protocol, so you should only need RSA.
    Have you looked at the instructions from the creator of the app?
    http://tinc_gui.poirsouille.org/

    Android will at least need a special "ScriptsInterpreter" option in tinc.conf. Possibly more depending on what version of Android you use.
     
  84. rs232

    rs232 Network Guru Member

    Lance, many thanks for this. I have finally migrated from OpenVPN to Tinc and it seems to be working perfectly.

    One point of improvement if I might (and not even very important):

    for partial mesh configuration, defining a single subnet on a host basis is probably not enough. Two of my routers are actually gateways to dedicated subnets.

    I worked out that I just need to add a reference for each subnet under the Hosts/Custom on each of the gateways,

    e.g.
    Code:
    Subnet = 10.10.4.0/24
    and this is propagated throughout the tinc network allowing the end to end connectivity which is what I wanted.

    So it seems that the subnet defined next to the host is actually a "Subnet =" in the config.

    Not suggesting you change much, but in my specific case having a single subnet field next to the host was a bit misleading. Perhaps a reference to additional subnets into the Custom config under the Hosts/Notes might help other users? Or perhaps you/somebody else have a better idea to address this?

    Thanks again!
     
  85. lancethepants

    lancethepants Network Guru Member

  86. rs232

    rs232 Network Guru Member

    Agreed, it's an uncommon scenario, otherwise I would have advised having the subnet expanded to multiple fields.
    A quick note should resolve nicely :)
     
  87. rs232

    rs232 Network Guru Member

    I have a peculiar scenario where the VPN (tinc) router is not the LAN default gateway.
    The gateway has a static route to this secondary LAN device to redirect VPN subnets.

    The GUI only allows you to start the tinc process with the WAN; in this specific case there's no WAN for the device, as it's LAN only, and so the VPN doesn't come up automatically after a reboot.
    Is there a way to bring up the tinc process manually? How and what would you suggest? Firewall-script?

    Thanks
    rs232
     
  88. lancethepants

    lancethepants Network Guru Member

    Probably in start-up script put "service tinc start", and port forward from the gateway router to that one.
     
  89. rs232

    rs232 Network Guru Member

    Thanks! Ended up adding:

    /sbin/service tinc start

    to the init script. About the port forwarding (if I have understood this well), it is actually not needed, as I only allow the device on this LAN (behind 2x NATs actually, please don't ask why :)) to connect; the other devices do have the reference to this host, including the public key, but the "Connect to" flag is unset.
     
    Last edited: Jul 18, 2016
  90. Malakai

    Malakai Networkin' Nut Member

    Seems that I spoke too quickly.
    It does work this way if you have only the router and one other tinc node, and you set up policy-based routing.
    But it doesn't work if you add a third (or more) node, because in the way explained above, the router doesn't know to which node to send the traffic.
    So there isn't an easy way to set up policy-based routing with more than 2 tinc nodes, but if you want to use an equivalent of OpenVPN's redirect-gateway you can, thanks to the example from here.
     
  91. blackantt

    blackantt Serious Server Member

    Can you compare tinc, n2n or another popular node-to-node VPN? We are confused, which one is better? Then add it into Tomato, please.
     
  92. lancethepants

    lancethepants Network Guru Member

    I cannot know what would be best for you, only you can know that. I only know tinc anyway.
     
  93. blackantt

    blackantt Serious Server Member

    If I set up a tinc VPN network on my routers, do they all need a public IP on the WAN interface? Or does just one of them need a public IP on the WAN interface? Most of the time, all of my routers are without a public IP.
     
  94. rs232

    rs232 Network Guru Member


    As far as I know you need at least 1 public IP; the others with private IPs will be able to connect to the public one and work out the best route in a full/partial mesh topology.
     
  95. yodaphone

    yodaphone Network Newbie Member

    I'm a noob here. I've set up tinc on my Tomato Shibby and it's working fine. I have 1 question though. How do I route/forward traffic coming into Router A (192.168.1.x) to Router B (192.168.3.x)?

    Let me explain what I want to do.

    I set up tinc between Router A, which has a public IP, and Router B. This works fine as long as I'm inside the network of Router A or B; I can talk both ways.

    I have an NVR running behind Router B with IP 192.168.3.50, and the port is 8088. This router is double NATed, so I don't have a public IP for this.

    So what do I need to do so that I can access the NVR through Router A from the outside? Do I need to add a route statement? I'm a noob as far as this is concerned and want to know how this can be achieved. I tried port forwarding 8088 on Router A to IP 192.168.3.50 but it doesn't work.

    Thanks
     
  96. rs232

    rs232 Network Guru Member


    Set up the NATted router to connect to the one with the public address. This is done by enabling "ConnectTo" under the Hosts tab. So you ask the NATted device to ConnectTo the un-NATted one (public IP).

    On the very same line (still in Hosts) under Subnets you define what subnets are reachable via that endpoint, e.g. 192.168.3.0/24 for 1 router and 192.168.1.0/24 for the other router.

    About the devices you want to benefit from the VPN: you need to either have their default route pointing to the VPN gateway, or have a specific route for the subnet in question on the device itself.

    HTH
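    What the Hosts tab entries described above translate to in tinc's own configuration files, as a constructed example added here (not taken from the thread or from Tomato's generated files): Router B, the double-NATed side, carries the ConnectTo; each host file advertises the LAN behind that router plus its own tunnel address. The node names, the 198.51.100.7 public address and the 10.8.0.x tunnel addresses are placeholders.

```ini
# /etc/tinc/tinc.conf on Router B (behind NAT) -- constructed example
Name = RouterB
Mode = router
Interface = tinc
ConnectTo = RouterA

# /etc/tinc/hosts/RouterA -- copied to every node; only the public node needs Address
Address = 198.51.100.7      # placeholder for Router A's public IP
Subnet = 192.168.1.0/24     # LAN behind Router A
Subnet = 10.8.0.1/32        # Router A's own tunnel address
# ... Router A's public key(s) follow here

# /etc/tinc/hosts/RouterB -- no Address line, since B is reached only by connecting out
Subnet = 192.168.3.0/24     # LAN behind Router B (where the NVR lives)
Subnet = 10.8.0.2/32        # Router B's own tunnel address
# ... Router B's public key(s) follow here
```

    With these in place, a host in 192.168.1.0/24 whose default gateway is Router A reaches 192.168.3.50 without any extra route, because Router A already knows from RouterB's host file that 192.168.3.0/24 lives behind the tunnel. A LAN host that does not use the tinc router as its gateway needs the static route the post mentions.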
     
  97. yodaphone

    yodaphone Network Newbie Member

    Thanks for the quick reply.

    As I had indicated, I'm a total noob and most of what you said went over my head. I will try to go through it again.

    Meanwhile, this is what I have on the Hosts tab, and the tinc tunnel has been up and running for me for a while now.

    The part I need help with is setting the default route. How do I do that?

    (attached screenshot of the Hosts tab: upload_2016-9-15_8-55-11.png)
     
  98. rs232

    rs232 Network Guru Member


    Overall this looks OK.
    Are you sure you want compression at 9? I would leave it at 0 unless you really know what you're doing.
    About the route: if the NVR already has its default gateway address pointing to the VPN gateway, you don't need anything else really. If not, you need to create a static route on the NVR itself telling it: to reach 192.168.1.0/24, go via [VPN-GATEWAY IP].
    I've never seen an NVR before, but I'm guessing this is not very easy, e.g. you can only do what the GUI allows you to do. So you might want instead to change the NVR's default gateway (under network settings) and use the VPN gateway IP. Then all the traffic will go towards the VPN gateway, but this should be clever enough to recognise what needs to go to the Internet directly and what via the VPN.

    HTH
     
  99. lancethepants

    lancethepants Network Guru Member

    @yodaphone

    Here's an example I got working.

    Router A 192.168.2.0/24 -> with IP 192.168.2.1
    Router B 192.168.10.0/24 -> with IP 192.168.10.1
    Device B - Sits behind router B. IP 192.168.10.5 with service running on port 8080

    Remove any port forwarding in the GUI you made for this, and use these rules. Adjust these rules for your IPs and ports.

    Code:
    iptables -A wanin -d 192.168.10.5/32 -p tcp -m tcp --dport 8080 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.5:8080
    iptables -t nat -A POSTROUTING -d 192.168.10.5/32 -p tcp -m tcp --dport 8080 -o tinc -j SNAT --to 192.168.2.1
    
    edit: These rules you put in Router A only.

    edit2: A good place to put these actually is Tinc -> Scripts -> Firewall Rules, and select "additional".
     
    Last edited: Sep 15, 2016
  100. yodaphone

    yodaphone Network Newbie Member

    Thanks, will try this.
     
