
Tinc Mesh VPN

Discussion in 'Tomato Firmware' started by lancethepants, Jul 25, 2014.

  1. yodaphone

    yodaphone Reformed Router Member

    When you mean VPN gateway IP, you mean the main IP of router A (192.168.11.1)?
     
  2. yodaphone

    yodaphone Reformed Router Member

    /32 means you are specifying just 1 IP, right?
     
  3. lancethepants

    lancethepants Network Guru Member

    Right. I also just tried this with a minecraft server. I connect to router A, and it communicates to Device B over the VPN, and I am able to connect. I am assuming your service is TCP. Otherwise you'll need to change everything to UDP.
     
  4. yodaphone

    yodaphone Reformed Router Member

    Awesome... this worked.

    I have one other question. How do I add more ports to that?

    Can I just use a comma to add additional ports, or do I have to specify every port separately?
     
  5. lancethepants

    lancethepants Network Guru Member

    @yodaphone
    Unless you have port ranges, I would just do 1<->1 port mapping by running this multiple times with different ports. If you have a lot of ports or just a few?
     
  6. Mate Rigo

    Mate Rigo Networkin' Nut Member

    Hi all!

    I am having a hard time connecting a raspberry pi running tinc version 1.1pre11 to my Tomato, which also runs tinc version 1.1pre11.

    My goal is to reach the Raspberry even if the router it is behind gets reconfigured (e.g. port forwarding is disabled).

    Raspberry has the ip 192.168.0.101 and is on the network: 192.168.0.0/24
    Tomato has the ip 192.168.10.1 and is on the network: 192.168.10.0/24
    Tomato2 has the ip 192.168.17.1 and is on the network: 192.168.17.0/24

    Tomato and Tomato2 are already hooked up, and can reach each other.


    My status with the Raspberry is that the ed25519 keys have been created and exchanged with Tomato/Tomato2.
    Raspberry connects to the Tomato mesh network, but it remains unreachable.


    Here is the setup of the Raspberry
    Name = rpi
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = Tomato

    ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

    Ed25519PublicKey = *Secret*
    Subnet = 10.0.0.0/24

    Ed25519PublicKey = *Secret*
    Address = Tomato-ip
    Subnet = 192.168.10.0/24
    Compression = 0

    In the Tomato I also set up tinc like this:
    (screenshot: upload_2016-10-14_21-38-2.png)

    It shows up in the edge settings:
    (screenshot: upload_2016-10-14_21-38-9.png)
    (Tomato is actually called rppafrany, but don't mind this; Tomato2 is manofrankfurt)

    But in the info settings it tells me that reachability is this:
    (screenshot: upload_2016-10-14_21-38-39.png)

    Also I cannot ping it from either Tomato.

    Here is the ifconfig output from the Raspberry:
    Code:
    eth0 Link encap:Ethernet HWaddr b8:27:eb:e9:6a:6e
    inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:10069 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8071 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1614148 (1.5 MiB) TX bytes:2853561 (2.7 MiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:5560 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5560 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:404149 (394.6 KiB) TX bytes:404149 (394.6 KiB)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    Can anyone give me maybe pointers?
    Any help would be greatly appreciated!

    Thanks a lot for your time!
     
  7. lancethepants

    lancethepants Network Guru Member

    @Mate Rigo
    The default VPN netmask in tomato is 255.255.0.0. The routers are using IP addresses 192.168....., so the whole VPN range is 192.168.0.0/16. Dividing that into /24 networks, you then have 192.168.0.0 -> 192.168.254.0 as your range of usable networks.

    You need to give the Raspberry Pi an address in that range as well, not 10.0... So you'll have to pick something else.
    Also, the IP address you decide on for the raspberry Pi needs to be on the VPN netmask. For example, it could be something like this.

    Code:
    ifconfig $INTERFACE 192.168.20.1 netmask 255.255.0.0
    
    Notice the netmask is 255.255.0.0

    Also, it's OK to assign a whole subnet to the Pi, but you really only need a single address. You could then change the hosts file for the Pi to 192.168.20.1/32.
     
    ryzhov_al likes this.
  8. Mate Rigo

    Mate Rigo Networkin' Nut Member

    @lancethepants

    Thanks a lot for the right pointers.
    The different subnet and the 255.255.0.0 netmask did the trick, now I am able to connect to my raspberry pi.

    You rock!
     
    lancethepants likes this.
  9. rs232

    rs232 Network Guru Member

    Hi all

    Not very often at all, but in the last 3 months I have found tinc not running on a couple of occasions despite the "Start with WAN" setting being on. Note: the devices were not rebooted.

    The last time it happened was 2 days ago, and the latest reference in the log:
    Code:
    Oct 15 04:05:34 tomato36k daemon.err tinc[20011]: Metadata socket read error for tomato41a (1.2.3.4 port 27103): Connection timed out
    After that, all silent on the tinc side until it was manually (re)started

    So two questions:
    - is there anything you can think about where tincs the process automatically e.g. max connection attempts or something
    - does tinc have a built-in watchdog (or can one be implemented) to start the process if found not running? Yes an external script would do for sure, but I'm comparing with openvpn where this is available out of the box (see max attempts)


    thanks!
    rs232
     
  10. blackantt

    blackantt Serious Server Member

    I can't find tinc in shibby. Which version has tinc inside?
     
  11. lancethepants

    lancethepants Network Guru Member

    @rs232 Hmm, hard to know why. pre11 was a pretty decent release but I've found the newer releases really good as well, though I don't know if they will fix your issue. I don't want shibby to try and hit a moving target, so pre11 I think is it until a final version comes out. But you could use tomatoware to compile tinc and bind-mount it over the built-in firmware's version. This is what I've done to test new releases.

    @blackantt I know they should be in his AIO releases. Not sure if they're in all the VPN versions, though I do remember someone saying something about him adding it later maybe to the VPN builds. Routers with limited rom may not get it.
     
  12. blackantt

    blackantt Serious Server Member


    1. Yesterday I wanted to try tinc on Ubuntu 14.04 according to the guide "https://www.digitalocean.com/commun...l-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04". After "sudo tincd -n netname -K4096", I got "Warning: old key(s) found and disabled.". This is a clean Ubuntu. How do I troubleshoot?

    2. Are you the author? Can you give us a guide for the Padavan-7620 router? Padavan-7620 is popular in China. We want to use tinc on Padavan-7620, but can't find a guide.
     
  13. lancethepants

    lancethepants Network Guru Member

    @blackantt I am not the author of tinc. I have only created the tinc gui for Tomato Firmware. I limit my support in this forum to individuals who are using tinc on tomato firmware. I have never used Padavan and am completely unfamiliar with it.
     
  14. alf5683

    alf5683 Reformed Router Member

    Hi !!
    It's me again !!
    First, thanks to you I have had a connection between my home and my brother's home for 6 months without any issues.

    Just one other question: how can I block the DHCP requests? Because when I connect to my Wifi (at my home), sometimes my DHCP request is answered by my brother's Tomato! It's not a big problem but it's not the best way...!

    My configuration :

    My home :
    Tomato by shibby = 192.168.0.1
    Lan : 192.168.0.100

    My brother's home :
    Tomato by shibby = 192.168.0.2
    Lan : 192.168.0.200

    They have the same subnet mask; tinc 1.1pre11 is installed with "TAP" and "Switch". I already switched to "Hub" and the issue stays.
    I made this choice because I want to see ALL the network in the "Computer" menu of my Windows 7...


    Any idea?

    Thx
     
  15. lancethepants

    lancethepants Network Guru Member

  16. alf5683

    alf5683 Reformed Router Member

  17. yodaphone

    yodaphone Reformed Router Member

  18. lancethepants

    lancethepants Network Guru Member

    These are only necessary on bridged (tap) connections because they allow broadcast packets like DHCP to pass over the VPN.
     
  19. eangulus

    eangulus Network Guru Member

    Just wondering how QoS should work with Tinc?

    I currently have 2 sites connected, both on 100/40 Fibre. But I can't get a normal SMB file transfer to go any faster than around 1.6Mb/s transfer.

    Looking in the QoS I see it is transferring on port 445. I have added that port to the appropriate classification, and still nothing. It keeps showing up in QoS as Unclassified.

    PS: Routers are RT-AC66U and RT-AC68U both running Shibby 138.
     
  20. lancethepants

    lancethepants Network Guru Member

    @eangulus
    The default transport port for tinc is UDP 655 unless you have changed it. You can look at the output of "Edges" in the "Status" tab to verify the port.

    Because of encryption, there is a maximum throughput you can achieve, which will be the slower of your two devices. You will be limited to the RT-AC66U since that one uses a mipsel cpu. Somewhere in this thread I think someone mentions the throughput they achieved with mipsel and arm.

    My impression was that qos was broken in shibby 138. I would think you could achieve something faster than 1.6 megabits (Mb) per second.
     
  21. eangulus

    eangulus Network Guru Member

    Thanks. Strange that it is still defaulted to 655, but when I do a network file transfer it goes over 445. I would have thought it to go over 655 also.

    And yes, my mistake, 138 has broken QoS. I actually meant I have 132 (QoS being the reason I haven't gone higher yet).

    I have set the 445 and 655 ports up, but only 655 is classified right. 445 traffic shows as unclassified.

    I understand the CPU limitations. How much faster is the 68U over the 66U for this type of use? If significant enough it may warrant an upgrade. But either way, both ends have 40Mbps upload speeds so I should be getting much faster transfers.
     
  22. Malakai

    Malakai Networkin' Nut Member

    The network transfer is taking place inside the VPN tunnel. This means that your VPN connection is taking place over your WAN interface on port 655 and the file transfer is taking place over your TINC interface (so through the tunnel) on port 445. Which means that the router has to encrypt and decrypt every packet that goes through the TINC interface (thus the speed limitation, because the CPU of the router is not strong enough to be faster).

    I hope I didn't say something stupid...
     
  23. rs232

    rs232 Network Guru Member

    @lancethepants

    I had 2 different devices where tinc failed in the last couple of days.
    What I can tell you is: when the tinc service is unavailable
    • nothing is recorded in the log (e.g. crash message)
    • the "tinc" interface disappears
    A quick manual workaround to restore the service could be a simple one-liner
    Code:
    ifconfig | grep tinc >/dev/null || /sbin/service tinc restart

    Also,

    since OpenVPN has an option:
    Poll Interval (in minutes, 0 to disable)

    I'm wondering if tinc/tomato could have something similar where the existence of the tinc interface is assessed periodically and the service restarted if problems are found. For the time being I'm testing the following command in the tomato system Firewall script, but I guess it could alternatively run in the WANUP.

    Code:
    nvram get tinc_wanup | grep 1 >/dev/null && cru a tinc-poller "*/15 * * * * /sbin/ifconfig | grep tinc >/dev/null || { /sbin/service tinc restart; logger \"tinc-poller: The service is down. Restarting...\";}" || cru d tinc-poller
    A dedicated field to accommodate this function within the tinc GUI (as per openVPN) would be very nice to have!

    Thanks
    rs232
     
    Last edited: Nov 20, 2016
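As an added example for this thread (not rs232's script and not Tomato's own code), here is a poller that does what the cru one-liner above does, but matches the interface name exactly instead of any line containing "tinc", also checks that a tincd process exists, and rate-limits restarts so a flapping WAN link cannot turn the check into a restart loop. It assumes the busybox ifconfig, pidof, logger, nvram and cru tools the thread already uses; STATE_FILE, MIN_INTERVAL and the /jffs/tinc-poller.sh path are assumed names.

```shell
#!/bin/sh
# tinc-poller: periodic health check for tincd on Tomato (added example).
# Pure decision functions (tinc_unhealthy, restart_allowed) are kept separate
# from the commands that touch the router, so they can be tested offline.

TINC_IFACE="${TINC_IFACE:-tinc}"                 # interface name rs232 greps for
STATE_FILE="${STATE_FILE:-/tmp/tinc-poller.last}" # assumed: epoch of last restart
MIN_INTERVAL="${MIN_INTERVAL:-300}"               # assumed: seconds between restarts

# tinc_unhealthy IFACE_LIST TINCD_RUNNING
#   IFACE_LIST    interface names, one per line (see list_ifaces)
#   TINCD_RUNNING "1" if a tincd process exists, "0" otherwise
# Returns 0 (true) when the service needs a restart. The exact-line match
# (-x) avoids being fooled by another interface whose name merely contains
# "tinc", which "ifconfig | grep tinc" would accept.
tinc_unhealthy() {
    [ "$2" = "1" ] || return 0
    printf '%s\n' "$1" | grep -qx "$TINC_IFACE" && return 1
    return 0
}

# restart_allowed LAST_RESTART_EPOCH NOW_EPOCH
# Returns 0 when at least MIN_INTERVAL seconds have passed since the last
# restart (an empty or missing LAST means "never restarted").
restart_allowed() {
    last="${1:-0}"; now="$2"
    [ $((now - last)) -ge "$MIN_INTERVAL" ]
}

# Interface names from busybox ifconfig: every block starts with an
# unindented line whose first field is the interface name.
list_ifaces() {
    /sbin/ifconfig | awk '/^[^ \t]/ { print $1 }'
}

tincd_running() {
    if pidof tincd >/dev/null 2>&1; then echo 1; else echo 0; fi
}

tinc_poller_main() {
    # Honour the GUI switch, like the one-liner keyed on tinc_wanup.
    [ "$(nvram get tinc_wanup)" = "1" ] || exit 0
    if tinc_unhealthy "$(list_ifaces)" "$(tincd_running)"; then
        now=$(date +%s)
        last=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
        if restart_allowed "$last" "$now"; then
            logger -t tinc-poller "tinc down (no $TINC_IFACE interface or no tincd); restarting"
            /sbin/service tinc restart
            echo "$now" > "$STATE_FILE"
        else
            logger -t tinc-poller "tinc down but restarted $((now - last))s ago; waiting"
        fi
    fi
}

# Install from the Firewall or WANUP script (assumed path):
#   cru a tinc-poller "*/15 * * * * /jffs/tinc-poller.sh --run"
if [ "${1:-}" = "--run" ]; then
    tinc_poller_main
fi
```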
  24. eangulus

    eangulus Network Guru Member

    I understand how it is supposed to work. What I find strange is that a LAN (tinc to tinc) file transfer shows traffic going over 445 on my router. I expect it to show traffic on 655 as it is supposed to be going over the tinc connection.
     
  25. lancethepants

    lancethepants Network Guru Member

    @eangulus
    Can you confirm that they are both connected to each other over port 665? It is possible that one of the routers is connected at a different port if it is not public facing. I have 3 pcs behind nat that connect to a router. Only one is connected over 655, the other two have to use a different port that they automatically determine.
     
  26. lancethepants

    lancethepants Network Guru Member

    @rs232
    That seems like a good idea. I'll see how OpenVPN does it and will probably do it the same.
     
  27. eangulus

    eangulus Network Guru Member

    They are setup exactly the same as each other. All Tinc configs on default 655 ports.

    And overall everything is working. I can access the whole setup as if its one big LAN.
     
  28. yodaphone

    yodaphone Reformed Router Member


    I am trying to migrate one end of my setup to pfSense (from both sides having tomato shibby) for squid & other features. (FYI: the setup with tomato on both sides works.)

    I tried setting up tinc, but the tinc on pfSense generates RSA keys only & not Ed25519 public/private keys. When I try to set up the remote site which is on tomato, it says an Ed25519 public key is required. Any idea how I can do this?

    PS: pfsense 2.2.6 with tinc version 1.0.24
     
    Last edited: Jan 7, 2017
  29. Malakai

    Malakai Networkin' Nut Member

    Just put a # in the field for Ed25519 Public Key on Tomato and hit save. It should work because that's how I have it setup (with tinc on Tomato and Debian).
     
  30. yodaphone

    yodaphone Reformed Router Member

    Have you also set "ExperimentalProtocol=no" in config?
     
  31. yodaphone

    yodaphone Reformed Router Member

    Finally figured the issue out.

    I had the hostname spelled with one character in CAPS on one side & all lower case on the other side. It wouldn't validate it. Arrrrrrrrrrrrrg... what a stupid mistake. Was pulling my hair out for 3 days now.

    The tinc tunnel is up (pfSense 192.168.1.0/24 -> with IP 192.168.1.1 & the tomato 192.168.3.0/24 -> with IP 192.168.3.1)

    Now to the iptables part. pfSense doesn't support iptables. Can I still pass these params & if so, any help on how will be highly appreciated.

    These are what I want to pass on the 192.168.1.1 side
    Code:

    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8088 -j DNAT --to-destination 192.168.3.50:8088
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -o tinc -j SNAT --to 192.168.11.1
    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65001 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65002 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65003 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65004 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65005 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65006 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
     
    Last edited: Jan 8, 2017
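The rule list above repeats the same three-rule pattern per port, which is the "run it multiple times with different ports" approach from earlier in the thread. As an added example (not from the thread or from the Tomato project), here is a POSIX shell generator for the Tomato side that emits the DNAT/ACCEPT/SNAT set for a whole comma-separated list of mappings, validates the port numbers, and emits the ACCEPT/SNAT pair only once per service port (the list above repeats it for every public port mapped to 8000, which is harmless but redundant). The chain names wanin and WANPREROUTING and the tinc interface name are the ones used above; the host and port values are constructed placeholders.

```shell
#!/bin/sh
# Generate (and optionally apply) Tomato iptables rules that publish TCP
# services reachable over the tinc tunnel, one DNAT per public port.
# Added example for this thread; run on the router that owns the public IP.
# Host/port values below are constructed placeholders.

TINC_IFACE="${TINC_IFACE:-tinc}"

# Accept only 1-65535; anything else is rejected before it reaches iptables.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# DNAT: WAN traffic arriving on public port $1 is sent to $2:$3 over tinc.
dnat_rule() {
    printf 'iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3"
}

# ACCEPT + SNAT for destination host $1, service port $2, SNAT address $3.
# SNAT to this router's own address forces replies back through the tunnel,
# because the remote host's default gateway is not the tinc router.
accept_snat_rules() {
    printf 'iptables -A wanin -d %s/32 -p tcp -m tcp --dport %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -d %s/32 -p tcp -m tcp --dport %s -o %s -j SNAT --to %s\n' "$1" "$2" "$TINC_IFACE" "$3"
}

# tinc_fwd_list "MAPPINGS" DST SNAT
#   MAPPINGS: comma list of "pub:svc" or just "port" (same on both sides),
#   e.g. "8088,8000,65001:8000". Prints the rules without applying them.
tinc_fwd_list() {
    mappings="$1"; dst="$2"; snat="$3"; seen=","
    old_ifs="$IFS"; IFS=','
    for item in $mappings; do
        IFS="$old_ifs"
        case "$item" in
            *:*) pub="${item%%:*}"; svc="${item#*:}" ;;
            *)   pub="$item"; svc="$item" ;;
        esac
        if ! valid_port "$pub" || ! valid_port "$svc"; then
            printf 'skipping invalid mapping: %s\n' "$item" >&2
            continue
        fi
        dnat_rule "$pub" "$dst" "$svc"
        # One ACCEPT/SNAT pair per service port, however many public ports map to it.
        case "$seen" in
            *",$svc,"*) ;;
            *) accept_snat_rules "$dst" "$svc" "$snat"; seen="$seen$svc," ;;
        esac
    done
    IFS="$old_ifs"
}

# Apply the generated rules on the router (same arguments as tinc_fwd_list).
# Pasting the printed rules into the Tinc Firewall tab works as well.
tinc_fwd_apply() {
    tinc_fwd_list "$@" | while IFS= read -r rule; do
        $rule || printf 'failed: %s\n' "$rule" >&2
    done
}

# Usage with constructed values; prints the rules, applies nothing.
if [ "${1:-}" = "--print" ]; then
    tinc_fwd_list "8088,8000,65001:8000,65002:8000" 192.168.3.50 192.168.11.1
fi
```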
  32. Malakai

    Malakai Networkin' Nut Member

    No.

    Regarding your following post: Tomato has a Tinc Firewall tab where you can add all your rules so that they are added when the interface is up and removed when it is down. Just make sure to set Firewall Rules to manual.
     
  33. yodaphone

    yodaphone Reformed Router Member

    Lance: Finally figured out the answer to an earlier question. It was a typo & I had been splitting hairs for 2 days over this. The tinc tunnel is up (pfSense 192.168.1.0/24 -> with IP 192.168.1.1 & the tomato 192.168.3.0/24 -> with IP 192.168.3.1)

    Now to the iptables part. pfSense doesn't support iptables. ca
    Thanks. Regarding the rules, the Firewall tab is there only on the 192.168.3.0 side (which is a tomato router, with no public IP as it's double NATted). This doesn't exist on the pfSense side. Moreover I'm not sure if iptables are understood by pfSense.
     
    Last edited: Jan 8, 2017
  34. lancethepants

    lancethepants Network Guru Member

    All I know is that it is based on FreeBSD, so not even linux. You'll have to ask them, but I have no doubt it is possible.
     
  35. koitsu

    koitsu Network Guru Member

    pfSense (based on FreeBSD) uses OpenBSD/FreeBSD pf. No, it does not use iptables. It's a firewall that is actually sane and clean. ;-)

    I could probably tell you what the relevant pf.conf rules are for what's needed, but I don't fully understand the iptables rules shown (partially, but not fully, esp. those in the nat table). The DNAT/SNAT stuff has never made much sense to me.
     
  36. rs232

    rs232 Network Guru Member

    mistake, ignore.
     
  37. blackantt

    blackantt Serious Server Member

    If I set up 2 p2p VPN clients on Windows PCs, how do I know, after they connect, whether the traffic is forwarded by the server or transmitted between the 2 clients directly?
    Can I use 'netstat -n' to judge?
     
  38. lancethepants

    lancethepants Network Guru Member

  39. blackantt

    blackantt Serious Server Member

    Can you give me more hints?
    1. For 2 tomato routers, apart from the Config and Hosts tabs, do I need to set up any other tabs (iptables)?
    2. Main TT has a public IP, so how do I fill in the Hosts tab to connect to vice TT?
    3. Is the picture right for the Hosts tab of vice TT?
    4. Do I need to exchange their public keys in the GUI? (I noticed it needs to exchange public keys by command line)
    5. Where can I assign virtual IPs to them (10.8.0.0) with the GUI?

    thanks
     

    Attached Files: tinc.jpg
  40. lancethepants

    lancethepants Network Guru Member

    @blackantt
    Your setup looks good, you just need to share each side's host information with the other side. That means both main and vice will have identical entries in the hosts area. So yes, you are sharing the public key with each side. Also, remove the IP address in Address for vice, because you said vice doesn't have a public IP. On vice you will then check ConnectTo on main, to tell it to connect to main. I can't see your general router config, but I'm guessing you did really set up main to be 192.168.11.1, and vice to be 192.168.10.1. There isn't any virtual IP between them, they will address each other at their real local addresses. You should only need to use the config and hosts tabs. The scripts tab is for more advanced use.
     
  41. blackantt

    blackantt Serious Server Member

    It's OK. successful.

    Further questions:
    1. If there are 100 hosts in this mesh network, do I need to add 99 hosts into the Hosts tab for every host?
    2. Can I route traffic of host A to host B, and traffic of host C to host D (just like the traffic of an OpenVPN client goes through the OpenVPN server)?
     
  42. lancethepants

    lancethepants Network Guru Member

    @blackantt
    1. No, it is not necessary for every host to have the information of every other host. I explain this a bit in the first post, and you can read about it in section 4.3
    https://www.tinc-vpn.org/documentation-1.1/tinc.pdf

    2. This is possible, but it would require use of the scripts tab (more advanced use), writing some rules in there, and a good general knowledge of how networking works. I would maybe think about adding this to the GUI... some day. It complicates things a little bit. Honestly I would recommend just using OpenVPN for this right now. It should be possible to run both, and have OpenVPN handle internet while having tinc handle the vpn to other hosts, also complicated.

    Here's some writing on the topic, which illustrates how this could be done.
    https://www.tinc-vpn.org/examples/redirect-gateway/
     
  43. blackantt

    blackantt Serious Server Member

    More questions, :)
    On my TT, the version is tinc 1.1pre11.
    1. When I set up tinc on CentOS with 'yum install tinc -y', I got tinc 1.0.24. So how do I set up a new version on CentOS, and where can I post a request about it (I have searched online, can't find it)?

    2. If I can't get a new version on CentOS, then how do I add the 'RSA Public Key' of the VPS into the Hosts of TT? (I use 'tincd -n myvpn -K4096' to produce the public key.) When I did it, there was a warning 'Ed25519 Public Key is required.'

    Or how do I produce an Ed25519 Public Key with tinc 1.0?
     
  44. rs232

    rs232 Network Guru Member

    Hi @lancethepants

    2 things please:

    - I'm modifying p2partisan to take into account the 3 types of VPN we have in tomato (OpenVPN/PPTP/Tinc).
    The idea is to whitelist IPs (preferred) or ports (TCP/UDP 655 for tinc) based on the technology used. At the moment in my latest p2partisan beta I'm whitelisting TCP/UDP 655 from the code if the below is set:
    nvram get tinc_wanup=1
    However I was thinking.... for tinc specifically I might actually whitelist the individual IPs as it's more secure and precise. Can you please confirm that getting the list of tinc nodes as per "nvram get tinc_hosts" is comprehensive information when it comes to defining source/destination sockets? What I'm trying to get at is: if I'm the router and I don't see the host/IP in that variable, no other tinc router should try to connect to me, or me to them, right?
    P.S. (lazy question) Do you happen to have a regex ready to go to extract hostnames from the current nvram variable? I can see you have some custom encoding in it...

    - Different question on the same topic: say I'd like to define a different port from the default 655, where do you advise the GUI user to change this for the local router? Also, once changed, would you always have a matching TCP/UDP port or could you potentially have tinc TCP on port X and tinc UDP on port Y?

    Many thanks!!
    :)
     
    Last edited: Jun 12, 2017
  45. rs232

    rs232 Network Guru Member

    On a router behind NAT connected via a weak wireless connection (long distance point-2-point) I get lots of tinc errors:

    Code:
    Jun 12 10:49:32 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2656
    Jun 12 10:49:32 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2656
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2499
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2499
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2658
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2658
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2501
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2501
    [... 42 further lines of the same "Received late or replayed packet, seqno 0" message, logged every 1-2 seconds, omitted ...]
    I'm wondering if there's anything that I or tomato-tinc can modify to prevent/mitigate this issue? The connection unfortunately, as much as I would like to change it, is always going to be unreliable :(

    Thanks
     
  46. lancethepants

    lancethepants Network Guru Member

    Yes, the "tinc_hosts" variable has all the information about all hosts and their Subnets, including the local host. The variable "tinc_name" is how you can know which one of the hosts in "tinc_hosts" is the local host, and which port it is running on.
    The formatting of the data in "tinc_hosts" is the same as other pages in tomato that use "TomatoGrid()", e.g. port forwarding is one. tinc.c parses the variable, but I'm guessing your project isn't using C. Outside of C I don't really have a way of programmatically parsing the information, but if you want some help I'm sure it could be done with the busybox shell tools that tomato has.

    To change the local host's port in tinc, it is just the Hosts tab, and add a value under the entry for the local host.

    Is tinc still functioning on your wireless connection? It looks as if it is. It looks as if it is just logging "late or replayed packet" errors because of the unreliable nature of the wireless connection.
     
    Last edited: Jun 12, 2017
  47. rs232

    rs232 Network Guru Member

    Does anybody have an idea how to enable DNS resolution over the VPN?
    With OpenVPN I used to manually add tun11,tun12,tun21,tun22 to the Advanced DNS config page.
    If I go adding tinc to the list, tomato complains saying the interface does not exist.

    Thanks!
     
  48. lancethepants

    lancethepants Network Guru Member

    @rs232
    What exactly is it you want to do? And what exactly have you placed in the Advance DNS config?
     
  49. rs232

    rs232 Network Guru Member

    It's pretty much what's documented in this thread of mine from a long time ago. This is about OpenVPN but it's exactly the same concept.
    http://www.linksysinfo.org/index.php?threads/dns-queries-over-openvpn-site-to-site.69941/
    For tinc I added the interface:
    interface=tun11,tun12,tun21,tun22,tinc

    Basically after updating tomato on my tinc sites (I have a mixture of shibby and Kille72) I noticed that the intrasite DNS resolution doesn't work any more.
     
    Last edited: Aug 17, 2017
  50. lancethepants

    lancethepants Network Guru Member

    @rs232

    Here is a question and then my response earlier in this thread that I think is related. In particular the dns-rebind portion.

    http://linksysinfo.org/index.php?threads/tinc-mesh-vpn.70257/page-2#post-270665
    http://linksysinfo.org/index.php?threads/tinc-mesh-vpn.70257/page-2#post-270693

    There is also a "rebind-domain-ok" option to specify certain domains if you don't want to completely disable rebind protection. For example, I use "rebind-domain-ok=/plex.direct/" in order to allow plex to work on my local network.
    https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections
     
    rs232 likes this.
  51. rs232

    rs232 Network Guru Member

    Good catch, it worked perfectly!

    Worth adding this to the notes of the tinc GUI?
     
  52. alf5683

    alf5683 Reformed Router Member

    Hi @lancethepants, I want to know if it's possible to update the tinc release on your firmware for an old Linksys WRT54G?

    Thx :d
     
  53. lancethepants

    lancethepants Network Guru Member

    Do you use the release from my site? That's the only one I'm aware of that has tinc for wrt54. It is pretty tricky because of the limited space. Do you need the tinc legacy protocol or do you use the new protocol? Being able to eliminate the legacy protocol will make it much easier to create.
     
  54. alf5683

    alf5683 Reformed Router Member

    Yes I use it! "Tomato Firmware v1.28.7636 Toastman-IPT-ND ND TINC"
    The other device uses "Tomato Firmware 1.28.0000 -140 K26ARM USB AIO-64K"; the changelog on Shibby's site says tinc: update to 1.1pre14. I don't know if it's the legacy protocol or not, sorry :(

    Thx for your quick answer!
     
