
Tinc setup

Discussion in 'Tomato Firmware' started by i1135t, Jan 28, 2013.

  1. i1135t

    i1135t Network Guru Member

    Hi everyone, I am having some problems setting up tinc. I have been able to set up the configs and RSA key exchanges but cannot get it to ping any other computers on opposite endpoints other than the two VPN gateways. I thought it was an iptables issue, but I issued a wide-blanket ACCEPT for INPUT and FORWARD chains for the tinc interface and still no luck other than being able to ping only the router and tinc gateway from the outside. Below is a brief example of my setup. Has anyone been able to successfully set this up on Tomato and is willing to share their knowledge/instructions?

    tinc.conf (home)
    Code:
    Name = home
    # ConnectTo = laptop
    Interface = mwh
    #Device = /dev/net/tun
    Mode = switch
    Subnet = 172.21.0.1/32
    Address = ***
    tinc-up
    Code:
    #!/bin/sh
    ifconfig $INTERFACE 172.21.0.1 netmask 255.255.255.0
    home
    Code:
    Compression = 9
    Subnet = 172.21.0.1/32
    Address = ***
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----
    tinc.conf (laptop)
    Code:
    Name = laptop
    ConnectTo = home
    #Interface =
    #Device = /dev/net/tun
    Mode = switch
    Subnet = 172.21.0.2/32
    #Address =
    tinc-up
    Code:
    #!/bin/sh
    ifconfig $INTERFACE 172.21.0.2 netmask 255.255.255.0
    laptop
    Code:
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----
    iptables -I INPUT -i mwh -j ACCEPT
    iptables -I FORWARD -i mwh -j ACCEPT
     
  2. rafwes

    rafwes Serious Server Member

    First decide what you want, bridged (switch) or routed mode. You can't use both. If you want switched mode, everyone (local and remote clients) should be on the same subnet and you'll need to add the tinc interfaces to your local bridges. If you use routed mode, allow local forwarding from/to the tinc interfaces since they will take care of the forwards to remote subnets.
     
  3. i1135t

    i1135t Network Guru Member

    All the setups that I've been able to come across on the www that were successful have been in switch mode, so I figured that worked best. When I comment out switch mode (which defaults to router mode) I cannot ping anything on my home subnet other than the tinc IP. I have put in route statements and iptables rules but no go.

    My internal networks are listed below.

    Home:
    192.168.7.0/24

    Tinc Home interface IP: 172.21.0.1

    Laptop:
    192.168.42.0/24 (but can change depending on where I connect from)

    Tinc Laptop interface IP: 172.21.0.2

    Note that the tinc-up script has a CIDR of /32 but when I bring up the interface, it's a /24 subnet (255.255.255.0) - not sure why

    On the laptop I can ping 172.21.0.1 and my home gateway of 192.168.7.1 (in switch mode) but nothing else on the subnet, even after putting in route statements and iptables rules to allow from that tinc interface on the INPUT and FORWARD chains. How should I go about it and what am I doing wrong?
     
  4. apnar

    apnar Network Guru Member

    I've had good luck with routed mode with my tinc VPN. I also don't bother with separate 172.x.x.x addressing like you did. I instead give the tinc interface the same IP as the internal LAN interface. Try configs like these:

    tinc.conf
    Code:
    name=home
    AddressFamily=ipv4
    
    tinc-up
    Code:
    ifconfig $INTERFACE 192.168.7.1 netmask 255.255.255.0
    home
    Code:
    Address=my.dynamic.dns.com
    Subnet=192.168.7.0/24
    ----BEGIN RSA.......
    For firewall rules I just use a 192.168.* to 192.168.* allowed. When debugging I also find it helpful to send the tincd process USR1 and USR2 signals which causes it to dump useful info into the log.
     
  5. apnar

    apnar Network Guru Member

    The netmask in the up script should have been 255.255.0.0, causing it to route all non-local 192.168 traffic through the VPN. so:

    tinc-up:
    Code:
    ifconfig $INTERFACE 192.168.7.1 netmask 255.255.0.0
    
    Also, I looked and here are the firewall rules I have in place:
    Code:
    iptables -I INPUT -p tcp -m tcp --dport 655 -j logaccept
    iptables -I INPUT -p udp --dport 655 -j logaccept
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -j ACCEPT
    iptables -I FORWARD -o tun+ -j ACCEPT
     
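The script below is an added example, not code from this thread or from any of its posters. It ties together rafwes' point that you must pick router or switch mode (post 2) and apnar's routed-mode layout (posts 4 and 5): it writes a tinc 1.0 tinc.conf, hosts/<name> and tinc-up for a node in either mode, picks the tinc-up netmask that actually covers the remote LAN (which is why apnar's 255.255.0.0 works where a /24 does not), and prints firewall rules scoped to the tunnel instead of the blanket ACCEPT from the first post. Assumed or constructed values: the interface name vpn0, a Tomato LAN bridge named br0, the two LANs from the thread, tinc's default port 655, a made-up DNS name, and the scratch directory the files are written to; nothing in it touches the live system.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters. Generates tinc 1.0
# config files for a node in "router" or "switch" mode and prints firewall
# rules scoped to the tunnel. Assumed/constructed: interface name vpn0,
# Tomato LAN bridge br0, the two LANs from the thread, a made-up DNS name.
# Nothing here touches the live system; files go into a directory you pass.
set -e

IFACE=vpn0   # value for tinc.conf "Interface =", assumed

# Dotted quad -> integer, using IFS splitting (POSIX sh, no bashisms).
ip2int() {
  ip=$1; oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length 0-32 -> dotted-quad netmask, e.g. 16 -> 255.255.0.0
prefix_to_mask() {
  if [ "$1" -eq 0 ]; then echo 0.0.0.0; return; fi
  int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Shortest prefix whose network contains both addresses. In router mode the
# tinc-up netmask must cover the remote LAN too, or the kernel never sends
# that traffic into the tunnel (apnar's 255.255.0.0 is this, rounded to /16).
covering_prefix() {
  x=$(( $(ip2int "$1") ^ $(ip2int "$2") )); n=32
  while [ "$x" -ne 0 ]; do x=$(( x >> 1 )); n=$(( n - 1 )); done
  echo "$n"
}

# Write tinc.conf, hosts/<name> and tinc-up under $dir.
# Args: dir name mode local_lan_cidr local_lan_ip remote_lan_cidr [peer] [address]
write_tinc_node() {
  dir=$1; name=$2; mode=$3; lan=$4; lanip=$5; remote=$6; peer=$7; addr=$8
  mkdir -p "$dir/hosts"
  {
    printf 'Name = %s\nInterface = %s\nAddressFamily = ipv4\nMode = %s\n' \
      "$name" "$IFACE" "$mode"
    if [ -n "$peer" ]; then printf 'ConnectTo = %s\n' "$peer"; fi
  } > "$dir/tinc.conf"
  {
    if [ -n "$addr" ]; then printf 'Address = %s\n' "$addr"; fi
    # Router mode: advertise the whole LAN so peers route it to this node.
    # Switch mode: tinc learns MAC addresses itself, no Subnet needed.
    if [ "$mode" = router ]; then printf 'Subnet = %s\n' "$lan"; fi
    printf '# append the public key generated by: tincd -n <netname> -K\n'
  } > "$dir/hosts/$name"
  {
    printf '#!/bin/sh\n'   # tinc runs this with $INTERFACE set to the device
    if [ "$mode" = router ]; then
      mask=$(prefix_to_mask "$(covering_prefix "${lan%/*}" "${remote%/*}")")
      printf 'ifconfig $INTERFACE %s netmask %s\n' "$lanip" "$mask"
    else
      # Bridged: the tap device joins the LAN bridge and carries no IP itself.
      printf 'ifconfig $INTERFACE 0.0.0.0 promisc up\nbrctl addif br0 $INTERFACE\n'
    fi
  } > "$dir/tinc-up"
  chmod +x "$dir/tinc-up"
}

# Firewall rules, printed rather than applied: let the tinc daemon port in,
# then forward only between the two LANs over the tunnel interface, instead
# of the blanket "-i mwh -j ACCEPT" from the first post.
# Args: tinc_iface port local_lan_cidr remote_lan_cidr
tinc_firewall_rules() {
  printf 'iptables -I INPUT -p tcp --dport %s -j ACCEPT\n' "$2"
  printf 'iptables -I INPUT -p udp --dport %s -j ACCEPT\n' "$2"
  printf 'iptables -I INPUT -i %s -s %s -j ACCEPT\n' "$1" "$4"
  printf 'iptables -I FORWARD -i %s -s %s -d %s -j ACCEPT\n' "$1" "$4" "$3"
  printf 'iptables -I FORWARD -o %s -s %s -d %s -j ACCEPT\n' "$1" "$3" "$4"
}

# Demo: build the "home" side (LAN 192.168.7.0/24, reachable via a dynamic
# DNS name) in a scratch directory and show what was generated.
main() {
  out=$(mktemp -d)
  write_tinc_node "$out" home router 192.168.7.0/24 192.168.7.1 \
    192.168.42.0/24 "" home.dyndns.example
  for f in tinc.conf hosts/home tinc-up; do echo "== $f"; cat "$out/$f"; done
  echo "== firewall"
  tinc_firewall_rules "$IFACE" 655 192.168.7.0/24 192.168.42.0/24
  rm -rf "$out"
}
main
```

Run it as-is to see the generated "home" files; for the laptop side, call write_tinc_node with the roles swapped and "home" as the peer. The covering netmask for 192.168.7.0/24 and 192.168.42.0/24 comes out as 255.255.192.0 (/18); apnar's /16 is the same idea with a larger, simpler block. The FORWARD rules match on both interface and the two LAN prefixes, so a host on the remote LAN can only reach your LAN through the tunnel, not anything else the router can route to.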
