Tinc Mesh VPN

Discussion in 'Tomato Firmware' started by lancethepants, Jul 25, 2014.

  1. yodaphone

    yodaphone Reformed Router Member

    When you say VPN gateway IP, do you mean the main IP of router A (192.168.11.1)?
     
  2. yodaphone

    yodaphone Reformed Router Member

    /32 means you are specifying just 1 IP, right?
     
  3. lancethepants

    lancethepants Network Guru Member

    Right. I also just tried this with a Minecraft server. I connect to router A, it communicates with Device B over the VPN, and I am able to connect. I am assuming your service is TCP; otherwise you'll need to change everything to UDP.
     
  4. yodaphone

    yodaphone Reformed Router Member

    Awesome... this worked.

    I have one other question: how do I add more ports to that?

    Can I just use a comma to add additional ports, or do I have to specify every port separately?
     
  5. lancethepants

    lancethepants Network Guru Member

    @yodaphone
    Unless you have port ranges, I would just do 1<->1 port mapping by running this multiple times with different ports. Do you have a lot of ports or just a few?
     
  6. Mate Rigo

    Mate Rigo Networkin' Nut Member

    Hi all!

    I am having a hard time connecting a Raspberry Pi running tinc version 1.1pre11 to my Tomato, which also runs tinc version 1.1pre11.

    My goal is to reach the Raspberry even if the router it is behind were reconfigured (e.g. port forwarding disabled).

    Raspberry has the IP 192.168.0.101 and is on the network 192.168.0.0/24
    Tomato has the IP 192.168.10.1 and is on the network 192.168.10.0/24
    Tomato2 has the IP 192.168.17.1 and is on the network 192.168.17.0/24

    Tomato and Tomato2 are already hooked up, and can reach each other.


    My status with Raspberry is, that the ed25519 keys have been created and exchanged with Tomato/Tomato2.
    Raspberry connects to the Tomato mesh network, but it remains unreachable.


    Here is the setup of the Raspberry:
    Code:
    # tinc.conf
    Name = rpi
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = Tomato

    # tinc-up
    ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

    # hosts/rpi
    Ed25519PublicKey = *Secret*
    Subnet = 10.0.0.0/24

    # hosts/Tomato
    Ed25519PublicKey = *Secret*
    Address = Tomato-ip
    Subnet = 192.168.10.0/24
    Compression = 0

    In the Tomato I also set up the tinc like this:
    upload_2016-10-14_21-38-2.png

    It shows up in the edge settings:
    upload_2016-10-14_21-38-9.png
    (Tomato is actually called rppafrany, but don't mind this, Tomato2 is manofrankfurt)

    But in the info settings it tells me that reachability is this:
    upload_2016-10-14_21-38-39.png

    Also, I cannot ping it from either Tomato.

    Here is the ifconfig output from the Raspberry:
    Code:
    eth0 Link encap:Ethernet HWaddr b8:27:eb:e9:6a:6e
    inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:10069 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8071 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1614148 (1.5 MiB) TX bytes:2853561 (2.7 MiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:5560 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5560 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:404149 (394.6 KiB) TX bytes:404149 (394.6 KiB)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    Can anyone give me maybe pointers?
    Any help would be greatly appreciated!

    Thanks a lot for your time!
     
  7. lancethepants

    lancethepants Network Guru Member

    @Mate Rigo
    The default VPN netmask in Tomato is 255.255.0.0. The routers are using 192.168.x.x addresses, so the whole VPN range is 192.168.0.0/16. Dividing that into /24 networks, you then have 192.168.0.0 -> 192.168.254.0 as your range of usable networks.

    You need to give the Raspberry Pi an address in that range as well, not 10.0... So you'll have to pick something else.
    Also, the IP address you decide on for the raspberry Pi needs to be on the VPN netmask. For example, it could be something like this.

    Code:
    ifconfig $INTERFACE 192.168.20.1 netmask 255.255.0.0
    
    Notice the netmask is 255.255.0.0

    Also, it's OK to assign a whole subnet to the Pi, but you really only need a single address. You could then change the hosts file for the Pi to 192.168.20.1/32.
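    A quick way to check a set of tinc hosts against the Tomato VPN netmask before chasing a reachability problem, as an added example (not code from this thread, nor from the tinc or Tomato projects): it converts the dotted netmask from the GUI to a prefix length, verifies that every host's Subnet lies inside the VPN range, and flags Subnets that overlap between hosts (two hosts claiming the same range is the other common reason a node shows as unreachable). It is written for busybox ash as found on the router; the host names and Subnets in the constructed sample are the ones from the post above, with the 10.0.0.0/24 entry being the one that fails.

```shell
#!/bin/sh
# Added example: sanity-check tinc "Subnet =" entries against the Tomato VPN netmask.
# POSIX/busybox sh. Arithmetic may wrap to 32-bit signed on mipsel; that does not
# change the results because only masked values are compared with each other.

# ip4_to_int A.B.C.D -> integer
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask N -> integer mask for /N
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0; return; fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# netmask_to_prefix 255.255.0.0 -> 16 (the Tomato GUI shows a dotted mask)
netmask_to_prefix() {
    m=$(ip4_to_int "$1"); p=0
    while [ "$p" -lt 32 ] && [ $(( m & (1 << (31 - p)) )) -ne 0 ]; do
        p=$((p + 1))
    done
    echo "$p"
}

# in_subnet ADDR NET/PREFIX -> true if ADDR lies inside NET/PREFIX
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}"); mask=$(prefix_to_mask "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# subnet_within SUB/P VPN/Q -> true if SUB/P is entirely inside VPN/Q
subnet_within() {
    [ "${1#*/}" -ge "${2#*/}" ] && in_subnet "${1%/*}" "$2"
}

# subnets_overlap A/PA B/PB -> true if the two ranges share any address
subnets_overlap() {
    if [ "${1#*/}" -le "${2#*/}" ]; then
        in_subnet "${2%/*}" "$1"
    else
        in_subnet "${1%/*}" "$2"
    fi
}

# check_hosts VPN_NET/PREFIX "name subnet"... -> prints problems, returns their count
check_hosts() {
    vpn=$1; shift; problems=0
    for entry in "$@"; do
        name=${entry%% *}; sub=${entry#* }
        if ! subnet_within "$sub" "$vpn"; then
            echo "PROBLEM: $name Subnet $sub is outside the VPN range $vpn"
            problems=$((problems + 1))
        fi
    done
    i=0
    for a in "$@"; do
        i=$((i + 1)); j=0
        for b in "$@"; do
            j=$((j + 1))
            [ "$j" -le "$i" ] && continue
            if subnets_overlap "${a#* }" "${b#* }"; then
                echo "PROBLEM: ${a%% *} ${a#* } overlaps ${b%% *} ${b#* }"
                problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# Constructed sample: the three hosts from the post, VPN netmask 255.255.0.0
VPN="192.168.0.0/$(netmask_to_prefix 255.255.0.0)"
check_hosts "$VPN" "Tomato 192.168.10.0/24" "Tomato2 192.168.17.0/24" "rpi 10.0.0.0/24" \
    || echo "$? problem(s); move rpi into $VPN, e.g. Subnet = 192.168.20.1/32"
```

    Run it with the Subnet lines copied from each host file; a non-zero exit means at least one entry needs to change before tinc-up or the firewall is worth looking at.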
     
  8. Mate Rigo

    Mate Rigo Networkin' Nut Member

    @lancethepants

    Thanks a lot for the right pointers.
    The different subnet and the 255.255.0.0 netmask did the trick, now I am able to connect to my raspberry pi.

    You rock!
     
  9. rs232

    rs232 Network Guru Member

    Hi all

    Not very often at all, but in the last 3 months I have found tinc not running on a couple of occasions despite the "Start with WAN" setting being on. Note: the devices were not rebooted.

    The last time it happened was 2 days ago, and the latest reference in the log was:
    Code:
    Oct 15 04:05:34 tomato36k daemon.err tinc[20011]: Metadata socket read error for tomato41a (1.2.3.4 port 27103): Connection timed out
    After that, all silent on the tinc side until it was manually (re)started.

    So two questions:
    - is there anything you can think of that stops the tinc process automatically, e.g. max connection attempts or something?
    - does tinc have a built-in watchdog (or can one be implemented) to start the process if it is found not running? Yes, an external script would do for sure, but I'm comparing with OpenVPN where this is available out of the box (see max attempts).


    thanks!
    rs232
     
  10. blackantt

    blackantt Serious Server Member

    I can't find tinc in Shibby. Which version has tinc inside?
     
  11. lancethepants

    lancethepants Network Guru Member

    @rs232 Hmm, hard to know why. pre11 was a pretty decent release, but I've found the newer releases really good as well, though I don't know if they will fix your issue. I don't want shibby to try and hit a moving target, so pre11 I think is it until a final version comes out. But you could use tomatoware to compile tinc and bind-mount it over the built-in firmware's version. This is what I've done to test new releases.

    @blackantt I know they should be in his AIO releases. I'm not sure if they're in all the VPN versions, though I do remember someone saying something about him adding it later, maybe to the VPN builds. Routers with limited ROM may not get it.
     
  12. blackantt

    blackantt Serious Server Member


    1. Yesterday I wanted to try tinc on Ubuntu 14.04 according to the guide "https://www.digitalocean.com/commun...l-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04". After "sudo tincd -n netname -K4096" I got "Warning: old key(s) found and disabled.". This is a clean Ubuntu. How do I troubleshoot this?

    2. Are you the author? Can you give us a guide for the Padavan-7620 router? Padavan-7620 is popular in China. We want to use tinc on Padavan-7620, but can't find a guide.
     
  13. lancethepants

    lancethepants Network Guru Member

    @blackantt I am not the author of tinc. I have only created the tinc gui for Tomato Firmware. I limit my support in this forum to individuals who are using tinc on tomato firmware. I have never used Padavan and am completely unfamiliar with it.
     
  14. alf5683

    alf5683 Reformed Router Member

    Hi !!
    It's me again !!
    First, thanks to you I have had a connection between my home and my brother's home for 6 months without any issues.

    Just one other question: how can I block the DHCP requests? Because when I connect to my Wi-Fi (at my home), sometimes the response to my DHCP request comes from my brother's Tomato! It's not a big problem, but it's not the best way...!

    My configuration:

    My home:
    Tomato by shibby = 192.168.0.1
    LAN: 192.168.0.100

    My brother's home:
    Tomato by shibby = 192.168.0.2
    LAN: 192.168.0.200

    They have the same subnet mask; tinc 1.1pre11 is installed with "TAP" and "Switch". I already switched to "Hub" and the issue stays.
    I made this choice because I want to see ALL the network in the "Computer" menu of my Windows 7...


    Any idea?

    Thx
     
  15. lancethepants

    lancethepants Network Guru Member

  16. alf5683

    alf5683 Reformed Router Member

  17. yodaphone

    yodaphone Reformed Router Member

  18. lancethepants

    lancethepants Network Guru Member

    These are only necessary on bridged (tap) connections because they allow broadcast packets like DHCP to pass over the VPN.
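    One way to stop the two sites' DHCP servers answering each other's clients while keeping the bridged (tap) setup that alf5683 wants for Windows network browsing, as an added example that is not code from this thread: drop DHCP at the bridge port the tinc tap interface is attached to, with ebtables, so broadcast still crosses the tunnel but DHCP offers and requests stay on their own LAN. Assumptions: the tap interface is a port of br0 named "tinc" (override with TINC_IF) and the firmware includes ebtables; tinc itself has no DHCP-specific filter, so the filtering has to happen in the bridge.

```shell
#!/bin/sh
# Added example, not from the thread: keep DHCP from crossing a bridged (tap) tinc
# link with ebtables, so each Tomato only serves its own LAN. Assumed: the tinc tap
# device is a bridge port named "tinc" and ebtables is present in the firmware.

TINC_IF=${TINC_IF:-tinc}

# dhcp_filter_rules -> one ebtables rule per line (without the leading "ebtables")
dhcp_filter_rules() {
    # replies from the remote site's DHCP server (UDP sport 67): drop before they
    # are flooded to local clients (FORWARD) or handed to the local stack (INPUT)
    echo "-A FORWARD -i $TINC_IF -p IPv4 --ip-proto udp --ip-sport 67 -j DROP"
    echo "-A INPUT -i $TINC_IF -p IPv4 --ip-proto udp --ip-sport 67 -j DROP"
    # requests from remote clients (UDP dport 67): the local dnsmasq must not see them
    echo "-A INPUT -i $TINC_IF -p IPv4 --ip-proto udp --ip-dport 67 -j DROP"
    # local clients' requests and the local server's broadcast offers: never send
    # them out over the tunnel
    echo "-A FORWARD -o $TINC_IF -p IPv4 --ip-proto udp --ip-dport 67 -j DROP"
    echo "-A OUTPUT -o $TINC_IF -p IPv4 --ip-proto udp --ip-sport 67 -j DROP"
}

# dhcp_filter_apply -> (re)install the rules; deleting first keeps repeated runs of
# the firewall script from stacking duplicates
dhcp_filter_apply() {
    dhcp_filter_rules | while read -r rule; do
        ebtables -D ${rule#-A } 2>/dev/null
        ebtables $rule
    done
}

# dhcp_filter_count -> number of rules in the set
dhcp_filter_count() { dhcp_filter_rules | wc -l | tr -d ' '; }

if [ "$1" = apply ]; then
    dhcp_filter_apply
fi
```

    Put the script in the Tomato Firewall script (or the tinc Firewall tab) and call it with "apply" on both routers; after that a client's DHCPDISCOVER is only answered by the router on its own side of the tunnel, and ebtables -L shows the five rules.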
     
  19. eangulus

    eangulus Network Guru Member

    Just wondering how QoS should work with Tinc?

    I currently have 2 sites connected, both on 100/40 fibre. But I can't get a normal SMB file transfer to go any faster than around 1.6Mb/s.

    Looking in QoS I see it is transferring on port 445. I have added that port to the appropriate classification, and still nothing; it keeps showing up in QoS as Unclassified.

    PS: Routers are RT-AC66U and RT-AC68U both running Shibby 138.
     
  20. lancethepants

    lancethepants Network Guru Member

    @eangulus
    The default transport port for tinc is UDP 655 unless you have changed it. You can look at the output of "Edges" in the "Status" tab to verify the port.

    Because of encryption, there is a maximum throughput you can achieve, which will be the slower of your two devices. You will be limited to the RT-AC66U since that one uses a mipsel cpu. Somewhere in this thread I think someone mentions the throughput they achieved with mipsel and arm.

    My impression was that qos was broken in shibby 138. I would think you could achieve something faster than 1.6 megabits (Mb) per second.
     
  21. eangulus

    eangulus Network Guru Member

    Thanks. Strange that it is still defaulted to 655, but when I do a network file transfer it goes over 445. I would have thought it would go over 655 as well.

    And yes, my mistake, 138 has broken QoS. I actually meant that I have 132 (QoS being the reason I haven't gone higher yet).

    I have set the 445 and 655 ports up, but only 655 is classified right. 445 traffic shows as unclassified.

    I understand the CPU limitations; how much faster is the 68U over the 66U for this type of use? If significant enough it may warrant an upgrade. But either way, both ends have 40Mbps upload speeds, so I should be getting much faster transfers.
     
  22. Malakai

    Malakai Networkin' Nut Member

    The network transfer is taking place inside the VPN tunnel. This means that your VPN connection is taking place over your WAN interface on port 655 and the file transfer is taking place over your TINC interface (so through the tunnel) on port 445. Which means that the router has to encrypt and decrypt every packet that goes through the TINC interface (thus the speed limitation, because the CPU of the router is not strong enough to be faster).

    I hope I didn't say something stupid...
     
  23. rs232

    rs232 Network Guru Member

    @lancethepants

    I had 2 different devices where tinc failed in the last couple of days.
    What I can tell you is: when the tinc service is unavailable
    • nothing is recorded in the log (e.g. crash message)
    • the "tinc" interface disappears
    A quick manual workaround to restore the service could be a simple 1 liner
    Code:
    ifconfig | grep tinc >/dev/null || /sbin/service tinc restart

    Also,

    since OpenVPN has an option:
    Poll Interval (in minutes, 0 to disable)

    I'm wondering if tinc/Tomato could have something similar, where the existence of the tinc interface is assessed periodically and the service restarted if problems are found. For the time being I'm testing the following command in the Tomato system Firewall script, but I guess it could alternatively run in WANUP.

    Code:
    nvram get tinc_wanup | grep 1 >/dev/null && cru a tinc-poller "*/15 * * * * /sbin/ifconfig | grep tinc >/dev/null || { /sbin/service tinc restart; logger \"tinc-poller: The service is down. Restarting...\";}" || cru d tinc-poller
    A dedicated field to accommodate this function within the tinc GUI (as per openVPN) would be very nice to have!

    Thanks
    rs232
     
    Last edited: Nov 20, 2016
  24. eangulus

    eangulus Network Guru Member

    I understand how it is supposed to work. What I find strange is that a LAN (tinc to tinc) file transfer shows traffic going over 445 on my router. I expect it to show traffic on 655, as it is supposed to be going over the tinc connection.
     
  25. lancethepants

    lancethepants Network Guru Member

    @eangulus
    Can you confirm that they are both connected to each other over port 655? It is possible that one of the routers is connected on a different port if it is not public facing. I have 3 PCs behind NAT that connect to a router. Only one is connected over 655; the other two have to use a different port that they automatically determine.
     
  26. lancethepants

    lancethepants Network Guru Member

    @rs232
    That seems like a good idea. I'll see how OpenVPN does it and will probably do it the same.
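    A watchdog along the lines rs232 describes, as an added example (not rs232's or lancethepants' code, and not something the Tomato tinc GUI ships): the decision is split into a function that takes the ifconfig text and the daemon PIDs as arguments, so it can be exercised offline against constructed samples, and the rest is the cron registration driven by the "Start with WAN" flag. Assumptions: the script lives at /jffs/tinc-poller.sh, the tunnel device is named "tinc", the daemon process is "tincd", and "Start with WAN" is nvram tinc_wanup. One caveat compared to a bare "ifconfig | grep tinc": the match is anchored to the start of a line, so it cannot be satisfied by the word appearing elsewhere in the output, and a missing process is reported separately from a missing interface so the log says which one went away.

```shell
#!/bin/sh
# Added example, not code from the thread: a tinc watchdog for Tomato. Assumed
# path /jffs/tinc-poller.sh, device "tinc", process "tincd", nvram flag tinc_wanup.

SELF=${SELF:-/jffs/tinc-poller.sh}

# tinc_state IFCONFIG_TEXT PIDS -> prints up | no-process | no-interface; true only if up
tinc_state() {
    ifc=$1; pids=$2
    if [ -z "$pids" ]; then
        echo no-process; return 1
    fi
    # anchor on the interface name at line start so that "tinc" appearing
    # elsewhere in the output cannot satisfy the check
    if ! printf '%s\n' "$ifc" | grep -q '^tinc[[:space:]]'; then
        echo no-interface; return 1
    fi
    echo up
}

# tinc_check -> called from cron; restarts tinc and logs the reason when it is down
tinc_check() {
    state=$(tinc_state "$(ifconfig)" "$(pidof tincd)") && return 0
    logger -t tinc-poller "tinc is $state, restarting"
    service tinc restart
}

# tinc_poller_install -> register or drop the cron job to match "Start with WAN"
tinc_poller_install() {
    if [ "$(nvram get tinc_wanup)" = "1" ]; then
        cru a tinc-poller "*/15 * * * * $SELF check"
    else
        cru d tinc-poller
    fi
}

# Constructed ifconfig samples: tunnel present vs. only the LAN bridge
SAMPLE_UP='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
tinc      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00'
SAMPLE_DOWN='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55'

case "$1" in
    check) tinc_check ;;
    install) tinc_poller_install ;;
esac
```

    Call it with "install" from the WANUP or Firewall script; cron then runs "check" every 15 minutes, and a restart only happens when either the process or the interface is gone.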
     
  27. eangulus

    eangulus Network Guru Member

    They are setup exactly the same as each other. All Tinc configs on default 655 ports.

    And overall everything is working. I can access the whole setup as if its one big LAN.
     
  28. yodaphone

    yodaphone Reformed Router Member


    I am trying to migrate one end of my setup to pfSense (from both sides having Tomato Shibby) for Squid and other features. (FYI: the setup with Tomato on both sides works.)

    I tried setting up tinc, but tinc on pfSense generates RSA keys only and not Ed25519 public/private keys. When I try to set up the remote site, which is on Tomato, it says an Ed25519 Public Key is required. Any idea how I can do this?

    PS: pfSense 2.2.6 with tinc version 1.0.24
     
    Last edited: Jan 7, 2017
  29. Malakai

    Malakai Networkin' Nut Member

    Just put a # in the field for Ed25519 Public Key on Tomato and hit save. It should work because that's how I have it setup (with tinc on Tomato and Debian).
     
  30. yodaphone

    yodaphone Reformed Router Member

    Have you also set "ExperimentalProtocol=no" in config?
     
  31. yodaphone

    yodaphone Reformed Router Member

    Finally figured the issue out.

    I had the hostname spelled with one character in CAPS on one side and all lower case on the other side. It wouldn't validate it. Arrrrrrrrrrrrrg... what a stupid mistake. I've been pulling my hair out for 3 days now.

    The tinc tunnel is up (pfSense 192.168.1.0/24 -> with IP 192.168.1.1 & the Tomato 192.168.3.0/24 -> with IP 192.168.3.1).

    Now to the iptables part. pfSense doesn't support iptables. Can I still pass these params, and if so, any help on how would be highly appreciated.

    These are what I want to pass on the 192.168.1.1 side:

    Code:
    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8088 -j DNAT --to-destination 192.168.3.50:8088
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -o tinc -j SNAT --to 192.168.11.1
    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65001 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65002 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65003 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65004 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65005 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 65006 -j DNAT --to-destination 192.168.3.50:8000
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1
     
    Last edited: Jan 8, 2017
  32. Malakai

    Malakai Networkin' Nut Member

    No.

    Regarding your following post: Tomato has a Tinc Firewall tab where you can add all your rules so that they are added when the interface is up and removed when it is down. Just make sure to set Firewall Rules to manual.
     
  33. yodaphone

    yodaphone Reformed Router Member

    Thanks. Regarding the rules, the Firewall tab is there only on the 192.168.3.0 side (which is a Tomato router, with no public IP as it's double NATed). This doesn't exist on the pfSense side. Moreover, I'm not sure if iptables is understood by pfSense.
     
    Last edited: Jan 8, 2017
  34. lancethepants

    lancethepants Network Guru Member

    All I know is that it is based on FreeBSD, so not even linux. You'll have to ask them, but I have no doubt it is possible.
     
  35. koitsu

    koitsu Network Guru Member

    pfSense (based on FreeBSD) uses OpenBSD/FreeBSD pf. No, it does not use iptables. It's a firewall that is actually sane and clean. ;-)

    I could probably tell you what the relevant pf.conf rules are for what's needed, but I don't fully understand the iptables rules shown (partially, but not fully, esp. those in the nat table). The DNAT/SNAT stuff has never made much sense to me.
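    What the three iptables lines per port do, restated as an added example that is not code from any poster: the Tomato side needs (1) a wanin ACCEPT for the destination host, (2) a WANPREROUTING DNAT that rewrites the public port to the host behind the tinc peer, and (3) a POSTROUTING SNAT on the tinc interface so the remote host's replies return through the router that did the DNAT; without the SNAT the reply would leave through the remote site's own default gateway and the connection would never complete. The generator below takes a list of external:internal port pairs (yodaphone's earlier question about adding more ports), emits the iptables rules for Tomato, emits the pf.conf equivalent for pfSense (the translation koitsu offers), and applies the Tomato rules with an "iptables -C" check so re-running the firewall script does not stack duplicates. Chain names wanin and WANPREROUTING are Tomato's; $wan_if and $tinc_if in the pf output are assumed macro names for the pfSense WAN and tinc interfaces; 192.168.3.50, the SNAT addresses and the ports are the values from the posts. One caveat: the SNAT makes every forwarded connection appear to 192.168.3.50 as coming from the router's tunnel address, so that host's own logs and access controls no longer see the real client; if the service needs the source address, restrict by source on the wanin rule instead.

```shell
#!/bin/sh
# Added example: generate the Tomato iptables rules (and the pf.conf equivalent)
# that forward inbound ports to a host reachable only through the tinc peer.
# emit_iptables TARGET SNAT_IP PROTO EXT:INT [EXT:INT ...]
#   TARGET   host behind the remote tinc peer (192.168.3.50 in the thread)
#   SNAT_IP  this router's address as the remote site sees it through the tunnel

# wanin ACCEPT and SNAT match on the internal port, so one of each per internal
# port is enough even when several external ports map onto it (65001..65006 -> 8000)
emit_iptables() {
    target=$1; snat=$2; proto=$3; shift 3; seen=" "
    for pair in "$@"; do
        ext=${pair%%:*}; int=${pair##*:}
        case "$seen" in
            *" $int "*) ;;
            *)
                echo "iptables -A wanin -d $target/32 -p $proto -m $proto --dport $int -j ACCEPT"
                echo "iptables -t nat -A POSTROUTING -d $target/32 -p $proto -m $proto --dport $int -o tinc -j SNAT --to $snat"
                seen="$seen$int "
                ;;
        esac
        echo "iptables -t nat -A WANPREROUTING -p $proto -m $proto --dport $ext -j DNAT --to-destination $target:$int"
    done
}

# Same forwarding in pf syntax for pfSense (FreeBSD pf: rdr and nat are separate
# rules). $wan_if / $tinc_if are assumed pf macros for the WAN and tinc interfaces.
emit_pf() {
    target=$1; snat=$2; proto=$3; shift 3; seen=" "
    for pair in "$@"; do
        ext=${pair%%:*}; int=${pair##*:}
        echo "rdr pass on \$wan_if proto $proto from any to (\$wan_if) port $ext -> $target port $int"
        case "$seen" in
            *" $int "*) ;;
            *)
                echo "nat on \$tinc_if proto $proto from any to $target port $int -> $snat"
                seen="$seen$int "
                ;;
        esac
    done
}

# apply_iptables: run the generated rules, skipping any already present
# (iptables -C checks for an identical rule), so the firewall script can be re-run
apply_iptables() {
    emit_iptables "$@" | while read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        $check >/dev/null 2>&1 || $rule
    done
}

# Constructed sample, the values from the posts: 8088 and 8000 direct, plus the
# 65001..65006 aliases that all land on 8000
PORTS="8088:8088 8000:8000 65001:8000 65002:8000 65003:8000 65004:8000 65005:8000 65006:8000"
emit_iptables 192.168.3.50 192.168.11.1 tcp $PORTS
emit_pf 192.168.3.50 192.168.1.1 tcp $PORTS
```

    On Tomato, paste the emit_iptables output (or call apply_iptables) in the tinc Firewall tab; on pfSense the same two rule kinds correspond to a port forward plus a manual outbound NAT entry on the tinc interface, which the GUI writes into pf.conf for you.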
     
  36. rs232

    rs232 Network Guru Member

    mistake, ignore.
     
  37. blackantt

    blackantt Serious Server Member

    If I set up 2 p2p VPN clients for Windows PCs, how do I know, after they connect, whether the traffic is forwarded by the server or transmitted between the 2 clients directly?
    Can I use 'netstat -n' to judge?
     
  38. lancethepants

    lancethepants Network Guru Member

  39. blackantt

    blackantt Serious Server Member

    Can you give me more hints?
    1. For 2 Tomato routers, apart from the Config and Hosts tabs, do I need to set up other tabs, iptables?
    2. The main TT has a public IP, so how do I fill in the Hosts tab to connect the vice TT?
    3. Is the picture right for the Hosts tab of the vice TT?
    4. Do I need to exchange their public keys in the GUI? (I noticed it needs to exchange public keys by command line.)
    5. Where can I assign virtual IPs to them (10.8.0.0) with the GUI?

    thanks
     

    Attached: tinc.jpg
  40. lancethepants

    lancethepants Network Guru Member

    @blackantt
    Your setup looks good, you just need to share each side's host information with the other side. That means both main and vice will have identical entries in the hosts area. So yes, you are sharing the public key with each side. Also, remove the IP address in Address for vice, because you said vice doesn't have a public IP. On vice you will then check ConnectTo on main, to tell it to connect to main. I can't see your general router config, but I'm guessing you did really set up main to be 192.168.11.1, and vice to be 192.168.10.1. There isn't any virtual IP between them; they will address each other at their real local addresses. You should only need to use the config and hosts tabs. The scripts tab is for more advanced use.
     
  41. blackantt

    blackantt Serious Server Member

    It's OK, successful.

    Further questions:
    1. If there are 100 hosts in this mesh network, do I need to add the other 99 hosts into the Hosts tab for every host?
    2. Can I route the traffic of host A to host B, and the traffic of host C to host D (just like the traffic of an OpenVPN client goes through the OpenVPN server)?
     
  42. lancethepants

    lancethepants Network Guru Member

    @blackantt
    1. No, it is not necessary for every host to have the information of every other host. I explain this a bit in the first post, and you can read about it in section 4.3
    https://www.tinc-vpn.org/documentation-1.1/tinc.pdf

    2. This is possible, but it would require use of the scripts tab (more advanced use), writing some rules in there, and a good general knowledge of how networking works. I would maybe think about adding this to the GUI... some day. It complicates things a little bit. Honestly I would recommend just using OpenVPN for this right now. It should be possible to run both, and have OpenVPN handle internet while having tinc handle the vpn to other hosts, also complicated.

    Here's some writing on the topic, which illustrates how this could be done.
    https://www.tinc-vpn.org/examples/redirect-gateway/
     
  43. blackantt

    blackantt Serious Server Member

    More questions :)
    On my TT, the version is tinc 1.1pre11.
    1. When I set up tinc on CentOS with 'yum install tinc -y', I got tinc 1.0.24. So how do I set up a newer version on CentOS, and where can I post a request about it? (I have searched online and can't find it.)

    2. If I can't get a newer version on CentOS, then how do I add the 'RSA Public Key' of the VPS into the Hosts of the TT? (I use 'tincd -n myvpn -K4096' to produce the public key.) When I did it, there was a warning 'Ed25519 Public Key is required.'

    Or how do I produce an Ed25519 Public Key with tinc 1.0?
     
  44. rs232

    rs232 Network Guru Member

    Hi @lancethepants

    2 things please:

    - I'm modifying p2partisan to take into account the 3 types of VPN we have in Tomato (OpenVPN/PPTP/Tinc).
    The idea is to whitelist IPs (preferred) or ports (TCP/UDP 655 for tinc) based on the technology used. At the moment, in my latest p2partisan beta, I'm whitelisting TCP/UDP 655 from the code if the below is set:
    nvram get tinc_wanup=1
    However I was thinking... for tinc specifically I might actually whitelist the individual IPs, as it's more secure and precise. Can you please confirm that getting the list of tinc nodes as per "nvram get tinc_hosts" is comprehensive information when it comes to defining source/destination sockets? What I'm trying to get at is: if I'm the router and I don't see the host/IP in that variable, no other tinc router should try to connect to me, nor me to them, right?
    P.S. (lazy question) Do you happen to have a regex ready to go to extract hostnames from the current nvram variable? I can see you have some custom encoding in it...

    - Different question on the same topic: say I'd like to define a different port from the default 655, where do you advise the GUI user to change this for the local router? Also, once changed, would you always have a matching TCP/UDP port, or could you potentially have tinc TCP on port X and tinc UDP on port Y?

    Many thanks!!
    :)
     
    Last edited: Jun 12, 2017
  45. rs232

    rs232 Network Guru Member

    On a router behind NAT connected via a weak wireless connection (long distance point-2-point) I get lots of tinc errors:

    Code:
    Jun 12 10:49:32 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2656
    Jun 12 10:49:32 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2656
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2499
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2499
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2658
    Jun 12 10:49:34 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2658
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2501
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2501
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2660
    Jun 12 10:49:36 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2660
    Jun 12 10:49:38 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2503
    Jun 12 10:49:38 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2503
    Jun 12 10:49:38 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2662
    Jun 12 10:49:38 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2662
    Jun 12 10:49:40 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2505
    Jun 12 10:49:40 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2505
    Jun 12 10:49:40 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2664
    Jun 12 10:49:40 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2664
    Jun 12 10:49:41 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2505
    Jun 12 10:49:41 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2505
    Jun 12 10:49:41 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2666
    Jun 12 10:49:41 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2666
    Jun 12 10:49:42 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2507
    Jun 12 10:49:42 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2507
    Jun 12 10:49:42 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2666
    Jun 12 10:49:42 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2666
    Jun 12 10:49:43 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2507
    Jun 12 10:49:43 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2507
    Jun 12 10:49:43 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2668
    Jun 12 10:49:43 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2668
    Jun 12 10:49:45 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:45 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:45 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2668
    Jun 12 10:49:45 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2668
    Jun 12 10:49:47 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:47 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:47 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2672
    Jun 12 10:49:47 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2672
    Jun 12 10:49:49 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:49 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2509
    Jun 12 10:49:49 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    Jun 12 10:49:49 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    Jun 12 10:49:50 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2511
    Jun 12 10:49:50 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2511
    Jun 12 10:49:50 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    Jun 12 10:49:50 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    Jun 12 10:49:52 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2513
    Jun 12 10:49:52 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2513
    Jun 12 10:49:52 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    Jun 12 10:49:52 tomato41ap2 daemon.err tinc[937]: Received late or replayed packet, seqno 0, last received 2674
    I'm wondering if there's anything that I or tomato-tinc can modify to prevent/mitigate this issue? The connection, unfortunately, as much as I would like to change it, is always going to be unreliable :(

    Thanks
     
  46. lancethepants

    lancethepants Network Guru Member

    Yes, the "tinc_hosts" variable has all the information about all hosts and their Subnets, including the local host. The variable "tinc_name" is how you can know which one of the hosts in "tinc_hosts" is the local host, and which port it is running on.
    The formatting of the data in "tinc_hosts" is the same as on other pages in Tomato that use "TomatoGrid()", e.g. port forwarding is one. tinc.c parses the variable, but I'm guessing your project isn't using C. Outside of C I don't really have a way of programmatically parsing the information, but if you want some help I'm sure it could be done with the busybox shell tools that Tomato has.

    To change the local host's port in tinc, it is just the Hosts tab: add a value under the entry for the local host.

    Is tinc still functioning on your wireless connection? It looks as if it is, and is just logging "late or replayed packet" errors because of the unreliable nature of the wireless connection.
     
    Last edited: Jun 12, 2017
  47. rs232

    rs232 Network Guru Member

    Has anybody an idea how to enable DNS resolution over the VPN?
    With OpenVPN I used to add tun11, tun12, tun21, tun22 manually to the Advanced DNS config page.
    If I add tinc to the list, Tomato complains, saying the interface does not exist.

    Thanks!
     
  48. lancethepants

    lancethepants Network Guru Member

    @rs232
    What exactly is it you want to do? And what exactly have you placed in the Advance DNS config?
     
  49. rs232

    rs232 Network Guru Member

    It's pretty much what's documented in this thread of mine from long time ago. This is about OpenVPN but it's exactly the same concept.
    http://www.linksysinfo.org/index.php?threads/dns-queries-over-openvpn-site-to-site.69941/
    For tinc I added the interface:
    interface=tun11,tun12,tun21,tun22,tinc

    Basically, after updating tomato on my tinc sites (I have a mixture of shibby and Kille72) I noticed that the intrasite DNS resolution doesn't work any more.
     
    Last edited: Aug 17, 2017
  50. lancethepants

    lancethepants Network Guru Member

    @rs232

    Here is a question and then my response earlier in this thread that I think is related. In particular the dns-rebind portion.

    http://linksysinfo.org/index.php?threads/tinc-mesh-vpn.70257/page-2#post-270665
    http://linksysinfo.org/index.php?threads/tinc-mesh-vpn.70257/page-2#post-270693

    There is also a "rebind-domain-ok" option to specify certain domains if you don't want to completely disable rebind protection. For example, I use "rebind-domain-ok=/plex.direct/" in order to allow plex to work on my local network.
    https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections
     
    rs232 likes this.
  51. rs232

    rs232 Network Guru Member

    Good catch, it worked perfectly!

    Worth adding this to the notes of the tinc GUI?
     
  52. alf5683

    alf5683 Reformed Router Member

    Hi @lancethepants, I want to know if it's possible to update the tinc release on your firmware for an old Linksys WRT54G?

    Thx :d
     
  53. lancethepants

    lancethepants Network Guru Member

    Do you use the release from my site? That's the only one I'm aware of that has tinc for wrt54. It is pretty tricky given the limited space. Do you need the tinc legacy protocol or do you use the new protocol? Being able to eliminate the legacy protocol will make it much easier to create.
     
  54. alf5683

    alf5683 Reformed Router Member

    Yes I use it ! "Tomato Firmware v1.28.7636 Toastman-IPT-ND ND TINC"
    The other device uses "Tomato Firmware 1.28.0000 -140 K26ARM USB AIO-64K"; the changelog on Shibby's site says tinc: update to 1.1pre14. I don't know if it's the legacy protocol or not, sorry :(

    Thx for your quick answer!
     
  55. lancethepants

    lancethepants Network Guru Member

    @alf5683 If you're only connecting between routers then the legacy protocol shouldn't be needed. If I can find time I'll try to make a new version, and it might exclude the legacy protocol. It's a time-consuming and mentally taxing effort, especially when I haven't looked at it in years.
     
  56. lancethepants

    lancethepants Network Guru Member

    Hey guys, just thought I'd advertise here a new(ish) app for running tinc on your android devices.

    http://tincapp.pacien.org/

    Last I looked it costs money on the play store, but the author also has it downloadable for free from his site that you can side load.

    This is an open source app that takes advantage of android's built in VPN capabilities. It does not require root like the tinc_gui app, and works well (tun only). It is still in its infancy, so there are a couple of quirks, but it is working well for me.
     
  57. Halcyon

    Halcyon New Member Member

    Hi,

    I'm new to networking but I'm attempting to link two networks together. Tinc was suggested to me. After reading a bit more into it, it seemed like the perfect solution to my problem. First, on Network A, I'm running a Tomato router with Tinc1.1pre11. However, Network B is running OpenWRT with Tinc1.0.19. I assumed Tinc would be backward compatible but I'm not so sure now.

    After much fiddling with the settings, I seem to have finally gotten the two networks to connect. According to Tomato's Tinc status:
    Code:
    Node:         NetworkA
    Node ID:      e4c10e3eaf28
    Address:      MYSELF port 2222
    Online since: 2018-02-16 22:29:55
    Status:       visited reachable
    Options:      pmtu_discovery clamp_mss
    Protocol:     17.4
    Reachability: can reach itself
    Edges:        NetworkB
    Subnets:      192.168.0.0/24
    
    Node:         NetworkB
    Node ID:      c24e970214f5
    Address:      222.222.222.222 port 2222
    Online since: 2018-02-16 22:31:11
    Status:       validkey visited reachable udp_confirmed
    Options:      pmtu_discovery clamp_mss
    Protocol:     17.0
    Reachability: directly with UDP
    PMTU:         1408
    Edges:        NetworkA
    Subnets:      192.168.1.0/24 
    Most of the settings are similar to the OP guide except I had
    Code:
    ExperimentalProtocol = no
    under Custom in Config and
    Code:
    Cipher = none
    in Hosts->NetworkA->Custom.

    Finally, I also added a tinc-down script:
    Code:
    ifconfig $INTERFACE down
    
    Yet, after all this, from NetworkA, I'm unable to ping 192.168.1.1 on NetworkB nor access it. Any suggestions on why that may be? Am I missing some kind of configuration?

    Update:
    After looking at my configuration, I realized I made some configuration errors on NetworkB. Moreover, I needed to add some routing rules to the router of each network site. I can now ping and access NetworkA router (at 192.168.0.1) from NetworkB. However, this is the only device from NetworkB that I can access. All other devices on NetworkA are inaccessible from NetworkB. I feel like I'm very close. I just don't know what I'm missing.

    For those interested, this is the subnet-up script (slightly modified from Openwrt instructions, all credits goes to them) on NetworkA router to add routing rules.
    Code:
    #!/bin/sh
    # tinc runs subnet-up with NODE, SUBNET and INTERFACE set in the environment.
    # Subnets owned by this node are already local, so do nothing for them.
    [ "$NODE" = "NetworkA" ] && exit 0
    # A /32 is a single host; anything else is treated as a network.
    case "$SUBNET" in
        */32) targetType=-host ;;
        *) targetType=-net ;;
    esac
    route add $targetType "$SUBNET" dev "$INTERFACE"
    
    I also have a similar script for subnet-down but replacing
    Code:
    route add
    with
    Code:
    route del
    . Similarly, on NetworkB router there are subnet-up and -down scripts but replace the
    Code:
    $NODE = NetworkA
    with
    Code:
    $NODE = NetworkB
     
    Last edited: Feb 18, 2018
  58. lancethepants

    lancethepants Network Guru Member

    @Halcyon On the tomato router, ssh in and take a look at directory /etc/tinc. On tomato, tinc automatically generates tinc.conf and tinc-up for you. It also has tinc-fw.sh that tomato will run, that creates some firewall rules you may be missing on the openwrt router.
     
    kille72 likes this.
  59. Halcyon

    Halcyon New Member Member

    Thanks for the reply! I should add that no matter which network I'm on, I can only access the router address of the other network. i.e. on NetworkA, I can only access and ping 192.168.1.1 on NetworkB; on NetworkB, I can only access and ping 192.168.0.1 on NetworkA.

    Do you think it's still a firewall setting on the Openwrt router (on NetworkB)?
     
  60. lancethepants

    lancethepants Network Guru Member

    tinc-up
    Code:
    ifconfig $INTERFACE 192.168.10.1 netmask 255.255.0.0
    
    Substituting your router's IP in place of 192.168.10.1.
    This is what I do with tomato instead of having any sort of "subnet-up". Not sure exactly how to read your "subnet-up" script, but I do see /32 in it, which would represent a single device, and not a whole network; maybe that's the issue.
     
  61. Halcyon

    Halcyon New Member Member

    @lancethepants
    Sorry for the delayed reply. It looks like I had no luck. I removed all the subnet-up and subnet-down scripts. I inserted the above line for ifconfig into tinc-up (and replaced my router IP) but either network still refused to access/ping any other computers on the opposite network. Any other pointers? I should mention that the Tomato router has tinc-up on automatic.

    It is so strange that I can access both routers on any computers on either network, yet none of the computers can see across to the other network.

    Edit:
    To make the matter more confusing, it appears I can ping some, but not all the computers on other network.

    To recap:
    All I wanted is for computers on NetworkA (192.168.0.0/24) to be able to access servers at NetworkB (192.168.1.0/24), and vice versa. For example, a computer (192.168.1.149) on NetworkB should be able to map a network drive located on the server (192.168.0.102) at NetworkA and access its web interface at 192.168.0.102:5001 through a browser.

    Yet, the only web interface I can access is each network's routers at 192.168.0.1 and 192.168.1.1 on NetworkA and B, respectively, while I'm on either network.
     
    Last edited: Mar 4, 2018
  62. Halcyon

    Halcyon New Member Member

    From a computer (192.168.1.149) on NetworkB,

    USR2 dump:
    Code:
    Statistics for Linux tun/tap device (tun mode) /dev/net/tun:
     total bytes in:       19672
     total bytes out:       4879
    Nodes:
     NetworkB at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop NetworkB via NetworkB pmtu 1518 (min 0 max 1518)
     NetworkA at 234.243.233.244 port 2222 cipher 0 digest 64 maclength 4 compression 10 options c status 001a nexthop NetworkA via NetworkA pmtu 1404 (min 1404 max 1404)
    End of nodes.
    Edges:
     NetworkB to NetworkA at 123.132.122.133 port 2222 options c weight 140
     NetworkA to NetworkB at 234.243.233.244 port 2222 options c weight 140
    End of edges.
    Subnet list:
     192.168.0.0/24#10 owner NetworkA
     192.168.1.0/24#10 owner NetworkB
    End of subnet list.
    
     
  63. lancethepants

    lancethepants Network Guru Member

    Code:
    iptables -I INPUT -i tinc -j ACCEPT
    iptables -I FORWARD -i tinc -j ACCEPT
    
    Tomato has some firewall rules like this you might need on OpenWRT router.
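    The pieces from posts 60 and 63 combined into one script usable as both tinc-up and tinc-down on the OpenWRT side: it assigns the router's LAN address with the /16 "VPN Netmask" and inserts the INPUT/FORWARD accept rules for the tinc interface, checking first so repeated runs don't stack duplicates. This is an added example, not Tomato's generated tinc-up or its tinc-fw.sh; ROUTER_IP, VPN_NETMASK and the IFCONFIG/IPT wrapper variables are assumptions.

```shell
#!/bin/sh
# Added example (not Tomato's auto-generated tinc-up or tinc-fw.sh): one script
# that serves as tinc-up and tinc-down. Assumptions: ROUTER_IP and VPN_NETMASK
# below, and the IFCONFIG/IPT variables that let the logic be exercised without
# touching a real interface or firewall.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"        # this router's LAN IP (assumed)
VPN_NETMASK="${VPN_NETMASK:-255.255.0.0}"    # one /16 covering every mesh subnet
IFCONFIG="${IFCONFIG:-ifconfig}"             # overridable for dry runs
IPT="${IPT:-iptables}"

# INPUT covers traffic addressed to the router itself (ping, GUI); FORWARD covers
# traffic to LAN hosts behind it. With only INPUT open the symptom is the one in
# this thread: the remote router answers but its LAN hosts do not.
chains() { echo "INPUT FORWARD"; }

# rule_present CHAIN IFACE -> exit 0 if the accept rule for IFACE already exists
rule_present() {
    "$IPT" -C "$1" -i "$2" -j ACCEPT 2>/dev/null
}

# fw_up IFACE: insert the accept rule once at the top of each chain.
# Narrow with -s/-d to the mesh subnets if you do not want to trust every node.
fw_up() {
    for c in $(chains); do
        rule_present "$c" "$1" || "$IPT" -I "$c" -i "$1" -j ACCEPT
    done
}

# fw_down IFACE: remove every copy of the rule, in case earlier runs stacked some.
fw_down() {
    for c in $(chains); do
        while rule_present "$c" "$1"; do
            "$IPT" -D "$c" -i "$1" -j ACCEPT
        done
    done
}

# Same address assignment as the Tomato side: router IP plus the wide VPN netmask.
if_up()   { "$IFCONFIG" "$1" "$ROUTER_IP" netmask "$VPN_NETMASK"; }
if_down() { "$IFCONFIG" "$1" down; }

# tincd exports INTERFACE and runs this file as tinc-up or tinc-down; symlink the
# same script under both names and dispatch on the name it was invoked as.
case "$(basename "$0")" in
    tinc-up)   if_up "$INTERFACE"; fw_up "$INTERFACE" ;;
    tinc-down) fw_down "$INTERFACE"; if_down "$INTERFACE" ;;
esac
```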
     
  64. Halcyon

    Halcyon New Member Member

    Thanks for the reply, @lancethepants
    I believe I have those rules in OpenWRT. Though now, I'm half thinking my problem is unrelated to Tinc and/or Firewall...

    With Tinc setup, I can access routers on both NetworkA and NetworkB, no matter which network I'm on. When I'm on NetworkB, I can ping some, but not all hosts on NetworkA. Zemblanitiously (I just learned this word), the host I can't ping is the server I want to access. If I ssh into the router on NetworkA (remember I have access to both routers) and ping all the hosts on NetworkA, they all reply just fine.

    Similarly, when I'm on NetworkA, I can't ping the computer that I usually work from on NetworkB but I can ping other computers on NetworkB. I know that computer will respond to ping because other computers on NetworkB can ping it just fine.

    To make the matter even more confusing, everything seemed to have worked briefly (ability to access all hosts on both networks) then fell back to the above scenario without reason. If it was a misconfiguration in Firewall or Tinc, I don't think I would experience this type of intermittency (I think?). Now, I'm not quite sure what's going on.

    Sorry to bother this thread about this and I'm afraid to go off topic. Let me know if I should ask this in a different (new?) thread or forum.

    I'm going to try running tcpdump later on this week to see if I can get more info.
     
  65. Halcyon

    Halcyon New Member Member

    I think I found my problem (serendipitously). The NetworkA router (Tomato) is also running an OpenVPN client. The server on NetworkA, which I'm trying so hard to connect to, has its outgoing/incoming traffic routed through the OpenVPN client using Routing Policy. Any traffic sourced from the server's IP is redirected through the OpenVPN.

    My guess (correct me if I'm wrong) is that OpenVPN is a higher priority so all traffic outside of LAN is routed through OpenVPN.

    In any case, once I turn off the OpenVPN client, I can access the server again from NetworkB.

    ... now I just have to figure out what's going on and whether or not my OpenVPN client (and my intended functionality) can exist simultaneously with Tinc... :(
     
  66. blackantt

    blackantt Serious Server Member

    sorry for mis-place.

    request:

    lancethepants, can you update your haproxy (mipsel) binary to 1.7.9 or the latest? Because it can bypass wrong dns queries.
     
  67. blackantt

    blackantt Serious Server Member

    It's said that tinc1.1 can collect statistics on the traffic forwarded via the tinc server (client1--->server---->client2). Is it easy to do this? How to do it?
     
  68. lancethepants

    lancethepants Network Guru Member

    If one router cannot talk to another router directly, tinc will automatically handle forwarding traffic through an intermediate node. The default ("Forwarding" rule "internal") is to let tinc handle routing when it comes to forwarding packets. These packets don't even hit the tun/tap device, but are routed by tinc straight on to the next node. There is also an option ("Forwarding" rule "kernel") to allow forwarded traffic to go through the kernel to be routed and shaped by firewall rules if wanted.

    https://www.tinc-vpn.org/documentation-1.1/tinc.pdf

    Now you are asking this question while quoting me talking about using the NETMAP feature. Are you using NETMAP? Because I'm not sure how forwarding packets through intermediate nodes will play with NETMAP going on in the background. I think with tinc's internal routing that is default that it would work, but I'm not sure.
     
  69. blackantt

    blackantt Serious Server Member

    Sorry, I misled you. I didn't mean netmap, I just wanted to let you know someone wanted to ask a question.

    All of my tinc clients don't have public ips, so I have to connect them via a vps which has a public ip. So after 2 clients start to talk via the vps, a situation is that they can't talk directly; the vps will forward the traffic. I am figuring out how to get statistics on this traffic. It seems iptables and vnstat can do it; vnstat is better, but vnstat is for network adapters. If I run multiple tinc networks on 1 vps, will it give me many network adapters (tun0, tun1, tun2...) or not?
     
  70. lancethepants

    lancethepants Network Guru Member

    @blackantt I'm not sure I understand your question to answer it. If you are setting up your tinc network on the vps, you can set the tun adapter name to whatever you want.
     
  71. rs232

    rs232 Network Guru Member

    @lancethepants

    Lance I have 3 questions if you don't mind:

    1) I can see on the 1.1 documentation there's an "invite" function. Haven't tried it yet but as setting up clients can be a pain (especially non-tomato ones) I was wondering if this currently works and if it's worth adding it to the GUI

    2) Any tip on how to set up a windows 10 client to connect to tomato? It would be great for laptops but I don't seem to be able to find a comprehensive guide (the tinc one seems not updated)...

    3) Is it possible to get an updated MIPS1 <4MB made available with the latest tinc?
    https://files.lancethepants.com/Firmware/MIPSR1/Toastman 7636 + Tinc1.1.pre11/

    Thanks!!!
     
  72. lancethepants

    lancethepants Network Guru Member

    1) I haven't messed much with the invite option. The tinc gui makes it so easy to exchange just a few details, the invite option sounds the more complicated route.

    2) I use tinc on a couple windows 10 computers. I just used the guide that is on the tinc website with few changes. Instead of manually setting the IP address of the tinc device, I do it in tinc-up.bat
    tinc-up.bat
    Code:
    netsh interface ip set address tinc static 192.168.1.1 255.255.0.0
    
    Having the script set the device's IP feels so much cleaner to me. Plus on a rare occasion I stop tinc to run OpenVPN using the same adapter, so this way there is no conflict. It is recommended however to use the Windows TAP driver that tinc supplies. The latest one that OpenVPN uses works, but isn't recommended for tinc.

    3) I would suggest looking at FreshTomato-MIPS to see if such a firmware could be made. Seems they've been keeping MIPS up-to-date, though I'm not sure if they are doing MIPSR1 devices. I would have to dig up my old wrt54gl and spend several hours setting things up again. My time is at a premium nowadays since getting married a couple months ago. I can see why marriage has all but obliterated shibby's participation. At least until life settles down.

    Feel free to reach out again though if you're not having success with Windows 10 and tinc. tinc on Windows for a while had a few hiccups, not real bad, but some bugs that caused it to crash on a rare occasion I would notice. They seem to have figured all those out now, and luckily none of the issues I had ever happened at a critical moment.
     
    rs232 likes this.
  73. alf5683

    alf5683 Reformed Router Member

    Hey !

    Someone can help me to join my TINC vpn on my android phone ?

    Thx
     
  74. lancethepants

    lancethepants Network Guru Member

    First you need to determine which tinc app you want to use. One requires a phone with super-user permissions (root), and the other does not.

    no root needed
    http://tincapp.pacien.org/

    root needed
    http://tinc_gui.poirsouille.org/

    The pacien tincapp only supports the tun interface, while tinc gui app is capable of both tun and tap. Pacien tincapp uses the latest tinc1.1preX versions, while tinc gui last I checked uses tinc 1.0, but there should be forks of it that use tinc1.1preX. Both sites should have instructions. They both have some android specific things you have to do to get it running. I've used both, but am currently using the pacien tincapp.
     
  75. alf5683

    alf5683 Reformed Router Member

    Thank you again :d
    All is working fine ! I use tincapp and all fine :d
     
  76. rs232

    rs232 Network Guru Member

    @lancethepants

    1) I have just noticed that all the outputs of the Status page are displayed in one line.
    I'm wondering if this is wanted or perhaps it can be formatted with text wrap to improve readability.

    2) On the same topic, would you consider having a single status page with no buttons?
    I do see why there are buttons and dropdowns in there, but perhaps a large single page that tells you everything would give a better insight into the VPN status. Or alternatively, without removing what's done, you could add a standalone button "show all". Just a thought...

    3) I can't find any reference in tinc config files to the GUI specified "VPN Netmask". Can you help me find the relevant file? (doing some intense troubleshooting trying to set up my android mobile these days)

    4) Finally can I suggest to add the LogLevel parameter in the GUI? It is extremely helpful when troubleshooting new connections

    Many Thanks! :)
     
    Last edited: Oct 1, 2018
  77. lancethepants

    lancethepants Network Guru Member

    1) I'm not sure I know what you mean. The output on the Status page looks just as it would if you ran the command in the cli. They are multi-lined and I find them very readable. The last image in my very first post shows what it should look like. Maybe a theme you have is causing it to be formatted as all one line? The one issue is the "Nodes" button, which stretches and distorts the rest of the tinc GUI because the lines are so long, but I also find it the least useful output.

    2) I will wait to see what you have to say about #1. It sounds as though your output is not appearing as it should by your description. If even one output is unreadable, then having all the outputs at once isn't going to help. The Edges output gives me about everything I need to know at a glance. Then the info with the drop-down if I need to look at a particular node's status.

    3) "VPN Netmask" is used in the creation of the tinc-up file. Rather than creating an up/down script for each individual node to add and remove routes, it's much easier, and recommended by the creator of tinc, to just create a subnet under which all the nodes are encompassed. The option to completely re-write tinc-up is also available in the GUI.

    4) You can do this by putting "LogLevel = 5" or your desired Log Level in Config -> Custom
     
    rs232 likes this.
  78. rs232

    rs232 Network Guru Member

    1) Running FreshTomato on 2018.4 on 3x ARM routers, all the outputs look like 1 liners

    ScreenShot012.png

    2) I do see the output on your OP, I think it's good for very large network to have the division, but for "family" networks with 3 or 4 tinc nodes only I still think it would be nice to have a "show all" to have all the diagnostic in a single page. Not trying to convince anybody, just a personal feedback that's all

    3) Totally missed that, many thanks for the clarification!

    4) Super thanks a lot for the support!
     
  79. lancethepants

    lancethepants Network Guru Member

    @rs232
    Yeah, it shouldn't look like that. I don't know if this is a theme issue, or an issue with FreshTomato. If you are not using the default theme, could you switch to the default theme and see if it appears any differently? Seems like you've been using tinc since a way back. Have you noticed a point in your upgrading firmware when it went from displaying correctly to how it displays now?
     
  80. rs232

    rs232 Network Guru Member

    Unfortunately both the Freshtomato default and the original Tomato theme behave the same.
    I guess (guess!) it was working on Shibby but now I'm on FreshTomato. Wondering if this is related...
     
  81. lancethepants

    lancethepants Network Guru Member

    @pedro311
    Could you take a look at this and see what might be causing the output we've been discussing here to not display correctly. Looks like a lot of GUI changes went into FreshTomato, lots of backslashes for escaping, with whatever changes you guys made. Possibly line 322 is an issue. The result of whatever function was run is passed through "escapeText"; maybe all these other escapes going on are causing an issue. Thanks.

    https://bitbucket.org/kille72/fresh...vpn-tinc.asp?diff2=86d558f895dd&at=shibby-arm
     
  82. amomp3

    amomp3 Networkin' Nut Member

    Hello, I have wanted to try tinc since I discovered it a long time ago.

    I have an asus 3200 with advanced tomato. I recently found an old linksys e2500 and thought that I'd finally be able to experiment with tinc. Flashed advanced tomato and could not find tinc. Flashed shibby and also no tinc...

    Can someone point a link where i can download a firmware version for linksys e2500 v1 that has tinc or this is impossible ?

    Thank you very much for YOUR Time and dedication.
     
  83. rs232

    rs232 Network Guru Member

    I *think* for tinc you need a megaVPN build. Not sure you will be able to fit it on an 8MB device.
     
  84. amomp3

    amomp3 Networkin' Nut Member

  85. pedro311

    pedro311 Networkin' Nut Member


    Tinc is available only in "Mega-VPN" and "AIO" builds.
     
  86. Bill_S

    Bill_S Network Guru Member

    I am really a novice at this so I hope you all will bear with me.

    I have a router in California and another in Brazil, both are Asus RT-AC68P/U’s running Tomato Shibby version 1.28.0000 -3.5-140 K26ARM USB AIO-64K. My goal is to be able to connect both routers and then use that connection to allow my Fire TV and Fire Sticks, located in Brazil, to mimic being in the USA using the routers built in Tinc Daemon. The Fire TV is connected to the router using an Ethernet cable but the Fire Stick uses my Wi-Fi.

    I believe I have the Tinc Daemon setup correctly and the two routers are “talking to each other”. I know this by viewing the status and because I can ping devices on each network using the other networks router. I use Shibby’s built in Tools/Ping on each router to ping the other routers attached devices. But I can’t ping the other network from any other device. What I haven’t been able to figure out is how to get the Fire devices to use the other network.
    Can anyone offer suggestions?

    Here are the current Tinc settings (B=Brazil, H=USA):

    Router B:
    Interface Type: TUN
    VPN Netmask: 255.255.0.0
    Subnet: 192.168.122.0/24

    Router H:
    Interface Type: TUN
    VPN Netmask: 255.255.0.0
    Subnet: 192.168.123.0/24

    I have nothing setup on either router in the Scripts area.
     
  87. Yim Sonny

    Yim Sonny Serious Server Member

    I was able to get mine working with the TAP interface. I also like my two LANs on the same subnet with no extra routing to cause problems. One big LAN network with two gateway routers. Use static ( gateway ) addresses on the devices to select the internet service you want them to use.
     
  88. Bill_S

    Bill_S Network Guru Member

    Really novice so I hope you can bear with me.
    I have a guest network setup on the Brazil router could I use that to distinguish between the two networks? The Brazil router guest network is setup with the ip address of 192.168.124.1. If that would work I am not sure what settings I would have to change in the Tinc Daemon and would I then set the ip address of the guest network to match the USA router?
     
  89. Yim Sonny

    Yim Sonny Serious Server Member

    The entire network in Brazil can remain un-touched and working as is. The TINC-TAP connection will behave as a long CAT5 jumper cable connecting the two routers from LAN to LAN. Just change the USA network to be 192.168.122.0/24 the same as the Brazil network. Program your LAN devices to avoid duplicate IP addresses. The Brazil router LAN IP would remain 192.168.122.1, the USA router LAN IP could be 192.168.122.2 and if you need a DHCP server for something then enable the DHCP server on only one of the two routers. Devices in Brazil for the FireTV service would use the USA Gateway IP 192.168.122.2
     
  90. Bill_S

    Bill_S Network Guru Member

    Yim Sonny I want to thank you very much for your guidance but I have been able to accomplish my goal of having my Fire TV devices attach to my USA network without making any network changes. I am using a VPN that I was able to load onto the Fire devices and it connects to my router in the USA. It was much simpler than making all the network changes.
    Sorry to have put you to the trouble, thank you again.
     
  91. Yim Sonny

    Yim Sonny Serious Server Member

    You are quite welcome. I am happy to hear that you solved the problem. One drawback with TINC connections is a limitation of bandwidth due to router processing power. Chances are high that there would have been problems watching HD video even if the link had worked.
    Cheers.
     
  92. amomp3

    amomp3 Networkin' Nut Member

    Can it be a problem for tinc to achieve successful connections if the tomato where I'm running it is connected to the internet as a wireless ethernet bridge?

    I am sending this message from a notebook connected through an ethernet port directly attached to the n66u router with the tomato router hosting tinc, so the internet connection is OK but I get:

    Reachability: unreachable
     
  93. lancethepants

    lancethepants Network Guru Member

    @amomp3 A long time ago I ran tinc on one router that was in wireless client (not ethernet bridge) mode, which worked. I think wireless ethernet bridge should work. It sounds like the tinc configuration is the issue since your internet is working. Is the other device you're connecting to also a tomato router? Does the other end of the tunnel have its own public IP address you can connect to? Are you trying to run in tap or tun mode as well?
     
  94. amomp3

    amomp3 Networkin' Nut Member

    i am also trying with the notebook (w7) as a client and also can not do it...

    Thank you for your answers, because it is very frustrating that this issue has been in my head for almost 2 years; sometimes I leave it and then I try again, and I have never been able to connect 2 hosts!

    zutink: AC3200 with advanced tomato 3.5-140 K26ARM USB AIO-64K is at a public ip that answers ping with subnet 10.0.0.0/24


    DarKnight: n66u with tomato shibby MIPSR2-140 K26AC USB AIO-64K is at a public ip that answers ping with subnet 10.10.0.0/24

    TUN
    VPN Netmask: 255.0.0.0
     
  95. lancethepants

    lancethepants Network Guru Member

    Can you post some screenshots of your config and hosts tab?
     
  96. amomp3

    amomp3 Networkin' Nut Member

     
  97. lancethepants

    lancethepants Network Guru Member

    @amomp3 No screenshots seem to be attached if that was your intention.
     
  98. amomp3

    amomp3 Networkin' Nut Member

    sorry i made changes, wanted to delete whole post and couldn't find how to do it...

    [ZuKo] Tinc Configuration A.png [ZuKo] Tinc Configuration B .png DarKnight A.png DarKnight B.png
     
  99. lancethepants

    lancethepants Network Guru Member

    Hmmm, one possible issue could be different tinc 1.1 versions. It's still in pre-releases, so it's important that both firmwares have the same version of tinc. You could also try putting ExperimentalProtocol = no in custom config to use the legacy protocol. I've never experimented with this.
     
  100. amomp3

    amomp3 Networkin' Nut Member

    That was it !!!

    Now it says:


    Node: zutink
    Node ID: 415d2253e1b7
    Address: BLA BLA
    Online since: 2018-12-13 23:29:33
    Status: validkey visited reachable udp_confirmed
    Options: pmtu_discovery clamp_mss
    Protocol: 17.0
    Reachability: directly with UDP
    PMTU: 1518
    Edges: DarKnight
    Subnets: 10.0.0.0/24

    Node: DarKnight
    Node ID: 267d47b5d1BLABLA
    Address: BLABLA
    Online since: 2018-12-13 19:29:32
    Status: validkey visited reachable udp_confirmed
    Options: pmtu_discovery clamp_mss
    Protocol: 17.0
    Reachability: directly with UDP
    PMTU: 1518
    Edges: zutink
    Subnets: 10.10.0.0/24

    So now what can i do ?

    Can you suggest a link where are things to do to take advantage of this ?
    For example how can I put \\machinename and access other side computers through SMB or.. I don't know... anything. I'm so excited I managed that, I don't know what use to give it now!!!

    Thank You !
     