4

I am attempting to setup a VPN connection between a cloud server on DigitalOcean and an on-premise server using Tinc. Thus far, I have been successful in getting the connection up and running and the servers can talk to each other via the VPN address - according to this tutorial.

I am unable to, however, ping any devices on my local LAN (172.23.6.0/24) from the server on DigitalOcean. I've tried specifying my local subnet as the subnet for the tinc hosts file, but it doesn't work. When I attempt to ping from the cloud server, I simply get a "Destination host unreachable" error.

This is my first time working with Tinc so the learning curve is quite steep. I'm still reading through the documentation but finding it a bit confusing at the moment. Not that it's not well written, I'm just not getting it for some reason.

Anybody out then been successful with what I'm trying to do that can lend me a hand please? Thanks.

PS. My ultimate goal with this is to get the cloud server and the in-house server communicating with each other, so that the cloud server is aware of the LAN subnet behind our firewall. This way I'll be able to do some Active Directory authentication without exposing the AD Server to the internet (at least not directly).

Sven
  • 98,649
  • 14
  • 180
  • 226
Kismet Agbasi
  • 323
  • 1
  • 4
  • 17
  • Have you solve this problem ? I want to do the same thing, https://unix.stackexchange.com/q/422991/47774 but don't know how. – wener Feb 11 '18 at 03:04

1 Answers1

6

First -- please post config files and logs with your question.

I'm assuming you're setup mostly correct since you have connections machine to machine.

Tinc handles the routing natively -- it does not use the routing tables on the machines (since that can create unnecessary traffic).

In the hosts file for tinc, you must include the subnets you want visible. Here's a sample config connecting mars (the server these configs are on) to venus (the remote server).

The remote server has subnets 10.1.74.0/24 and 10.12.1.0/24 visible, the local server has 10.1.1.0/24 visible. Notice tinc-up adds the routes, but the mars and venus files define what segments are allowed through the vpn (Subnet option).

These are the config files on server mars:

/etc/tinc/venus/tinc.conf

Name = vpn
Device = /dev/net/tun
PrivateKeyFile = /etc/tinc/venus/rsa_key.priv
TCPOnly=yes
AddressFamily=any

/etc/tinc/venus/tinc-up

#!/bin/sh
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.1.1.90 netmask 255.0.0.0 -arp
route add -net 10.1.74.0 netmask 255.255.255.0 gateway 10.1.1.90
route add -net 10.12.1.0 netmask 255.255.255.0 gw 10.1.74.6

/etc/tinc/venus/hosts/venus

Address = 189.22.2.252
Port=260
Subnet = 10.1.74.0/24
Subnet = 10.12.1.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMti4IsVr3UKqg24pVfvHRyL+0S1uGWKGsmNw1drAPn18PgY7hC8DKdO
+aEiboP2vOJTzj0pgpsdf43OypWzqXDQkIpjMLLjJMa0X9WLrQ3UKq4pVm9FBWVp
yiT7iZirkv6+iqTJq94rWKdOFaHg44h536hethdfghy54ubGlplJjGxHAgMBAAE=
-----END RSA PUBLIC KEY-----

/etc/tinc/venus/hosts/mars

Address = tinc.public.net
Port=260
Subnet = 10.1.1.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJyUGiL/WWZu6AoGBALvkoE+oSSO0a997Xb4+3woqJLAOi/js1ctlIpeLliN1T
DEv5+mu7fXXCAuOrgteHFYAsmwHPG+7VBSoDNa3WuZNlDFUa8WzHx6lJ6Rmrk6WV
A22Ya2MVvG09b1HTWgzw1MvVKkENeYW6TCiUGsNJh15ADGpb2dG3AgMBAAE=
-----END RSA PUBLIC KEY-----
Ed King
  • 941
  • 5
  • 9