Estou tentando seguir este guia da TinC sobre como encaminhar todo o tráfego da web por meio de um túnel VPN até uma conexão segura com a Internet. Problema típico de tipo de conexão de cafeteira não segura.
De qualquer forma, estou usando o TinC, e posso me conectar ao servidor sem problemas, mas não estou roteando nenhum tráfego da Internet por meio dessa conexão. Tenho certeza disso porque meu IP público ainda é diferente do IP que eu esperaria de volta no lado seguro da VPN.
Aqui está a configuração que se conecta, mas não tem tráfego de interet para o tinc-up:
ip link set $INTERFACE up
ip addr add 10.0.0.3/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE
E aqui está o tinc-down:
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.3/32 dev $INTERFACE
ip link set $INTERFACE down
E aqui está o arquivo host do cliente:
Subnet = 10.0.0.3/32
E aqui está o arquivo host do servidor:
Address = foo.bar.net
Port = 655
Subnet = 10.0.0.1/32
.... Então, tudo bem e bem ... Aqui está um exemplo de saída:
foo@local:~ » route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.254 0.0.0.0 UG 202 0 0 enp0s3
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 alpha
192.168.0.0 0.0.0.0 255.255.255.0 U 202 0 0 enp0s3
Mas, tento seguir este guia aqui: link
novo tinc-up:
set -x
ip link set dev $INTERFACE up
#ip addr add 10.0.0.3/32 dev $INTERFACE
#ip route add 10.0.0.0/24 dev $INTERFACE
VPN_GATEWAY=10.0.0.0
ORIGINAL_GATEWAY='ip route show | grep ^default | cut -d ' ' -f 2-5'
ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route add $VPN_GATEWAY dev $INTERFACE
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
novo tinc-down:
set -x
ORIGINAL_GATEWAY='ip route show | grep ^default | cut -d ' ' -f 2-5'
ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route del $VPN_GATEWAY dev $INTERFACE
ip route del 0.0.0.0/1 dev $INTERFACE
ip route del 128.0.0.0/1 dev $INTERFACE
ip link set dev $INTERFACE down
E os scripts agora lançam erros de sintaxe para o ip route e, é claro, nada acontece. Eu tentei jogar com algumas das rotas, eu tentei explicitamente definir algumas variáveis, e eu até tentei executar estes passo a passo em um shell, mas nada parece funcionar. O host está sempre inacessível.
O que estou fazendo de errado aqui?
Obrigado
EDIT 2: Aqui estão os novos arquivos tinc-up / down sendo executados com sugestões dos comentários, incluindo a opção set-x. Isto segue uma execução do script tinc-up seguido de uma morte do processo, que inicia o script tinc-down mostrado acima.
:~ » sudo tincd -n alpha -D -d3
tincd 1.0.31 starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
+ ip link set dev alpha up
+ VPN_GATEWAY=10.0.0.0
++ ip route show
++ cut -d ' ' -f 2-5
++ grep '^default'
+ ORIGINAL_GATEWAY='via 192.168.0.254 dev enp0s3'
+ ip route add via 192.168.0.254 dev enp0s3
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route add 10.0.0.0 dev alpha
+ ip route add 0.0.0.0/1 via 10.0.0.0 dev alpha
+ ip route add 128.0.0.0/1 via 10.0.0.0 dev alpha
Listening on 0.0.0.0 port 655
Ready
Trying to connect to alpha (74.78.156.164 port 655)
Error while connecting to alpha (74.78.156.164 port 655): Network is unreachable
Could not set up a meta connection to alpha
Trying to re-establish outgoing connection in 5 seconds
Purging unreachable nodes
Trying to connect to alpha (74.78.156.164 port 655)
Error while connecting to alpha (74.78.156.164 port 655): Network is unreachable
Could not set up a meta connection to alpha
Trying to re-establish outgoing connection in 10 seconds
Purging unreachable nodes
Got TERM signal
Statistics for Linux tun/tap device (tun mode) /dev/net/tun:
total bytes in: 346
total bytes out: 306
Closing connection with charlie (MYSELF)
Executing script tinc-down
++ cut -d ' ' -f 2-5
++ grep '^default'
++ ip route show
+ ORIGINAL_GATEWAY='via 192.168.0.254 dev enp0s3'
+ ip route del via 192.168.0.254 dev enp0s3
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route del dev alpha
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route del 0.0.0.0/1 dev alpha
+ ip route del 128.0.0.0/1 dev alpha
+ ip link set dev alpha down
Terminating
EDIT 3:
Acho que mudar para:
ORIGINAL_GATEWAY='ip route show | grep ^default | cut -d ' ' -f 3-5'
dá 192.168.0.254 dev enp0s3
e agora meus scripts não lançam erros de sintaxe para o iproute ... No entanto, eles reclamam do seguinte:
+ ip route add 192.168.0.254 dev enp0s3
RTNETLINK answers: File exists
Tags networking vpn