External VPN access to LE box behind FW...

Borygo77 · September 21, 2020 at 9:14 PM

awiouy I begging you now for help! I know you mastered all those things as I've seen your posts from years back about tinc...

After couple days ofr esting from it I'm back with new ideas

Managed to get my own config like you said using "$DIR_LEGACY" in your tinc.start

So far so good. I'm connected and vpn ip works (can browse 10.0.0.1

Need to add my home subnet and if possible have my home ip address as main mobile ip.

Here is my tinc.conf

Code

Name = vpn
AutoConnect = yes
Interface = tun0
AddressFamily = ipv4
ExperimentalProtocol = yes
Ed25519PrivateKeyFile = /storage/.kodi/userdata/addon_data/service.system.tinc/vpn/ed25519_key.priv
PrivateKeyFile = /storage/.kodi/userdata/addon_data/service.system.tinc/vpn/rsa_key.priv
LocalDiscovery = yes
Broadcast = mst
LogLevel = 3
Mode = router
Port = 5721

Display More

tinc-up

Bash

#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

tinc-down

Bash

#!/bin/sh
ip addr del 10.0.0.1 dev $INTERFACE
ip link set $INTERFACE down

hosts/server

Code

Address = xxx.xxx.co.uk

Subnet = 10.0.0.1/32

Subnet = 192.168.1.0/24

Port = 5721

-----BEGIN RSA PUBLIC KEY-----

==================

-----END RSA PUBLIC KEY-----

Ed25519PublicKey = ===================

Display More

hosts/mobile

Code

Subnet = 10.0.0.2/32
Subnet = 192.168.1.0/24
Ed25519PublicKey = =================================
Port = 11443

Code

HTPC:~ # ip route
default via 192.168.1.254 dev eth0 
10.0.0.0/24 dev tun0 scope link  src 10.0.0.1 
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1 
172.18.0.0/16 dev br-cb2fc26669fb scope link  src 172.18.0.1 
192.168.1.0/24 dev eth0 scope link  src 192.168.1.111 
192.168.1.254 dev eth0 scope link

**awiouy** · September 21, 2020 at 11:48 PM Official Post

I do not understand your configuration. Why do you use two subnets?

It has been a long time that I have not played with tinc, but I remember that it was complicated.

Some advice:

- on LibreELEC, use an interface name that is blacklisted by connman, eg vmnet_foo, to prevent connman from messing with its configuration,

- by default interfaces on LibreELEC will not forward traffic, so you have to enable ip forwarding (for tinc in router mode) or promiscuitous mode (for tinc in switch mode),

- use two addresses of your home network for the tinc interfaces (home ip 192.168.1.200 with a route to remote 192.168.0.201, remote ip 192.168.1.201 with a route to 192.168.1.0/24 via 192.168.0.200)

- I vaguely remember static routes on the router and/or brutils.

It will therefore probably be easier to configure a device more suitable to your purpose than a LibreELEC mediacenter

Borygo77 · September 22, 2020 at 2:35 AM

Everything I was reading always said to not make vpn subnets same as host subnet is or you will get in troubles?

And it actually doesn't work when I change setup to 192.168.1.200 and 192.168.1.0/24 subnet

Got also tp-link 1043v1 but it'll be too weak to serve any files for me I'm afraid

My htpc old machine with x86 arch is working for me as emby server and is quite doing nothing so why not to give it another life ?

It was quite loud in living room so I switched to amlogic as my players connected to htpc....

Think all I miss id some route from network 10.0.0.0/24 to 192.168.1.0/24 but I'm so lost with linux that I got no idea how to add it

This is friend of mine OpenVPN server on strong machine

Code

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp1s0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0

And this is how mine looks like

Code

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.254   *               255.255.255.255 UH    0      0        0 eth0

And my proper iptables

Code

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 185.178.71.131
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -s 10.0.0.0/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.0.0.0/24 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT

Display More

**awiouy** · September 22, 2020 at 7:56 AM Official Post

Unless you bridge your devices, the tinc subnet should be different from the lan subnet. It can be a subnet of the lan subnet or a different subnet. Traffic must somehow be routed: you can add a route in your dhcp server for that.

Borygo77 · September 22, 2020 at 8:28 AM

So what would be best? I might try do same Subnet as my home Subnet is for vpn and try bridge eth0 with tun0.

I don't think I can add static routes in Fritzbox which I got from my network provider. Again. Would like to have my openwrt as main router but this won't serve 1gbps connection

I'm really thankful that you answering all my question but I'm feeling really dumb speaking about networks, bridges and forwardings.. 😳

edit; I do actually found this just now 😁

Configuring a static IP route in the FRITZ!Box | FRITZ!Box 4040 | AVM International

Might try this first....

**awiouy** · September 22, 2020 at 8:51 AM Official Post

If you really can't route, then configure tinc in switch mode and set both the network and tinc devices of LibreELEC in promisc mode. You might even not need routes (just 192.168.1.20x/32) if the arp tables are propagated.

Borygo77 · September 22, 2020 at 9:05 AM

All sorted! If anyone is looking for help I can provide full support with configs to get full tunel working

Thank you awiouy!

Borygo77 · September 22, 2020 at 10:01 AM

Delete please

Borygo77 · September 24, 2020 at 7:46 AM

Delete please