How Do I Reach Local Subnet Behind Tinc VPN

I am attempting to set up a VPN connection between a cloud server on DigitalOcean and an on-premise server using Tinc. Thus far, I have been successful in getting the connection up and running and the servers can talk to each other via the VPN address, according to this tutorial.

I am unable to, however, ping any devices on my local LAN (172.23.6.0/24) from the server on DigitalOcean. I've tried specifying my local subnet as the subnet for the tinc hosts file, but it doesn't work. When I attempt to ping from the cloud server, I simply get a "Destination host unreachable" error.

This is my first time working with Tinc so the learning curve is quite steep. I'm still reading through the documentation but finding it a bit confusing at the moment. Not that it's not well written, I'm just not getting it for some reason.

Anybody out there been successful with what I'm trying to do that can lend me a hand please? Thanks.

PS. My ultimate goal with this is to get the cloud server and the in-house server communicating with each other, so that the cloud server is aware of the LAN subnet behind our firewall. This way I'll be able to do some Active Directory authentication without exposing the AD Server to the internet (at least not directly).


Solution 1:

First -- please post config files and logs with your question.

I'm assuming you're set up mostly correctly since you have connections machine to machine.

Tinc handles the routing natively -- it does not use the routing tables on the machines (since that can create unnecessary traffic).

In the hosts file for tinc, you must include the subnets you want visible. Here's a sample config connecting mars (the server these configs are on) to venus (the remote server).

The remote server has subnets 10.1.74.0/24 and 10.12.1.0/24 visible, the local server has 10.1.1.0/24 visible. Notice tinc-up adds the routes, but the mars and venus files define what segments are allowed through the vpn (Subnet option).

These are the config files on server mars:

/etc/tinc/venus/tinc.conf

# Name must match one of the files in hosts/; this node's own file is hosts/mars.
Name = mars
Device = /dev/net/tun
PrivateKeyFile = /etc/tinc/venus/rsa_key.priv
TCPOnly = yes
AddressFamily = any
# With no ConnectTo line this node only listens, so venus has to initiate the
# connection; add "ConnectTo = venus" here if mars should dial out instead.

/etc/tinc/venus/tinc-up

#!/bin/sh
# tinc exports $INTERFACE, the tun device it created for this netname.
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.1.1.90 netmask 255.0.0.0 -arp
# Kernel routes for the subnets venus advertises in its Subnet lines. tinc only
# routes inside the VPN; the kernel still has to hand it the packets.
route add -net 10.1.74.0 netmask 255.255.255.0 gw 10.1.1.90
route add -net 10.12.1.0 netmask 255.255.255.0 gw 10.1.74.6

/etc/tinc/venus/hosts/venus

Address = 189.22.2.252
Port=260
Subnet = 10.1.74.0/24
Subnet = 10.12.1.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMti4IsVr3UKqg24pVfvHRyL+0S1uGWKGsmNw1drAPn18PgY7hC8DKdO
+aEiboP2vOJTzj0pgpsdf43OypWzqXDQkIpjMLLjJMa0X9WLrQ3UKq4pVm9FBWVp
yiT7iZirkv6+iqTJq94rWKdOFaHg44h536hethdfghy54ubGlplJjGxHAgMBAAE=
-----END RSA PUBLIC KEY-----

/etc/tinc/venus/hosts/mars

Address = tinc.public.net
Port=260
Subnet = 10.1.1.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJyUGiL/WWZu6AoGBALvkoE+oSSO0a997Xb4+3woqJLAOi/js1ctlIpeLliN1T
DEv5+mu7fXXCAuOrgteHFYAsmwHPG+7VBSoDNa3WuZNlDFUa8WzHx6lJ6Rmrk6WV
A22Ya2MVvG09b1HTWgzw1MvVKkENeYW6TCiUGsNJh15ADGpb2dG3AgMBAAE=
-----END RSA PUBLIC KEY-----
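The answer above puts the rules in words: Name has to match a hosts/ file, each node advertises what sits behind it with Subnet, and tinc-up has to give the kernel a route for every remote Subnet because tinc only routes inside the VPN. A node that advertises a whole LAN (the on-premise box in front of 172.23.6.0/24) additionally has to forward packets between the tun device and the LAN. The checker below applies those rules to a netname's tinc.conf and hosts/ files and prints the tinc-up commands the node needs. It is an added example, not code from the question, the answer or the tinc project. The first sample is a copy of the mars/venus files from the answer with the keys elided; the second is constructed for the question, and its node names ("cloud", "office") and VPN range 10.8.0.0/24 are assumptions, not values the question gives.

```python
"""Sanity checker for a tinc router-mode network.

Added example, not code from the original question or answer. It reads
tinc.conf and the hosts/ files of one netname, reports the configuration
gaps that typically produce "Destination host unreachable" for a LAN
behind a tinc node, and emits the commands tinc-up on this node should
run. tinc delivers packets *inside* the VPN by the Subnet lines; the
kernel still needs a route that hands packets for each remote Subnet to
the tun interface, and a node advertising a whole LAN must forward.
"""
import ipaddress
import re


def parse_tinc_file(text):
    """Parse the `Key = value` lines of tinc.conf or a hosts/ file.

    Keys are case-insensitive and may repeat (Subnet, ConnectTo), so every
    value is kept in a list. The PEM key block and '#' comments are skipped.
    """
    values, in_pem = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_pem = True
        elif line.startswith("-----END"):
            in_pem = False
        elif line and not in_pem and not line.startswith("#"):
            m = re.match(r"([A-Za-z]+)\s*=\s*(.*)", line)
            if m:
                values.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return values


def check_tinc_net(tinc_conf, hosts):
    """Return (problems, commands) for the node whose tinc.conf is given.

    hosts maps node name -> text of hosts/<name>. commands are the
    `ip route` / sysctl lines tinc-up on this node needs; $INTERFACE is
    the variable tinc exports to tinc-up. Routes are kernel routes only,
    the interface address assignment is left to the reader's tinc-up.
    """
    conf = parse_tinc_file(tinc_conf)
    problems, commands = [], []
    if not conf.get("connectto"):
        problems.append("no ConnectTo: this node only listens; a peer must connect to it")
    name = conf.get("name", [""])[0]
    if name not in hosts:
        problems.append(f"Name = {name!r} has no matching hosts/{name} file")
        return problems, commands
    declared = []  # (network, node) in file order
    for node, text in hosts.items():
        for s in parse_tinc_file(text).get("subnet", []):
            s = s.split("#", 1)[0]  # tinc 1.0 allows a "#weight" suffix
            try:
                declared.append((ipaddress.ip_network(s, strict=False), node))
            except ValueError:
                problems.append(f"hosts/{node}: Subnet {s!r} is not a valid prefix")
    own = [net for net, node in declared if node == name]
    if not own:
        problems.append(f"hosts/{name} declares no Subnet: nothing will be delivered here")
    seen = set()
    for net, node in declared:
        if node != name and net not in seen:
            seen.add(net)
            commands.append(f"ip route add {net} dev $INTERFACE")
    if any(net.num_addresses > 1 for net in own):
        # This node advertises a whole LAN, so it must forward tun <-> LAN
        # (IPv4 only here; IPv6 has its own forwarding sysctl).
        commands.append("sysctl -w net.ipv4.ip_forward=1")
    return problems, commands


# Constructed sample 1: the mars/venus files from the answer, keys elided.
MARS_TINC_CONF = "Name = vpn\nDevice = /dev/net/tun\nTCPOnly=yes\n"
MARS_HOSTS = {
    "venus": ("Address = 189.22.2.252\nPort=260\nSubnet = 10.1.74.0/24\n"
              "Subnet = 10.12.1.0/24\n-----BEGIN RSA PUBLIC KEY-----\n"
              "MIGJ...AAE=\n-----END RSA PUBLIC KEY-----\n"),
    "mars": "Address = tinc.public.net\nPort=260\nSubnet = 10.1.1.0/24\n",
}
# Constructed sample 2 for the question: "office" sits in front of
# 172.23.6.0/24 and dials out, "cloud" is the DigitalOcean node. The node
# names, cloud.example.net and the 10.8.0.0/24 VPN range are assumptions.
OFFICE_TINC_CONF = "Name = office\nConnectTo = cloud\n"
CLOUD_TINC_CONF = "Name = cloud\n"
QUESTION_HOSTS = {
    "cloud": "Address = cloud.example.net\nSubnet = 10.8.0.1/32\n",
    "office": "Subnet = 10.8.0.2/32\nSubnet = 172.23.6.0/24\n",
}

if __name__ == "__main__":
    for label, conf, hosts in [("mars", MARS_TINC_CONF, MARS_HOSTS),
                               ("office", OFFICE_TINC_CONF, QUESTION_HOSTS),
                               ("cloud", CLOUD_TINC_CONF, QUESTION_HOSTS)]:
        problems, commands = check_tinc_net(conf, hosts)
        print(f"== {label}")
        for p in problems:
            print("problem:", p)
        for c in commands:
            print("tinc-up:", c)
```

Run as-is it flags the answer's tinc.conf (Name = vpn has no hosts/vpn) and, for the office node, tells you to route the cloud address into the tun device and switch on forwarding. Two things it cannot see from the config files still matter for the ping: the hosts on 172.23.6.0/24 need a route back to the VPN range via the office node (or the office node has to SNAT the VPN traffic), and a firewall on either node must let the traffic through the tun interface.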