How to trust the TINC interface

sunmast


Hello, does anyone know how to trust the TINC interface created by the TINC VPN? Here is my setup:

Computer1 <--TINC VPN (TAP mode)--> Router1 (running latest Asuswrt-Merlin)

Computer1 can talk to Router1 on the VPN network and vice versa, but it can't talk to any other computers in the network of Router1. Routing rules are set up correctly on both Computer1 and Router1.

Tcpdump shows the Router does see all incoming requests from Computer1, but I believe all of them are just dropped. Tcpdump on the destination computer doesn't see any traffic.

I've tried to trust the interface manually (on Router1):

iptables -A INPUT -i tinc -j ACCEPT
ip6tables -A INPUT -i tinc -j ACCEPT
iptables -A OUTPUT -o tinc -j ACCEPT
ip6tables -A OUTPUT -o tinc -j ACCEPT
iptables -A FORWARD -o tinc -j ACCEPT
ip6tables -A FORWARD -o tinc -j ACCEPT
iptables -A FORWARD -i tinc -j ACCEPT
ip6tables -A FORWARD -i tinc -j ACCEPT

It doesn't help. I think somehow Router1 just doesn't want to forward any traffic from the tinc interface to the br0 interface, which connects to the LAN.

Interestingly, br0 -> tinc forwarding is working fine. Computers in the network of Router1 can just ping Computer1.

BTW, OVPN works in a similar setup. It looks like the router is treating OVPN tap interfaces differently.

Thanks in advance!
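
Added example, not part of the original post and not Asuswrt-Merlin's own code: iptables evaluates a chain top to bottom and `-A` appends at the end, so one check worth making with symptoms like these is whether an earlier catch-all rule decides the packet before an appended ACCEPT is reached. The rulesets below are constructed for illustration (the router's real FORWARD chain is an assumption), and `first_match` is a hypothetical helper that evaluates only `-i`/`-o`.

```shell
#!/bin/sh
# first_match IN_IF OUT_IF: reads `iptables -S FORWARD` output on stdin and
# prints "<rule-number> <target>" for the first rule that decides a packet
# entering on IN_IF and leaving on OUT_IF, or "policy <P>" if none does.
# Simplification: only -i/-o are evaluated; rules carrying any other match
# (-m, -p, -s, -d, "!") are skipped as conditional.
first_match() {
    awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" { policy = $3 }
    $1 == "-A" {
        n++; i = ""; o = ""; target = ""; other = 0
        for (k = 3; k <= NF; k++) {
            if      ($k == "-i") i = $(++k)
            else if ($k == "-o") o = $(++k)
            else if ($k == "-j") target = $(++k)
            else other = 1
        }
        if (other || (i != "" && i != in_if) || (o != "" && o != out_if)) next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            print n, target; found = 1; exit
        }
    }
    END { if (!found) print "policy", policy }'
}

# Constructed ruleset (NOT a dump from Asuswrt-Merlin): a chain that already
# ends in a catch-all DROP, with the tinc rules appended by -A.
appended_rules() { cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -o tinc -j ACCEPT
-A FORWARD -i tinc -j ACCEPT
EOF
}

# Same constructed chain with the tinc rule at position 1, as -I would place it.
inserted_rules() {
    echo "-P FORWARD DROP"
    echo "-A FORWARD -i tinc -o br0 -j ACCEPT"
    appended_rules | grep '^-A' | grep -v tinc
}

echo "appended, tinc->br0: $(appended_rules | first_match tinc br0)"
echo "appended, br0->tinc: $(appended_rules | first_match br0 tinc)"
echo "inserted, tinc->br0: $(inserted_rules | first_match tinc br0)"
```

On a live router the same function can be fed `iptables -S FORWARD` directly; per-rule packet counters from `iptables -L FORWARD -v -n` show which rule is actually being hit.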
 

heysoundude

I think (in fact, I'd bet) you're going to really like WireGuard. https://www.wireguard.com/
It's coming in an upcoming Asus firmware release (and will naturally follow to Merlin's), but if you pop over to the Asuswrt-Merlin Addons subforum, they've been working on/with it for a few years now. Perhaps you might want to investigate and consider that alternative to Tinc to achieve your desires/goals/needs, if you're confident in your knowledge/understanding/skills.

For your convenience:
 

sunmast

> I think (in fact, I'd bet) you're going to really like WireGuard. https://www.wireguard.com/
> It's coming in an upcoming Asus firmware release (and will naturally follow to Merlin's), but if you pop over to the Asuswrt-Merlin Addons subforum, they've been working on/with it for a few years now. Perhaps you might want to investigate and consider that alternative to Tinc to achieve your desires/goals/needs, if you're confident in your knowledge/understanding/skills.
>
> For your convenience:

Thanks for your reply! I'll definitely look into WireGuard.

For now I'm going back to FreshTomato on my AC68P.

It's really unfortunate that the Tomato series doesn't support newer routers... I've been using it for many years. It has never disappointed me.
 
