
View Full Version : VPN configuration


sbrutin
2007-02-10, 22:49
Hi,

I have some issues with my VPN.
I use tinc on my N800. I created a LAN (10.40.0.0/255.255.255.0) between the Nokia and a server at home.
This LAN works perfectly: the Nokia (10.40.0.12) pings the server (10.40.0.2) and the server pings the Nokia.

But at home I have not only the server; I have several devices on different subnets.

Here is the kernel IP routing table from the server at home:

srvrx:/home/sbrutin# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        *               255.255.255.255 UH    0      0        0 tun0
10.40.10.0      *               255.255.255.0   U     0      0        0 vpn1
10.20.20.0      *               255.255.255.0   U     0      0        0 eth1
10.20.10.0      *               255.255.255.0   U     0      0        0 eth0
10.40.0.0       *               255.255.255.0   U     0      0        0 vpn0
10.10.0.0       10.0.0.1        255.255.0.0     UG    0      0        0 tun0
default         10.20.10.50     0.0.0.0         UG    0      0        0 eth0

To be able to connect from the Nokia to the rest of the network, I added a route: use the VPN to reach any device on 10.0.0.0/255.0.0.0.


Nokia-N800-51:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
10.40.0.0       *               255.255.255.0   U     0      0        0 vpn0
10.0.0.0        10.40.0.2       255.0.0.0       UG    0      0        0 vpn0
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0



When I try to ping a device at 10.20.20.60 from the Nokia, it doesn't work.
Here is the tcpdump from the Nokia:

00:01:41.442871 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.40.0.12 > 10.20.20.60: ICMP echo request, id 24075, seq 0, length 64
00:01:41.443390 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto: ICMP (1), length: 112) 10.20.20.60 > 10.40.0.12: ICMP net 10.20.20.60 unreachable - unknown, length 92
        IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.40.0.12 > 10.20.20.60: ICMP echo request, id 24075, seq 0, length 64
00:01:42.449799 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.40.0.12 > 10.20.20.60: ICMP echo request, id 24075, seq 256, length 64
00:01:42.450043 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto: ICMP (1), length: 112) 10.20.20.60 > 10.40.0.12: ICMP net 10.20.20.60 unreachable - unknown, length 92
        IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.40.0.12 > 10.20.20.60: ICMP echo request, id 24075, seq 256, length 64


And another test: a device inside the network tries to ping the Nokia.
Here is the tcpdump:

Nokia-N800-51:~# ./tcpdump -i vpn0 -vv
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: listening on vpn0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:09:23.906006 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.0.0.1 > 10.40.0.12: ICMP echo request, id 63611, seq 0, length 64
00:09:23.919861 IP (tos 0x0, ttl 64, id 43556, offset 0, flags [none], proto: ICMP (1), length: 84) 10.40.0.12 > 10.0.0.1: ICMP echo reply, id 63611, seq 0, length 64
00:09:23.910553 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto: ICMP (1), length: 112) 10.0.0.1 > 10.40.0.12: ICMP net 10.0.0.1 unreachable - unknown, length 92
        IP (tos 0x0, ttl 64, id 43556, offset 0, flags [none], proto: ICMP (1), length: 84) 10.40.0.12 > 10.0.0.1: ICMP echo reply, id 63611, seq 0, length 64
00:09:24.862030 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.0.0.1 > 10.40.0.12: ICMP echo request, id 63611, seq 256, length 64
00:09:24.862153 IP (tos 0x0, ttl 64, id 43557, offset 0, flags [none], proto: ICMP (1), length: 84) 10.40.0.12 > 10.0.0.1: ICMP echo reply, id 63611, seq 256, length 64
00:09:24.862336 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto: ICMP (1), length: 112) 10.0.0.1 > 10.40.0.12: ICMP net 10.0.0.1 unreachable - unknown, length 92
        IP (tos 0x0, ttl 64, id 43557, offset 0, flags [none], proto: ICMP (1), length: 84) 10.40.0.12 > 10.0.0.1: ICMP echo reply, id 63611, seq 256, length 64

6 packets captured
12 packets received by filter
0 packets dropped by kernel


==> The Nokia receives the echo request but doesn't know where to send the echo reply.
In this test, a tcpdump on the server detects nothing.

So I conclude that I have a problem on my Nokia, but where? Is my routing table wrong? Or the tinc configuration?

Thanks,
sbrutin
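
The two traces in the post above both show the same shape: the packet leaves the kernel via vpn0, and the "net unreachable" that comes back has TTL 255, IP id 0 and the unreachable destination itself as its source address. That is the shape of the ICMP error tinc generates on its own, in its default router mode, when none of the Subnet lines in the hosts/ files it has loaded covers the destination: the kernel routing table only decides that a packet goes into the tunnel interface, while tinc decides which peer receives it by longest-prefix match over those Subnet declarations. The block below is an added example, not code from this thread or from the tinc project. It parses two constructed hosts/ files, does a tinc-style longest-prefix lookup, and shows the lookup for 10.20.20.60 and 10.0.0.1 failing until the server's host file also declares the networks behind it. The node names (n800, srvrx), the omitted key material and the exact Subnet values are assumptions.

```python
"""Model of tinc router-mode destination lookup (added example, not tinc code).

tinc (Mode = router, the default) picks the peer for an outgoing packet by
longest-prefix match over the ``Subnet =`` lines of every hosts/<node> file.
If no Subnet matches, it drops the packet and synthesizes an ICMP
"net unreachable" addressed back to the original sender, with the original
destination as the ICMP packet's source address.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# A Subnet line as written in a tinc hosts/ file, e.g. "Subnet = 10.20.20.0/24".
SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*(\S+)\s*$", re.IGNORECASE)

# Constructed hosts/ files for two nodes; key material is left out on purpose.
# Node names and values are assumptions, not taken from the original post.
HOSTS_BROKEN: Dict[str, str] = {
    "n800": "Subnet = 10.40.0.12/32\n",
    "srvrx": "Address = vpn.example.invalid\nSubnet = 10.40.0.2/32\n",
}

# The same files after srvrx also claims the networks behind it.  The hosts/
# file of a node is the same file on every node, so this change is copied to
# both the N800 and the server.
HOSTS_FIXED: Dict[str, str] = {
    "n800": HOSTS_BROKEN["n800"],
    "srvrx": HOSTS_BROKEN["srvrx"]
    + "Subnet = 10.20.10.0/24\n"
    + "Subnet = 10.20.20.0/24\n"
    + "Subnet = 10.0.0.1/32\n",
}

SubnetTable = List[Tuple[ipaddress.IPv4Network, str]]


def parse_subnets(hosts: Dict[str, str]) -> SubnetTable:
    """Collect (subnet, owning node) pairs from every host file, as tinc does at startup."""
    table: SubnetTable = []
    for node, text in hosts.items():
        for line in text.splitlines():
            m = SUBNET_RE.match(line)
            if m:
                net = ipaddress.ip_network(m.group(1), strict=False)
                table.append((net, node))
    return table


def lookup(table: SubnetTable, dst: str) -> Optional[str]:
    """Return the node whose most specific Subnet contains dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, node in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, node)
    return best[1] if best else None


def forward(table: SubnetTable, src: str, dst: str) -> str:
    """Describe what tinc on the sending node does with a packet src -> dst."""
    owner = lookup(table, dst)
    if owner is None:
        # tinc answers with source = unreachable destination, destination = sender,
        # which is exactly the pair seen in the trace.
        return f"ICMP net unreachable {dst} > {src}"
    return f"forward to {owner}"


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        table = parse_subnets(hosts)
        for dst in ("10.40.0.2", "10.20.20.60", "10.0.0.1"):
            print(f"{label:6} 10.40.0.12 -> {dst:12} : {forward(table, '10.40.0.12', dst)}")
```

Declaring the networks is only the tinc half of the job: the server additionally needs IP forwarding enabled (net.ipv4.ip_forward = 1) and the devices on 10.20.20.0/24 and behind tun0 need a route back to 10.40.0.0/24 via the server, or the server must NAT the tunnel traffic, otherwise the echo replies have nowhere to go. A single `Subnet = 10.0.0.0/8` on the server's host file would also satisfy the lookup, since more specific Subnets still win where they exist.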

TA-t3
2007-02-12, 10:41
When using VPN you want the default route to go through the VPN. Otherwise you'll only be able to reach VPN addresses that are in the same subnet as your VPN address. Remove the 192.168. route and add a default route that goes through your VPN.

sbrutin
2007-02-12, 11:47
To connect to the VPN, I need an internet connection.
If I remove the default route, I lose my internet connection and thus the VPN connection.
I don't want to always use the VPN; I want it only for the 10.*.*.* network.

TA-t3
2007-02-12, 13:11
You can use a specific route to reach your VPN server.
However, looking a bit more closely at your setup, it seems your N800 is doing the right thing, and that the problem is at the other end.
10.40.0.0       *               255.255.255.0   U     0      0        0 vpn0
Is this really what you want? The address looks like a class B net, but the network mask indicates it's a C net. It should work I suppose, but who knows. Actually, since you also have this one:
10.40.10.0      *               255.255.255.0   U     0      0        0 vpn1
... there could be trouble. If you change that 10.40.0.0 C net to e.g. 10.40.20.0 then things might work out better (then obviously the N800 route also has to change).