workaround for bug in tinc package
-
I like to report a workaround for the tinc package necessary for anyone who uses manual up/down scripts, especially tinc-up.
tl;dr add # the the end of each line of each script, add
ifconfig $INTERFACE group pkg_tinc #
and add the necessary firewall rules for pkg_tinc interface.The problem is that all scripts added via the web interface are stored with CRLF line endings and the CRs are then evaluated by the shell as a regular character.
-
It took me a full evening to find and fix the problem and I like to report my progress as it might help others to find this thread.
The goal was simply connecting multiple networks together with tinc in router mode). The actual tinc connection was running perfectly, according to Status > Tinc VPN. However, no package made it through, as the firewall droped all packets as I found out in the Status > System Logs > Firewall
tun0 Default deny rule IPv4 (1000000103) 192.168.18.7 192.168.21.1 ICMP
I then hit the plus sign "Easy Rule: Pass this traffic", hit confirm and got the error "Invalid interface for pass rule: ". The interface is called tun0.
As "tun" interfaces are filtered out in /etc/inc/util.inc they can't be added as interface in the web frontend and thus it is not possible to add manual firewall rules.
I noticed that by default the tinc-up script contains the lineifconfig $INTERFACE group pkg_tinc
and the corresponding interface group is visible in the web interface. So I tried adding a pass all rule for the interface => no success.
-
So I tried to rename the interface by adding this line to the tinc-up script.
ifconfig "$INTERFACE" name "tnc0"
-
with the result that the OS seemed to totally mess up the interface names.
$ ifconfig -l [...] tnc0 $ ifconfig tnc0 ifconfig: interface tnc0 does not exist $ ifconfig (considered as spam by akismet)
For some strange reason ifconfig does not show an interface name in front of the colon. It than occurred to me that maybe a bloody carriage return character is involved. And indeed
$ ifconfig `printf "tnc0\r" ` (considered as spam by akismet) [...]
The reason for the \r was this one...
$ file /usr/local/etc/tinc/tinc-up /usr/local/etc/tinc/tinc-up: ASCII text, with CRLF, LF line terminators
while the default tinc-up script (when the text field is left empty) is
/usr/local/etc/tinc/tinc-up: ASCII textThis is the actual problem that caused all the trouble and that definitely needs to be fixed in the tinc package for pfSense.
As a workaround I added comment signs # at the end of each line, to the \r character is not appended to the interface name, e.g.ifconfig $INTERFACE name tnc0 #
After a reboot the interface was finally named correctly, however, after adding the "tnc0" interface in the web interface the next boot hang with
Warning: Configuration references interfaces that do not exist: tnc0
and the interfaces have to be manually reassigned first.
I than finally noticed that renaming of the interface isn't actually necessary and the problem was that the \r was also appended to the group name, i.e. "pkg_tinc\r".
My final working tinc-up script thus readsifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255 # ifconfig $INTERFACE group pkg_tinc # route add -host 192.168.21.7 -interface $INTERFACE # route add -net 192.168.18.0/24 192.168.21.7 #
(sorry for the partial postings, but as a single post it was considered as spam by stupid "akismet")