Mesh networking help
I have a dozen VPSes with OpenVPN/PPTP/L2TP installed, Each server (node) have its own 172.x.0.0/16 to be allocated to clients. I wanted to build a mesh between all the VPSes, so the clients connected to different nodes can communicate with each other (within the 172.x.0.0/12). Note the clients are NOT part of the mesh.
Does anyone have a clue how to do it? I heard OpenVPN can do it with a special configuration, and tinc could do it too.
I am not good at linux networking so I am not sure how to get this working correctly. Any input is welcomed.
I am thinking of using tinc to do it but I am not sure how to make it pass the traffic through correctly, and how to advertise the routes correctly to the clients. My main concern is if it is compatible with the existing OpenVPN/PPTP/L2TP setup.
So the traffic would be going like this (IP as sample):
Client 1 (172.16.4.123) <-> Node A (172.16.1.1) <-> Node B (172.17.1.1) <-> Client 2 (172.17.8.13)
Client 1 (172.16.4.123) <-> Node A (172.16.1.1) <-> Node C (172.18.1.1) <-> Client 3 (172.18.1.31)
Client 2 (172.17.8.13) <-> Node B (172.17.1.1) <-> Node C (172.18.1.1) <-> Client 3 (172.18.1.31)
The connection can only goes through 2 nodes at most, so NEVER Client 1 <-> Node A <-> Node C <-> Node B <-> Client 2.
Have to get this working, otherwise a dozen VPSes sits idling (not really LEBs). This is quite an uncommon setup. I guess people normally use multiple Cisco routers to achieve the same effect. Thanks.
On the server you can
in OpenVPN to allow clients to talk to other subnets (Only add this to the server config as it gets automatically pushed to the client.)
No idea about mesh network with OpenVPN, but tinc indeed does this very easily (and automatically). It basically just emulates an Ethernet network between all your hosts, and any communication between any two hosts goes directly between them if it can (i.e. if none of those are NAT'ed), not via some designated router.
I'll give tinc a try tonight. I am indeed just making a LAN over VPN, no NAT whatsoever.
Here's a small howto about tinc: http://www.vanheusden.com/Linux/tinc_mini_howto.html
Setup a L3 VPN (routed) between each node and assign them a /30 or larger IP range so they can talk to each other. Then on each node, static route the respective VPN IP range to the other node's /30.
Node A - 172.16.0.0/16, 10.1.1.1 (Node A-B), 10.1.2.1 (Node A-C)
Node B - 172.17.0.0/16, 10.1.1.2 (Node B-A), 10.1.3.1 (Node B-C)
Node C - 172.18.0.0/16, 10.1.2.2 (Node C-A), 10.1.3.2 (Node C-B)
ip route 172.17.0.0/16 gw 10.1.1.2
ip route 172.18.0.0/16 gw 10.1.2.2
ip route 172.16.0.0/16 gw 10.1.1.1
ip route 172.18.0.0/16 gw 10.1.3.2
ip route 172.16.0.0/16 gw 10.1.2.1
ip route 172.17.0.0/16 gw 10.1.3.1
Yes, yes, that's the kind of hassle people had to endure with VPNs before there was Tinc
Does tinc perform full mesh on it's own? In other words it will assume that all endpoints can connect to each other via internet and create all the tunnels?
Will probably fool around with it soon.
Yes it does: http://www.tinc-vpn.org/
Automatic full mesh routing
But it does not hard-assume everything is reachable, e.g. if some nodes are not reachable directly for some reason, it will still work, other nodes will automatically forward for them.
I wonder if anyone could give me a hand showing me a sample tinc config file to join 3 (or more) LAN segments (172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16) and the relevant routes to be added to each server.
Got tinc to work between the nodes but it is not forwarding traffic like I wanted in the top post. Thanks.