Tinc mesh network setup...

bitbit Member

Question for those who have used Tinc for a while.

My setup is basically as follows:

2 machines that I'm designating as the "servers" all clients connect to.

5 other machines which all have "ConnectTo" to either one or both of the 2 servers.

The problem I have concerns the machine which has the default gateway for the /24 tinc network (one of the 2 servers). If it goes down (say I reboot it) then everything stops working.

If I set Mode to router, nothing works. All are set up in switch mode.

Would I need to run, say, ucarp and have the second server bring up the default gateway as one of its interfaces, in order to have resiliency if the "gateway" server goes down permanently?

Any suggestions would be greatly appreciated.

Thanks in advance.

Comments

  • rm_rm_ IPv6 Advocate, Veteran

    bit said: has the default gateway for the /24 tinc network

    You mean all the other servers use that machine to reach the outside world (via NAT)?
    As that's what the "default gateway" is for, and you don't need it just to communicate within the network.

    bit said: everything stops working.

    What everything?

    As long as at least one of your 2 "ConnectTo" machines is up, all clients should be able to reach each other by their IPs; they are in the same /24 on the Tinc network after all.

  • The /24 is an internal network only. No NAT, no access from the network out.
    If the machine with the default gateway is not reachable, access to the other machines in the /24 stops. Even when clients are set to ConnectTo the other server.

    For router mode, if it's set, nothing can communicate inside the /24.

  • rm_rm_ IPv6 Advocate, Veteran

    bit said: If the machine with the default gateway is not reachable, access to the other machines in the /24 stops.

    Shouldn't be like that, seems you have set up something wrong. In fact why set up one machine as a "default gateway" in the first place if there's no access "out" from the network? Just don't set up a gateway or default route on the Tinc network.

    bit said: For router mode, if its set, nothing can communicate inside the /24.

    Forget about the router mode, it's irrelevant and there's no need to use it.

  • I've just tried changing the gateway machine to a different address on the /24 network. The moment I restart tinc on that machine, connectivity on the network stops: I can't ping other hosts, nor ssh to them through the network. After resetting it to the gateway address and restarting tinc, connectivity works again.

  • Are you using dnsmasq or some other DHCP server to issue IP addresses on your VPN, or are they hard-coded? What's your tinc-up script look like? Do you have a GraphDumpFile entry in your tinc.conf (on any host), and if so, what are the contents of the graph file?

    You can try "ip ro" on each of your hosts to look at their routing; there should be a route for your tinc subnet. As rm_ mentioned, you don't need a default gateway on your tinc VPN in order for your hosts to see each other.

    Best of luck,
    Sean

  • bitbit Member
    edited September 2015

    IP addresses are hard coded.

    tinc-up script on all the nodes is as follows:

        ifconfig vpn {ip address of node} netmask 255.255.255.0 up
        route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.10.0.1 dev vpn

    IP addresses of the nodes are 10.10.0.x

    GraphDumpFile from the secondary server:

        digraph {
        client_1 [label = "client_1"];
        srv_1 [label = "srv_1"];
        srv_2 [label = "srv_2"];
        srv_test [label = "srv_test"];
        client_1 -> srv_1;
        srv_1 -> client_1;
        client_1 -> srv_2;
        srv_2 -> client_1;
        srv_2 -> srv_test;
        srv_test -> srv_2;
        srv_1 -> srv_test;
        srv_test -> srv_1;
        srv_1 -> srv_2;
        srv_2 -> srv_1;
        }

    GraphDumpFile from the gateway server:

        digraph {
        client_1 [label = "client_1"];
        srv_1 [label = "srv_1"];
        srv_2 [label = "srv_2"];
        srv_test [label = "srv_test"];
        client_1 -> srv_1;
        srv_1 -> client_1;
        client_1 -> srv_2;
        srv_2 -> client_1;
        srv_2 -> srv_test;
        srv_test -> srv_2;
        srv_1 -> srv_2;
        srv_2 -> srv_1;
        srv_1 -> srv_test;
        srv_test -> srv_1;
        }

  • bitbit Member
    edited September 2015

    ip ro on gateway server:

        10.10.0.0/24 via 10.10.0.1 dev vpn scope link
        10.10.0.0/24 dev vpn proto kernel scope link src 10.10.0.1

    ip ro on secondary server:

        10.10.0.0/24 via 10.10.0.1 dev vpn
        10.10.0.0/24 dev vpn proto kernel scope link src 10.10.0.2

  • rm_rm_ IPv6 Advocate, Veteran

    So the Tinc network interface is

    bit said: framevnet

    or

    bit said: dev vpn

    ?

  • Copied from wrong text file. It's vpn.
    All the interfaces have the same name on each node.

    There's not much difference in the configurations apart from ConnectTo and Name in the nodes' tinc.conf file,
    and "Address" set in the host files. Address is only set if they have public IP addresses; those behind NAT and on DHCP don't have their Address set in their host file.

    The NATed machine is not up at the moment, but it shows the same problem when the gateway goes down.

  • rm_rm_ IPv6 Advocate, Veteran
    edited September 2015

    route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.10.0.1 dev vpn

    Just remove this line. Not entirely sure it causes the problem, but at least to simplify things somewhat. And if you think a little about it (and know at least something about networking.........), you would realize it is not necessary in your setup whatsoever.

  • I concur. There might still be other problems, but that line for sure will force all intra-VPN traffic to go through 10.10.0.1. It's not even setting the default gateway (i.e., out to the internet), only for the VPN.

    The tinc documentation has a (somewhat more complicated) example that basically just has the ifconfig line in tinc-up, no additional routes required:
    http://www.tinc-vpn.org/documentation/Example-configuration.html
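The two replies above come down to one check: in a switch-mode tinc mesh with a single connected /24, no node should hold a route for that subnet that goes "via" another node, and tinc-up should not add one. The script below is an added example for this thread (not code from the posts or from tinc itself) that makes both checks mechanical: one function scans `ip route` output for gateway-dependent routes on the tinc subnet, the other scans a tinc-up script for a `route add ... gw` or `ip route add ... via` line. Helper names (`via_routes_for_subnet`, `tinc_up_adds_gateway_route`) are hypothetical, and the sample route table and tinc-up scripts are constructed from the lines posted earlier in the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from tinc.
# Hypothetical helper names: via_routes_for_subnet, tinc_up_adds_gateway_route.
# The sample route output and tinc-up scripts below are constructed from the
# thread's own lines.

# Print each route for SUBNET ($1) that goes "via" a gateway. On a switch-mode
# tinc mesh with one connected /24, such a route is the symptom discussed above:
# every intra-VPN packet is steered at the gateway node, so the network dies
# with it. Reads "ip route" output on stdin; exit 0 if any were found, else 1.
via_routes_for_subnet() {
    awk -v s="$1" '
        $1 == s && $2 == "via" { print; n++ }
        END { if (n > 0) exit 0; exit 1 }'
}

# Print each line of a tinc-up script (stdin) that adds a gateway route, in
# either the net-tools form ("route add ... gw ...") or the iproute2 form
# ("ip route add ... via ..."). Comment lines are skipped. Exit 0 if any found.
tinc_up_adds_gateway_route() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "route" && $2 == "add" && / gw /            { print; n++ }
        $1 == "ip" && $2 ~ /^r/ && $3 == "add" && / via / { print; n++ }
        END { if (n > 0) exit 0; exit 1 }'
}

# Constructed sample: "ip ro" as posted for the secondary server.
SAMPLE_ROUTES='10.10.0.0/24 via 10.10.0.1 dev vpn scope link
10.10.0.0/24 dev vpn proto kernel scope link src 10.10.0.2'

# Constructed sample: the tinc-up from the thread, with the extra route line.
SAMPLE_TINC_UP='#!/bin/sh
ifconfig vpn 10.10.0.2 netmask 255.255.255.0 up
route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.10.0.1 dev vpn'

# The form the replies recommend: address + netmask only. The kernel adds the
# connected route for 10.10.0.0/24 itself, so no node depends on 10.10.0.1.
# tincd sets $INTERFACE when it runs tinc-up.
FIXED_TINC_UP='#!/bin/sh
ifconfig $INTERFACE 10.10.0.2 netmask 255.255.255.0 up'

echo "gateway-dependent routes for 10.10.0.0/24:"
printf '%s\n' "$SAMPLE_ROUTES" | via_routes_for_subnet 10.10.0.0/24 || echo "  (none)"

echo "gateway routes in the posted tinc-up:"
printf '%s\n' "$SAMPLE_TINC_UP" | tinc_up_adds_gateway_route || echo "  (none)"

echo "gateway routes in the fixed tinc-up:"
printf '%s\n' "$FIXED_TINC_UP" | tinc_up_adds_gateway_route || echo "  (none)"
```

On a live node the same functions run against real input: `ip route | via_routes_for_subnet 10.10.0.0/24` and `tinc_up_adds_gateway_route < /etc/tinc/NETNAME/tinc-up` (NETNAME stands for whatever the tinc network directory is called). A hit from either is the "via 10.10.0.1" dependency the thread traces the outage to; with only the address-and-netmask line in tinc-up, the kernel's own connected route carries intra-VPN traffic whichever server is up.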
