Tinc mesh network setup...
Question for those who have used Tinc for a while.
My setup is basically as follows:
2 machines that I'm designating as the "servers" all clients connect to.
5 other machines which all have "ConnectTo" to either one or both of the 2 servers.
The problem I have concerns the machine which has the default gateway for the /24 tinc network (one of the 2 servers). If it goes down (say I reboot it) then everything stops working.
If I set Mode to router, nothing works. All are setup in switch mode.
Would I need to run say ucarp and have the second server bring up the default gateway as one of its interfaces, in order to have resiliency if the "gateway" server goes down permanently?
Any suggestions would be greatly appreciated.
Thanks in advance.
Comments
You mean all the other servers use that machine to reach the outside world (via NAT)?
As that's what the "default gateway" is for, and you don't need it just to communicate within the network.
What everything?
As long as at least one of your 2 "ConnectTo" machines is up, all clients should be able to reach each other by their IPs, they are in the same /24 on the Tinc network after all.
The /24 is an internal network only. No NAT, no access from the network out.
If the machine with the default gateway is not reachable, access to the other machines in the /24 stops. Even when clients are set to ConnectTo the other server.
For router mode, if it's set, nothing can communicate inside the /24.
Shouldn't be like that, seems you have set up something wrong. In fact why set up one machine as a "default gateway" in the first place if there's no access "out" from the network? Just don't set up a gateway or default route on the Tinc network.
Forget about the router mode, it's irrelevant and there's no need to use it.
I've just tried changing the gateway machine to a different address on the /24 network. The moment I restart tinc on that machine, connectivity on the network stops, I can't ping other hosts, nor ssh to them through the network. After resetting it to the gateway address and restarting tinc, connectivity works again.
Are you using dnsmasq or some other DHCP server to issue IP addresses on your VPN, or are they hard-coded? What's your tinc-up script look like? Do you have a GraphDumpFile entry in your tinc.conf (on any host), and if so, what are the contents of the graph file?
You can try "ip ro" on each of your hosts to look at their routing; there should be a route for your tinc subnet. As rm_ mentioned, you don't need a default gateway on your tinc VPN in order for your hosts to see each other.
Best of luck,
Sean
IP addresses are hard coded.
tinc-up script on all the nodes is as follows:
ip address of the nodes are 10.10.0.x
GraphDumpFile from the secondary server
GraphDumpFile from the gateway server
ip ro on gateway server:
ip ro on secondary server:
So the Tinc network interface is
or
?
Copied from wrong text file. It's vpn.
All the interfaces have the same name on each node.
There's not much difference in the configurations apart from ConnectTo, Name in the nodes tinc.conf file.
And "Address" set in the host files. Only set if they have public IP addresses; those behind NAT and on DHCP don't have their Address set in their host file.
The NATed machine is not up at the moment, but it shows the same problem when the gateway goes down.
Just remove this line. Not entirely sure it causes the problem, but at least to simplify things somewhat. And if you think a little about it (and know at least something about networking.........), you would realize it is not necessary in your setup whatsoever.
I concur. There might still be other problems, but that line for sure will force all intra-VPN traffic to go through 10.10.0.1. It's not even setting the default gateway (i.e., out to the internet), only for the VPN.
The tinc documentation has a (somewhat more complicated) example that basically just has the ifconfig line in tinc-up, no additional routes required:
http://www.tinc-vpn.org/documentation/Example-configuration.html
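Added example, not posted by anyone in this thread and not taken from the tinc project: the two tinc-up variants the discussion contrasts, plus a small check that flags the dependency on a single node. The interface name vpn and the 10.10.0.x addresses come from the thread; the exact route line in the original script was never shown, so the `ip route replace ... via 10.10.0.1` line below is an assumption about what it looked like. In switch mode 10.10.0.1 is only reachable through the tinc "switch", so a route that sends the whole /24 via that address fails for every node as soon as that node's tinc daemon restarts. The `$INTERFACE` variable is set by tinc when it runs tinc-up.

```shell
#!/bin/sh
# Added example for the thread above (not the thread's own script).
# Addresses 10.10.0.x and interface name "vpn" are from the thread; the
# "via 10.10.0.1" route is an ASSUMPTION about the original tinc-up.

# tinc-up as assumed on the problem nodes: the connected route for the VPN
# subnet is replaced by one through 10.10.0.1, so every node's intra-VPN
# traffic depends on that single host being up.
tinc_up_bad() {
cat <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.10.0.2/24 dev "$INTERFACE"
ip route replace 10.10.0.0/24 via 10.10.0.1 dev "$INTERFACE"
EOF
}

# tinc-up as recommended in the thread: bring the interface up and assign
# the address. The kernel installs the 10.10.0.0/24 connected route itself,
# and tinc's switch mode delivers frames to whichever node owns the MAC.
tinc_up_good() {
cat <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.10.0.2/24 dev "$INTERFACE"
EOF
}

# check_tinc_up SUBNET_REGEX  (script on stdin)
# Returns 1 and prints a warning if the script installs a route for the VPN
# subnet "via" a gateway (an intra-VPN single point of failure), 0 otherwise.
check_tinc_up() {
    subnet="$1"
    if grep -E "ip[[:space:]]+route[[:space:]]+(add|replace)[[:space:]]+$subnet[[:space:]]+via" >/dev/null; then
        echo "WARN: $subnet is routed via one VPN host; drop the 'via' route" >&2
        return 1
    fi
    return 0
}

# Named wrappers so the verdict is a return value rather than printed text.
check_bad()  { tinc_up_bad  | check_tinc_up '10\.10\.0\.0/24'; }
check_good() { tinc_up_good | check_tinc_up '10\.10\.0\.0/24'; }

# Usage when run directly: lint both scripts and report.
if [ "${0##*/}" != "sh" ] && [ -z "$TINC_UP_CHECK_LIB" ]; then
    check_good && echo "good tinc-up: ok"
    check_bad  || echo "bad tinc-up: flagged"
fi
```

Running this prints "good tinc-up: ok" and "bad tinc-up: flagged". The same `check_tinc_up` function can be pointed at a real script with `check_tinc_up '10\.10\.0\.0/24' < /etc/tinc/<netname>/tinc-up` to confirm no node is quietly routing the whole mesh through one peer.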