packet default route

Guus Sliepen guus at tinc-vpn.org
Mon Jul 23 21:42:41 CEST 2007


On Mon, Jul 23, 2007 at 02:22:18PM -0500, Ashwin Ganti wrote:

> 1. If I set up a default route to a particular network to go to the tun
> device which in turn is picked up by the tinc daemon, how does the
> subsequent UDP/TCP connection made by the tinc daemon to the peer
> daemon go through the network to the other end and not go to the local
> tun device again (by virtue of the default route that we set up
> earlier)? I am curious how tinc handles this.

Tinc does not handle this. You are responsible for adding another route so
that tinc's own UDP and TCP traffic does not loop back to the tun
device. This is easy if you don't use the IP addresses of the hosts
running the tinc daemons on the VPN itself. But if you do, you can use
techniques like source based routing or firewall techniques (for
example, netfilter's ROUTE target) to divert only tinc's traffic to a
real interface.

> 2. If a default route is set up in such a way that all the packets
> can be intercepted by tinc, then how does tinc handle the case of
> an individual packet being forwarded to a particular host? Would the
> setup be bypassed in that case? Once we set up the network so that *all*
> the packets being sent out or being received _should_ go through the
> daemon (iptables etc.), would there be any case where this setup is
> not used?

On the host that sends a packet, the kernel will first use the routing
table to see to which interface it has to send the packet. If it goes to
tinc's tun interface, then tinc will encrypt and forward the packet. If
the routing table says the packet can be sent directly, the kernel will
send it to a real interface, thus bypassing tinc. A default route always
has the lowest priority; any other route has a higher priority. So you
have to check yourself whether your routing table allows packets for certain
destinations to bypass tinc.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
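The two answers above both come down to how the kernel picks a route: longest prefix wins, and the default route (/0) only matches when nothing more specific does. The following script is an added example, not code from the mailing list post or from the tinc project. It simulates that longest-prefix lookup over a constructed routing table so you can check, before touching a live box, whether a "send everything through the VPN" setup would loop tinc's own packets to the peer back into the tun device, and whether a host route for the peer's public address fixes it. All addresses (203.0.113.5 for the peer, 192.0.2.1 for the gateway, 10.0.0.0/8 for the VPN) are constructed documentation addresses, and the interface names tun0 and eth0 are assumptions.

```python
import ipaddress

# Constructed routing tables; each entry is (destination network, interface).
# tun0 stands for tinc's tun device, eth0 for the real uplink.
PEER_PUBLIC_IP = "203.0.113.5"   # constructed: the remote tinc daemon's address
REAL_GATEWAY = "192.0.2.1"       # constructed: next hop on the real interface

# Question 1 scenario, done wrong: everything, including tinc's own
# UDP/TCP traffic to the peer, is routed into the tun device.
LOOPING_TABLE = [
    ("0.0.0.0/0", "tun0"),
]

# Question 1 scenario, done right: same default route, plus a /32 host
# route that pulls only the peer's address back out to the real interface.
FIXED_TABLE = [
    ("0.0.0.0/0", "tun0"),
    (PEER_PUBLIC_IP + "/32", "eth0"),
]

# Question 2 scenario: a normal default route via the uplink and only the
# VPN subnet routed into tinc, so anything outside 10.0.0.0/8 bypasses tinc.
SPLIT_TABLE = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "tun0"),
]


def lookup(routes, dst):
    """Return the interface the kernel would choose for destination dst.

    Mimics longest-prefix matching: of all routes whose network contains
    dst, the one with the longest prefix wins.  A /0 default route can
    therefore never beat a more specific route, which is what the post
    means by "a default route always has the lowest priority".
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str)
        # `addr in net` is False for an IPv4/IPv6 version mismatch, so
        # mixed tables are handled without special casing.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def would_loop(routes, peer_ip, tun_iface="tun0"):
    """True if tinc's own packets to peer_ip would be handed back to tinc."""
    return lookup(routes, peer_ip) == tun_iface


def bypasses_vpn(routes, dst, tun_iface="tun0"):
    """True if a packet to dst leaves on a real interface instead of tinc."""
    iface = lookup(routes, dst)
    return iface is not None and iface != tun_iface


def exception_route_cmd(peer_ip, gateway, iface):
    """iproute2 command that installs the peer host route (Linux syntax)."""
    return f"ip route add {peer_ip}/32 via {gateway} dev {iface}"


if __name__ == "__main__":
    print("looping table loops peer traffic:", would_loop(LOOPING_TABLE, PEER_PUBLIC_IP))
    print("fixed table loops peer traffic:  ", would_loop(FIXED_TABLE, PEER_PUBLIC_IP))
    print("fix with:", exception_route_cmd(PEER_PUBLIC_IP, REAL_GATEWAY, "eth0"))
    for dst in ("10.1.2.3", "198.51.100.7"):
        print(f"split table: {dst} -> {lookup(SPLIT_TABLE, dst)}"
              f" (bypasses tinc: {bypasses_vpn(SPLIT_TABLE, dst)})")
```

On a real Linux host the same check is `ip route get 203.0.113.5`, which prints the interface the kernel would actually use for the peer; if it names the tun device, tinc's traffic will loop, and the host route printed by `exception_route_cmd` is the simplest fix. This simulation only covers destination-based routing; the harder case the post mentions, where the tinc hosts' own addresses live inside the VPN range, needs source-based policy routing or a netfilter rule and is not modelled here.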