Tricky VPN Configurations

md at rpzdesign.com
Tue Dec 9 13:10:15 CET 2014



Guus:

Thanks for the reply.

Did you like the PDF examples?

Do you want to help me build more examples for the web site so people
can download the PDF network diagrams and have sample config files to
match them?

What changes should I make to allow for easier setup/config files for
the 2 use cases?

For the production example, would it be better to run each data center
on its own class C (Netmask 255.255.0.0) and then the routing
commands to allow the local tincd daemon to just send the packets

On the self contained example, I planned to run 4 instances of TINC.

I could run them in 4 different directories with netnames

/tinc1/conf/netname/
/tinc2/conf/netname/
/tinc3/conf/netname/
/tinc4/conf/netname/

Is there a way to run tinc without regard to netnames?

/tinc1/tincd --config=/tinc1/conf
/tinc2/tincd --config=/tinc2/conf
/tinc3/tincd --config=/tinc3/conf
/tinc4/tincd --config=/tinc4/conf

/tinc1/conf/
/tinc1/conf/hosts

/tinc2/conf/
/tinc2/conf/hosts

/tinc3/conf/
/tinc3/conf/hosts

/tinc4/conf/
/tinc4/conf/hosts

I am having some difficulty understanding how the device=/dev/net/tun
relates to the ConnectTo= and the binding address since I want tincd
to bind to the VPN ipaddress and not bind to 0.0.0.0

My software can communicate with tincd via the bound VPN address.

Your answers appreciated,

marco




On 12/9/2014 3:32 AM, Guus Sliepen wrote:
> On Mon, Dec 08, 2014 at 11:02:24PM -0500, md at rpzdesign.com wrote:
> 
>> The self contained example is tricky because I created 4
>> ip-address on the eth0 device (192.168.1.30/31/32/33) so I could
>> test a 4 node VPN that lives entirely within a single server.
> 
> That's quite hard to do, it's far easier to run four instances of
> tinc on four different ports on the same machine.
> 
>> But the tinc command line utility is written assuming a single
>> host with a single reference instead of 4 hosts stuffed into a
>> single /etc/tinc/netname directory.
> 
> The "netname" does not have to be the same on all nodes of a VPN.
> It is merely a quick way to tell tinc where its configuration data
> lives and how to name the VPN interface. So in your self-contained
> example, use four different netnames.
> 
> If you don't like this, then you should properly simulate four
> different machines on a single one, either using containers (like
> LXC) or full virtualisation (like KVM).
> 
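The layout asked about above (four tincd instances on one host, each started with --config=DIR instead of sharing /etc/tinc/NETNAME), as an added example that is not part of the original mail or the tinc project. It lays out tinc1/conf .. tinc4/conf as in the mail and shows how the three things that get confused relate: Device is the tun node tincd opens for the VPN interface (named by Interface), ConnectTo names a hosts/ file whose Address is the peer's physical endpoint, and BindToAddress/Port are the physical sockets the daemon itself listens on, which is the address peers must dial before any VPN address exists. Everything concrete is an assumption for the lab: base directory ./tinclab, physical address 127.0.0.1, ports 10001-10004, VPN subnet 10.99.0.0/24 with node N at 10.99.0.N, nodes 2-4 dialing node1, and tinc 1.0's tincd -K for key generation.

```shell
#!/bin/sh
# Added example, not code from the tinc project or the original mail.
# Builds four independent tinc 1.0 configuration trees so that four tincd
# processes can run on one host, each with its own Name, tun interface,
# listening port and pidfile. All values below are lab assumptions.
set -eu

BASE="${BASE:-./tinclab}"          # assumed: tinc1/conf .. tinc4/conf live here
PHYS_ADDR="${PHYS_ADDR:-127.0.0.1}" # assumed: physical address the daemons bind to
FIRST_PORT=10001                    # assumed: node N listens on 10000+N
VPN_NET="10.99.0"                   # assumed: node N is 10.99.0.N on the VPN
NODES="1 2 3 4"

# node_port N -> TCP/UDP port node N listens on
node_port() { echo $((FIRST_PORT + $1 - 1)); }

# node_dir N -> directory handed to tincd --config
node_dir() { echo "$BASE/tinc$1/conf"; }

# write_node N: tinc.conf, tinc-up and the node's own hosts/nodeN file
write_node() {
  n=$1
  dir=$(node_dir "$n")
  mkdir -p "$dir/hosts"

  # tinc.conf: a distinct Name, Interface and bound socket per instance.
  # BindToAddress pins the daemon's own sockets to the physical address;
  # the VPN address only appears on the tun device once tincd is up.
  {
    echo "Name = node$n"
    echo "Interface = tinc$n"
    echo "Device = /dev/net/tun"
    echo "Mode = router"
    echo "BindToAddress = $PHYS_ADDR $(node_port "$n")"
    # nodes 2..4 dial node1; tinc learns the rest of the graph over that link
    if [ "$n" -ne 1 ]; then
      echo "ConnectTo = node1"
    fi
  } > "$dir/tinc.conf"

  # hosts/nodeN: the physical endpoint other nodes dial (Address/Port) and
  # the VPN address routed to this node (Subnet). tincd -K appends the
  # public key to this file; it must then be copied to every other node.
  {
    echo "Address = $PHYS_ADDR $(node_port "$n")"
    echo "Port = $(node_port "$n")"
    echo "Subnet = $VPN_NET.$n/32"
  } > "$dir/hosts/node$n"

  # tinc-up: tincd runs this with $INTERFACE set to the device it created
  cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip addr add $VPN_NET.$n/24 dev "\$INTERFACE"
ip link set "\$INTERFACE" up
EOF
  chmod 755 "$dir/tinc-up"
}

# distribute_hosts: every instance needs every other node's hosts file
distribute_hosts() {
  for src in $NODES; do
    for dst in $NODES; do
      if [ "$src" -ne "$dst" ]; then
        cp "$(node_dir "$src")/hosts/node$src" "$(node_dir "$dst")/hosts/node$src"
      fi
    done
  done
}

# build_lab: the part that needs neither tincd nor root
build_lab() {
  for n in $NODES; do write_node "$n"; done
  distribute_hosts
}

# generate_keys: tinc 1.0's tincd -K; with stdin closed it keeps the default
# paths inside DIR and appends the public key to hosts/nodeN. Run
# distribute_hosts again afterwards so the keys reach the other three trees.
generate_keys() {
  for n in $NODES; do
    tincd --config="$(node_dir "$n")" -K </dev/null
  done
}

# start_lab: four daemons. Without -n every instance would default to the
# same pidfile, so each gets its own via --pidfile.
start_lab() {
  for n in $NODES; do
    tincd --config="$(node_dir "$n")" --pidfile="$BASE/tinc$n.pid" -d2
  done
}

build_lab
```

Running the script only writes the configuration trees. With tincd installed, the remaining steps are generate_keys, distribute_hosts and then start_lab as root; the four daemons then rendezvous on 127.0.0.1:10001 and each brings up its own tincN interface. On tinc 1.1 the key step is `tinc --config=DIR generate-keys` instead of tincd -K, with the same file layout.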