Tricky VPN Configurations

Guus Sliepen guus at tinc-vpn.org
Tue Dec 9 14:17:14 CET 2014


On Tue, Dec 09, 2014 at 07:10:15AM -0500, md at rpzdesign.com wrote:

> Did you like the PDF examples?

They are OK. But I have learned long ago that what is clear and
intuitive to some is incomprehensible to others, and vice versa.

> Do you want to help me build more examples for the web site so people
> can download the PDF network diagrams and have sample config files to
> match them?

No, sorry. I don't have much time to spend on this, I'd rather focus on
getting tinc 1.1 out.

> What changes should I make to allow for easier setup/config/config
> files of the 2 use cases?

The test server is not a real use case. Focus on the data center setup.
I haven't seen any configuration files for the setups, only the diagrams
are in the PDF file.

> For the production example, would it be better to run each data center
> on its own class C (Netmask 255.255.0.0) and then the routing
> commands to allow the local tincd daemon to just send the packets

The problem is that everyone's network is different. What seems a
logical setup to you might not fit another person's setup. So it doesn't
really matter much what netmask you choose, I think.

> I could run them in 4 different directories with netnames
> 
> /tinc1/conf/netname/
[...]
> 
> Is there a way to run tinc without regard to netnames?
> 
> /tinc1/tincd --config=/tinc1/conf

Either use --config or --net. The following are equivalent (assuming
tinc is installed in /usr/sbin and expects configuration files in /etc):

tincd --net foo
tincd --config /etc/tinc/foo --option Interface=foo

> I am having some difficulty understanding how the device=/dev/net/tun
> relates to the ConnectTo= and the binding address since I want tincd
> to bind to the VPN ipaddress and not bind to 0.0.0.0

The Device option has no relation to ConnectTo or BindToAddress.
Furthermore, don't let tinc bind to a VPN IP address, otherwise it might
not be able to communicate with other tinc daemons, which are themselves
not in the VPN.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
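
An added example, not part of the original message or of tinc itself: a small Python check for the advice above that tinc should not bind to a VPN address. It assumes the VPN address space is whatever the host files' Subnet lines announce; the node names, addresses and file contents are constructed.

```python
import ipaddress
import re

# tinc config lines are "Variable = Value" or "Variable Value"; names are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(\S.*?)\s*$")

def parse_tinc_conf(text):
    """Return (lowercased variable, value) pairs, skipping blank and # lines."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs

def bind_inside_vpn(tinc_conf, host_files):
    """Return BindToAddress values that fall inside a Subnet from the host files."""
    subnets = []
    for text in host_files:
        for var, val in parse_tinc_conf(text):
            if var == "subnet":
                try:  # drop an optional "#weight" suffix; skip MAC-style subnets
                    subnets.append(ipaddress.ip_network(val.split("#")[0], strict=False))
                except ValueError:
                    pass
    flagged = []
    for var, val in parse_tinc_conf(tinc_conf):
        if var != "bindtoaddress":
            continue
        addr_text = val.split()[0]  # value is "<address> [<port>]"
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue  # not a literal IP address, nothing to compare
        if any(addr in net for net in subnets):
            flagged.append(addr_text)
    return flagged

# Constructed sample files (documentation address ranges, hypothetical node names).
HOSTS = ["Address = 198.51.100.10\nSubnet = 10.1.0.0/16\n",
         "Address = 203.0.113.20\nSubnet = 10.2.0.0/16#5\n"]
BAD_CONF = "Name = dc1\nDevice = /dev/net/tun\nBindToAddress = 10.1.0.1\nConnectTo = dc2\n"
GOOD_CONF = "Name = dc1\n# reachable from outside the VPN\nBindToAddress 198.51.100.10 655\n"

if __name__ == "__main__":
    print("flagged:", bind_inside_vpn(BAD_CONF, HOSTS))
    print("flagged:", bind_inside_vpn(GOOD_CONF, HOSTS))
```

The interface address assigned in a tinc-up script is outside what this check reads, so an address set only there would have to be compared separately.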