VPN Single Daemon For LAN/WAN

Guus Sliepen guus at tinc-vpn.org
Tue Dec 16 00:03:56 CET 2014


On Mon, Dec 15, 2014 at 05:29:16PM -0500, md at rpzdesign.com wrote:

> I guess my primary point of confusion is that the non-vpn LAN ip
> addresses are duplicated in each cluster.  So within a cluster, the LAN
> addresses are unique.
> 
> But when you look at 2 clusters, 2 different servers share the
> 10.99.0.11 address.

That should not be a problem for tinc. As long as both nodes in each
cluster connect to another node in the other cluster, all nodes will
know each other's WAN addresses and they can all talk to each other.
For the connections between two nodes in a cluster, just provide them
with their LAN address.

So on Server #A, in hosts/ServerB, you put:

Address = 145.61.252.81

And in hosts/ServerD you put:

Address = 10.99.0.12

On Server #C, in hosts/ServerB you put:

Address = 10.99.0.11 (assuming that's what its LAN IP address is in
Data Center #2)

And in hosts/ServerD you put:

Address = 105.61.252.21

So when Server #A makes a connection to Server #D, it knows and will use
the LAN address, and when Server #C makes a connection to #D, it uses
its WAN address.

Note that you might also be able to add routes so that traffic from
105.61.252.20 to 105.51.252.21 will go via the LAN interface, for
example using this command on Server #A:

ip route add 105.51.252.21 via 10.99.0.12

That way you don't have to worry about what tinc is doing at all.

> So that is why I created a VPN for inside the cluster on the LAN
> interfaces using the private 10.0.1.xx range.  Then, I created a
> separate VPN on the WAN interfaces using publicly visible IP Addresses.
> This VPN solely exists to process cross cluster traffic.
> 
> So at the end of the day, every server has a Real IP on eth0, a Private
> IP on eth1, and then a TINC VPN LAN IP on 10.0.1.x and a TINC VPN WAN on
> 10.1.x.x.

The question is whether you really want to have two separate VPNs with
their own network interface and address range? I think you just want one
VPN with one range, so just set up only one tinc daemon on each node.
With the above configuration tinc should choose the right addresses for
traffic between the nodes.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
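Added example, not from the thread or the tinc project: a small POSIX shell script that generates each node's hosts/<peer> Address lines following the rule above (the peer's LAN address when both nodes sit in the same cluster, its WAN address otherwise), so a single tinc daemon per node gets the right address for every peer. The four-node, two-cluster topology and all addresses in it are constructed sample values.

```sh
#!/bin/sh
# Constructed two-cluster layout (sample values, not real infrastructure):
# name  cluster  lan_ip       wan_ip
# The LAN range is reused in both clusters, as in the thread.
TOPOLOGY='
ServerA dc1 10.99.0.11 105.61.252.20
ServerD dc1 10.99.0.12 105.61.252.21
ServerB dc2 10.99.0.11 145.61.252.81
ServerC dc2 10.99.0.12 145.61.252.82
'

# Print one column (2=cluster, 3=lan, 4=wan) of the row for a node.
node_field() {
    printf '%s\n' "$TOPOLOGY" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# Address that NODE should put in hosts/PEER: the peer's LAN address when
# both live in the same cluster, its WAN address otherwise. tinc still
# authenticates the peer with the key stored in hosts/PEER, so a reused LAN
# IP in the other cluster is a reachability question, not an identity one.
peer_address() {
    pa_node=$1 pa_peer=$2
    pa_cluster=$(node_field "$pa_node" 2)
    pa_peer_cluster=$(node_field "$pa_peer" 2)
    if [ -z "$pa_cluster" ] || [ -z "$pa_peer_cluster" ]; then
        echo "unknown node: $pa_node or $pa_peer" >&2
        return 1
    fi
    if [ "$pa_cluster" = "$pa_peer_cluster" ]; then
        node_field "$pa_peer" 3
    else
        node_field "$pa_peer" 4
    fi
}

# Write an Address line into DIR/<peer> for every other node, i.e. the
# per-node part of a hosts/ directory for a single tinc daemon on NODE.
write_hosts() {
    wh_node=$1 wh_dir=$2
    mkdir -p "$wh_dir"
    for wh_peer in $(printf '%s\n' "$TOPOLOGY" | awk 'NF { print $1 }'); do
        [ "$wh_peer" = "$wh_node" ] && continue
        printf 'Address = %s\n' "$(peer_address "$wh_node" "$wh_peer")" \
            > "$wh_dir/$wh_peer"
    done
}
```

Run `write_hosts ServerA /etc/tinc/<netname>/hosts` on each node (with its own name) and the generated files only carry the Address line; the peers' public keys still have to be present in the same files for tinc to accept the connections.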