Automatic configuration of direct routes behind NAT

Guus Sliepen guus at tinc-vpn.org
Sun Mar 11 09:34:14 CET 2012


On Sat, Mar 10, 2012 at 10:20:34PM +0000, Pedro Côrte-Real wrote:

> > Get it from http://tinc-vpn.org/repository/, read the README.git, compile, and
> > add "LocalDiscovery = yes" to tinc.conf to enable this feature.
[...]
> I've just had some time to finally pick that up, build some packages
> and quickly deploy it. My results are pretty much in line with what
> you mentioned.
> 
> My setup was:
> - One CentralNode with a public Internet IP
> - Two ServerNodes behind the same NAT (same LAN)
> - One LeafNode behind a NAT that's also behind the first NAT (It's
> just a virtualbox instance running on a computer that's on the same
> LAN)
> 
> The result was:
> 1- The two ServerNodes connected to each other fine and pings went from
> >200ms to <1ms. Great!
> 2- I didn't do extensive testing but it seemed I was only able to get
> it to work once I enabled the feature on both ServerNodes and
> restarted tinc on both

Hm, it should work with only one. Are the two server nodes identical or does
one have perhaps more network interfaces than the other? It could be that it
was broadcasting on another interface (yes, that's a drawback of the current
broadcast code).

> 3- LeafNode still had to route through CentralNode since it doesn't
> get any broadcast packets from the LAN
> 
> All in all a great outcome. Point 3 is the only sticking point and
> would be solved by my suggestion of having CentralNode tell LeafNode
> what its IP is and having LeafNode connect to that. This way you'd
> stop relying on everyone getting broadcast packets, which fails when
> the network topology is a little less straightforward (e.g., two
> subnets fully routable between each other, and behind the same NAT).

I will think a bit more about what the best way is to exchange the necessary
information between nodes. The broadcast method was very simple to implement,
and it works with older versions without any special backwards compatibility
considerations.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>