keeping UDP "session" alive when using NAT

Donald Pearson donaldwhpearson at gmail.com
Tue Oct 23 22:57:22 CEST 2012


That's strange.  You do have a rule to NAT the UDP traffic from outside to
your Tinc host inside right?

On Tue, Oct 23, 2012 at 3:55 PM, Nathan Stratton Treadway <
nathanst at ontko.com> wrote:

> I'm running Tinc on a Linux machine inside my home network, connecting
> through a NATing router to a Tinc server out on the Internet.
>
> I've noticed that fairly frequently the SSH sessions I leave open (but
> unused) get aborted with a "Connection reset by peer" message.  When I
> investigated closely, I found that after a period of inactivity my
> router times out the UDP "session" between the remote and local Tinc
> nodes, and thus any VPN traffic that then attempts to come in from the
> remote side toward my SSH client gets dropped by the router (because it
> no longer has a record of where to forward the incoming Tinc packets).
> When this condition lasts long enough, the remote SSH server times out
> and closes the login session.  (During this period, of course, other
> inbound traffic is also lost, e.g. syslog messages sent toward my local
> machine, etc.)
>
> As soon as something on the local side needs to send traffic to the
> office side, the local Tinc node sends new outbound UDP packets, the
> router re-establishes the virtual session between the two nodes, and all
> traffic resumes passing normally (at least until the next period of
> inactivity).
>
>
> I see that the PingInterval setting allows me to set a minimum inactivity
> period on the metadata connection, and that seems to be enough to
> prevent the TCP session from timing out in the router... but I haven't
> found any way to cause Tinc to ensure the data/UDP "session" also stays
> active.
>
> (I'm currently using v1.0.x, but I checked the v1.1 documentation on the
> web site as well and didn't see any new features that appeared to apply
> to this situation.)
>
>
> So, I'm wondering if I've missed some aspect of the Tinc configuration
> that would address this issue, and (assuming I haven't) what other
> people have done when facing this situation?
>
> For now I can use a "ping" command or something running locally to make
> sure that I have some traffic sent out over the VPN toward the office
> side once a minute or so -- but it seems cleaner to have Tinc itself
> monitor for "long" stretches of inactivity on the data link.  Would it
> make sense to add functionality to Tinc to accomplish that (i.e. an
> option named something like "DataPingInterval" or
> "DataKeepaliveInterval")?
>
> Thanks.
>                                                         Nathan
>
>
>
> ----------------------------------------------------------------------------
> Nathan Stratton Treadway  -  nathanst at ontko.com  -  Mid-Atlantic region
> Ray Ontko & Co.  -  Software consulting services  -
> http://www.ontko.com/
>  GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
>  Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
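Nathan's interim workaround above (something local generating outbound traffic often enough that the router never expires the UDP mapping) can be automated outside tinc. The script below is an added example, not code from the tinc project or from either poster. It assumes a Linux host (it reads /proc/net/dev), that the tinc interface is named tun0, that 10.0.0.1 is the remote node's address inside the VPN, and that IDLE_LIMIT_SECONDS is set below the router's UDP timeout; all of these are assumptions, and the /proc/net/dev sample embedded for testing is constructed.

```python
"""Keep a NAT router's UDP mapping for a tinc data tunnel alive.

Added example, not part of tinc. Polls the VPN interface's transmit
counter; if no outbound traffic has crossed the tunnel for longer than
IDLE_LIMIT_SECONDS, it sends one small UDP packet to the remote node's
in-VPN address. tinc then emits a UDP packet toward the peer, which
refreshes the router's mapping before it expires.
"""
import socket
import time

# Assumed values: adjust to the local setup.
VPN_IFACE = "tun0"                  # tinc's network interface (assumed)
PEER_VPN_ADDR = ("10.0.0.1", 9)     # remote node inside the VPN, UDP discard port (assumed)
IDLE_LIMIT_SECONDS = 30.0           # must be below the router's UDP timeout (assumed)
POLL_SECONDS = 5.0

# Constructed /proc/net/dev sample used for testing the parser offline.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234 10 0 0 0 0 0 0 1234 10 0 0 0 0 0 0
  tun0: 5000 40 0 0 0 0 0 0 7777 55 0 0 0 0 0 0
"""


def parse_tx_bytes(proc_net_dev_text, iface):
    """Return the transmitted-bytes counter for `iface` from /proc/net/dev text.

    Each interface row is "<name>: <8 receive fields> <8 transmit fields>";
    tx_bytes is the first transmit field (index 8). Returns None if the
    interface is absent or the row is malformed.
    """
    for line in proc_net_dev_text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        name, _, counters = line.partition(":")
        if name.strip() != iface:
            continue
        fields = counters.split()
        if len(fields) < 9:
            return None
        return int(fields[8])
    return None


def keepalive_due(last_tx_bytes, current_tx_bytes, last_activity, now, idle_limit):
    """Decide whether a keepalive is needed.

    Returns (send, new_last_activity). If the transmit counter moved, real
    traffic has already refreshed the NAT mapping, so the idle clock resets
    and nothing is sent. Otherwise a keepalive is due once the tunnel has
    been idle for at least `idle_limit` seconds.
    """
    if current_tx_bytes != last_tx_bytes:
        return False, now
    if now - last_activity >= idle_limit:
        return True, now
    return False, last_activity


def read_tx_bytes(iface):
    """Read the live transmit counter for `iface` (Linux only)."""
    with open("/proc/net/dev") as f:
        return parse_tx_bytes(f.read(), iface)


def run():
    """Poll loop: send a one-byte UDP keepalive whenever the tunnel goes idle."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    last_tx = read_tx_bytes(VPN_IFACE)
    last_activity = time.monotonic()
    while True:
        time.sleep(POLL_SECONDS)
        current_tx = read_tx_bytes(VPN_IFACE)
        if current_tx is None:
            continue  # interface down; tinc will re-create it
        send, last_activity = keepalive_due(
            last_tx, current_tx, last_activity, time.monotonic(), IDLE_LIMIT_SECONDS)
        last_tx = current_tx
        if send:
            sock.sendto(b"\x00", PEER_VPN_ADDR)


if __name__ == "__main__":
    run()
```

The keepalive goes to an address inside the VPN rather than to the peer's public address so that it is tinc itself that emits the outer UDP packet, from the same source port the router already has a mapping for; a packet sent directly from another socket would create a different mapping and not help. Watching the interface counter rather than sending unconditionally means the script stays silent while SSH or syslog traffic is already flowing.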