Switched tinc VPN question

Valentin Bud valentin at databus.ro
Mon Oct 29 15:25:59 CET 2012


Hello World,

I have met tinc a few days ago and started with a simple connection
between 2 machines. I have fallen in love with tinc; it's very simple
to configure, and although I haven't used tinc in production yet, because
of its simplicity I think it's very robust. I also like how the
configuration is organized with the hosts/ directory and up/down scripts.
Thank you for such a great tool.

My setup is as follows. I have a total of 4 servers. 2 of them are
directly connected with one Gbps link. The other two of them are located
elsewhere and they are connected via a WAN connection. I would mention
that the latter two servers are at the same Data Center provider and
have a 100Mbps link between them.

Each of those 4 servers has an OpenvSwitch instance and a few VLANs. I
want to extend the Layer 2 network over the WAN with VPN tunnels using
tinc because this would ease firewall management, address assignment and
enable VM migration.

My first approach was to connect all the four nodes, over the WAN, with
a tinc switched mode VPN. Let's assume, for the sake of this example,
that A and B are the nodes that have 1 Gbps direct link between them and
that C and D are the remote nodes, the nodes that don't have a direct
connection but are connected via WAN.

Topology:

              +-----+                     +-----+
              |     |                     |     |
              |  A  +--------1 Gbps-------+  B  |
              |     |                     |     |
              +--+--+                     +--+--+
                 |                           |
              100Mbps                     100Mbps
                 |                           |
              +--+---------------------------+--+
              |            INTERNET             |
              +--+---------------------------+--+
                 |                           |
              100Mbps                     100Mbps
                 |                           |
              +-----+                     +-----+
              |     |                     |     |
              |  C  |                     |  D  |
              |     |                     |     |
              +--+--+                     +--+--+

In my first approach I have configured A to ConnectTo C and D, B to
ConnectTo C and D, C to ConnectTo A,B,D and D to ConnectTo A,B,C.

At connect time, the tinc-up script adds the $INTERFACE to the
OpenvSwitch bridge. The tinc-down one deletes the port from the
OpenvSwitch bridge.

  /usr/local/etc/tinc/intranet/tinc-up

```
  #!/bin/bash
  # Called by tincd with $INTERFACE set to the name of the tunnel
  # interface: attach it as a port to the OpenvSwitch bridge, then
  # bring the interface up.
  /usr/bin/ovs-vsctl add-port ovsbr1 "$INTERFACE"
  /sbin/ip link set "$INTERFACE" up
```

Without STP, after starting up the tinc daemons on all 4 machines a
broadcast storm results. This was expected. Adding tinc as a port to the
switch basically transforms the network into 4 switches connected to
each other, thus giving a loop. Activating STP on all 4 OvS switches
resulted in an endless STP Root Bridge election. So this approach,
connecting all four together, didn't work out.

My second approach was to connect only A to C, C to D and D to B.
I have activated STP from start and after the Root Bridge election the
`tinc` port on B is in STP_BLOCK status, which is good. I have
connectivity throughout the entire network.

There is also a third approach. Connecting A to C with one tinc tunnel,
C to D with another, and D to B with yet another tunnel. This would
bring a little bit of complexity to the tinc setup because it requires
one tunnel for each two nodes I want to connect.

My question is, which approach would be better? I am asking this because
in the second approach I have one `tinc` interface on node C that connects
A to C and C to D. If for example that interface gets into STP_BLOCK
status, no traffic will flow from A to C or from C to D.

On the other hand, having one `tinc` interface for A to C and one for C
to D would let the traffic flow between C and D if the `tinc` interface
connecting C to A gets into STP_BLOCK. 

Are my assumptions right or am I completely off track here? Is it
really necessary to have one `tinc` interface for each two nodes, or will
it work reliably with only one?

Cheers and Goodwill,
Valentin
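As an added example (not from the post above or from the tinc or Open vSwitch projects), here is a small shell helper that reads the per-port `state:` lines of `ovs-ofctl show` output and reports which bridge ports STP has put into STP_BLOCK, so a node can verify the situation described for B in the second approach; the `ovs-ofctl show` text below is a constructed sample for running offline, and the bridge name ovsbr1 is the one used in the post.

```bash
#!/bin/bash
# Added example: find which Open vSwitch ports STP is blocking.
# On a live node the input would come from: ovs-ofctl show ovsbr1
# Here a constructed sample of that output (node B, tinc port blocked,
# eth1 forwarding) is embedded so the script runs without OvS.
SAMPLE_SHOW='OFPT_FEATURES_REPLY (xid=0x2): dpid:00001a2b3c4d5e6f
n_tables:254, n_buffers:256
 1(eth1): addr:00:11:22:33:44:01
     config:     0
     state:      STP_FORWARD
 2(tinc): addr:00:11:22:33:44:02
     config:     0
     state:      STP_BLOCK
 LOCAL(ovsbr1): addr:00:11:22:33:44:00
     config:     0
     state:      0'

# stp_state <show-output> <port>: print the state word of one port
# (STP_FORWARD, STP_BLOCK, STP_LISTEN, ...), or "unknown" if absent.
stp_state() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # A port header looks like " 2(tinc): addr:..."; extract "tinc".
        /^ *[^ (]+\(.*\): addr:/ {
            cur = $1; sub(/^[^(]*\(/, "", cur); sub(/\).*$/, "", cur)
        }
        /^ *state:/ && cur == port { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# blocked_ports <show-output>: print one line per port in STP_BLOCK.
blocked_ports() {
    printf '%s\n' "$1" | awk '
        /^ *[^ (]+\(.*\): addr:/ {
            cur = $1; sub(/^[^(]*\(/, "", cur); sub(/\).*$/, "", cur)
        }
        /^ *state:.*STP_BLOCK/ { print cur }'
}

# Demonstration on the constructed sample.
echo "tinc port state on B: $(stp_state "$SAMPLE_SHOW" tinc)"
echo "blocked ports on B:   $(blocked_ports "$SAMPLE_SHOW" | tr '\n' ' ')"
```

On a real node, replace `"$SAMPLE_SHOW"` with `"$(ovs-ofctl show ovsbr1)"`; the same parsing can be run from tinc-up to log whether the freshly added tunnel port ended up forwarding or blocked.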

