Switched tinc VPN question

Guus Sliepen guus at tinc-vpn.org
Wed Oct 31 11:18:07 CET 2012


On Wed, Oct 31, 2012 at 11:26:09AM +0200, Valentin Bud wrote:

> > > Activating STP on all 4 OvS switches resulted
> > > in endless STP Root Bridge election. So this approach, connecting all
> > > four together, didn't work out.
> > 
> > This is strange, that should just work... But check that each OvS instance has
> > a unique MAC address, and/or give each instance a different priority.
> 
> It really works. I don't know what happened when I first tried this.
> I have reconfigured everything from scratch and connecting all the four
> servers via tinc works. I have also forced A to become the Root Bridge
> via its Bridge Priority. 

Ok, great!

> I have found an old tinc mailing list thread in which you said that one
> can think of tinc in switch mode like a switch without management. That
> helped me grasp the concept better. Basically I have 4 L3 switches all
> connected to the `tinc` one via their `tinc` interfaces.

Yes.

> After I had configured the network I was curious about performance so I
> ran iperf via tinc VPN. I have noticed that running iperf without
> any customized options switches the VPN to TCP because of MTU.
> 
> iperf test 1
> ============
> 
>   * iperf server on A, VPN interface - tinca, # iperf -s
>   * iperf client on C, VPN interface - tincc, # iperf -c A -m
> 
> ### tinc debug log on C
> ...
> Packet for tinca (10.128.3.55 port 655) length 1518 larger than MTU 1459
> Packet for tinca (10.128.3.55 port 655) larger than minimum MTU forwarding via TCP

Aha, I see the problem... tinc would normally use two mechanisms to have the
packet size of iperf's TCP stream reduced to the correct value: MSS
clamping and ICMP Fragmentation Needed packets. However, I see your packets
have VLAN tags, and then tinc doesn't recognize those packets as IPv4 anymore,
and those mechanisms are not used. So then the only way tinc has left to send
those large packets is via TCP.

> I don't want the VPN to switch to TCP because of performance issues.
> Should I modify the tinc interface MTU to 1459, the MTU negotiated by tinc?

That would help. But you should set the interface MTU to 1441 (which is 1459
minus the size of the Ethernet header and VLAN tag).

> Or should I not bother with this because only a small percentage of
> traffic will trigger the switch to TCP mode? Maybe another good things
> would be to deploy tinc without MTU modifications and monitor it closely
> and see how it behaves.

No, all the TCP traffic inside VLANs would cause tinc to tunnel it via TCP. I
will fix this soon so that you don't have to set the interface MTU manually.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
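To make the two points above concrete, here is an added illustration (not tinc's own code, and not from either poster): a naive EtherType check that stops at the 0x8100 tag and so never sees the IPv4 inside a VLAN-tagged frame, a tag-aware check that skips the tag (and stacked 802.1ad tags, which goes slightly beyond the thread), and the MTU arithmetic behind "1459 minus the Ethernet header and VLAN tag". The frames are constructed samples with dummy MACs; a 14-byte Ethernet header and a 4-byte 802.1Q tag are assumed.

```python
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag
ETHERTYPE_QINQ = 0x88A8    # IEEE 802.1ad outer (stacked) tag
ETH_HDR_LEN = 14           # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4           # TPID + TCI


def naive_is_ipv4(frame: bytes) -> bool:
    """EtherType read straight from offset 12 with no knowledge of 802.1Q.
    A tagged frame carries 0x8100 there, so it is not recognised as IPv4
    and the MSS-clamping / ICMP Fragmentation Needed paths never apply."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4


def tag_aware_is_ipv4(frame: bytes) -> bool:
    """Skip any 802.1Q / 802.1ad tags before reading the real EtherType."""
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        offset += VLAN_TAG_LEN
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return ethertype == ETHERTYPE_IPV4


def interface_mtu(negotiated_mtu: int, vlan_tags: int = 1) -> int:
    """Largest IP packet that still fits tinc's negotiated MTU once the
    Ethernet header and the VLAN tag(s) are added: 1459 - 14 - 4 = 1441."""
    return negotiated_mtu - ETH_HDR_LEN - VLAN_TAG_LEN * vlan_tags


def sample_frame(ip_len: int, vlan_id: Optional[int]) -> bytes:
    """Constructed frame: dummy locally administered MACs, an optional
    802.1Q tag, then ip_len zero bytes standing in for the IPv4 packet."""
    hdr = b"\x02" * 6 + b"\x02" * 6
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + bytes(ip_len)


if __name__ == "__main__":
    tagged = sample_frame(1500, vlan_id=10)   # 1518 bytes, as in the log
    print(len(tagged), naive_is_ipv4(tagged), tag_aware_is_ipv4(tagged))
    print(interface_mtu(1459))                # 1441
```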