Intermittent TCP connect issues when using tinc 1.0.23 and IPv6

tomp at Tomp.co.uk tomp at Tomp.co.uk
Thu Nov 28 12:49:50 CET 2013


Hi,

I am using tinc 1.0.23 in router mode and am having trouble with 
intermittent TCP connect timeouts that do not occur when routing the TCP 
over the internet directly.

I am using a pure IPv6 setup (i.e. direct IPv6 connections, and tunneled 
IPv6 subnets).

My configs are as follows:

Site 1:
-----------------------

tinc.conf:

Name = rsukmhb
AddressFamily = ipv6
BindToAddress = 2001:1b40:5000:19::2
ConnectTo = rps
IffOneQueue = yes

tinc-up:

#!/bin/sh
logger -t tinc Bringing up interface $INTERFACE
ip -6 link set "$INTERFACE" up
ip -6 link set "$INTERFACE" txqueuelen 10
ip -6 addr add fdd1:c52a:3c24:3384::2/64 dev "$INTERFACE"

subnet-up:

#!/bin/sh
[ -z "$NAME" ] && exit 0
[ "$NAME" = "$NODE" ] && exit 0
logger -t tinc Adding route to $SUBNET for $NODE on $NAME
ip -6 route replace $SUBNET dev $INTERFACE

Site 2:
-----------------------

tinc.conf:

Name = rps
AddressFamily = ipv6
BindToAddress = 2001:1b40:5000:9::2
ConnectTo = rsukmhb
IffOneQueue = yes

tinc-up:

#!/bin/sh
logger -t tinc Bringing up interface $INTERFACE
ip -6 link set "$INTERFACE" up
ip -6 link set "$INTERFACE" txqueuelen 10
ip -6 addr add fdd1:c52a:3c24:3384::1/64 dev "$INTERFACE"

subnet-up:

#!/bin/sh
[ -z "$NAME" ] && exit 0
[ "$NAME" = "$NODE" ] && exit 0
logger -t tinc Adding route to $SUBNET for $NODE on $NAME
ip -6 route replace $SUBNET dev $INTERFACE

The VPN tun interfaces use private IPv6 IP addresses in the 
fdd1:c52a:3c24:3384::/64 range.

I am then using the host entries at each site to advertise an IPv6 /64 
subnet used internally (although still publicly routable address 
subnet) so that it is routed over the VPN tunnel to the other side.


This is working pretty well and I am getting around 80MBits/sec 
throughput.

However we have a cron process that runs every 1 minute and makes 
several HTTP requests over the VPN every 10s.

About 10-12 times a day we are getting these errors after the specified 
5 second connect timeout set in the app.

Request failed: connect() timed out!


If we disable the VPN and just route the requests over the internet (as 
I said they are publicly routable addresses) then we do not see these 
errors, suggesting this is not an application problem.

We are also running Cacti and Nagios over the VPN for monitoring the 
remote site.

The traffic level is low, averaging about 20 kbps, but quite bursty, as 
every few minutes nagios/cacti runs, and the rest of the time the tunnel 
is quiet except for this cron app that makes a very small HTTP request 
every 10s.


Do you know what I could be looking at to fix this?

I have found these posts that suggest a similar connect() timeout 
issue:

Page 12 of this doc: 
http://tinc-vpn.org/presentations/fosdem-2011/ec2_vpn_fosdem2011.pdf

http://thr3ads.net/tinc-devel/2010/10/1964008-Tweaks-for-high-bandwidth-tinc

I have tried disabling replay protection, setting IffOneQueue, lowering 
and increasing the txqueuelen, setting priority of the tinc process.

None of these settings have improved things though.

Any thoughts would be much appreciated.

Thanks
Tom








