workaround to use tinc as default gateway

kyler-keyword-tinc.0fe9e4 at lairds.com
Sat Apr 11 15:16:39 CEST 2015


I have been delighted by tinc.  Building a mesh like I need would have 
been horrible in OpenVPN.  tinc makes it easy.

I decided to share a workaround for a problem that's been vexing me.  
Either I'm being dumb (and can do this better with a hint) or this is 
something others might need.

I've been moving a bunch of services from our university to Amazon 
(EC2).  To do this, I bring up a VPN, start an OpenVZ server, then start 
virtual environments (VEs) within that.  The VEs have addresses from our 
campus network.  Some now also have Amazon (EIP) addresses so that we 
can reach them without traversing the VPN.

Originally I used OpenVPN and configured the VPN interface (tap0) with 
DHCP.  tinc does not appear to have a clean way of running commands 
after an interface is active and I don't really need a valid address for 
the VPN interface anyway, so I decided to just use a non-routable 
address.  This is also cleaner because I don't have to delete the 
interface's route from the main routing table.

I'm using source routing tables to ensure that traffic from my campus 
addresses routes through the VPN and other traffic routes through the 
Amazon interface.  Also, each VE gets an entry in the main routing table 
so I set the priority of the rule for that to be lower so that my rules 
are evaluated later.

The problem I encountered was that although I could establish routing to 
my VPN's gateway, I could not use the gateway as a default route.  I 
struggled with this for quite a while before realizing that it works if I 
put the gateway route in the main table, then set the default route in 
my VPN table, then remove the route from the main table.  It's clumsy, 
but it works.

Here's a brief demo, using 76.54.32.1 as the VPN's gateway which I'm 
trying to use in the VPN table, 201.

# sh -x /tmp/route.sh
+ ifconfig tap0 192.168.1.100 netmask 255.255.255.0 up
+ ip route add 76.54.32.1 dev tap0 table 201
+ ip route add default via 76.54.32.1 table 201
RTNETLINK answers: No such process
+ ip route add 76.54.32.1 dev tap0 table main
+ ip route add default via 76.54.32.1 table 201
+ ip route show table 201
76.54.32.1 dev tap0  scope link
default via 76.54.32.1 dev tap0
+ ip route del 76.54.32.1 dev tap0 table main
+ ip route show table 201
76.54.32.1 dev tap0  scope link
default via 76.54.32.1 dev tap0

I welcome suggestions for making this cleaner.

Thanks for tinc!

--kyler
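The procedure above, packaged as a script, as an added example that is not part of the original post or of the tinc project. It wraps the posted workaround (temporary host route in main, default route in the VPN table, remove the host route) in reusable functions, adds the source-based rule the post describes, and also shows the "onlink" form documented in ip-route(8) as an alternative the post does not use. The interface tap0, the gateway 76.54.32.1 and table 201 are the post's; the campus prefix 10.10.0.0/16, the tap address 192.168.1.100/24 and the rule priority 1000 are hypothetical. By default the script is a dry run that only prints the ip(8) commands; run it as root with DRYRUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post or from tinc.
# Assumptions: tap0, 76.54.32.1 and table 201 come from the post; the
# campus prefix 10.10.0.0/16, the address 192.168.1.100/24 for tap0 and
# the rule priority 1000 are hypothetical.
#
# DRYRUN=1 (default) prints the ip(8) commands instead of running them;
# DRYRUN=0 executes them (needs root and an existing tap0).

DRYRUN="${DRYRUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_if_up IFACE ADDR/PREFIX: bring the tap interface up with a
# non-routable address (the post uses ifconfig; this is the ip(8) form).
vpn_if_up() {
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}

# vpn_default_route IFACE GATEWAY TABLE: the workaround from the post.
# "ip route add default via GW table T" is rejected with "RTNETLINK
# answers: No such process" while GW is reachable only through TABLE
# (see the trace in the post). Adding the host route to main first,
# installing the default route, then deleting the temporary host route
# leaves only TABLE populated.
vpn_default_route() {
    run ip route add "$2" dev "$1" table "$3"
    run ip route add "$2" dev "$1" table main
    run ip route add default via "$2" table "$3"
    run ip route del "$2" dev "$1" table main
}

# vpn_default_route_onlink IFACE GATEWAY TABLE: alternative that never
# touches the main table. "onlink" (ip-route(8)) tells the kernel to treat
# GW as directly attached to IFACE even without a covering route, so the
# nexthop check that produced "No such process" does not apply.
vpn_default_route_onlink() {
    run ip route add default via "$2" dev "$1" onlink table "$3"
}

# vpn_policy_rule PREFIX TABLE PRIORITY: source-based selection as in the
# post. Packets sourced from PREFIX (the campus addresses) are routed with
# TABLE; rules are evaluated in ascending priority order, and the main
# table's own rule sits at 32766 unless it has been moved.
vpn_policy_rule() {
    run ip rule add from "$1" lookup "$2" priority "$3"
}

# Demonstration in the post's terms (in dry-run mode this prints the
# command sequence).
vpn_if_up tap0 192.168.1.100/24
vpn_default_route tap0 76.54.32.1 201
vpn_policy_rule 10.10.0.0/16 201 1000
run ip route show table 201
```

To undo a real run, delete the rule (`ip rule del from 10.10.0.0/16 lookup 201`) and flush the table (`ip route flush table 201`); if `vpn_default_route_onlink` is used instead of `vpn_default_route`, the main table is never modified, so there is nothing to clean up there.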

