Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs

Raimund Sacherer rs at logitravel.com
Thu Apr 16 22:09:05 CEST 2015


Hello Guus, 

thank you very much for your suggestions, I could not dive into it further because I was traveling, but now I have time to reconfigure the network. 

First, I really like the idea of having 3 daemons at the headquarters, one for each ISP. The firewall should forward port 655 from each ISP's public IP address to my internal server, to ports 655, 656 and 657 respectively, which I guess is what you had in mind when you wrote:

> If you want/need tighter control, you might have to run three tinc
> daemons at the headquarters, one for each ISP you have there.

My question now is, for every tinc daemon I need a tun or tap device, so how should the routing be done correctly? I have the VPN Network 10.69.0.0/11.

Right now I have one tinc daemon and one tun0 device. I route the complete 10.96.0.0/11 to tun0. How do I have to proceed if I want this 10.96.0.0/11 to be available from all 3 tinc daemons (each of which, from the internet side, will have its own public IP with a different ISP)?

The idea would be that I:

* do not have to care if a line goes down, remote offices just reconnect to one of the other lines
* in the event of a severe degradation of a line I just stop the corresponding daemon, all remote offices which had used this internet line just reconnect to one of the others
* do not really care to which ISP every remote office connects

But I am not sure about the routing on the VPN server where the 3 daemons should reside ... 

Thank you,
best
Ray



