Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs

Sven-Haegar Koch haegar at sdinet.de
Fri Apr 24 22:26:18 CEST 2015


Comments below

On Fri, 24 Apr 2015, Guus Sliepen wrote:

> On Thu, Apr 16, 2015 at 10:09:05PM +0200, Raimund Sacherer wrote:
> 
> > At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively
> [...]
> > My question now is, for every tinc daemon I need a tun or tap device, so how should the routing be done correctly? I have the VPN Network 10.69.0.0/11.
> > 
> > Right now I have one tinc daemon and one tun0 device. I route the complete 10.96.0.0/11 to tun0. How do I have to proceed if I want this 10.96.0.0/11 be available from all 3 tinc-daemons (which from the internet-side will have every one its own public IP with a different ISP)?
> > 
> > The idea would be that I:
> > 
> > * do not have to care if a line goes down, remote offices just reconnect to one of the other lines
> > * in the event of a severe degradation of a line I just stop the corresponding daemon, all remote offices which had used this internet line just reconnect to one of the others
> > * do not really care to which ISP every remote office connects
> 
> In this case, I think it's best if you do not add any routes in the
> tinc-up script. So there, you just configure the address of the
> interface, but don't supply a netmask:
> 
> #!/bin/sh
> ifconfig $INTERFACE 10.96.x.y

Won't a netmask of 255.255.255.255 be better than not specifying any?
Otherwise it falls back to old classful addressing and would assume
10.0.0.0/8 - which is clearly always wrong.

# ifconfig eth2 10.96.3.4
# route -n |grep eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0   0   0 eth2

Or are tun devices different in this regard?

> Then, assuming you run tinc in router Mode (the default), you should
> create a script named "subnet-up" in the same directory as tinc-up, and
> put this in it:
> 
> #!/bin/sh
> ip addr add $SUBNET dev $INTERFACE
> 
> And a "subnet-down" script:
> 
> #!/bin/sh
> ip addr del $SUBNET dev $INTERFACE

Don't you mean "ip route add/del" here?

> This will cause tinc to automatically add and remove routing entries,
> depending on which nodes are reachable. You will get multiple routing
> entries for the same subnet but to different interfaces. One of them
> will be chosen by the kernel based on the order of addition, but you
> don't care about it so it's fine. If tinc detects that a node goes down,
> the subnet-down script will remove the offending route, and the kernel
> will then use another one. And if you manually stop a tincd its routes
> will be removed as well.
> 
> 

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.

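A subnet-up/subnet-down hook along the lines discussed above, written as an added example for this thread (it is not code from the thread, from Guus or from tinc itself) and assuming Linux with iproute2 and one tincd per ISP, each on its own tun interface. It uses `ip route` rather than `ip addr`, gives each daemon's routes a distinct metric so the kernel accepts the same subnet via several tun interfaces instead of rejecting the second add with "File exists", and strips a trailing `#weight` from $SUBNET, which is an assumption about how some tinc versions pass that variable. Install it as both `subnet-up` and `subnet-down` (hard link or copy); it picks the action from its own file name.

```shell
#!/bin/sh
# Multi-tincd subnet hook (added example). tinc exports SUBNET, INTERFACE,
# NETNAME and NODE when it runs subnet-up / subnet-down.

# Per-interface metric: tun0 -> 100, tun1 -> 101, ... Identical prefix+metric
# on two interfaces is refused by the kernel, distinct metrics are accepted.
metric_for() {
    n=$(printf '%s' "$1" | sed -e 's/[^0-9]//g' -e 's/^0*//')
    echo $((100 + ${n:-0}))
}

# Build the iproute2 command for one subnet.
# $1 = add|del, $2 = SUBNET as passed by tinc, $3 = tun interface
route_cmd() {
    action=$1
    subnet=${2%%#*}            # drop "#weight" suffix if present (assumption)
    iface=$3
    case "$subnet" in
        *:*) fam="-6" ;;       # IPv6 subnet
        *)   fam="-4" ;;       # IPv4 subnet
    esac
    echo "ip $fam route $action $subnet dev $iface metric $(metric_for "$iface")"
}

# Entry point used by tinc: reads the environment, runs (or prints) the command.
# $1 = add|del; set DRY_RUN=1 to only print what would be executed.
run_hook() {
    if [ -z "$SUBNET" ] || [ -z "$INTERFACE" ]; then
        echo "subnet hook: SUBNET or INTERFACE not set" >&2
        return 1
    fi
    cmd=$(route_cmd "$1" "$SUBNET" "$INTERFACE")
    if [ -n "$DRY_RUN" ]; then
        echo "$cmd"
    else
        $cmd                   # word-split on purpose; no spaces in the args
    fi
}

# Dispatch on the script's own name so one file serves both hooks.
case "${0##*/}" in
    subnet-up)   run_hook add ;;
    subnet-down) run_hook del ;;
esac
```

With `DRY_RUN=1 SUBNET=10.96.5.0/24 INTERFACE=tun1 ./subnet-up` you can check the exact route command each daemon would install before letting tinc run it for real.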
