Tinc clients behind a NAT, tunnels get unstable

Marcus Schopen lists at localguru.de
Fri Sep 25 17:46:16 CEST 2015


Hi Guus,

Am Freitag, den 25.09.2015, 17:04 +0200 schrieb Guus Sliepen:
> Ok, that means by default the UDP NAT timeout on the Cisco is extremely
> short.
> 
> > I check the manual of the Cisco NAT for any TCP/UDP
> > timeout settings, but there is no way to modify anything like "keeps
> > TCP/UDP connections alive".
> 
> It wouldn't be called something like that, rather a "nat translation
> timeout" or something similar.

Shame on me. Deep in the configuration of the NAT I found that UDP
timeout is set to 30 seconds by default. I increased the value to 120
seconds. And disabled the PingInterval completely on the clients behind
the NAT. Tunnels got unstable again. Then I put "PingInterval = 30" to
the client's config back again (before it was set to 10 seconds) and
this seems to work.

> > So should I keep this UDP configuration or would you go back to
> > TCPOnly? 
> 
> I'd keep the UDP setting. It does generate more background traffic
> though, if you have to pay for bandwidth you could consider going back
> to TCPonly.

Good. Current setup is "PingInterval = 30" on the clients and 120
seconds timeout on the Cisco NATs.


> > And another thing which came up since the clients (all in the same
> > subnet) are running behind the NAT: the traffic in-between the clients
> > run through the hosts and not locally/directly anymore, which means
> > higher latency and outgoing traffic. I don't see any blocked packages on
> > the client's firewall. Is there a way to let them talk directly again?
> 
> This is probably because the Cisco doesn't support hairpin routing. Add
> LocalDiscovery = yes to tinc.conf on the clients, that way they can
> detect each other's LAN address and do direct traffic again.

Hmmm ... I've tried "LocalDiscovery = yes"
in /etc/tinc/mytunnel/tinc.conf already, but that didn't help. Config on
client A is:

---------------
Name = clienta
AddressFamily = ipv4
Interface = tun0
ConnectTo = host
PingInterval = 30
LocalDiscovery = yes
---------------

Ciao!
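The thread above boils down to one rule: the tinc keepalive (PingInterval) has to fire more often than the NAT's UDP translation timeout, otherwise the mapping is torn down between pings and the tunnel goes unstable. The script below, an added example that is not part of the thread or of tinc itself, parses a tinc.conf fragment like client A's and classifies its PingInterval against a given NAT UDP timeout. Assumptions made here: the "half the NAT timeout" safety margin is my own rule of thumb, the fallback of 60 seconds is tinc's documented default PingInterval and is passed in as a parameter so it can be overridden, and the booleans accepted for LocalDiscovery are taken to be "yes"/"true".

```python
"""Check whether a tinc client's keepalive interval is short enough to keep
a NAT's UDP translation alive.  Added example, not from the tinc project or
the mailing-list thread; the half-timeout margin is an assumption made here."""

import re

# tinc.conf lines look like "Key = Value"; '#' starts a comment.
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample: client A's config as posted in the thread.
CLIENT_A_CONF = """
Name = clienta
AddressFamily = ipv4
Interface = tun0
ConnectTo = host
PingInterval = 30
LocalDiscovery = yes
"""


def parse_tinc_conf(text):
    """Return a dict mapping lower-cased keys to string values for a tinc.conf body.

    tinc treats keys case-insensitively, so they are normalised to lower case.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def check_nat_keepalive(conf, nat_udp_timeout, default_ping_interval=60):
    """Classify PingInterval against the NAT's UDP translation timeout (seconds).

    Returns (status, ping_interval) where status is one of:
      "expires"  - pings are no closer together than the NAT timeout, so the
                   translation is dropped between keepalives
      "marginal" - pings arrive before expiry but with less than half the
                   timeout to spare (assumption: that margin is our choice)
      "ok"       - comfortable margin
    If PingInterval is absent the caller-supplied default is used (60 s is
    tinc's documented default; assumption that the caller wants that).
    """
    value = conf.get("pinginterval")
    ping_interval = int(value) if value is not None else default_ping_interval
    if ping_interval <= 0 or nat_udp_timeout <= 0:
        raise ValueError("intervals must be positive numbers of seconds")
    if ping_interval >= nat_udp_timeout:
        return "expires", ping_interval
    if ping_interval > nat_udp_timeout / 2:
        return "marginal", ping_interval
    return "ok", ping_interval


def has_local_discovery(conf):
    """True if LocalDiscovery is enabled (assumption: tinc accepts yes/true)."""
    return conf.get("localdiscovery", "no").lower() in ("yes", "true")


if __name__ == "__main__":
    conf = parse_tinc_conf(CLIENT_A_CONF)
    for timeout in (30, 50, 120):  # Cisco default, a middling value, the new setting
        status, interval = check_nat_keepalive(conf, timeout)
        print(f"NAT UDP timeout {timeout:>3}s, PingInterval {interval}s -> {status}")
    print("LocalDiscovery enabled:", has_local_discovery(conf))
```

Run against client A's config, the 30-second Cisco default reports "expires" (PingInterval = 30 is not shorter than the timeout), while the 120-second setting from the thread reports "ok". The check is deliberately conservative: it only looks at the interval between keepalives, not at lost pings or PingTimeout, so a "marginal" result is worth acting on before the tunnel actually drops.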