using both ConnectTo and AutoConnect to avoid network partitions

Nirmal Thacker nirmalthacker at gmail.com
Thu Aug 31 19:40:39 CEST 2017


Hi Guus

Following your suggestion we reconfigured our tinc network as follows.
Here is a new graph and below is our updated configuration:
http://imgur.com/a/n6ksh

- 2 Tinc nodes (yellow labels) have a public external IP and port 655 open.
They both have ConnectTo's to each other and AutoConnect = yes
- The remaining tinc nodes (blue labels) have their tinc.conf set up as
follows:
      ConnectTo = yellow1
      ConnectTo = yellow2
      AutoConnect = yes
- Blue labeled nodes also have their port 655 open, but no node in the
network has a ConnectTo to any blue labeled node
- We are still using tinc 1.1pre14
- The configuration was loaded by ensuring:
    - each node has the keys and Address for their ConnectTo targets
    - tinc was reloaded using the command: sudo tinc -n <vpn_name> reload

The main motivation to do this: to avoid the network split bug we hit, which
was addressed earlier in this email, and to do this by ensuring deliberate
and redundant connections to yellow1 and yellow2.

We are concerned that:
- We still don't see edges in the graph that show connections between every
blue labeled node to both the yellow labeled nodes

Any reason why we don't see these edges?

Is there something missing in our configuration?

Thanks


   -nirmal

On Tue, Aug 22, 2017 at 11:08 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Tue, Aug 22, 2017 at 03:19:18PM -0700, Nirmal Thacker wrote:
>
> > - How do we patch 1.1pre14 with this fix? Or will there be a 1.1pre15 to
> > upgrade to?
>
> There will be a 1.1pre15, but if you want you can apply the following
> commit:
>
> https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff;h=92fdabc439bdb5e16f64a4bf2ed1deda54f7c544
>
> > - What is the workaround until we patch with this fix? Using a combination
> > of AutoConnect and ConnectTo?
>
> Yes.
>
> > - When we use ConnectTo, is it mandatory to have a cert file in the hosts/*
> > dir with an IP to ConnectTo ?
>
> Yes. Tinc always needs the public key of a peer and an Address in order
> to be able to connect to it.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
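The precondition named in this thread (every ConnectTo target needs a public key and an Address in the local hosts/ directory) can be checked on each node before reloading. The script below is an added example, not part of the original e-mail or of tinc itself; it assumes a configuration directory containing tinc.conf and hosts/, accepts either an Ed25519PublicKey line or an RSA PEM block as the key, and its function names and sample values are constructed.

```python
import re
from pathlib import Path

# tinc config lines are "Name = value" or "Name value"; names are case-insensitive.
LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")
RSA_PEM = "-----BEGIN RSA PUBLIC KEY-----"

def read_vars(path):
    """Return {lowercased variable name: [values]} for one tinc config file."""
    found = {}
    for raw in Path(path).read_text().splitlines():
        m = None if raw.lstrip().startswith("#") else LINE.match(raw)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2))
    return found

def check_connectto(confdir):
    """Map each ConnectTo target in tinc.conf to the problems in its hosts/ file."""
    confdir = Path(confdir)
    report = {}
    for name in read_vars(confdir / "tinc.conf").get("connectto", []):
        problems = report.setdefault(name, [])
        host = confdir / "hosts" / name
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            problems.append("invalid node name")  # also blocks path tricks
        elif not host.is_file():
            problems.append("no hosts file")
        else:
            hv = read_vars(host)
            if not any(hv.get("address", [])):
                problems.append("no Address")
            if not any(hv.get("ed25519publickey", [])) and RSA_PEM not in host.read_text():
                problems.append("no public key")
    return report

def write_sample(root):
    """Constructed sample: a blue node whose hosts/yellow2 lacks an Address."""
    root = Path(root)
    (root / "hosts").mkdir(parents=True)
    (root / "tinc.conf").write_text(
        "Name = blue1\nConnectTo = yellow1\nConnectTo = yellow2\nAutoConnect = yes\n")
    (root / "hosts" / "yellow1").write_text(
        "Address = 192.0.2.10\nEd25519PublicKey = CONSTRUCTED_PLACEHOLDER_KEY\n")
    (root / "hosts" / "yellow2").write_text("Ed25519PublicKey = CONSTRUCTED_PLACEHOLDER_KEY\n")
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for node, problems in check_connectto(write_sample(Path(tmp) / "vpn")).items():
            print(node, "OK" if not problems else ", ".join(problems))
```

A clean report only shows that the outgoing connections can be attempted; it does not show that the edges exist in the running graph.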