<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=DE link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hi all,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I am currently deploying tinc as an
alternative to OpenVPN.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>My setup includes a lot of nodes and some of
them are sitting together behind the same router on the same network segment.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>(E.g. connected to the same switch.)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I noticed, that those nodes do never talk
directly to each other via their private ip-addresses, but instead use the
NATed address they got from the router.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Furthermore, some talk only over a third
node, that sits outside the LAN.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>====Example ====<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Router1
:<o:p></o:p></span></p>
<p class=MsoNormal style='text-indent:35.4pt'><span lang=EN-US>Public
IP
1.1.1.1<o:p></o:p></span></p>
<p class=MsoNormal style='text-indent:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Local LAN behind said router<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Subnet
192.168.0.x/24<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Tinc-VPN
:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Subnet
172.25.3.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Behind Router1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
NAT-UDP
1.1.1.1:1001<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
LAN-IP
192.168.0.101<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Tinc-IP
172.25.3.101<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Behind Router1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
NAT-UDP
1.1.1.1:1002<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
LAN-IP
192.168.0.102<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Tinc-IP
172.25.3.102<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Public
IP
2.2.2.2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
Tinc-IP
172.25.3.1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node1 connects to Node3.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node2 connects to Node3.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Both nodes can ping Node3’s tinc-ip.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>But both nodes (1 & 2) do not get a
direct connection, they only talk via Node3.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>So pinging Node2 from Node1 results in a
packet from Node1 to Node3 and from Node3 to Node2’s NATed UDP-Port at
the router.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sometimes, It results in a
“direct” packet from Node1 to Node2’s public UDP-Port.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>It seems to me as if tinc is unable to see,
that Node1 and Node2 are sitting “right next to each other”, and is
only considering the publicly visible UDP port to send data to.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Can anyone confirm this, or do I have some
misunderstanding regarding tinc?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Additional information:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Every Node has every other node’s public
key. The host configuration is always the same:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Port
= 1655<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>IndirectData
= no<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>PMTUDiscovery
= yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Compression
= 10<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Only Node3 has a Address set. This node
acts kinda like a “server”, where all other nodes connect to.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I plan to add more
“server-like” nodes in the near future that provide a fixed
address.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>The config file looks like this:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Name
= NodeX<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ConnectTo
= Node3 (this line is of course missing on Node3)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Device
= {.. Windows UUID.. }<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>DeviceType
= tap<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Mode
= switch<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Node adresses are assigned using a DHCP
server on Node3.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I’d be happy hearing from you guys.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Best regards<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Daniel Schall<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>