<div dir="ltr"><div>Something to add. When this happened, it looks like tinc shutdown gracefully(not seg fault ..), because I can tell tinc-down script got implemented.</div><div><br></div><div>Heng</div><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 25, 2015 at 6:00 AM, <span dir="ltr"><<a href="mailto:tinc-request@tinc-vpn.org" target="_blank">tinc-request@tinc-vpn.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send tinc mailing list submissions to<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:tinc-request@tinc-vpn.org">tinc-request@tinc-vpn.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:tinc-owner@tinc-vpn.org">tinc-owner@tinc-vpn.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of tinc digest..."<br>
<br>Today's Topics:<br>
<br>
1. Re: Authenticating VPN addresses: a proposal (Sven-Haegar Koch)<br>
2. tinc exit when there is no internet? (Heng Wang)<br>
3. Re: tinc exit when there is no internet? (Guus Sliepen)<br>
<br><br>---------- Forwarded message ----------<br>From: Sven-Haegar Koch <<a href="mailto:haegar@sdinet.de">haegar@sdinet.de</a>><br>To: <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>Cc: <br>Date: Tue, 24 Nov 2015 17:00:45 +0100 (CET)<br>Subject: Re: Authenticating VPN addresses: a proposal<br>On Mon, 23 Nov 2015, Guus Sliepen wrote:<br>
<br>
> It also works in a situation where a group of people trust a central<br>
> authority which provides them with the configuration for their tinc<br>
> nodes, if StrictSubnets is used. The drawback is that an external tool<br>
> needs to be used (ChaosVPN is one such example, but there are others)<br>
> and it is not very flexible, but I would disagree that it is<br>
> unmanageable.<br>
<br>
In ChaosVPN we use StrictSubnets, and additionally the following patch<br>
on the core-nodes where (nearly) everyone connects to:<br>
<br>
(cut&paste whitespace damaged)<br>
<br>
diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c<br>
index 06dafbc..e2d4bfc 100644<br>
--- a/src/protocol_subnet.c<br>
+++ b/src/protocol_subnet.c<br>
@@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) {<br>
if(strictsubnets) {<br>
logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",<br>
"ADD_SUBNET", c->name, c->hostname, subnetstr);<br>
+ /* Disabled forwarding of unauthorized subnets!<br>
forward_request(c, request);<br>
+ */<br>
return true;<br>
}<br>
<br>
This was added because after a few years of operation of the network we<br>
had so many no-longer-existing subnet definitions flowing around that<br>
each connect created lots of error messages and a ton of useless<br>
metadata-traffic bouncing around, even when the nodes/subnets have been<br>
deleted from the hosts files for ages - as there was never a time that<br>
all nodes were down whenever one was restarted it learned the bogus<br>
routes again from something else, and spread it later (and tinc purge<br>
never worked for this).<br>
<br>
Since the bogus subnets are not forwarded anymore from the central nodes<br>
they only stay known to the edges until the next restart, so after a<br>
while they are really gone.<br>
<br>
c'ya<br>
sven-haegar<br>
<br>
--<br>
Three may keep a secret, if two of them are dead.<br>
- Ben F.<br>
<br>
<br><br>---------- Forwarded message ----------<br>From: Heng Wang <<a href="mailto:hwang@verifeye.com">hwang@verifeye.com</a>><br>To: <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>Cc: <br>Date: Tue, 24 Nov 2015 11:53:49 -0500<br>Subject: tinc exit when there is no internet?<br><div dir="ltr">Hi Guys,<div><br></div><div>I have been using tinc in a linux environment, which has always been working fine. Recently I encountered an issue that tinc process exits(or crash?) when internet is down. </div><div>What could be the cause of it? Is there a timeout mechanism inside tinc code that it will exit after failing to bring up tun/tap interface for a long period? The internet has been down for several days.</div><div><br></div><div>I am trying to reproduce this issue by bringing down internet when tinc is working fine. In the meantime can anyone give some idea? I appreciate that.</div><div><br></div><div>Thank you.</div><div><br></div><div>Heng</div><div><br></div><div><br></div><div><br></div><div> </div></div>
<br><br>---------- Forwarded message ----------<br>From: Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>To: <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>Cc: <br>Date: Tue, 24 Nov 2015 18:54:40 +0100<br>Subject: Re: tinc exit when there is no internet?<br>On Tue, Nov 24, 2015 at 11:53:49AM -0500, Heng Wang wrote:<br>
<br>
> I have been using tinc in a linux environment, which has always been<br>
> working fine. Recently I encountered an issue that tinc process exits(or<br>
> crash?) when internet is down.<br>
> What could be the cause of it? Is there a timeout mechanism inside tinc<br>
> code that it will exit after failing to bring up tun/tap interface for a<br>
> long period? The internet has been down for several days.<br>
<br>
Tinc should never exit automatically, so this is clearly a bug.<br>
<br>
> I am trying to reproduce this issue by bringing down internet when tinc is<br>
> working fine. In the meantime can anyone give some idea? I appreciate that.<br>
<br>
What version of tinc are you using? If it only happens after a long<br>
time, you might be able to speed things up by settings MaxTimeout = 5 in<br>
tinc.conf.<br>
<br>
--<br>
Met vriendelijke groet / with kind regards,<br>
Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>
<br>_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br></blockquote></div><br></div></div>