a few problems/questions with tinc

Guus Sliepen guus at tinc-vpn.org
Fri Feb 17 12:58:22 CET 2012


On Wed, Feb 15, 2012 at 12:29:55PM +0330, Siavash Sameni wrote:

> I have a few questions/problems with tinc, which I need to address ASAP,
> so I'll make it brief.
> I have 33 sites, connected with each other using WAN;
> in each site, there are two Linux firewalls + 3-4 more servers. I
> preferred to have a full mesh within my network,
> but unfortunately it was not possible: when I wanted every site to be
> connected to every other, as the number of hosts increased there were some
> unexplainable abnormalities, so I decided to connect every site to 3-4
> other firewalls. So with this approach the whole network is unified, of
> course not directly.
> So right now my unsolved problems are as follows:
> 
> 1. SIP/IAX doesn't work over the tinc network, but on the tinc edge it works;
> imagine the following situation:

This sounds indeed like a routing problem, or perhaps a firewall problem. Could
you send us the output of "ifconfig -a", "route -n", "iptables -vxnL" and
"iptables -t nat -vxnL"? The contents of the host config files would also be
useful (you can omit the public keys).

> 2. I want to use 2 firewalls in each site, as failover tinc routers, so
> what I've basically done is that I've put two tinc nodes in every site,
> and configured them with the same Subnet in tinc hosts, but the problem
> arises with the fact that the other nodes in each site only have one of
> the servers as default gateway, and if the request comes from the other it's
> unanswered. I wanted to fix this problem with iptables mangle:
> iptables -A PREROUTING -t mangle -i tci -j MARK --set-mark 1
> but strangely enough iptables didn't mark it (why?)

I have no idea without the information from above. Having two firewalls running
simultaneously might be challenging. You could also have one active firewall,
and a backup firewall that is an identical clone, and use heartbeat to have the
backup firewall take over the primary one's functionality (including MAC
address), see http://www.linux-ha.org/.

By the way, although Donald was a bit skeptical, writing "-t mangle" after "-A
PREROUTING" works as intended.

> So I thought of another solution, which is that I'd use keepalived with tinc,
> like copy the same private key to two servers, bring one up; if the
> server goes down, keepalived would bring tinc down, and *bring the other
> server's tinc up*. Is it possible?

Yes, although again it might be better to do this for the whole firewall
machine instead of just the tinc daemon.

> 3. I have concerns about not having a full mesh; the problem was that
> when the number of concurrent connections went above 12, the network wasn't
> as good as before. Am I doing something wrong? Is it possible to fix it
> another way?

Unless you have a very small upstream bandwidth, there should be no problem
with having lots of concurrent ConnectTo's. But tinc will build a full mesh
even if you have only a few ConnectTo's in tinc.conf.

> 4. Should I connect the two firewalls in each province together, if I
> don't use keepalived of course, like add a ConnectTo from server A1 to A2?

It depends on your situation, especially on what is most likely to fail. Do you
have one connection to the Internet or does each firewall have its own
independent connection?

> 5. I have concerns about the tinc routing table; can someone point me to the
> right documentation?

All the documentation is here: http://tinc-vpn.org/docs/. But what exactly is
your concern?

> 6. In a mesh, is there any utility which would make it easy to identify
> which hosts are directly connected to (hosts from ConnectTo)?

In tinc 1.0.x, this is not very easy, but you can send a signal that will dump
a list of all the nodes it knows about to the syslog:

tincd -n <netname> -kUSR2

Then you will see something like this in the syslog:

Feb 17 12:50:11 server tinc.netname[12345]: Nodes:
Feb 17 12:50:11 server tinc.netname[12345]:  foo at 192.0.43.10 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop bar via foo pmtu 1410 (min 1410 max 1410)

To see whether you are directly connected, look at the name right after "via".
In this case, traffic to node foo goes "via foo", which means they are sent
directly to this node. If it would say "via baz", that means there is no direct
connection, and traffic will instead be sent to node baz, which will in turn
forward it towards foo.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
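The "via" check from point 6 above, as an added example (not tinc's own code and not from the original post): a small Python script that parses the syslog lines tinc 1.0.x writes after SIGUSR2 and lists which nodes are reached directly and which are forwarded through another node. The sample log lines are constructed for the example; the field layout follows the line shown in the reply. It assumes the daemon also lists the local node itself (it shows up as "via" itself), so the script takes an optional own-name argument to leave that entry out.

```python
#!/usr/bin/env python3
"""Classify the nodes in a tinc 1.0.x node dump as direct or forwarded.

Added example, not tinc's own code. After `tincd -n <netname> -kUSR2` the
daemon writes one "<name> at <addr> port ..." line per known node to syslog;
this script reads those lines and reports, per node, whether traffic is sent
to it directly (via == its own name) or through another node.
"""
import re
import sys

# Constructed sample lines in the layout shown in the reply. Names, addresses
# and counters are made up for this example; the last line is noise that the
# parser must skip.
SAMPLE_SYSLOG = """\
Feb 17 12:50:11 server tinc.netname[12345]: Nodes:
Feb 17 12:50:11 server tinc.netname[12345]:  foo at 192.0.43.10 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop bar via foo pmtu 1410 (min 1410 max 1410)
Feb 17 12:50:11 server tinc.netname[12345]:  baz at 192.0.43.11 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop baz via baz pmtu 1410 (min 1410 max 1410)
Feb 17 12:50:11 server tinc.netname[12345]:  qux at 198.51.100.7 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop baz via baz pmtu 1300 (min 1300 max 1410)
Feb 17 12:50:11 server tinc.netname[12345]:  unrelated daemon chatter that must be ignored
"""

# One node entry; the syslog prefix (timestamp, host, ident) before the name is ignored.
NODE_RE = re.compile(
    r"(?P<name>\S+) at (?P<addr>\S+) port (?P<port>\S+)"
    r" cipher (?P<cipher>\d+) digest (?P<digest>\d+) maclength (?P<maclength>\d+)"
    r" compression (?P<compression>\d+) options (?P<options>[0-9a-fA-F]+)"
    r" status (?P<status>[0-9a-fA-F]+) nexthop (?P<nexthop>\S+) via (?P<via>\S+)"
    r" pmtu (?P<pmtu>\d+) \(min (?P<minmtu>\d+) max (?P<maxmtu>\d+)\)\s*$"
)
INT_FIELDS = ("cipher", "digest", "maclength", "compression", "pmtu", "minmtu", "maxmtu")


def parse_nodes(syslog_text):
    """Return one dict per node line; lines that do not match the layout are skipped."""
    nodes = []
    for line in syslog_text.splitlines():
        m = NODE_RE.search(line)
        if not m:
            continue
        node = m.groupdict()
        for key in INT_FIELDS:
            node[key] = int(node[key])
        nodes.append(node)
    return nodes


def is_direct(node):
    """Traffic to a node is sent directly when it goes 'via' the node itself.

    Only the 'via' field is used, as the reply says; 'nexthop' is ignored here.
    """
    return node["via"] == node["name"]


def classify(syslog_text, myself=None):
    """Split the dump into (sorted direct names, {forwarded name: via}).

    Assumption: the daemon lists the local node too, and it appears as 'via'
    itself, so pass your own Name as `myself` to keep it out of the direct list.
    """
    nodes = [n for n in parse_nodes(syslog_text) if n["name"] != myself]
    direct = sorted(n["name"] for n in nodes if is_direct(n))
    forwarded = {n["name"]: n["via"] for n in nodes if not is_direct(n)}
    return direct, forwarded


def report(syslog_text, myself=None):
    """Human-readable summary: one 'direct:' line, then one line per forwarded node."""
    direct, forwarded = classify(syslog_text, myself)
    lines = [("direct: " + ", ".join(direct)) if direct else "direct: (none)"]
    for name, via in sorted(forwarded.items()):
        lines.append(f"forwarded: {name} via {via}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: grep 'tinc.<netname>' /var/log/syslog | python3 <this script> [MyName]
    # (the script name is whatever you save it as). With no stdin data the
    # constructed sample above is used.
    me = sys.argv[1] if len(sys.argv) > 1 else None
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    print(report(text, me))
```

Send the signal with `tincd -n <netname> -kUSR2`, then pipe the matching syslog lines into the script. On the constructed sample it reports foo and baz as direct and qux as forwarded via baz; with your own Name passed as the first argument, that entry is dropped from the direct list.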