Automatic configuration of direct routes behind NAT

Benjamin Henrion bh at udev.org
Wed Feb 22 17:50:32 CET 2012


On Wed, Feb 22, 2012 at 2:40 PM, Pedro Côrte-Real <pedro at pedrocr.net> wrote:
> Hi,
>
> I've followed the guide at:
>
> http://blogs.operationaldynamics.com/andrew/software/research/using-tinc-vpn
>
> and have a working tinc VPN. Here's my topology:
>
> - CentralNode has a fixed public IP address that everyone connects to
> - Leaf1 and Leaf2 may have different IP addresses depending on where
> they are, and usually those will be behind NAT (think, two laptops
> going around and you get the idea).
>
> I set up Leaf1 and Leaf2 to connect to CentralNode and they both do and
> everyone can talk to everyone.
>
> However, when both Leafs are behind the same NAT it would be nice if
> they were able to figure that out and not have to go through
> CentralNode for everything. Since the IP addresses are always changing
> I can't configure an Address option. Is tinc able to just try and use
> whatever is the current IP address of the two hosts and see if it can
> communicate? If they're behind the same NAT it would work and if not
> it would just continue to go back and forth to CentralNode. In that
> situation it would ideally use something like STUN so it could do away
> with the central node even when both hosts are behind two different
> NATs.
>
> Is anything like this currently possible or planned?

You could run tinc on top of a UDP hole puncher, such as pwnat:

http://samy.pl/pwnat/
http://resources.infosecinstitute.com/udp-hole-punching/

But then you need to adapt your tinc config accordingly.

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
"In July 2005, after several failed attempts to legalise software
patents in Europe, the patent establishment changed its strategy.
Instead of explicitly seeking to sanction the patentability of
software, they are now seeking to create a central European patent
court, which would establish and enforce patentability rules in their
favor, without any possibility of correction by competing courts or
democratically elected legislators."
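
Added example (not from this thread, from tinc, or from pwnat): a deterministic
model of the rendezvous-style UDP hole punching described at the second link
above, with a CentralNode-like public server in the rendezvous role. It shows
the two situations Pedro asks about: both leaves behind one NAT (the server sees
the same public IP twice, so the peers should just use their private addresses)
and leaves behind two different NATs (both sides send to each other's public
endpoint; the packet that arrives first is dropped because the receiving NAT has
no hole yet, but it opens the sender's own NAT, so the reply and the retry get
through). Everything here is constructed: the documentation-range addresses, port
655 (tinc's default), the address-restricted cone NAT behaviour and the message
ordering are assumptions of the model, and pwnat's server-less ICMP trick is not
modelled.

```python
# Added illustration of rendezvous-style UDP hole punching. Not code from the
# thread, tinc or pwnat; addresses, port 655 and NAT behaviour are assumptions.
from dataclasses import dataclass, field

Addr = tuple  # (ip, port)


class AddressRestrictedNat:
    """Address-restricted cone NAT: one public port per internal socket, reused for
    every destination; inbound traffic on that port is delivered only from public
    IPs the internal socket has already sent to. Hole punching relies on this."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.port_of = {}   # internal (ip, port) -> public port
        self.allowed = {}   # public port -> set of remote IPs already contacted

    def outbound(self, src, dst):
        if src not in self.port_of:
            self.port_of[src] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        port = self.port_of[src]
        self.allowed[port].add(dst[0])      # this is the "hole"
        return (self.public_ip, port)

    def inbound(self, dst_port, src):
        if src[0] not in self.allowed.get(dst_port, ()):
            return None                     # no hole for this sender: dropped
        return next(i for i, p in self.port_of.items() if p == dst_port)


@dataclass
class Host:
    addr: Addr                      # private address when behind a NAT
    nat: object = None
    inbox: list = field(default_factory=list)


class Network:
    def __init__(self):
        self.nats = {}      # public ip -> NAT
        self.hosts = {}     # address -> Host
        self.log = []

    def deliver(self, sender, dst, payload):
        """Carry one datagram from sender to dst, applying NAT rules on the way."""
        src, wire_dst = sender.addr, dst
        lan = (sender.nat is not None and dst in self.hosts
               and self.hosts[dst].nat is sender.nat)
        if sender.nat is not None and not lan:
            src = sender.nat.outbound(src, dst)      # create/refresh the mapping
        nat = None if lan else self.nats.get(dst[0])
        if nat is not None:
            dst = nat.inbound(dst[1], src)           # None if no hole yet
        if dst is None:
            self.log.append(f"DROP {src} -> {wire_dst}: {payload}")
            return False
        self.hosts[dst].inbox.append((src, payload))
        self.log.append(f"OK   {src} -> {dst}: {payload}")
        return True


def rendezvous(net, server, a, b):
    """Both peers register with the public server; it answers each with the public
    endpoint it observed for the other peer plus that peer's private address."""
    seen = {}
    for p in (a, b):
        net.deliver(p, server.addr, "REGISTER")
        seen[p.addr] = server.inbox[-1][0]   # address as seen outside the NAT
    net.deliver(server, seen[a.addr], ("PEER", seen[b.addr], b.addr))  # replies ride
    net.deliver(server, seen[b.addr], ("PEER", seen[a.addr], a.addr))  # the REGISTER hole
    return a.inbox[-1][1], b.inbox[-1][1]


def connect(net, a, b, info_a, info_b):
    """info_x is the ('PEER', public, private) tuple x received from the server."""
    _, b_pub, b_priv = info_a
    _, a_pub, a_priv = info_b
    if a_pub[0] == b_pub[0]:
        # Same public IP: both peers sit behind one NAT. Talk over private
        # addresses; hairpinning via the NAT's public address is often unsupported.
        ok = net.deliver(a, b_priv, "HELLO") and net.deliver(b, a_priv, "HELLO")
        return "lan" if ok else "failed"
    # Different NATs: each side sends to the other's public endpoint. The first
    # packet is dropped (no hole yet at the receiving NAT) but opens the sender's
    # own NAT, so the peer's packet and the retry get through.
    net.deliver(a, b_pub, "PUNCH")
    got_b = net.deliver(b, a_pub, "PUNCH")
    got_a = net.deliver(a, b_pub, "PUNCH")
    return "punched" if got_a and got_b else "failed"


def scenario(same_nat):
    """Constructed topology: a CentralNode-style public server and two leaves."""
    net = Network()
    server = Host(("203.0.113.10", 655))
    nat1 = AddressRestrictedNat("198.51.100.1")
    nat2 = nat1 if same_nat else AddressRestrictedNat("198.51.100.2")
    leaf1 = Host(("192.168.1.10", 655), nat1)
    leaf2 = Host(("192.168.1.11", 655) if same_nat else ("192.168.2.10", 655), nat2)
    for h in (server, leaf1, leaf2):
        net.hosts[h.addr] = h
    for n in (nat1, nat2):
        net.nats[n.public_ip] = n
    return net, server, leaf1, leaf2


def run(same_nat):
    net, server, a, b = scenario(same_nat)
    info_a, info_b = rendezvous(net, server, a, b)
    return connect(net, a, b, info_a, info_b), net.log


if __name__ == "__main__":
    for same in (False, True):
        outcome, log = run(same)
        print(f"same_nat={same}: {outcome}")
        print("\n".join("  " + line for line in log))
```

Two caveats the model makes visible: the retry after the dropped first packet is
not optional, so a real puncher keeps sending until it sees traffic back; and the
exchange only works because an address-restricted cone NAT reuses one public
port for every destination. A symmetric NAT allocates a fresh port per
destination, so the endpoint the server observed is useless to the other peer
and this technique fails there.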

