Automatic configuration of direct routes behind NAT

Pedro Côrte-Real pedro at pedrocr.net
Wed Feb 22 18:49:26 CET 2012


On Wed, Feb 22, 2012 at 4:42 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> The automatic connections are happening, however using the IP addresses as seen
> by the peers, not as read from the host config files. In fact, you only need to
> have the host config files of the nodes you have a ConnectTo to. Information
> about all the other nodes is spread around using tinc's protocol. The blog post
> you referred to is correct :)

So right now the peers will try to connect to each other through
whatever IP addresses the central node has seen. If the IPs are public
those are directly routed to the hosts and it works fine. If the IPs
are NATed and the edge router also has port forwarding set up into the
leaf node it works fine as well.

Now if both leaves are behind the same NAT the central node sees the
same address for both and they will both try to connect through the
same (their own) NAT router. If you configure them on different ports
and do individual port forwards it would work but in an inefficient
way because all the packets would be going Leaf1->NATRouter->Leaf2.
The 5 steps I had summarized before would solve this with step 2,
getting to Leaf1->Leaf2 directly and not requiring the port forward at
all.

BTW, a tinc that does this would be a great way to get reliable SIP
service across networks. You'd always have the same addresses but be
routed either directly or forwarded depending on the network. An
Android phone doing this would be awesome.

Cheers,

Pedro
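The two situations the post contrasts (peers using only the address the central node saw, versus also comparing observed addresses and exchanging LAN addresses so two leaves behind one NAT reach each other directly) can be illustrated with a small model. This is an added example, not tinc's code or the poster's "5 steps"; the topology, the `Leaf`/`Route` types and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Leaf:
    name: str
    local_addr: str     # address on the leaf's own interface
    observed_addr: str  # source address the central node saw this leaf come from


@dataclass(frozen=True)
class Route:
    dest_addr: str      # address the source leaf will send to
    hops: tuple         # path the packets take, e.g. ("Leaf1", "NATRouter", "Leaf2")


def naive_route(src: Leaf, dst: Leaf) -> Route:
    """Peers only use the address the central node saw (the behaviour described
    in the post). A public destination is reached directly; a NATed destination
    is reached through its NAT router and needs a port forward there."""
    if dst.observed_addr == dst.local_addr:
        return Route(dst.observed_addr, (src.name, dst.name))
    return Route(dst.observed_addr, (src.name, "NATRouter", dst.name))


def same_nat(a: Leaf, b: Leaf) -> bool:
    """Two NATed leaves that the central node sees at the same address
    are behind the same NAT router (assumption of this model)."""
    return (a.observed_addr == b.observed_addr
            and a.observed_addr != a.local_addr
            and b.observed_addr != b.local_addr)


def improved_route(src: Leaf, dst: Leaf) -> Route:
    """If both leaves share a NAT, talk to the peer's LAN address directly
    (Leaf1->Leaf2), no port forward needed; otherwise fall back to the
    central node's view of the peer."""
    if same_nat(src, dst):
        return Route(dst.local_addr, (src.name, dst.name))
    return naive_route(src, dst)


# Constructed sample topology: Leaf1 and Leaf2 sit behind one NAT (203.0.113.5),
# Leaf3 and the central node have public addresses.
CENTRAL = Leaf("Central", "198.51.100.1", "198.51.100.1")
LEAF1 = Leaf("Leaf1", "192.168.1.10", "203.0.113.5")
LEAF2 = Leaf("Leaf2", "192.168.1.11", "203.0.113.5")
LEAF3 = Leaf("Leaf3", "192.0.2.7", "192.0.2.7")


if __name__ == "__main__":
    for label, fn in (("naive", naive_route), ("improved", improved_route)):
        for dst in (LEAF2, LEAF3):
            r = fn(LEAF1, dst)
            print(f"{label:8} Leaf1->{dst.name}: send to {r.dest_addr}, path {'->'.join(r.hops)}")
```

With the naive rule Leaf1 sends to 203.0.113.5 and the packets hairpin through the NAT router (and fail without a port forward); the improved rule sends to 192.168.1.11 over the LAN. Peers with public addresses (Leaf3) are handled identically by both rules.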
