LocalDiscovery detecting nodes through tunnel
Lance Fredrickson
lancethepants at gmail.com
Thu Apr 4 16:57:10 CEST 2013
On 4/4/2013 5:40 AM, Dominik George wrote:
> Hi,
>
> I have tried the LocalDiscovery feature of tinc.
>
> The problem is that it also sends broadcast probes out the VPN interface
> *and* detects nodes on the VPN. A connection is then established through
> the tunnel, which effectively breaks connectivity between the two nodes.
>
> I do not think that discovering hosts on the VPN makes sense in any way.
> How can it be disabled?
>
> I could easily netfilter those packets out on the tunnel interface, but
> this is only feasible on some of my nodes due to platform restrictions
> (ever tried to use iptables in a useful way on Android without going
> nuts?).
>
> Cheers,
> Nik
>
It sounds from your post like you must be using 'tap' mode, since you talk
of broadcasts over the VPN. I would imagine there wouldn't be such
issues if running in 'tun' mode.
I'm not sure if tinc could be programmed not to originate broadcasts on the
VPN interface, but that's just one of the drawbacks to running 'tap'
mode I suppose. I recall that patches to block broadcasts using OpenVPN
were ready to go, but were rejected because it was outside of its basic
functionality and responsibility.
I used to run tap, and had quite an impressive list of ebtables rules to
block DHCP, UPnP, NAT-PMP and other such broadcast protocols (I run tinc
on a small cluster of routers). I eventually found my needs didn't
really require a 'tap' connection (or the overhead) and now run with
tun. If I do need a tap connection, I use OpenVPN to VPN into the
specific location (and also have it push my tinc routes too). Hopefully
I'm not too far off base here :-)
Lance
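The netfilter approach Nik mentions, and the list of broadcast protocols Lance used to block on a tap VPN, as an added example (not from the tinc project or from either poster). It assumes a Linux node, a tinc 'tap' interface with the hypothetical name vpn0, and that LocalDiscovery probes are UDP packets to a broadcast address on tinc's UDP port (default 655). The rules drop those probes in both directions on the tunnel interface so a node never "discovers" a peer through the VPN, and silence DHCP, SSDP (UPnP) and NAT-PMP on the same interface. By default the script only prints the iptables commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not part of the original thread or of tinc itself.
# Assumptions: tap-mode tinc on interface $VPN_IF (hypothetical "vpn0"),
# LocalDiscovery probes on tinc's UDP port ($TINC_PORT, default 655),
# and plain iptables on the node. If the tap device is enslaved to a
# bridge, INPUT/OUTPUT will not see bridged frames; use ebtables (or the
# FORWARD chain with br_netfilter) instead.

VPN_IF="${VPN_IF:-vpn0}"       # assumed interface name
TINC_PORT="${TINC_PORT:-655}"  # tinc's default port; adjust if changed

# Print (DRY_RUN=1, the default) or apply (DRY_RUN=0) one iptables rule.
rule() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install the same four drop rules on INPUT (-i) and OUTPUT (-o) for the
# tunnel interface; eight rules in total.
tap_broadcast_rules() {
    for chain_if in "INPUT -i" "OUTPUT -o"; do
        set -- $chain_if
        chain="$1"; dir="$2"
        # tinc LocalDiscovery: UDP to a broadcast address on the tinc port.
        # addrtype BROADCAST matches 255.255.255.255 and subnet broadcasts.
        rule -A "$chain" "$dir" "$VPN_IF" -p udp --dport "$TINC_PORT" \
             -m addrtype --dst-type BROADCAST -j DROP
        # DHCP (server and client ports)
        rule -A "$chain" "$dir" "$VPN_IF" -p udp --dport 67:68 -j DROP
        # UPnP SSDP discovery (multicast group 239.255.255.250)
        rule -A "$chain" "$dir" "$VPN_IF" -p udp -d 239.255.255.250 \
             --dport 1900 -j DROP
        # NAT-PMP
        rule -A "$chain" "$dir" "$VPN_IF" -p udp --dport 5351 -j DROP
    done
}

# Usage: DRY_RUN=1 VPN_IF=vpn0 sh thisscript.sh  (print rules)
#        DRY_RUN=0 VPN_IF=vpn0 sh thisscript.sh  (apply, as root)
tap_broadcast_rules
```

Blocking the probes only on the tunnel interface leaves LocalDiscovery working on the real LAN, which is the behaviour Nik was after; blocking DHCP and the discovery protocols is only needed in tap mode, since those are layer-2 broadcasts that a tun (routed) interface does not carry in the same way.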