Large sites

Mike C smith.not.western at gmail.com
Fri Feb 22 15:58:09 CET 2013


Hi,

I am looking at networking together about 1000-2000 sites across the
country. I've been looking through these mailing lists. Saw the thread
from the person who had 1000+ running on Amazon, and how they
essentially stripped all security out of it. Also know that the
ChaosVPN uses tinc, for at least 130+ sites although I'm a bit fuzzy
on the details for it.

Are there any other cases of very large VPNs? Are there any pitfalls,
tricks or special settings required for such large numbers? I was
thinking of simulating an environment using Amazon, but looks like
Amazon may not be the best to use for a test bed.

I have read elsewhere on this list that tincd isn't multi-threaded and
to get the most out of a multi-core server you should split the VPN
into smaller VPNs. Is this still the case and if so, are there any
reasons that would prevent it being made multi-threaded?

In my case, the majority of the traffic will ultimately reach 1
location/datacentre. So hub-and-spoke model. There's no need for
meshing between sites, except for maybe between the hub(s) themselves.
IPSec doesn't work so well, given problems with NAT (even with NAT-T)
- which is where tinc comes in. The hub itself is unfortunately NAT'd,
and so are most of the remote sites, so I am trying to think of
alternative approaches. Thinking tinc could be used as an intermediary
between the dc and the remote sites. E.g.

Datacentre <--> intermediary tinc server on non-NAT public IP <--> remote sites.

In fact I was thinking of running multiple intermediary tinc servers,
to provide some form of redundancy if one failed (using the Subnet
#weight setting).

Any and all advice much appreciated,

Regards,

Mike
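One way to lay out the "Datacentre <--> intermediary on a public IP <--> remote sites" design asked about above, written as tinc 1.0 configuration. This is an added example; it is not from the original post, nor from tinc's own documentation. The net name (corp), node names (dc, hub1, hub2, spoke0001), the public addresses (198.51.100.10, 203.0.113.10) and the prefixes (10.0.0.0/16 for the datacentre, one /24 per site out of 10.8.0.0/13) are all assumptions chosen for illustration. The two points it demonstrates are the Subnet weights that make every site prefer hub1 and fall back to hub2, and TunnelServer on the intermediaries, which keeps 2000 spokes from learning about each other and, because it implies StrictSubnets, stops a single compromised site from announcing the datacentre prefix and pulling traffic towards itself.

```ini
# Added example (not from the original post, not tinc's own docs).
# Assumed names/addresses: net "corp"; dc behind NAT with LAN 10.0.0.0/16;
# hub1 198.51.100.10 and hub2 203.0.113.10 on public IPs; NAT'd spokes
# spoke0001..spoke2000, each owning one /24 out of 10.8.0.0/13
# (spoke0001 = 10.8.1.0/24). Every node runs "tincd -n corp -K" once, which
# appends its public key to its own hosts/<Name> file; the key blocks
# below are placeholders for those generated keys.

# ===== hub1: /etc/tinc/corp/tinc.conf (hub2 identical, Name = hub2) =====
Name = hub1
Mode = router            # default: forward on the announced Subnets
Device = /dev/net/tun    # default on Linux
# Do not relay node/subnet information between the spokes and dc. A spoke
# then only learns about hub1 and hub2, not about the other ~2000 sites, so
# the full table exists on the hubs only. TunnelServer also admits only
# peers whose host file is present locally and implies StrictSubnets: a
# Subnet a spoke announces is ignored unless hosts/<spoke> here says the same.
TunnelServer = yes
# No ConnectTo: the hubs only take inbound connections.

# ===== hosts/hub1: present on hub1, hub2, dc and every spoke =====
Address = 198.51.100.10
Port = 655
# Packets sent to hub1 use these instead of the 1.0 defaults (blowfish/sha1).
Cipher = aes-256-cbc
Digest = sha256
# Aggregates with an explicit weight. Lowest weight wins; when that node is
# unreachable tinc moves on to the next match. Spokes and dc see no other
# routes, so they hand traffic to hub1, or to hub2 once hub1 is gone.
Subnet = 10.0.0.0/16#100
Subnet = 10.8.0.0/13#100
-----BEGIN RSA PUBLIC KEY-----
(placeholder: hub1's key as written by "tincd -n corp -K")
-----END RSA PUBLIC KEY-----

# ===== hosts/hub2: as hosts/hub1, but less preferred =====
Address = 203.0.113.10
Port = 655
Cipher = aes-256-cbc
Digest = sha256
Subnet = 10.0.0.0/16#200
Subnet = 10.8.0.0/13#200
-----BEGIN RSA PUBLIC KEY-----
(placeholder: hub2's key)
-----END RSA PUBLIC KEY-----

# ===== dc: /etc/tinc/corp/tinc.conf =====
Name = dc
ConnectTo = hub1
ConnectTo = hub2

# ===== hosts/dc: present on dc, hub1 and hub2 only =====
# No Address line: dc is NAT'd and only makes outbound connections. The
# default weight (10) beats the hubs' 100/200, so on a hub the real owner
# wins over the hub's own aggregate for the same prefix.
Subnet = 10.0.0.0/16
-----BEGIN RSA PUBLIC KEY-----
(placeholder: dc's key)
-----END RSA PUBLIC KEY-----

# ===== spoke0001: /etc/tinc/corp/tinc.conf =====
Name = spoke0001
# Outbound meta connections to both intermediaries, kept up at all times so
# a hub failure needs no reconnect. Which hub carries the traffic is decided
# by the Subnet weights above, not by ConnectTo order.
ConnectTo = hub1
ConnectTo = hub2
# Only honour routes that also appear in the local hosts/ files (hub1, hub2).
StrictSubnets = yes

# ===== hosts/spoke0001: present on spoke0001, hub1 and hub2 =====
# The hubs need this file because TunnelServer only admits known nodes. The
# /24 is more specific than the hubs' /13, so on a hub it wins for traffic
# headed to this site.
Subnet = 10.8.1.0/24
-----BEGIN RSA PUBLIC KEY-----
(placeholder: spoke0001's key)
-----END RSA PUBLIC KEY-----

# ===== spoke0001: /etc/tinc/corp/tinc-up (kernel side of the routes) =====
#!/bin/sh
# tinc only picks which node a packet goes to; the kernel must first send
# datacentre-bound traffic into the tinc interface. 10.8.1.254 is assumed
# to be a spare address from this site's /24, used as the source for
# packets the spoke itself originates.
ip link set "$INTERFACE" up
ip addr add 10.8.1.254/32 dev "$INTERFACE"
ip route add 10.0.0.0/16 dev "$INTERFACE"
```

Distribution is asymmetric: each spoke carries three host files (its own, hub1, hub2), while each hub carries all ~2000 spoke files plus dc, and a site cannot join until its file is on the hubs, which is what makes the hubs the admission point. The hubs' tinc-up scripts need the mirror-image routes (10.0.0.0/16 and 10.8.0.0/13 into the tinc interface) and dc's needs 10.8.0.0/13. If a site's NAT will not pass tinc's UDP, `TCPOnly = yes` in that site's copies of hosts/hub1 and hosts/hub2 forces its data over the TCP meta connection at a throughput cost.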

