"HA", i.e. two linked tincds on the same ethernet segment

Guus Sliepen guus at tinc-vpn.org
Wed Aug 17 10:39:03 CEST 2016


On Wed, Aug 17, 2016 at 12:32:35AM +0200, hvjunk wrote:

> Currently using tinc 1.0.24 on Debian 8.x, OVH datacentre, two servers on the same vRack (i.e. internal ethernet bridge/switched together).
> 
> I’m wanting to get a remote server connected to both of the two OVH servers for fail-over reasons, but having access via both to the shared vRack segment in switch mode. Thereby essentially I’m creating an ethernet loop…
> 
> 
> -----------------vRack
>    |         |
> Server1   Server2
>    |         |
>   RemoteServer
> 
> tinc creates a tun/tap on Server1 & Server2. This then connects to an OpenVSwitch bridge/switch that has, on both servers, the eth1 interface as a port to that bridge/switch.
> 
> Questions:
> 
> 1) Does tinc support some STP to pick up this type of loop and block one interface/link?
>  I guess not, especially after looking at Broadcast = no|direct|mst

No, tinc only guarantees that within the tinc VPN itself there are no
loops. However, if OpenVSwitch supports STP, then you should just enable
that, and then everything should be loop-free. However, I suspect that
in that case, it will let everything be forwarded via tinc instead of
the local network, which is not what you want.

> Yes, I might have a very corner-case need which I am doing as a temporary solution while waiting for the right solution, but the question then gets raised:
> 
> 2) Is there anybody that did any type of HA for tinc when the one daemon fails to connect to the other or vice versa?
> (I guess my next stop will be something like the Linux HA if I really want this, else I’ll just have to manually switch between the two servers, or switch one off while the other is on…)

Yes, I've used that kind of setup myself. Normally it works fine, but
then again I never had your situation where there is a potential loop.

What you can try is to set "Forwarding = kernel" in RemoteServer's
tinc.conf. This way, it will not internally forward packets from Server1 to
Server2, but rather lets everything go via the tap device. Then you can
use iptables to deny unwanted traffic.

What you can also do, if there are not more nodes on the network, is to
give Server1 and Server2 an identical tinc setup (same Name and
public/private keypair). Then on RemoteServer, just have ConnectTo =
server, and have both the Addresses from Server1 and Server2 in
hosts/Server. That way, RemoteServer only connects to one of them at a
time.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
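The two setups Guus describes above (RemoteServer with "Forwarding = kernel", and Server1/Server2 sharing one tinc identity with both addresses listed in hosts/Server), laid out as an added example. This script is not part of the thread and not tinc's own code; the network name "vrack", the host names and the 192.0.2.x addresses are constructed assumptions, and key generation is left to "tincd -K" on the real machines.

```shell
#!/bin/sh
# Added example, not from the original thread and not tinc's own code.
# Lays out the tinc 1.0 configuration Guus describes:
#   - Server1 and Server2 run one shared identity ("Server": same Name,
#     same keypair), so RemoteServer cannot tell them apart;
#   - RemoteServer uses "ConnectTo = Server", and hosts/Server lists both
#     OVH addresses, which tinc 1.0 tries in order until one answers;
#   - RemoteServer sets "Forwarding = kernel", so traffic it receives from
#     one server goes to its tap device instead of being relayed to the
#     other server inside tinc; iptables on RemoteServer can then filter it.
# Network name, host names and addresses are constructed assumptions.
set -eu

NETNAME="${NETNAME:-vrack}"                  # assumed network name
SERVER1_ADDR="${SERVER1_ADDR:-192.0.2.11}"   # constructed (RFC 5737 range)
SERVER2_ADDR="${SERVER2_ADDR:-192.0.2.12}"   # constructed (RFC 5737 range)

# Tree that goes to /etc/tinc/$NETNAME on BOTH Server1 and Server2.
# Generate the keypair once ("tincd -n $NETNAME -K" writes rsa_key.priv and
# appends the public key to hosts/Server), then copy the whole directory to
# the second server unchanged, so the two daemons are indistinguishable.
write_shared_server_tree() {
    d="$1/Server/$NETNAME"
    mkdir -p "$d/hosts"
    cat >"$d/tinc.conf" <<EOF
Name = Server
Mode = switch
Interface = tinc0
EOF
    # No ConnectTo here: RemoteServer is the one dialling in.
    # Both addresses in one host file; tinc 1.0 tries them in order.
    cat >"$d/hosts/Server" <<EOF
Address = $SERVER1_ADDR
Address = $SERVER2_ADDR
EOF
}

# Tree that goes to /etc/tinc/$NETNAME on RemoteServer. hosts/Server must be
# the same file as on the OVH servers (public key included), so it is copied
# from the shared tree rather than written again. RemoteServer's own
# hosts/RemoteServer (created by "tincd -K") must in turn be copied to both
# OVH servers so they accept its connection.
write_remote_tree() {
    d="$1/RemoteServer/$NETNAME"
    mkdir -p "$d/hosts"
    cat >"$d/tinc.conf" <<EOF
Name = RemoteServer
Mode = switch
Interface = tinc0
Forwarding = kernel
ConnectTo = Server
EOF
    cp "$1/Server/$NETNAME/hosts/Server" "$d/hosts/Server"
}

# Returns 0 when the layout matches the intended fail-over setup.
check_layout() {
    r="$1"
    [ "$(grep -c '^Address = ' "$r/RemoteServer/$NETNAME/hosts/Server")" -eq 2 ] || return 1
    grep -q '^Forwarding = kernel$' "$r/RemoteServer/$NETNAME/tinc.conf" || return 1
    grep -q '^ConnectTo = Server$' "$r/RemoteServer/$NETNAME/tinc.conf" || return 1
    grep -q '^Name = Server$' "$r/Server/$NETNAME/tinc.conf" || return 1
    # The two OVH servers present one identity: no per-server host files.
    [ ! -e "$r/Server/$NETNAME/hosts/Server1" ] || return 1
    [ ! -e "$r/Server/$NETNAME/hosts/Server2" ] || return 1
    return 0
}

# Usage: sh tinc-ha-layout.sh [output-dir]; defaults to a temporary directory.
# Copy <output-dir>/Server/$NETNAME to /etc/tinc/$NETNAME on Server1 and
# Server2, and <output-dir>/RemoteServer/$NETNAME to RemoteServer.
ROOT="${1:-$(mktemp -d)}"
write_shared_server_tree "$ROOT"
write_remote_tree "$ROOT"
check_layout "$ROOT" && echo "tinc HA layout written under $ROOT"
```

With this layout RemoteServer holds a single connection to "Server" at any time; if the server it is talking to dies, tinc reconnects and works through the Address list again, so the other OVH server picks the session up without any change on RemoteServer. Whether that is enough depends on the loop question from the first part of the reply: the shared vRack is still bridged on both OVH servers, so the OpenVSwitch STP point above still applies.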