Advertising a Public IP address

Guus Sliepen guus at tinc-vpn.org
Mon May 22 21:02:17 CEST 2017


On Mon, May 22, 2017 at 11:03:30AM +0200, Keith Whyte wrote:

> I have two tinc nodes (A and B) behind a firewall
> 
> NodeA and NodeB have 192.168.1.2 and 192.168.1.3 assigned on an internal
> LAN, and they both have different public IP addresses forwarded to them,
> port 655 udp/tcp
> 
> I would like any given node in the C-Z group to be able to find Node B
> on its public IP and therefore not forward via NodeA, but I would like
> to be able to do this without having to distribute NodeB's host key file
> with an Address = line to every node in the C-Z group.
[...]
> Node B is reachable on the public IP from the LAN (NAT reflection is in
> operation)

The problem is getting the information about NodeB's public IP address
to the other nodes. Since you have NAT reflection working, the easiest
way is for NodeA and NodeB to connect to each other using their public
IP addresses. This will cause these addresses to propagate to the other
nodes.

> Right now, if I ask any node in C-Z for
> 
> info NodeB
> 
> I get:
> 
> Address: 192.168.1.3 port 655
> Reachability: none, forwarded via NodeA

The info command gives the address that is currently selected by the
local node for communication with NodeB. However, tinc might know more
than one address. You can do:

tinc -n <netname> dump edges | grep 'to NodeB'

The "at" addresses are the externally visible addresses for NodeB.
Recent versions of tinc 1.1 however also report their own local address.
You can find the local addresses of NodeB using:

tinc -n <netname> dump edges | grep '^NodeB'

And looking at the address after "local". Since you enabled
LocalDiscovery in NodeB's tinc.conf, it will likely pick NodeA's
local address for direct UDP communication with it, which is more
efficient than using NAT reflection.

But you have to make a connection between NodeA and NodeB using their
public IP addresses, otherwise they themselves will not know they have
those, and will only tell the other nodes about their local addresses.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
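As an added example (not code from the tinc project or from this thread), the following POSIX shell script applies the two checks above offline: it pulls the "at" addresses and the "local" addresses for one node out of `tinc -n <netname> dump edges` output and flags the case Keith describes, where every address other nodes see NodeB "at" is a private one, so the public IP is not being advertised. It assumes the tinc 1.1 edge line format implied by the reply (`FROM to TO at ADDR port PORT local LADDR port LPORT ...`); the two sets of sample edge lines, the node names and the 203.0.113.x / 192.168.1.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the tinc project or the mailing-list post.
# Reports, for one tinc node, the addresses other nodes see it "at" and the
# addresses it reports as "local", then says whether any "at" address is
# public. Assumed line format (tinc 1.1 "dump edges", as referred to in the
# reply; the "local" part may be absent on edges from older nodes):
#   FROM to TO at ADDR port PORT local LADDR port LPORT options X weight W

# Constructed sample: NodeA and NodeB meet over the LAN, so only their
# 192.168.1.x addresses propagate (the situation described in the thread).
SAMPLE_EDGES='NodeA to NodeB at 192.168.1.3 port 655 local 192.168.1.2 port 655 options c weight 10
NodeB to NodeA at 192.168.1.2 port 655 local 192.168.1.3 port 655 options c weight 10
NodeC to NodeA at 203.0.113.10 port 655 local 10.9.8.7 port 655 options c weight 10
NodeA to NodeC at 198.51.100.20 port 655 local 192.168.1.2 port 655 options c weight 10'

# Constructed sample after the fix: NodeA and NodeB connect to each other
# via their public IPs (NAT reflection), so the public addresses propagate.
SAMPLE_EDGES_FIXED='NodeA to NodeB at 203.0.113.11 port 655 local 192.168.1.2 port 655 options c weight 10
NodeB to NodeA at 203.0.113.10 port 655 local 192.168.1.3 port 655 options c weight 10
NodeC to NodeA at 203.0.113.10 port 655 local 10.9.8.7 port 655 options c weight 10'

# at_addrs NODE EDGES: unique addresses other nodes see NODE "at", one per line.
at_addrs() {
    printf '%s\n' "$2" | awk -v node="$1" '$3 == node && $4 == "at" { print $5 }' | sort -u
}

# local_addrs NODE EDGES: unique addresses NODE itself reports as "local".
local_addrs() {
    printf '%s\n' "$2" | awk -v node="$1" '
        $1 == node { for (i = 1; i < NF; i++) if ($i == "local") print $(i + 1) }' | sort -u
}

# is_private ADDR: exit 0 for an RFC 1918 IPv4 address, 1 otherwise.
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# public_status NODE EDGES: "advertised" if at least one "at" address of NODE
# is public, "not-advertised" otherwise (the failure mode from the thread).
public_status() {
    for a in $(at_addrs "$1" "$2"); do
        is_private "$a" || { echo advertised; return 0; }
    done
    echo not-advertised
}

# Usage: ./check-edges.sh <netname> <node>  (uses live tinc output if present)
# With no arguments, or without tinc installed, the constructed sample is used.
if [ "$#" -ge 2 ] && command -v tinc >/dev/null 2>&1; then
    EDGES=$(tinc -n "$1" dump edges)
    TARGET=$2
else
    EDGES=$SAMPLE_EDGES
    TARGET=NodeB
fi
echo "$TARGET at:     $(at_addrs "$TARGET" "$EDGES" | tr '\n' ' ')"
echo "$TARGET local:  $(local_addrs "$TARGET" "$EDGES" | tr '\n' ' ')"
echo "$TARGET public: $(public_status "$TARGET" "$EDGES")"
```

Run against a live network as `./check-edges.sh <netname> NodeB`; "not-advertised" means the other nodes only know NodeB by its LAN address, which is exactly what Guus says happens until NodeA and NodeB connect to each other via their public IPs.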