iproute2 problems

Robert Horgan robert at nsasia.co.th
Thu Jun 14 09:21:51 CEST 2018


Thanks everyone for your help.  The VPN is now up and running and whilst I understand the change that enabled it, I do not understand the logic of why.




On my primary server (#db1), which the other nodes were set to connect to first, I had the following filters:




     To                         Action      From
     --                         ------      ----
1    Anywhere on eth1           ALLOW       10.130.55.248    655/udp      #web2
2    Anywhere on eth1           ALLOW       10.130.17.192    655/udp      #web3
3    Anywhere on eth1           ALLOW       10.130.36.58     655/udp      #web1
4    Anywhere on eth1           ALLOW       10.130.69.123    655/udp      #db2
5    Anywhere                   ALLOW       10.0.0.0/24





(eth1 is the interface to the private network at DigitalOcean having a /16 network)




Three servers could establish a Tinc VPN without issue.  No problems with certificates of connections.




After adding a new rule:

6    Anywhere                   ALLOW       10.130.17.192

(i.e. a more open rule than Rule 2 above), I was able to immediately connect between the last server on the 10.0.0.0/24 network.




I don't suggest this problem ended up having anything to do with Tinc, and so really appreciate the time and effort of the responses received.  If anyone could explain the why of the above I would appreciate adding to my learning.





regards

Robert





>>> Rafael Wolf <rfwolf at gmail.com> 13-Jun-18 11:01 PM >>>

 

You know I think I've seen this once before.



Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 








It looks like it's communicating properly but there is a problem with your keys.




Can you rename and regenerate your keys?




On a project I'm working on, when we transferred our keys to another client it put carriage returns in, so there was a key mismatch.




Try that and see what happens!




Make sure your keys match exactly.
















On Wed, Jun 13, 2018, 6:48 AM Robert Horgan <robert at nsasia.co.th> wrote:





Yes, I am sure but added another broader rule:

nsasia at db1:~$ sudo ufw allow from any port 655 proto udp

same result for debug example.





regards

Robert





>>> Rafael Wolf <rfwolf at gmail.com> 13-Jun-18 5:32 PM >>>

 
Telnet will only do TCP, not UDP, which is what tinc works on. Are you sure UDP 655 is open?










On Wed, Jun 13, 2018, 3:51 AM Robert Horgan <robert at nsasia.co.th> wrote:





Hi, 




> Are you sure? What happens if you manually telnet/socket 10.130.39.180




nsasia at web3:~$ telnet 10.130.39.180 655
Trying 10.130.39.180...
Connected to 10.130.39.180.
Escape character is '^]'.
0 db1 17
Connection closed by foreign host.




Stopping the service and running debug I get:




nsasia at web3:~$ sudo tincd -n gainplus -d5 -D
tincd 1.0.33 starting, debug level 5
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 10.130.69.123 port 655
Ready
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 5 seconds
Purging unreachable nodes
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 10 seconds
Purging unreachable nodes
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 15 seconds
Purging unreachable nodes
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 20 seconds
Purging unreachable nodes
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 25 seconds
Purging unreachable nodes
Trying to connect to db1 (10.130.39.180 port 655)
Connected to db1 (10.130.39.180 port 655)
Sending ID to db1 (10.130.39.180 port 655): 0 web3 17
Sending 10 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 10 bytes to db1 (10.130.39.180 port 655)
Got ID from db1 (10.130.39.180 port 655): 0 db1 17
Sending METAKEY to db1 (10.130.39.180 port 655)
Sending 1039 bytes of metadata to db1 (10.130.39.180 port 655)
Flushing 1039 bytes to db1 (10.130.39.180 port 655)
Connection closed by db1 (10.130.39.180 port 655)
Closing connection with db1 (10.130.39.180 port 655)
Could not set up a meta connection to db1
Trying to re-establish outgoing connection in 30 seconds
Purging unreachable nodes






regards

Robert





>>> Guus Sliepen <guus at tinc-vpn.org> 12-Jun-18 10:10 PM >>>


On Tue, Jun 12, 2018 at 05:11:44PM +0700, Robert Horgan wrote:




> Trying to connect to db1 (10.130.39.180 port 655)

> Timeout from db1 (10.130.39.180 port 655) during authentication

> Could not set up a meta connection to db1




That means it tried to connect to db1 but either the TCP connection itself did not work out, or there was indeed a timeout during authentication. However, the "timeout during authentication" will also appear if the initial TCP connection timed out.




> db1 firewall is OK (existing tinc traffic connecting and PF rule for this server in place) and I wonder whether the message 




Are you sure? What happens if you manually telnet/socket 10.130.39.180 655 from web3?




-- 

Met vriendelijke groet / with kind regards,

Guus Sliepen <guus at tinc-vpn.org>
_______________________________________________
 tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
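A note and an added example from the editor; neither is part of the thread or of the tinc or ufw projects. In ufw's rule grammar, "allow from ADDR port N proto P" matches the source port, and "ufw status" shows such a rule with the port in the From column, which is exactly how the five rules at the top of the thread read ("10.130.17.192 655/udp"). A destination-port rule is written "allow from ADDR to any port N proto P" and shows the port in the To column ("655/tcp"). tincd sends its UDP data from the same port it listens on, so the original rules match that traffic, whereas a TCP meta connection arrives from an ephemeral source port and is matched by none of them; rule 6, with no port or protocol at all, matches everything from 10.130.17.192. Whether that is the whole story in this thread is not settled by it (the telnet test from web3 to TCP 655 did connect), so treat it as the editor's reading. The script below parses "ufw status numbered"-style lines and reports which ALLOW rule first matches a packet described by source address, protocol, source port and destination port. The rule lines are constructed from Robert's table; rule 7 is a hypothetical destination-port rule added for contrast.

```shell
#!/bin/sh
# Added example for this page (editor's code, not from the thread or the
# tinc/ufw projects). Parses "ufw status numbered"-style lines and answers
# "which ALLOW rule first matches this packet?", so that the source-port
# rules in the thread can be compared with a destination-port rule.

# Constructed input, modelled on the rules posted in the thread.
RULES_BEFORE='1    Anywhere on eth1        ALLOW       10.130.55.248    655/udp
2    Anywhere on eth1        ALLOW       10.130.17.192    655/udp
3    Anywhere on eth1        ALLOW       10.130.36.58     655/udp
4    Anywhere on eth1        ALLOW       10.130.69.123    655/udp
5    Anywhere                ALLOW       10.0.0.0/24'
# The broader rule that was added later in the thread.
RULES_AFTER="$RULES_BEFORE
6    Anywhere                ALLOW       10.130.17.192"
# Hypothetical rule (not in the thread), as ufw would display
#   ufw allow in on eth1 from 10.130.17.192 to any port 655 proto tcp
RULE_DPORT='7    655/tcp on eth1         ALLOW       10.130.17.192'

ip2int() {
  # dotted quad -> 32-bit integer, pure POSIX sh
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
  # in_cidr IP CIDR -> true if IP lies in CIDR; "Anywhere" matches everything
  [ "$2" = Anywhere ] && return 0
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

parse_rule() {
  # Split one status line into R_* variables.
  # Layout: [NUM]  TO [on IFACE]  ACTION [IN|OUT]  FROM [PORT/PROTO]
  # A port on the To side is a destination port; a port after the From
  # address is a SOURCE port (ufw "from ADDR port N").
  set -- $(printf '%s\n' "$1" | tr -d '[]')
  R_ACTION=skip                      # header, blank and malformed lines are skipped
  [ $# -ge 4 ] || return 0
  R_NUM=$1; R_TO=$2; shift 2
  R_IFACE=any
  if [ "$1" = on ]; then
    [ $# -ge 4 ] || return 0
    R_IFACE=$2; shift 2
  fi
  R_ACTION=$1; shift
  if [ "$1" = IN ] || [ "$1" = OUT ]; then
    [ $# -ge 2 ] || { R_ACTION=skip; return 0; }
    shift
  fi
  R_FROM=$1; shift
  R_SPORT=any; R_SPROTO=any; R_DPORT=any; R_DPROTO=any
  case ${1:-} in */*) R_SPORT=${1%/*}; R_SPROTO=${1#*/} ;; esac
  case $R_TO in */*) R_DPORT=${R_TO%/*}; R_DPROTO=${R_TO#*/}; R_TO=Anywhere ;; esac
}

explain_rule() {
  # explain_rule LINE -> one-line reading of which side each port constrains
  parse_rule "$1"
  echo "rule $R_NUM: $R_ACTION src=$R_FROM sport=$R_SPORT/$R_SPROTO dst=$R_TO dport=$R_DPORT/$R_DPROTO iface=$R_IFACE"
}

rule_matches() {
  # rule_matches SRC_IP PROTO SPORT DPORT, using the R_* set by parse_rule
  in_cidr "$1" "$R_FROM" || return 1
  for p in "$R_SPROTO" "$R_DPROTO"; do
    [ "$p" = any ] || [ "$p" = "$2" ] || return 1
  done
  [ "$R_SPORT" = any ] || [ "$R_SPORT" = "$3" ] || return 1
  [ "$R_DPORT" = any ] || [ "$R_DPORT" = "$4" ] || return 1
}

first_matching_rule() {
  # first_matching_rule SRC_IP PROTO SPORT DPORT  (rule lines on stdin)
  # Prints the number of the first ALLOW rule that matches, or "none".
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    parse_rule "$line"
    [ "$R_ACTION" = ALLOW ] || continue
    if rule_matches "$1" "$2" "$3" "$4"; then echo "$R_NUM"; return 0; fi
  done
  echo none
}

# Demo: read the rules back, then try the two flows tinc needs from web3.
printf '%s\n' "$RULES_AFTER" "$RULE_DPORT" | while IFS= read -r line; do explain_rule "$line"; done
echo "UDP data, sport 655 -> dport 655, before rule 6: $(printf '%s\n' "$RULES_BEFORE" | first_matching_rule 10.130.17.192 udp 655 655)"
echo "TCP meta, sport 41234 -> dport 655, before rule 6: $(printf '%s\n' "$RULES_BEFORE" | first_matching_rule 10.130.17.192 tcp 41234 655)"
echo "TCP meta, sport 41234 -> dport 655, after rule 6:  $(printf '%s\n' "$RULES_AFTER" | first_matching_rule 10.130.17.192 tcp 41234 655)"
echo "TCP meta, sport 41234 -> dport 655, with rule 7:   $(printf '%s\n' "$RULE_DPORT" | first_matching_rule 10.130.17.192 tcp 41234 655)"
```

Real output can be fed in directly ("sudo ufw status numbered | first_matching_rule 10.130.17.192 tcp 41234 655"); the bracketed rule numbers, the "ALLOW IN" form and the header lines are handled. The matcher models only what a status line shows: source address or CIDR, optional port/proto on either side, optional interface, and first-match order among ALLOW lines. It does not model the default policy, DENY/REJECT lines or the established-connection tracking that a running firewall applies before these rules, so a "none" here means no listed ALLOW rule covers the packet, not that the kernel would drop it.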