Node to Node UDP Tunnels HOWTO?

Keith Whyte keith at rhizomatica.org
Mon May 14 13:44:54 CEST 2018


Hi all!

I still have never managed to fully wrap my head around how UDP data
tunnels can be established between nodes.

Every time I think I understand it, I see something that confuses me again.


Just now I am seeing the following:

I have nodes A, B + C

A has everybody's keys and host configuration files.

B and C only have A's key, and host config with A's public IP address.

B and C DO NOT have each other's keys. Likewise, B and C both have a
ConnectTo = A configuration directive.

Only A is directly reachable with TCP and UDP on port 655, so there's no
point to adding other ConnectTo Lines as neither B nor C are going to be
directly reachable.

I send some ICMP ping packets from B to C and initially I see, as
expected, the encapsulated tinc packets flow from B -> A and A -> C and
back along that path.

But then, suddenly, I am seeing flow of UDP from B to C on port 655.
Now, I'm not asking about the NAT hole punching here, but rather:

How is this possible if B and C do not have each other's keys? I thought
I understood this before in that somehow the key data is shared over the
meta connection, but then I read that no, each host must have the key of
the other to establish the direct connection. But I am looking at
tcpdump right now in the terminal and seeing the UDP tunnel packets
flowing from B to C.

I am really trying to understand how I can make this situation more
persistent, but it seems so very random.

Even in a case where I would make node B publicly reachable and add the
keys everywhere, without an explicit ConnectTo = B directive on node C,
I still see packets routed via A.

I would really like to know if there's some way to more reliably ensure
that the UDP tunnel would be established from B to C and avoid a
(transcontinental) route via A!

Thank you if you can shed any light on this!

k/

More information about the tinc mailing list