Hi,

Tinc (1.0.24, GNU/Linux) has proven very unreliable under load.

We have several nodes connected, and some of them use another node as default gateway to get a secured internet connection.

Both of these nodes work great and have a stable link when nothing but ping probes pass over the link. However, running a full Debian dist-upgrade, downloading a big mailbox, or just typing quickly in a SSH session can make the Tinc connection break for seconds until it is re-established.

We first thought that this happens on one node because it is backed by a Wifi link, which is horrible for at least UDP, but the behaviour can also be seen on a new node that has a proper ADSL link.

My first idea was to disable UDP between the nodes, but somehow that does not look right.

What hints are there on making Tinc more reliable, especially over slow/unreliable links such as Wifi, which often lose VPN packets?

Cheers,
Nik

--
Dominik George (Vorstandsvorsitzender, Pädagogischer Leiter)
Teckids e.V. - Erkunden, Entdecken, Erfinden.
https://www.teckids.org

On Tue, Oct 28, 2014 at 06:24:02PM +0100, Dominik George wrote:
> Hi,
>
> Tinc (1.0.24, GNU/Linux) has proven very unreliable under load.
>
> We have several nodes connected, and some of them use another node as
> default gateway to get a secured internet connection.
>
> Both of these nodes work great and have a stable link when nothing but
> ping probes pass over the link. However, running a full Debian
> dist-upgrade, downloading a big mailbox, or just typing quickly in a SSH
> session can make the Tinc connection break for seconds until it is
> re-established.

Couldn't this be a PMTU issue? My guess is that Tinc's UDP packets are being silently dropped on the path when they reach a certain size. From my experience, Tinc is generally clever about figuring out the optimal packet size, but you never know.

> We first thought that this happens on one node because it is backed by a
> Wifi link, which is horrible for at least UDP,

TCP packets don't magically escape packet loss. I assume you use TCP inside the tunnel. In that case, if Tinc's UDP packets are dropped by a low-quality wifi link, then TCP *inside* your tunnel will react appropriately.

Baptiste