I have a use case where my tinc.conf ConnectTo can go up to 20+ hosts.

I am planning to automate a periodic cleanup of ConnectTo in the tinc.conf file. The issue is I am not able to figure out which ConnectTo is being used and which are stale, say NOT used in the last 2 to 3 days.

I want to remove those ConnectTo which are no longer actively used. Is it possible to find which ConnectTo are not used?

Thanks,
Anil
On Mon, Jan 12, 2015 at 12:37:24PM +0530, Anil Moris wrote:

> I have a use case where my tinc.conf ConnectTo can go up to 20+ hosts.
>
> I am planning to automate a periodic cleanup of ConnectTo in the tinc.conf
> file. The issue is I am not able to figure out which ConnectTo is being used
> and which are stale, say NOT used in the last 2 to 3 days.
>
> I want to remove those ConnectTo which are no longer actively used.
> Is it possible to find which ConnectTo are not used?

With tinc 1.0.x, that's hard to say. You could add a host-up script to track the last time a node was alive. With tinc 1.1, you can use the "tinc info <node>" command to find out the last time the node went on- or offline. However, both cases do not distinguish between connections made via ConnectTo or via other means.

But most importantly, you don't need to have a ConnectTo line in your tinc.conf for every node in your VPN! Say you have three nodes, A, B and C, and A and B both have ConnectTo C in their tinc.conf, then A and B will learn about each other from C, and will be able to exchange VPN packets directly, without requiring further ConnectTo variables. If you want to keep your configuration static and not have many ConnectTo lines, then the best way is to choose a small number (say 3) of nodes that are most likely to be online, and just have all the nodes ConnectTo those 3 nodes.

In tinc 1.1, this can be fully automated: just add "AutoConnect = yes" to tinc.conf, and then tinc will automatically create meta-connections as necessary.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
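As an added illustration of the host-up approach Guus describes (this is not code from the thread or from the tinc project), the following POSIX sh helpers record a last-seen timestamp per node from a tinc host-up script and list the ConnectTo entries in a tinc.conf whose node has not been seen within N days. The state file path is an assumption; the NODE variable is the one tinc exports to host-up scripts, and, as noted above, this cannot tell a ConnectTo-initiated connection from any other meta-connection.

```shell
#!/bin/sh
# Added example: last-seen tracking for ConnectTo cleanup.
# Assumed state file: one "<node> <epoch>" line per node.
STATE_FILE="${STATE_FILE:-/var/lib/tinc/last-seen}"

# record_seen NODE [EPOCH]
# Call from hosts/host-up as: record_seen "$NODE"
# Replaces any previous entry for NODE with the given (or current) time.
record_seen() {
  node="$1"
  now="${2:-$(date +%s)}"
  tmp="$(mktemp)"
  # drop the old line for this node (grep may match nothing; that is fine)
  { [ -f "$STATE_FILE" ] && grep -v "^$node " "$STATE_FILE" > "$tmp"; } || true
  echo "$node $now" >> "$tmp"
  mv "$tmp" "$STATE_FILE"
}

# stale_connectto TINC_CONF NOW_EPOCH DAYS
# Prints the ConnectTo node names from TINC_CONF that were last seen more
# than DAYS days before NOW_EPOCH. Nodes never seen at all are printed too,
# so review the output before removing anything from the config.
stale_connectto() {
  conf="$1"; now="$2"; days="$3"
  awk -v now="$now" -v days="$days" -v state="$STATE_FILE" '
    BEGIN {
      # load "<node> <epoch>" pairs; a missing state file just yields no entries
      while ((getline line < state) > 0) { split(line, f, " "); seen[f[1]] = f[2] }
    }
    /^[[:space:]]*ConnectTo[[:space:]]*=/ {
      # isolate the node name, dropping the key and any trailing comment
      sub(/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]#].*$/, "")
      if (!($0 in seen) || now - seen[$0] > days * 86400) print
    }' "$conf"
}
```

Run stale_connectto from a cron job and feed its output to whatever edits tinc.conf; keep at least a few always-on hubs out of the removal set so the mesh stays connected.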
Thanks Guus for the quick response. I am using tinc 1.1. If I use AutoConnect = yes, then will it automatically remove connections that are no longer in use?

What are the security issues with 'AutoConnect = yes' I should be worried about? For my use case I might go up to 20 to 30+ tinc hosts connected to a single tinc box.

As per the doc AutoConnect = yes is experimental; I am using it in our production cloud. It would be helpful if we could have more info about AutoConnect = yes in the documentation.

On Mon, Jan 12, 2015 at 5:55 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Mon, Jan 12, 2015 at 12:37:24PM +0530, Anil Moris wrote:
>
> > I have a use case where my tinc.conf ConnectTo can go up to 20+ hosts.
> >
> > I am planning to automate a periodic cleanup of ConnectTo in the tinc.conf
> > file. The issue is I am not able to figure out which ConnectTo is being used
> > and which are stale, say NOT used in the last 2 to 3 days.
> >
> > I want to remove those ConnectTo which are no longer actively used.
> > Is it possible to find which ConnectTo are not used?
>
> With tinc 1.0.x, that's hard to say. You could add a host-up script to
> track the last time a node was alive. With tinc 1.1, you can use
> the "tinc info <node>" command to find out the last time the node
> went on- or offline. However, both cases do not distinguish between
> connections made via ConnectTo or via other means.
>
> But most importantly, you don't need to have a ConnectTo line in your
> tinc.conf for every node in your VPN! Say you have three nodes, A, B and
> C, and A and B both have ConnectTo C in their tinc.conf, then A and B
> will learn about each other from C, and will be able to exchange VPN
> packets directly, without requiring further ConnectTo variables. If you
> want to keep your configuration static and not have many ConnectTo
> lines, then the best way is to choose a small number (say 3) of nodes
> that are most likely to be online, and just have all the nodes ConnectTo
> those 3 nodes.
>
> In tinc 1.1, this can be fully automated: just add "AutoConnect = yes"
> to tinc.conf, and then tinc will automatically create meta-connections
> as necessary.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>