tinc - May 2017 - tinc to create VPN between cluster nodes (at different datacenters) for High Availability

I've not really dug into testing tinc yet, but if you all will humor me in
an uneducated blast of questions,
I'd appreciate it.

What can you do to keep tinc going if your high availability comes from cluster
nodes being dispensable?
Can tinc run on the cluster nodes?
That seems like chicken/egg problem though to get tinc server installed and
cluster nodes brought up...
If tinc needs to be providing gateways separately from the cluster nodes, how do
you make tinc high available?
Install tinc on more than one simple VPS nodes?
Would this scenario always require your hosting provider to offer a kind of
private network?

On Tue, May 09, 2017 at 06:24:55PM -0500, John Griessen wrote:
> I've not really dug into testing tinc yet, but if you all will humor me
in an uneducated blast of questions,
> I'd appreciate it.
> 
> What can you do to keep tinc going if your high availability comes from
cluster nodes being dispensable?
> Can tinc run on the cluster nodes?
> That seems like chicken/egg problem though to get tinc server installed and
cluster nodes brought up...
> If tinc needs to be providing gateways separately from the cluster nodes,
how do you make tinc high available?
> Install tinc on more than one simple VPS nodes?
> Would this scenario always require your hosting provider to offer a kind of
private network?
There are two ways to do high-availability with tinc. Assuming you want
to have multiple distinct "exit nodes" on the VPN (that provide a
default gateway for other nodes), then just assign Subnet = 0.0.0.0/0 to
each of the exit nodes. The other nodes will then choose one of those
that is online. So if they are using one that goes offline, they will
switch to another one.

The other way is to set up the exit nodes identically (same Name, same
public/private key), but as I already mentioned in the response to
Bright Zao's question, only one of them should ever be up at the same
time. Depending on your setup, you might be able to use an external
high-availability solution to ensure that. The other nodes then just see
one exit node, but you specify multiple Address statements for it (one
for each physical exit node). Tinc will try each address in turn until
it finds a working one. If the node it's connected to goes down, it will
try another address to reconnect.

So yes, it can be done by just running tinc on your cluster nodes.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20170510/f037d8a1/attachment.sig>

On 05/10/2017 12:54 PM, Guus Sliepen wrote:
> There are two ways to do high-availability with tinc. Assuming you want
> to have multiple distinct "exit nodes" on the VPN (that provide a
> default gateway for other nodes), then just assign Subnet = 0.0.0.0/0 to
> each of the exit nodes. The other nodes will then choose one of those
> that is online. So if they are using one that goes offline, they will
> switch to another one.
Thanks,

I will read more and study how to do that with coreOS.  I suppose the first
thing
a node needs to be doing as it comes up is starting a firewall, since
a usual virtual server is open to the internet.  Then start tinc in a container
with a setup to connect with other nodes that are setup to be in the same VPN.

Or will it be necessary to rent virtual servers that come with an internal
private network
provided by the hosting company, as well as IP addresses for the open internet?