John Griessen
2017-May-09 23:24 UTC
tinc to create VPN between cluster nodes (at different datacenters) for High Availability
I've not really dug into testing tinc yet, but if you all will humor me in an uneducated blast of questions, I'd appreciate it.

What can you do to keep tinc going if your high availability comes from cluster nodes being dispensable?
Can tinc run on the cluster nodes?
That seems like a chicken/egg problem though, to get the tinc server installed and the cluster nodes brought up...
If tinc needs to be providing gateways separately from the cluster nodes, how do you make tinc highly available?
Install tinc on more than one simple VPS node?
Would this scenario always require your hosting provider to offer a kind of private network?
Guus Sliepen
2017-May-10 17:54 UTC
tinc to create VPN between cluster nodes (at different datacenters) for High Availability
On Tue, May 09, 2017 at 06:24:55PM -0500, John Griessen wrote:

> I've not really dug into testing tinc yet, but if you all will humor me in an uneducated blast of questions,
> I'd appreciate it.
>
> What can you do to keep tinc going if your high availability comes from cluster nodes being dispensable?
> Can tinc run on the cluster nodes?
> That seems like chicken/egg problem though to get tinc server installed and cluster nodes brought up...
> If tinc needs to be providing gateways separately from the cluster nodes, how do you make tinc high available?
> Install tinc on more than one simple VPS nodes?
> Would this scenario always require your hosting provider to offer a kind of private network?

There are two ways to do high-availability with tinc. Assuming you want to have multiple distinct "exit nodes" on the VPN (that provide a default gateway for other nodes), then just assign Subnet = 0.0.0.0/0 to each of the exit nodes. The other nodes will then choose one of those that is online. So if they are using one that goes offline, they will switch to another one.

The other way is to set up the exit nodes identically (same Name, same public/private key), but as I already mentioned in the response to Bright Zao's question, only one of them should ever be up at the same time. Depending on your setup, you might be able to use an external high-availability solution to ensure that. The other nodes then just see one exit node, but you specify multiple Address statements for it (one for each physical exit node). Tinc will try each address in turn until it finds a working one. If the node it's connected to goes down, it will try another address to reconnect.

So yes, it can be done by just running tinc on your cluster nodes.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
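The two layouts Guus describes, written out as tinc configuration fragments. This is an added example, not configuration from the thread or from the tinc project; the network name `ha`, the node names, the hostnames and the 10.42.0.0/24, 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed placeholders, and the `#weight` suffix on a Subnet line is a tinc option the thread does not mention (lower number wins, default 10). Comments are kept on their own lines because `#` inside a Subnet value is the weight separator.

```ini
# ===== Approach 1: several distinct exit nodes, each announcing 0.0.0.0/0 =====

# /etc/tinc/ha/hosts/exit1  (constructed; this file is copied to every node)
# The public endpoint, the node's own VPN address, and the "I can be a
# default gateway" announcement. Its RSA public key block follows in the real file.
Address = exit1.example.net
Subnet = 10.42.0.1/32
Subnet = 0.0.0.0/0

# /etc/tinc/ha/hosts/exit2  (constructed)
# Same shape. The optional weight 20 makes exit2 a lower-priority default
# gateway than exit1 (default weight 10), so the other nodes use exit1 while it
# is online and fall over to exit2 only when exit1 disappears.
Address = exit2.example.net
Subnet = 10.42.0.2/32
Subnet = 0.0.0.0/0#20

# /etc/tinc/ha/tinc.conf on an ordinary cluster node  (constructed)
# Router mode routes by destination IP against the Subnet table, which is what
# lets tinc pick whichever 0.0.0.0/0 node is currently reachable. Two
# ConnectTo lines keep the meta-connection alive if one exit is down.
Name = node3
Mode = router
ConnectTo = exit1
ConnectTo = exit2

# /etc/tinc/ha/tinc-up on that node  (constructed; a shell script, shown here as
# comments). The kernel's default route only hands packets to the tunnel;
# the choice of exit happens inside tinc.
#   ip link set "$INTERFACE" up
#   ip addr add 10.42.0.3/32 dev "$INTERFACE"
#   ip route add 10.42.0.0/24 dev "$INTERFACE"
#   ip route add default dev "$INTERFACE"

# ===== Approach 2: two physical machines sharing ONE tinc identity =====

# /etc/tinc/ha/hosts/exit  (constructed; this file AND the matching private
# key are identical on both physical exit machines, and every other node has
# a copy). The other nodes see a single exit node with two addresses; tinc
# tries them in order and moves to the next when a connection fails.
Address = 203.0.113.10
Address = 198.51.100.20
Subnet = 10.42.0.1/32
Subnet = 0.0.0.0/0

# Only one of the two machines may run tincd at any moment, as Guus notes.
# Starting tincd on machine B after A is confirmed down, and stopping it
# before A returns, is left to an external failover mechanism of your choice.
```

In the first layout a dead exit is handled entirely by tinc's subnet lookup, so no coordination between exits is needed; in the second, the price of the simpler host table is that you must guarantee the two machines never run the shared identity concurrently.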
John Griessen
2017-May-11 07:05 UTC
tinc to create VPN between cluster nodes (at different datacenters) for High Availability
On 05/10/2017 12:54 PM, Guus Sliepen wrote:

> There are two ways to do high-availability with tinc. Assuming you want
> to have multiple distinct "exit nodes" on the VPN (that provide a
> default gateway for other nodes), then just assign Subnet = 0.0.0.0/0 to
> each of the exit nodes. The other nodes will then choose one of those
> that is online. So if they are using one that goes offline, they will
> switch to another one.

Thanks, I will read more and study how to do that with CoreOS. I suppose the first thing a node needs to be doing as it comes up is starting a firewall, since a usual virtual server is open to the internet. Then start tinc in a container with a setup to connect with other nodes that are set up to be in the same VPN. Or will it be necessary to rent virtual servers that come with an internal private network provided by the hosting company, as well as IP addresses for the open internet?