Nirmal Thacker
2017-Aug-31 17:40 UTC
using both ConnectTo and AutoConnect to avoid network partitions
Hi Guus

Following your suggestion we reconfigured our tinc network as follows. Here is a new graph and below is our updated configuration:
http://imgur.com/a/n6ksh

- 2 Tinc nodes (yellow labels) have a public external IP and port 655 open. They both have ConnectTo's to each other and AutoConnect = yes
- The remainder tinc nodes (blue labels) have their tinc.conf set up as follows:
    ConnectTo = yellow1
    ConnectTo = yellow2
    AutoConnect = yes
- Blue labeled nodes also have their port 655 open, but no node in the network has a ConnectTo to any blue labeled node
- we are still using tinc1.1pre14
- The configuration was loaded by ensuring:
  - each node has the keys and Address for their ConnectTo targets
  - tinc was reloaded using the command: sudo tinc -n <vpn_name> reload

The main motivation to do this: To avoid the network split bug we hit, that was addressed earlier in this email and to do this by ensuring deliberate and redundant connections to yellow1 and yellow2

We are concerned that:
- We still don't see edges in the graph that show connections between every blue labeled node to both the yellow labeled nodes

Any reason why we don't see these edges?
Is there something missing in our configuration?

Thanks
-nirmal

On Tue, Aug 22, 2017 at 11:08 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Tue, Aug 22, 2017 at 03:19:18PM -0700, Nirmal Thacker wrote:
>
> > - How do we patch 1.1pre14 with this fix? Or will there be a 1.1pre15 to
> > upgrade to?
>
> There will be an 1.1pre15, but if you want you can apply the following
> commit:
>
> https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff;h=92fdabc439bdb5e16f64a4bf2ed1deda54f7c544
>
> > - What is the workaround until we patch with this fix? Using a combination
> > of AutoConnect and ConnectTo?
>
> Yes.
>
> > - When we use ConnectTo, is it mandatory to have a cert file in the hosts/*
> > dir with an IP to ConnectTo ?
>
> Yes. Tinc always needs the public key of a peer and an Address in order
> to be able to connect to it.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
Guus Sliepen
2017-Aug-31 20:27 UTC
using both ConnectTo and AutoConnect to avoid network partitions
On Thu, Aug 31, 2017 at 10:40:39AM -0700, Nirmal Thacker wrote:

> Following your suggestion we reconfigured our tinc network as follows.
> Here is a new graph and below is our updated configuration:
> http://imgur.com/a/n6ksh
[...]
> We are concerned that:
> - We still don't see edges in the graph that show connections between every
> blue labeled node to both the yellow labeled nodes
>
> Any reason why we don't see these edges?

Yes, AutoConnect will still remove outgoing connections that it thinks are redundant. So even if the initial ConnectTo's will cause nodes to connect to the yellow ones, after a while they can remove those.

> Is there something missing in our configuration?

If you make the yellow nodes ConnectTo all other nodes, and not have AutoConnect = yes, and the other nodes just have AutoConnect = yes but no ConnectTo's, then you will get the desired graph.

> > > - What is the workaround until we patch with this fix? Using a
> > > combination of AutoConnect and ConnectTo?
> >
> > Yes.

I should've elaborated here.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Nirmal Thacker
2017-Aug-31 20:37 UTC
using both ConnectTo and AutoConnect to avoid network partitions
Thanks Guus, some comments and questions:

> If you make the yellow nodes ConnectTo all other nodes, and not have
> AutoConnect = yes, and the other nodes just have AutoConnect = yes but
> no ConnectTo's, then you will get the desired graph.

The reason this approach is not desirable is because it fails at automation. It requires us to add a new line of AutoConnect = <new node that joined tinc> to both yellow nodes every time a new node joins, while in the current setup as long as the keys of every new node are exchanged between the new nodes and the yellow nodes, the ConnectTo's can stay constant

> Yes, AutoConnect will still remove outgoing connections that it thinks
> are redundant. So even if the initial ConnectTo's will cause nodes to
> connect to the yellow ones, after a while they can remove those.

Is this optimization also vulnerable to the bug we saw earlier with regard to the network split? Or given that the ConnectTo's exist, peer nodes will fall back onto these, thereby 'recovering' in some sense if a network split were to occur due to the AutoConnect bug?

-nirmal
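An added example, not code from this thread or from the tinc project: a small Python audit of the concern discussed above, listing which nodes lack a direct edge to each yellow node and which single node failures would split the network. It assumes the graph is available as Graphviz DOT-style edge lines; the sample graph and all function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample in Graphviz DOT style; not captured from the thread's network.
SAMPLE_DOT = """graph {
  "yellow1" -- "yellow2"; "blue1" -- "yellow1"; "blue1" -- "yellow2";
  "blue2" -- "yellow1"; "blue2" -- "blue3";
}"""
EDGE_RE = re.compile(r'"?(\w+)"?\s*(?:--|->)\s*"?(\w+)"?')  # assumed name charset: \w

def parse_edges(dot_text):
    """Build an undirected adjacency map from DOT-style edge lines."""
    adj = defaultdict(set)
    for a, b in EDGE_RE.findall(dot_text):
        adj[a].add(b)
        adj[b].add(a)
    return adj

def missing_hub_links(adj, hubs):
    """Map each non-hub node to the hubs it has no direct edge to."""
    hubs = set(hubs)
    return {n: sorted(hubs - adj[n]) for n in sorted(adj)
            if n not in hubs and hubs - adj[n]}

def components(adj, removed=()):
    """Connected components of the graph once the `removed` nodes are down."""
    seen, result = set(removed), []
    for start in sorted(adj):
        if start in seen:
            continue
        seen.add(start)
        comp, queue = [], deque([start])
        while queue:
            node = queue.popleft()
            comp.append(node)
            for peer in adj[node] - seen:
                seen.add(peer)
                queue.append(peer)
        result.append(sorted(comp))
    return result

def partition_risks(adj):
    """Nodes whose loss alone splits the rest of the network."""
    return [n for n in sorted(adj) if len(components(adj, removed=[n])) > 1]

if __name__ == "__main__":
    g = parse_edges(SAMPLE_DOT)
    print(missing_hub_links(g, ["yellow1", "yellow2"]), partition_risks(g))
```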