similar to: Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs

On Sat, Mar 21, 2015 at 01:01:47PM +0100, Raimund Sacherer wrote: > This is our setup which we are trying in a couple of our remote offices: [...] > FW-01 and FW-02 are Master/Slave firewalls (pfSense with Carp failover). We have currently 3 "remote offices" connected which have all basically the same setup, one office has more internet lines. > > Currently I have it

Hello Guus, thank you very much for your suggestions, I could not dive into it further because I was traveling, but now I have time to reconfigure the network. At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively,

Comments below On Fri, 24 Apr 2015, Guus Sliepen wrote: > On Thu, Apr 16, 2015 at 10:09:05PM +0200, Raimund Sacherer wrote: > > > At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively > [...] > >

On Thu, Apr 16, 2015 at 10:09:05PM +0200, Raimund Sacherer wrote: > At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively [...] > My question now is, for every tinc daemon I need a tun or tap device, so how

On 30.08.2016 17:37, Guus Sliepen wrote: > On Tue, Aug 30, 2016 at 02:38:16PM +0200, Armin Schindler wrote: > >> we use a meshed VPN with TINC to connect 7 offices. >> Some office are in other countries and use other ISPs. The connection >> between some ISPs (peering partners) are not that good. This means we >> have packet loss between those direct connections.

Hi, I´m using Tinc for several years, but I didn´t fix a performance problem. There a about 20 nodes in this network. Master: 10.0.0.12 (dedicated host in a datacenter, debian, 100mBit port) tinc.conf: Name = TincKnoten12 AddressFamily = ipv4 Interface = tun ProcessPriority=high mode = router #DirectOnly = no Compression=0 PMTUDiscovery = yes #IndirectData = yes #ReplayWindow = 64 #ConnectTo

Hello Guus, > This will cause tinc to automatically add and remove routing entries, > depending on which nodes are reachable. You will get multiple routing > entries for the same subnet but to different interfaces. One of them > will be chosen by the kernel based on the order of addition, but you > don't care about it so it's fine. If tinc detects that a node goes down,

Hello all, we use a meshed VPN with TINC to connect 7 offices. Some office are in other countries and use other ISPs. The connection between some ISPs (peering partners) are not that good. This means we have packet loss between those direct connections. To avoid this direct connection, I would like to tell TINC to use a defined other host to route the packets to. E.g. instead of doing direct

Hello, We're suffering from sporadic network blockage(read: unable to ping other nodes) with 1.1-pre17. Before upgrading to the 1.1-pre release, the same network blockage also manifested itself in a pure 1.0.33 network. The log shows that there are a lot of "Got ADD_EDGE from nodeX (192.168.0.1 port 655) which does not match existing entry" and it turns out that the mismatches

pc1(LANa) ----poor connection ----> VPS <--------- PC2(LANb) pc1 and pc2 used to connected directly with tinc, since pc1 used to have WAN IP(pppoe), but the pppoe IP is not WAN IP anymore (ISP changed to let all ADSL user in a LAN). if I let the two pc connect to a VPS with tinc, can later connections between pc1 and pc2 be directly ? for example, ssh from pc1 to pc2 but not proxyed by

Hi Team, I admit that I am not familiar with Tinc very well, but have Tinc running at approximately 20 sites and functioning as a mesh vpn/network. I am having issues adding an additional site as it will not communicate with the rest. I have taken the firmware of one and flashed it on another router to make it duplicate and then tested it working but when I change the hostname, and IP to what we

On Fri, Apr 24, 2015 at 10:26:18PM +0200, Sven-Haegar Koch wrote: > > #!/bin/sh > > ifconfig $INTERFACE 10.96.x.y > > Won't a netmask of 255.255.255.255 be better than not specifying any? > Otherwise it falls back to old classful adressing and would assume > 10.0.0.0/8 - which is clearly always wrong. [...] Or are tun devices > different in this regard? Hm, it

We run tinc in a linux environment in which it sits there waiting for connections from the clients. All clients are configured to only have one ConnectTo which points to this server. We're seeing in the server log that as soon as a client's connection is activated, a whole bunch of "Flushing x bytes to that host would block" is logged and the whole vpn is bogged down and has

I have a use case where my tinc.conf ConnectTo can go upto 20 + hosts. I am planning to automate a periodic cleanup of ConnectTo in the tinc.conf file, the issue is I am not able to figure out which ConnectTo is been used and which are stale, say NOT used in last 2 to 3 days. I want to remove those ConnectTo which are no longer actively used. Is it possible to find which ConnectTo are not used.

I have a centos 4 i386 machine that works like a router (iptables filter, NAT) with two NIC''s. One NIC is connected to my ISP (100 Mbit FTTH), I get a DHCP assigned public IP that changes "sometimes". Most incoming ports are blocked by my ISP. In order to get a fixed IP and open ports, I have to set up a PPTP tunnel to the ISP. The default gw and the NAT''ing goes to

Hi Guus Thanks for clarifying. Some follow up questions: - How do we patch 1.1pre14 with this fix? Or will there be a 1.1pre15 to upgrade to? - What is the workaround until we patch with this fix? Using a combination of AutoConnect and ConnectTo? - When we use ConnectTo, is it mandatory to have a cert file in the hosts/* dir with an IP to ConnectTo ? -nirmal On Tue, Aug 22, 2017 at 12:10

Hi, Etienne Thanks for your clarification, and this helped a lot. And in order to get a better understanding for the mechanism of Tinc and the purpose of ConnectTo statement, can I think the ConnectTo is the way to get the node into the Tinc VPN domain, instead of establish VPN connection between nodes. Once any node ConnectTo the Tinc VPN domain, it learns all other nodes, subnets, and

Hi, we use a tinc network of about 400 nodes, all of them linux servers, partly in different datacenters (but generally low latency). Usually this is working very well (for weeks without a problem). >From time to time the whole network goes down though. This happened when we restarted a larger number of servers or when there was a connectivity issue between datacenters or some (short)

Hi Guus Following your suggestion we reconfigured our tinc network as follows. Here is a new graph and below is our updated configuration: http://imgur.com/a/n6ksh - 2 Tinc nodes (yellow labels) have a public external IP and port 655 open. They both have ConnectTo's to each other and AutoConnect = yes - The remainder tinc nodes (blue labels) have their tinc.conf set up as follows:

Hi, Tinc Expert in my tinc.conf, the ConnectTo to host X is commented, like below: #ConnectTo = X and there is a script: /etc/tinc/netname/hosts/X-up, I thought commented the ConnectTo X wouldn’t trigger the X-up, but it did. Why? What’s the logic behind to trigger host-up? How can I avoid this except remove the host-up file? Bright Zhao