similar to: Disallow binding via tinc


2017 Jan 27
1
Disallow binding via tinc
That would probably work, too; it's harder to configure though and easier to get wrong. If I could avoid having the tun0, that would trivially solve the problem. On 27/01/17 09:41, Azul wrote: > Why not just firewall incoming traffic on the clients? > > > On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me > <mailto:mail at nh2.me>> wrote: >
2017 Jan 27
0
Disallow binding via tinc
Why not just firewall incoming traffic on the clients? On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me> wrote: > I'm looking for a way to add some (Linux) participants into my tinc > network, but I want to protect them from accidentally binding a port so > that it's accessible via tinc. > > For example, `nc -l` by default listens to all
2017 May 17
3
Improving packets/sec and data rate - v1.0.24
Niklas - Thanks! Yeah, your Github issue was very useful for me to understand what is probably causing our issue (the syscall chain done on every UDP packet). Very interesting that you're able to see around 90% of a Gig line on bare metal. Were you ever able to make any further progress on adjusting Tinc based on the investigation in https://github.com/gsliepen/tinc/issues/110 ? Martin -
2017 May 18
1
Improving packets/sec and data rate - v1.0.24
I noticed a large performance boost both on bare metal and in vps instances by turning on kernel routing in the tinc config, and using full host declarations for routes rather than dumping things to the tun interface ambiguously. "Forwarding = kernel" ip route add 1.2.3.4 via 4.3.2.1 dev tun -instead of- ip route add 1.2.3.4 dev tun On May 17, 2017 3:10 PM, "Niklas Hambüchen"
2017 Jan 27
0
Disallow binding via tinc
On Fri, Jan 27, 2017 at 01:24:37AM +0100, Niklas Hambüchen wrote: > I'm looking for a way to add some (Linux) participants into my tinc > network, but I want to protect them from accidentally binding a port so > that it's accessible via tinc. [...] > I imagine the easiest way would be to make it so that tinc creates no > tun device. Is the `DeviceType = raw_socket` option
2017 Mar 13
2
Tinc can't connect to names defined in /etc/hosts
Hi, I have a host name defined in /etc/hosts (say "1.2.3.4 host1") that resolves via that but not via DNS; consequently pinging and netcatting to it works fine. When I try to use that in a tinc host definition like "Address = host1", tinc 1.1 tells me Error looking up host1 port 655: Name or service not known Why is that? Does getaddrinfo() tinc uses not consider
2009 Sep 09
3
tinc for iphone & ipod touch
Hello, I've managed to create a tinc build for IPhone and IPod touch. Since the device does not support TUN interface, TUNEMU was used: http://code.gerade.org/tunemu/ Please find the patch in the attachment (to be used with tinc-1.0.9). The patch does the following: - updates src/Makefile.in & src/Makefile.am so required libraries are attached and tunemu.c is compiled - updates
2017 May 27
1
Replacing of non-alphanumeric chars in Name can be confusing
Tinc replaces non-alphanumeric characters in the `Name` field of tinc.conf by '_' (see [1] and [2]). This includes hyphens ('-'), which are often used in host names. That is quite surprising, and can easily lead to misconfigurations, especially because there doesn't seem to be a warning if you configure `Name = node-1`, and on the other machines the host file
2017 May 17
2
Improving packets/sec and data rate - v1.0.24
Hi Jared, I've seen the same while testing on digital ocean, I think it's the context switching that happens when sending a packet. I've done some testing with wireguard and that has a lot better performance but it's still changing quite a lot and only does a subset of what tinc does so probably not a stable solution. Martin On Wed, 17 May 2017 at 18:05 Jared Ledvina <jared at
2017 Sep 17
3
Confusing lstat() performance
On 17/09/17 18:03, Niklas Hambüchen wrote: > So far the only difference between `ls` and `bup index` I could observe > is that `bup index` chdir()s into the directory to index, ls doesn't. > > But when I `cd` into the dir and run `ls` without directory argument, it > is still much faster than bup index for each stat(). Hmm, bup uses the fchdir() syscall to go into the target
2017 Feb 22
2
Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
Hi, thank you for looking into this. I haven't tried it before now. I can't get it to work. After running the commands you suggest I get this when I run ip6tables --list-rules root at JOTVPN:~# ip6tables --list-rules -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j
2017 Sep 14
5
Confusing lstat() performance
Hi, I have a gluster 3.10 volume with a dir with ~1 million small files in them, say mounted at /mnt/dir with FUSE, and I'm observing something weird: When I list and stat them all using rsync, then the lstat() calls that rsync does are incredibly fast (23 microseconds per call on average, definitely faster than a network roundtrip between my 3-machine bricks connected via Ethernet). But
2017 Sep 18
2
Confusing lstat() performance
Hi Ben, do you know if the smallfile benchmark also does interleaved getdents() and lstat, which is what I found as being the key difference that creates the performance gap (further down this thread)? Also, wouldn't `--threads 8` change the performance numbers by factor 8 versus the plain `ls` and `rsync` that I did? Would you mind running those commands directly/plainly on your cluster to
2017 Sep 17
0
Confusing lstat() performance
I found the reason now, at least for this set of lstat()s I was looking at. bup first does all getdents(), obtaining all file names in the directory, and then stat()s them. Apparently this destroys some of gluster's caching, making stat()s ~100x slower. What caching could this be, and how could I convince gluster to serve these stat()s as fast as if a getdents() had been done just before
2017 Feb 23
1
Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
hi It was not working when i applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card root at JOTVPN:~# brctl show bridge name bridge id STP enabled    interfaces bridge 8000.000c29638a7e no           eth0                                                                   vpn so I tried the
2009 Apr 06
2
help needed for freebsd
Hi, I'm trying to run tinc 1.0.9 on freebsd 7.1-RELEASE-p4. I tried: Device=/dev/net/tun0 DeviceType=tun I tried it without the device-line, i tried the other devicetype-options, none of them work. With all of them I get the following error: 30311: open("/dev/net/tun0",O_RDWR|O_NONBLOCK,05024360414) = 3 (0x3) 30311: ioctl(3,TUNSIFHEAD,0xbfbfec58) ERR#45 'Operation not
2017 Sep 18
1
Confusing lstat() performance
On 18/09/17 17:23, Ben Turner wrote: > Do you want tuned or untuned? If tuned I'd like to try one of my tunings for metadata, but I will use yours if you want. (Re-CC'd list) I would be interested in both, if possible: To confirm that it's not only my machines that exhibit this behaviour given my settings, and to see what can be achieved with your tuned settings. Thank you!
2016 Aug 27
2
Is it possible to block ipv6 auto configuration entering the tinc tunnel?
Hi, I'm using tinc to bridge networks together. And I'm using ebtables to block dhcp traffic for ipv4 on each node in tinc. One of my nodes has recently begun using ipv6. The ISP is using auto configuration to give out ipv6 addresses. The problem is that every computer in my bridged network is getting ipv6 addresses from that node. The other computers behind the other nodes have no use for ipv6
2020 Nov 12
2
Examples request - tinc witn tun/utun mode=router
Hi Folks, Does anyone have a set of config files handy, using tinc in routed/tun mode (preferably DeviceType=utun) I'm particularly interested to see what the tinc-up and tinc-down files should look like when the vpn is not using tap mode. I have this, from my tap (switch mode tinc) , but it doesn't work for tun devices.    ifconfig $INTERFACE inet 10.10.101.2/24 up If I run my
2019 Jan 10
2
Can Ping But No Web Interface
Aloha! I am new to tinc and I like to figure out my own issues before asking but I am not sure of my next step here. I am not sure if the problem is the VPN configuration or in my network. I will try to be as thorough as possible. I have two computers that are CentOS with the latest tinc from their respective repositories. Server A is behind a Sophos XG and Server B is behind a Ubiquiti Edge