On Mon, Dec 08, 2014 at 11:02:24PM -0500, md at rpzdesign.com wrote:

> The self-contained example is tricky because I created 4 IP addresses on
> the eth0 device (192.168.1.30/31/32/33) so I could test a 4 node VPN
> that lives entirely within a single server.

That's quite hard to do, it's far easier to run four instances of tinc on
four different ports on the same machine.

> But the tinc command line utility is written assuming a single host with
> a single reference instead of 4 hosts stuffed into a single
> /etc/tinc/netname directory.

The "netname" does not have to be the same on all nodes of a VPN. It is
merely a quick way to tell tinc where its configuration data lives and how
to name the VPN interface. So in your self-contained example, use four
different netnames.

If you don't like this, then you should properly simulate four different
machines on a single one, either using containers (like LXC) or full
virtualisation (like KVM).

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
Guus:

Thanks for the reply. Did you like the PDF examples?

Do you want to help me build more examples for the web site so people can
download the PDF network diagrams and have sample config files to match
them?

What changes should I make to allow for easier setup/config/config files of
the 2 use cases?

For the production example, would it be better to run each data center on
its own class C (Netmask 255.255.0.0) and then the routing commands to allow
the local tincd daemon to just send the packets

On the self-contained example, I planned to run 4 instances of TINC. I could
run them in 4 different directories with netnames

/tinc1/conf/netname/
/tinc2/conf/netname/
/tinc3/conf/netname/
/tinc4/conf/netname/

Is there a way to run tinc without regard to netnames?

/tinc1/tincd --config=/tinc1/conf
/tinc2/tincd --config=/tinc2/conf
/tinc3/tincd --config=/tinc3/conf
/tinc4/tincd --config=/tinc4/conf

/tinc1/conf/
/tinc1/conf/hosts
/tinc2/conf/
/tinc2/conf/hosts
/tinc3/conf/
/tinc3/conf/hosts
/tinc4/conf/
/tinc4/conf/hosts

I am having some difficulty understanding how the device=/dev/net/tun relates
to the ConnectTo= and the binding address since I want tincd to bind to the
VPN IP address and not bind to 0.0.0.0

My software can communicate with tincd via the bound VPN address.

Your answers appreciated,

marco

On 12/9/2014 3:32 AM, Guus Sliepen wrote:
> On Mon, Dec 08, 2014 at 11:02:24PM -0500, md at rpzdesign.com wrote:
>
>> The self-contained example is tricky because I created 4
>> IP addresses on the eth0 device (192.168.1.30/31/32/33) so I could
>> test a 4 node VPN that lives entirely within a single server.
>
> That's quite hard to do, it's far easier to run four instances of
> tinc on four different ports on the same machine.
>
>> But the tinc command line utility is written assuming a single
>> host with a single reference instead of 4 hosts stuffed into a
>> single /etc/tinc/netname directory.
>
> The "netname" does not have to be the same on all nodes of a VPN.
> It is merely a quick way to tell tinc where its configuration data
> lives and how to name the VPN interface. So in your self-contained
> example, use four different netnames.
>
> If you don't like this, then you should properly simulate four
> different machines on a single one, either using containers (like
> LXC) or full virtualisation (like KVM).
On Tue, Dec 09, 2014 at 07:10:15AM -0500, md at rpzdesign.com wrote:

> Did you like the PDF examples?

They are OK. But I have learned long ago that what is clear and intuitive to
some is incomprehensible to others, and vice versa.

> Do you want to help me build more examples for the web site so people
> can download the PDF network diagrams and have sample config files to
> match them?

No, sorry. I don't have much time to spend on this, I'd rather focus on
getting tinc 1.1 out.

> What changes should I make to allow for easier setup/config/config
> files of the 2 use cases?

The test server is not a real use case. Focus on the data center setup. I
haven't seen any configuration files for the setups, only the diagrams are
in the PDF file.

> For the production example, would it be better to run each data center
> on its own class C (Netmask 255.255.0.0) and then the routing
> commands to allow the local tincd daemon to just send the packets

The problem is that everyone's network is different. What seems a logical
setup to you might not fit another person's setup. So it doesn't really
matter much what netmask you choose I think.

> I could run them in 4 different directories with netnames
>
> /tinc1/conf/netname/
[...]
> Is there a way to run tinc without regard to netnames?
>
> /tinc1/tincd --config=/tinc1/conf

Either use --config or --net. The following are equivalent (assuming tinc is
installed in /usr/sbin and expects configuration files in /etc):

    tincd --net foo
    tincd --config /etc/tinc/foo --option Interface=foo

> I am having some difficulty understanding how the device=/dev/net/tun
> relates to the ConnectTo= and the binding address since I want tincd
> to bind to the VPN IP address and not bind to 0.0.0.0

The Device option has no relation to ConnectTo or BindToAddress.
Furthermore, don't let tinc bind to a VPN IP address, otherwise it might not
be able to communicate with other tinc daemons, which are themselves not in
the VPN.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
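As an added example, not from the tinc project or from either author in this thread, the POSIX shell script below lays out the self-contained four-instance setup Guus recommends: four netnames (tinc1..tinc4) under one root, four ports, and each instance bound to the machine's LAN address rather than to 0.0.0.0 or to a VPN address. It assumes the tinc 1.0 configuration layout, the constructed values 192.168.1.30 for the LAN address and 10.0.0.0/24 for the VPN subnet, and that RSA keys are generated afterwards with tincd -K.

```shell
#!/bin/sh
# Added example, not from the tinc project or the thread's authors: lay out four
# self-contained tinc 1.0 instances on ONE host, one netname each (tinc1..tinc4),
# bound to the same LAN address on four different ports, as Guus suggests.
# Assumed values: LAN address 192.168.1.30, VPN subnet 10.0.0.0/24, ports 6551-6554.
set -eu
LAN_ADDR="${LAN_ADDR:-192.168.1.30}"  # the real NIC address, never a VPN address

# write_node N ROOT: creates ROOT/tincN/{tinc.conf,tinc-up,hosts/nodeN}
write_node() {
    n="$1"; root="$2"; net="tinc$n"; port=$((6550 + $n))
    mkdir -p "$root/$net/hosts"
    {
        echo "Name = node$n"
        echo "Device = /dev/net/tun"       # unrelated to ConnectTo and BindToAddress
        echo "Interface = $net"            # what --net would otherwise have named it
        echo "Port = $port"                # one port per instance on the shared host
        echo "BindToAddress = $LAN_ADDR"   # LAN address instead of 0.0.0.0
        for peer in 1 2 3 4; do            # full mesh: connect to every other node
            if [ "$peer" -ne "$n" ]; then echo "ConnectTo = node$peer"; fi
        done
    } > "$root/$net/tinc.conf"
    {                                      # how peers reach this node, and its VPN subnet
        echo "Address = $LAN_ADDR"
        echo "Port = $port"
        echo "Subnet = 10.0.0.$n/32"
    } > "$root/$net/hosts/node$n"
    # tinc-up runs with $INTERFACE exported by tincd; give it this node's VPN address
    printf '#!/bin/sh\nip link set "$INTERFACE" up\n' > "$root/$net/tinc-up"
    printf 'ip addr add 10.0.0.%s/24 dev "$INTERFACE"\n' "$n" >> "$root/$net/tinc-up"
    chmod 755 "$root/$net/tinc-up"
}

# sync_hosts ROOT: copy every node's host file into every other node's hosts/ dir.
# Run it again after "tincd --config ROOT/tincN -K" has appended each public key.
sync_hosts() {
    root="$1"
    for n in 1 2 3 4; do
        for peer in 1 2 3 4; do
            if [ "$peer" -ne "$n" ]; then
                cp "$root/tinc$peer/hosts/node$peer" "$root/tinc$n/hosts/node$peer"
            fi
        done
    done
}

# write_cluster ROOT: all four instances; start each one afterwards with
# "tincd --config ROOT/tincN" (same as "tincd --net tincN" when ROOT is /etc/tinc)
write_cluster() {
    for n in 1 2 3 4; do write_node "$n" "$1"; done
    sync_hosts "$1"
}
if [ $# -ge 1 ]; then write_cluster "$1"; fi
```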