tinc devel - Dec 2014 - VPN Single Daemon For LAN/WAN

On Fri, Dec 12, 2014 at 02:21:08AM -0500, md at rpzdesign.com wrote:
> Oops, I got it to work only after putting the WAN on port 656 so it
> did not interfere with port 655 for the LAN.
You should not need to have two tinc daemons just because you have a WAN
and a LAN interface. By default (ie, if you don't specify BindToAddress
and/or BindToInterface), tinc listens on all interfaces, and the
kernel should normally take care of selecting which outgoing interface
to use for tinc's packets.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20141214/8e4dfea5/attachment.sig>

Guus:

Ok, I accept your challenge.

But I am clueless in terms of getting the routing table correct.

So each server has a dual identity, both a LAN private identity with a
PRIVATE IP address and a WAN public identify with a PUBLIC ip address.

And how to have 2 different tun devices show up in the ifconfig -a so
that LAN IP address can be assigned to the tun0 and a WAN IP address can
be assigned to the tun1

When I run 2 tincd daemons, I keep both "networks" separate.

You expert judgement needed here to realize your statement about only
needing a single tincd daemon.


md

On 12/14/2014 7:14 AM, Guus Sliepen wrote:
> On Fri, Dec 12, 2014 at 02:21:08AM -0500, md at rpzdesign.com wrote:
> 
>> Oops, I got it to work only after putting the WAN on port 656 so it
>> did not interfere with port 655 for the LAN.
> 
> You should not need to have two tinc daemons just because you have a WAN
> and a LAN interface. By default (ie, if you don't specify BindToAddress
> and/or BindToInterface), tinc listens on all interfaces, and the
> kernel should normally take care of selecting which outgoing interface
> to use for tinc's packets.
> 
> 
> 
> _______________________________________________
> tinc-devel mailing list
> tinc-devel at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc-devel
>

Gus:

I guess my primary point of confusion is that the non-vpn LAN ip
addresses are duplicated in each cluster.  So within a cluster, the LAN
addresses are unique.

But when you look at 2 clusters, 2 different servers share the
10.99.0.11 address.

So that is why I created a VPN for inside the cluster on the LAN
interfaces using the private 10.0.1.xx range.  THen, I created a
separate VPN on the WAN interfaces using publicly visible IP Addresses.
 This VPN solely exists to process cross cluster traffic.

So at the end of the day, every server has a Real IP on eth0, a Private
IP on eth1, and then a TINC VPN LAN IP on 10.0.1.x and a TINC VPN WAN on
10.1.x.x.

I would love to understand how to make the next jump and get a single
TINCD to keep all of this working.

I think the key is the ifconfig and ip commands issued in tinc-up that
allow for another tunx interface to be created and given a WAN VPN ip
address

The TINC VPN LAN address was assigned in tinc-up: ifconfig $INTERFACE
10.0.1.11 netmask 255.255.255.0

md





On 12/15/2014 5:12 PM, md at rpzdesign.com wrote:
> Guus:
> 
> Ok, I accept your challenge.
> 
> But I am clueless in terms of getting the routing table correct.
> 
> So each server has a dual identity, both a LAN private identity with a
> PRIVATE IP address and a WAN public identify with a PUBLIC ip address.
> 
> And how to have 2 different tun devices show up in the ifconfig -a so
> that LAN IP address can be assigned to the tun0 and a WAN IP address can
> be assigned to the tun1
> 
> When I run 2 tincd daemons, I keep both "networks" separate.
> 
> You expert judgement needed here to realize your statement about only
> needing a single tincd daemon.
> 
> 
> md
> 
> On 12/14/2014 7:14 AM, Guus Sliepen wrote:
>> On Fri, Dec 12, 2014 at 02:21:08AM -0500, md at rpzdesign.com wrote:
>>
>>> Oops, I got it to work only after putting the WAN on port 656 so it
>>> did not interfere with port 655 for the LAN.
>>
>> You should not need to have two tinc daemons just because you have a
WAN
>> and a LAN interface. By default (ie, if you don't specify
BindToAddress
>> and/or BindToInterface), tinc listens on all interfaces, and the
>> kernel should normally take care of selecting which outgoing interface
>> to use for tinc's packets.
>>
>>
>>
>> _______________________________________________
>> tinc-devel mailing list
>> tinc-devel at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc-devel
>>
>