tinc - Aug 2012 - KVM VM traffic over host's Tinc VPN

Hello Tinc list!

I'm trying to set up a Tinc VPN between two KVM host machines so that a 
VM on one host can communicate with a VM on the other host. While I do 
have a good bit of experience with virtualization, I'm not a 
particularly savvy network guy, so this is proving to be a pretty big 
challenge.

Requirements:

* ALL VM network traffic must be secure.
* VMs on one host must be able to communicate with VMs on other hosts.
* As I'm using another group's images for the VMs and will have no 
control over the VMs once they're up and running, all configuration 
needs to happen on the hosts and be invisible to the VMs.

My test setup:

* Two RHEL6.2 hosts, each running KVM with one VM set up on each host.
* Tinc set up on both hosts.

Configurations for each host:

=====Host1====
tinc.conf:

         Name = host1
         ConnectTo = host2

tinc-up:

         #!/bin/sh
         ifconfig $INTERFACE 10.90.41.241 netmask 255.255.252.0

hosts/host1:

         Address = host1.my.domain
         Subnet = 10.90.41.241
         Port = 655

         -----BEGIN RSA PUBLIC KEY-----
                     keygibberrish
         -----END RSA PUBLIC KEY-----

hosts/host2:

         Address = host2.my.domain
         Subnet = 10.90.42.242/32
         Port = 655

         -----BEGIN RSA PUBLIC KEY-----
                     keygibberrish
         -----END RSA PUBLIC KEY-----

ifconfig results for VPN:

test    Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.90.41.241  P-t-P:10.90.41.241  Mask:255.255.252.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:5 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:420 (420.0 b)  TX bytes:420 (420.0 b)



=====Host2====
tinc.conf:

         Name = host1

tinc-up:

         #!/bin/sh
         ifconfig $INTERFACE 10.90.42.242 netmask 255.255.252.0

hosts/host1:

         Address = host1.my.domain
         Subnet = 10.90.41.241
         Port = 655

         -----BEGIN RSA PUBLIC KEY-----
                     keygibberish
         -----END RSA PUBLIC KEY-----


hosts/host2:

         Address = host2.my.domain
         Subnet = 10.90.42.242/32
         Port = 655

         -----BEGIN RSA PUBLIC KEY-----
                     keygibberrish
         -----END RSA PUBLIC KEY-----

ifconfig results for VPN:

test    Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.90.42.242  P-t-P:10.90.42.242  Mask:255.255.252.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:5 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:420 (420.0 b)  TX bytes:420 (420.0 b)


At this point, Tinc seems to work. Pings from host1 to 10.90.42.242 are 
replied to, and pings from host2 to 10.90.41.241 are replied to.

Now to set up networking for the VMs...

My first thought was to simply bridge the VM connection to the VPN 
interface. So, in virt-manager, I went into the details tab of my VM on 
host1, selected the NIC, and chose "Host device test : macvtap" as the
source device and "bridge" for the source mode. Cranked up the vm and 
got: "Error starting domain: error creating macvtap type of interface: 
Invalid argument."

So I tried to manually create the bridge and add the "test" device to
it.

         [root at host1 test]# brctl addbr br0
         [root at host1 test]# brctl addif br0 test
         can't add test to bridge br0: Invalid argument

I did some more research on bridges, and decided that maybe I needed to 
specify the deviceType and interface in tinc.conf. So I changed my 
tinc.confs:

host1 tinc.conf:

         Name = host1
         DeviceType = tun
         Interface = tun0
         ConnectTo = host2

host2 tinc.conf:

         Name = host2
         DeviceType = tun
         Interface = tun0

Restarted Tincd on both hosts and tried my pings again. They worked, so 
I tried to bridge the new tun0 device.

         [root at host1 test]# brctl addif br0 tun0
         can't add tun0 to bridge br0: Invalid argument

No dice, again. So I tried to specify as a tap device in tinc.conf:

host1 tinc.conf:

         Name = host1
         DeviceType = tap
         Interface = tap0
         ConnectTo = host2

host2 tinc.conf:

         Name = host2
         DeviceType = tap
         Interface = tap0

Restarted tincd and it cried about /dev/tap0 not existing. So I made it:

         mknod /dev/tap0 c 36 16

Restarted tincd and tried my pings again. They went unanswered. =\ Ran a 
tracepath on the IP and got:

         [root at host1 test]# tracepath 10.90.42.242
          1:  10.90.41.241 (10.90.41.241)                            
0.123ms pmtu 1500
          1:  10.90.42.242 (10.90.42.242)                            
0.524ms pmtu 1445
          1:  no reply
          2:  no reply
          3:  no reply

So it looks like the ping is actually getting from host1 to host2, but 
host2 doesn't realize it's there. WTH?

Just for fun I tried to bridge the tap0 interface, and it worked:

         [root at host1 test]# brctl addif br0 tap0
         [root at host1 test]# brctl show
         bridge name    bridge id                        STP enabled    
interfaces
         br0                   8000.120ab67c44bd     no                
     tap0

I found that curious, so checked the ifconfig for tap0 and noticed that 
the Link encap was now defined as "Ethernet" where it was
"UNSPEC"
before. I can only assume that's why I wasn't able to bridge the VPN 
earlier.

tap0   Link encap:Ethernet  HWaddr 12:0A:B6:7C:44:BD
           inet addr:10.90.41.241  Bcast:10.90.43.255  Mask:255.255.252.0
           inet6 addr: fe80::100a:b6ff:fe7c:44bd/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:17 errors:0 dropped:0 overruns:0 frame:0
           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:10905 (10.6 KiB)  TX bytes:1224 (1.1 KiB)

So that's where I'm at now. It seems that using a tap is getting me 95% 
of the way there. Google is not providing me with any more useful 
suggestions, so I come to you, the members of this list, with the 
following question:

Is there a way to configure Tinc to accomplish what I'm trying to do, or 
do I need to try to find some other solution?

Thanks for your time,

Eric

On Wed, Aug 15, 2012 at 03:12:37PM -0500, Eric Wiggins wrote:
> I'm trying to set up a Tinc VPN between two KVM host machines so
> that a VM on one host can communicate with a VM on the other host.
[...]
> At this point, Tinc seems to work. Pings from host1 to 10.90.42.242
> are replied to, and pings from host2 to 10.90.41.241 are replied to.
> 
> Now to set up networking for the VMs...
> 
> My first thought was to simply bridge the VM connection to the VPN
> interface.
[...]
> Restarted Tincd on both hosts and tried my pings again. They worked,
> so I tried to bridge the new tun0 device.
> 
>         [root at host1 test]# brctl addif br0 tun0
>         can't add tun0 to bridge br0: Invalid argument
The reason for this is indeed that tinc creates a tun interface, which does not
work in a bridge.
> No dice, again. So I tried to specify as a tap device in tinc.conf:
> 
> host1 tinc.conf:
> 
>         Name = host1
>         DeviceType = tap
>         Interface = tap0
>         ConnectTo = host2
[...]
> So it looks like the ping is actually getting from host1 to host2,
> but host2 doesn't realize it's there. WTH?
The reason is that tinc is still in router mode. You should not use the
DeviceType option, but rather use "Mode = switch". This will
automatically
create a tap interface and will let tinc act like a network switch. That should
resolve your problems.

However, depending on what you want exactly, you can also do without tap
devices at all. Since version 1.0.17, tinc has the ability to connect to a VDE
switch. KVM can do so as well. So you can set up a VDE switch and have both
tinc and KVM use that. You still want to run tinc in switch mode in that case.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20120815/85e77153/attachment.pgp>

On Wed, Aug 15, 2012 at 3:12 PM, Eric Wiggins <ewiggi2 at lsu.edu>
wrote:
>
> Hello Tinc list!
>
> I'm trying to set up a Tinc VPN between two KVM host machines so that a
VM on one host can communicate with a VM on the other host. While I do have a
good bit of experience with virtualization, I'm not a particularly savvy
network guy, so this is proving to be a pretty big challenge.
>
> Requirements:
>
> * ALL VM network traffic must be secure.
> * VMs on one host must be able to communicate with VMs on other hosts.
> * As I'm using another group's images for the VMs and will have no
control over the VMs once they're up and running, all configuration needs to
happen on the hosts and be invisible to the VMs.
>
> My test setup:
>
> * Two RHEL6.2 hosts, each running KVM with one VM set up on each host.
> * Tinc set up on both hosts.
Forgive me for kinda taking this offtopic.
i love tinc.  It would be great to have it incorporated directly into
many enterprise scenarios, especially cloud computing
What you are trying to do is built into most if not all cloud platforms.
Consider a cloud platform such as Eucalyptus, OpenStack, nebula, .....
   Look at screenshots of HybridFox to manage your VMs running on your
own private cloud.
Since your hosts are redhat,
http://www.redhat.com/about/events-webinars/webinars/2012-07-11-building-an-open-hybrid-cloud-technical-review