I'm running Tinc on a Linux machine inside my home network, connecting through a NATing router to a Tinc server out on the Internet.

I've noticed that fairly frequently the SSH sessions I leave open (but unused) get aborted with a "Connection reset by peer" message. When I investigated closely, I found that after a period of inactivity my router times out the UDP "session" between the remote and local Tinc nodes, and thus any VPN traffic that then attempts to come in from the remote side toward my SSH client gets dropped by the router (because it no longer has a record of where to forward the incoming Tinc packets). When this condition lasts long enough, the remote SSH server times out and closes the login session. (During this period, of course, other inbound traffic is also lost, e.g. syslog messages sent toward my local machine, etc.)

As soon as something on the local side needs to send traffic to the office side, the local Tinc node sends new outbound UDP packets, the router re-establishes the virtual session between the two nodes, and all traffic resumes passing normally (at least until the next period of inactivity).

I see that the PingInterval setting allows me to set a minimum inactivity period on the metadata connection, and that seems to be enough to prevent the TCP session from timing out in the router... but I haven't found any way to cause Tinc to ensure the data/UDP "session" also stays active.

(I'm currently using v1.0.x, but I checked the v1.1 documentation on the web site as well and didn't see any new features that appeared to apply to this situation.)

So, I'm wondering if I've missed some aspect of the Tinc configuration that would address this issue, and (assuming I haven't) what other people have done when facing this situation?
For now I can use a "ping" command or something running locally to make sure that I have some traffic sent out over the VPN toward the office side once a minute or so -- but it seems cleaner to have Tinc itself monitor for "long" stretches of inactivity on the data link. Would it make sense to add functionality to Tinc to accomplish that (i.e. an option named something like "DataPingInterval" or "DataKeepaliveInterval")?

Thanks.
Nathan

----------------------------------------------------------------------------
Nathan Stratton Treadway - nathanst at ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
That's strange. You do have a rule to NAT the UDP traffic from outside to your Tinc host inside, right?

On Tue, Oct 23, 2012 at 3:55 PM, Nathan Stratton Treadway <nathanst at ontko.com> wrote:
> I'm running Tinc on a Linux machine inside my home network, connecting
> through a NATing router to a Tinc server out on the Internet.
>
> I've noticed that fairly frequently the SSH sessions I leave open (but
> unused) get aborted with a "Connection reset by peer" message. When I
> investigated closely, I found that after a period of inactivity my
> router times out the UDP "session" between the remote and local Tinc
> nodes, and thus any VPN traffic that then attempts to come in from the
> remote side toward my SSH client gets dropped by the router (because it
> no longer has a record of where to forward the incoming Tinc packets).
> When this condition lasts long enough, the remote SSH server times out
> and closes the login session. (During this period, of course, other
> inbound traffic is also lost, e.g. syslog messages sent toward my local
> machine, etc.)
>
> As soon as something on the local side needs to send traffic to the
> office side, the local Tinc node sends new outbound UDP packets, the
> router re-establishes the virtual session between the two nodes, and all
> traffic resumes passing normally (at least until the next period of
> inactivity).
>
> I see that the PingInterval setting allows me to set a minimum inactivity
> period on the metadata connection, and that seems to be enough to
> prevent the TCP session from timing out in the router... but I haven't
> found any way to cause Tinc to ensure the data/UDP "session" also stays
> active.
>
> (I'm currently using v1.0.x, but I checked the v1.1 documentation on the
> web site as well and didn't see any new features that appeared to apply
> to this situation.)
>
> So, I'm wondering if I've missed some aspect of the Tinc configuration
> that would address this issue, and (assuming I haven't) what other
> people have done when facing this situation?
>
> For now I can use a "ping" command or something running locally to make
> sure that I have some traffic sent out over the VPN toward the office
> side once a minute or so -- but it seems cleaner to have Tinc itself
> monitor for "long" stretches of inactivity on the data link. Would it
> make sense to add functionality to Tinc to accomplish that (i.e. an
> option named something like "DataPingInterval" or
> "DataKeepaliveInterval")?
>
> Thanks.
> Nathan
>
> ----------------------------------------------------------------------------
> Nathan Stratton Treadway - nathanst at ontko.com - Mid-Atlantic region
> Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
> GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
> Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Tue, Oct 23, 2012 at 03:55:15PM -0400, Nathan Stratton Treadway wrote:
> I see that the PingInterval setting allows me to set a minimum inactivity
> period on the metadata connection, and that seems to be enough to
> prevent the TCP session from timing out in the router... but I haven't
> found any way to cause Tinc to ensure the data/UDP "session" also stays
> active.
>
> (I'm currently using v1.0.x, but I checked the v1.1 documentation on the
> web site as well and didn't see any new features that appeared to apply
> to this situation.)

Which version are you using exactly? Recent versions also send UDP packets at the PingInterval; this is part of the PMTUDiscovery feature, which is enabled by default.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
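To make the failure mode in this thread concrete, here is an added example that is not tinc's code and not from either poster. It models the router behaviour Nathan describes: a NAT keeps a UDP "session" entry that outbound packets create or refresh and that is silently dropped after an idle period, so inbound packets arriving after expiry have no forwarding record and are discarded. The keepalive parameter stands in for the UDP ping Guus mentions, which tinc sends every PingInterval seconds (default 60) when PMTUDiscovery is enabled. The 30 s NAT timeout, the inside address and the packet times are assumed values chosen for illustration, not measurements of any real router.

```python
# Added example (not tinc's code): a small model of a NAT's UDP "session"
# table with an idle timeout. Outbound packets create or refresh an entry;
# inbound packets are delivered only while an entry exists. All timeouts,
# addresses and timings below are assumptions for illustration.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port) of the inside host, e.g. the home tinc node


@dataclass
class UdpNat:
    """Idealised NAT with a per-mapping idle timeout (seconds)."""
    idle_timeout: float
    # inside endpoint -> (public port, time the entry was last refreshed)
    table: Dict[Endpoint, Tuple[int, float]] = field(default_factory=dict)
    next_public_port: int = 40000
    dropped: int = 0

    def _expire(self, now: float) -> None:
        # Forget every mapping that has been silent longer than the timeout.
        dead = [ep for ep, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for ep in dead:
            del self.table[ep]

    def outbound(self, inside: Endpoint, now: float) -> int:
        """Inside host sends a UDP packet: create or refresh its mapping."""
        self._expire(now)
        if inside in self.table:
            port, _ = self.table[inside]
        else:
            port = self.next_public_port  # a fresh mapping may get a new public port
            self.next_public_port += 1
        self.table[inside] = (port, now)
        return port

    def inbound(self, public_port: int, now: float) -> Optional[Endpoint]:
        """Packet from the Internet for public_port: deliver only if a live mapping exists."""
        self._expire(now)
        for inside, (port, _) in self.table.items():
            if port == public_port:
                self.table[inside] = (port, now)  # traffic in either direction refreshes the entry
                return inside
        self.dropped += 1  # no record of where to forward it: the router silently drops it
        return None


def simulate(nat_timeout: float, keepalive_interval: Optional[float],
             inbound_times: List[float], duration: float) -> Tuple[int, int]:
    """Run one VPN 'session' through the NAT; return (delivered, dropped) inbound packets.

    keepalive_interval models the home tinc node sending a UDP packet every
    PingInterval seconds. None means the only outbound packet is the one at t=0,
    i.e. no UDP keepalive at all.
    """
    nat = UdpNat(idle_timeout=nat_timeout)
    home_node: Endpoint = ("192.168.1.10", 655)  # assumed inside address of the tinc node

    events: List[Tuple[float, str]] = [(0.0, "out")]
    if keepalive_interval is not None:
        t = keepalive_interval
        while t <= duration:
            events.append((t, "out"))
            t += keepalive_interval
    events += [(when, "in") for when in inbound_times]
    events.sort()  # on a tie "in" sorts before "out": a packet arriving as a ping is sent sees the old state

    public_port = nat.outbound(home_node, 0.0)  # the remote side learned this port from the first packet
    delivered = 0
    for now, kind in events[1:]:
        if kind == "out":
            public_port = nat.outbound(home_node, now)  # remote relearns the port from the ping
        elif nat.inbound(public_port, now) is not None:
            delivered += 1
    return delivered, nat.dropped


if __name__ == "__main__":
    # The office side sends SSH packets toward the idle client at t=50 s and t=200 s.
    for label, ka in (("no UDP keepalive", None), ("PingInterval=60", 60.0), ("PingInterval=20", 20.0)):
        print(label, simulate(nat_timeout=30.0, keepalive_interval=ka,
                              inbound_times=[50.0, 200.0], duration=240.0))
```

The model's result is the practical check to apply: inbound VPN packets survive only while the interval between outbound UDP packets stays below the router's UDP idle timeout, so once the UDP ping exists, PingInterval must be set below that timeout, and a once-a-minute ping (whether tinc's own or the `ping` workaround) is not enough against a router that drops idle UDP mappings after 30 s. On a Linux-based router the relevant defaults are nf_conntrack_udp_timeout (30 s, before replies have been seen) and nf_conntrack_udp_timeout_stream (180 s, once traffic has flowed both ways); other routers use their own values, which can be found empirically by lengthening the idle gap until inbound traffic stops.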