Hi,

I have tried the LocalDiscovery feature of tinc.

The problem is that it also sends broadcast probes out the VPN interface *and* detects nodes on the VPN. A connection is then established through the tunnel, which effectively breaks connectivity between the two nodes.

I do not think that discovering hosts on the VPN makes sense in any way. How can it be disabled?

I could easily netfilter those packets out on the tunnel interface, but this is only feasible on some of my nodes due to platform restrictions (ever tried to use iptables in a useful way on Android without going nuts?).

Cheers,
Nik

--
* mirabilos is handling my post-1990 smartphone
<mirabilos> Aaah, it vibrates! Wherefore art thou, demonic device??
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
On 4/4/2013 5:40 AM, Dominik George wrote:
> Hi,
>
> I have tried the LocalDiscovery feature of tinc.
>
> The problem is that it also sends broadcast probes out the VPN interface
> *and* detects nodes on the VPN. A connection is then established through
> the tunnel, which effectively breaks connectivity between the two nodes.
>
> I do not think that discovering hosts on the VPN makes sense in any way.
> How can it be disabled?
>
> I could easily netfilter those packets out on the tunnel interface, but
> this is only feasible on some of my nodes due to platform restrictions
> (ever tried to use iptables in a useful way on Android without going
> nuts?).
>
> Cheers,
> Nik

Sounds like from your post you must be using 'tap' mode, since you talk of broadcasts over the VPN. I would imagine there wouldn't be such issues if running in 'tun' mode. I'm not sure if Tinc could be programmed not to originate broadcasts to the VPN interface, but that's just one of the drawbacks to running 'tap' mode, I suppose.

I recall that patches to block broadcasts using OpenVPN were ready to go, but were rejected because it was outside of its basic functionality and responsibility. I used to run tap, and had quite an impressive list of ebtables rules to block DHCP, UPnP, NAT-PMP and other such broadcast protocols (I run tinc on a small cluster of routers). I eventually found my needs didn't really require a 'tap' connection (or the overhead) and now run with tun. If I do need a tap connection, I use OpenVPN to VPN into the specific location (and also have it push my Tinc routes too).

Hopefully I'm not too far off base here :-)

Lance
Looking at the docs, it appears LocalDiscovery should be off by default. You could also try explicitly placing 'LocalDiscovery = no' in your configs.

Lance

On 4/4/2013 5:40 AM, Dominik George wrote:
> Hi,
>
> I have tried the LocalDiscovery feature of tinc.
>
> The problem is that it also sends broadcast probes out the VPN interface
> *and* detects nodes on the VPN. A connection is then established through
> the tunnel, which effectively breaks connectivity between the two nodes.
>
> I do not think that discovering hosts on the VPN makes sense in any way.
> How can it be disabled?
>
> I could easily netfilter those packets out on the tunnel interface, but
> this is only feasible on some of my nodes due to platform restrictions
> (ever tried to use iptables in a useful way on Android without going
> nuts?).
>
> Cheers,
> Nik
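As an added example (not code from this thread's authors or from the tinc project), here is a small POSIX shell helper that applies Lance's suggestion without hand-editing: it reports the effective LocalDiscovery value in a tinc.conf-style "Key = value" file and forces it to 'no', rewriting an existing line (any case, any spacing) rather than appending a duplicate. The config path passed as the first argument and the sample file contents mentioned in the comments are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the tinc project or this thread's authors.
# Helpers for a tinc.conf-style "Key = value" file (path passed as $1, an
# assumption). Keys are matched case-insensitively, as tinc itself does.

# Print the effective LocalDiscovery value: the last matching line's value,
# lower-cased ("yes"/"no"), or "unset" if no line sets it.
local_discovery_value() {
    conf="$1"
    [ -f "$conf" ] || { echo unset; return 0; }
    awk -F= '
        tolower($1) ~ /^[[:space:]]*localdiscovery[[:space:]]*$/ { v = $2 }
        END {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (v == "") print "unset"; else print tolower(v)
        }' "$conf"
}

# Force LocalDiscovery off. An existing line is rewritten in place so the
# file does not accumulate duplicates; if the key is absent, one line is
# appended. Writes via a temp file (sed -i differs between GNU and BSD).
# Prints the resulting value so callers can verify the edit took.
disable_local_discovery() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk -F= '
        tolower($1) ~ /^[[:space:]]*localdiscovery[[:space:]]*$/ {
            print "LocalDiscovery = no"; seen = 1; next
        }
        { print }
        END { if (!seen) print "LocalDiscovery = no" }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    local_discovery_value "$conf"
}

# Example use (path is a placeholder for your own netname):
#   disable_local_discovery /etc/tinc/NETNAME/tinc.conf
```

Source the file in a shell and call `disable_local_discovery` with the path of the node's tinc.conf, then restart tincd so the daemon re-reads its configuration; a second call is harmless, which is what makes it usable from a provisioning script that runs on every boot.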