On Wed, May 15, 2013 at 07:39:29PM +0400, Lee Essen wrote:
> I have a question around whether there is any way to control tinc routing
> if you have multiple routes to the same destination.
>
> I have a three node configuration, let's call them:
>
> home -> connects to both other nodes
> vps1 -> a VPS, providing connection to the internet
> vps2 -> another VPS, also providing a connection to the internet
>
> Both vps nodes provide their own 192.168.x.0 subnet as well as 0.0.0.0/0 to
> allow any traffic to go that way and out to the internet (via SNAT.)
>
> My original plan was to have different weightings on the 0.0.0.0/0 networks
> so that I got a preferred vps node, but in the event of a problem it would
> effectively fail over to the other one. This config all works perfectly ... tinc
> is absolutely superb!
>
> BUT ... my preferred vps node has a slight issue from a geographic
> standpoint that means some services don't work as well as they should ...
> I'd still like it to be the primary since it has a much bigger bandwidth
> allowance, but I'd like to route specific services over the other vps
> (obviously should this second node fail, I'd lose those things that
> don't work well on the primary ... I'm ok with this.)
>
> So basically I have a single tinc VPN with two nodes providing 0.0.0.0/0
> and I'd still like a way to force specific traffic over one or the other.
>
> I tried using the 192.168.x.x address in the routing table, but that seems
> to be ignored, traffic still goes down the primary route.

In router mode, a gateway route does nothing; that only has effect on Ethernet
networks. If you want traffic to specific IP addresses to go via the normally
unpreferred node, that is easy: just add Subnets for those IP addresses (or
whole ranges if you want) to the host config file of the unpreferred node. You
can have overlapping Subnets, and smaller Subnets are always preferred over
larger ones (just like the Linux routing table works).

If that is not enough, you could run tinc in switch mode, but then you'd have
to use some other tool to handle failover between the two nodes. You can use
host-up/down scripts to change your routing table depending on which one(s) are
online, or run a routing daemon on top of your VPN.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
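As an added example, not part of this exchange: the two host config files that implement the suggestion above. vps1 stays the preferred default gateway through its lower weight, while vps2 additionally announces the narrower prefixes of the services that must leave via it; the 192.168.1.0/24, 192.168.2.0/24 and 198.51.100.0/24 ranges and the hostnames are placeholders.

```ini
# hosts/vps1 (identical copy on every node)
# Preferred default gateway: among equal prefixes the lower weight wins,
# so 0.0.0.0/0#10 beats vps2's 0.0.0.0/0#20 while vps1 is reachable.
Address = vps1.example.net
Subnet = 192.168.1.0/24
Subnet = 0.0.0.0/0#10

# hosts/vps2 (identical copy on every node)
# Fallback default gateway, plus the destinations that must always use vps2.
# A narrower prefix is chosen before any 0.0.0.0/0 regardless of weight,
# so 198.51.100.0/24 (placeholder for the affected service) is routed here
# even though vps1 is the preferred default.
Address = vps2.example.net
Subnet = 192.168.2.0/24
Subnet = 0.0.0.0/0#20
Subnet = 198.51.100.0/24
```

With Mode = router, the kernel on home only needs a default route into the tinc interface; tinc then selects the exit node per packet from these Subnets, and if vps1 becomes unreachable the remaining 0.0.0.0/0#20 takes over as before.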