Hi all,

I'm using a tinc 1.0.19 (from Debian Squeeze) setup with some nodes connecting to a "server" node which has "StrictSubnets = yes". Whenever a new node is added to the mesh, a process generates and drops its host file in the server's host directory before the node is booted and tries to connect.

For instance, I create a node "node_2" and a host file with the following subnet is created:

    Subnet = fd65:fc41:c50f:2:0:0:0:0/64

When the node boots I see the following messages in tinc's log:

    1369133834 tinc.confine[2550]: Connection from 10.241.0.2 port 50858
    ...
    1369133834 tinc.confine[2550]: Connection with node_2 (10.241.0.2 port 50858) activated
    ...
    1369133834 tinc.confine[2550]: Got ADD_SUBNET from node_2 (10.241.0.2 port 50858): 10 3fba6e6f node_2 fd65:fc41:c50f:2:0:0:0:0/64#10
    1369133834 tinc.confine[2550]: Ignoring unauthorized ADD_SUBNET from node_2 (10.241.0.2 port 50858): fd65:fc41:c50f:2:0:0:0:0/64#10
    ...
    1369133834 tinc.confine[2550]: Node node_2 (10.241.0.2 port 655) became reachable

The node publishes that subnet and the server knows it beforehand from the existing node host file, but as you can see it still ignores it as unauthorized, so the node is unreachable. Killing the server daemon with HUP makes everything work, but I expected this not to be necessary. Surprisingly, replacing the node's public key first in the server and then in the node, and restarting the daemon in the node (without touching that of the server), results in the node getting back online.

Any ideas on why the server needs the HUP?

Thank you very much,

-- 
Ivan Vilata i Balaguer -- elvil.net
Ivan Vilata i Balaguer (2013-05-21 17:23:40 +0200) wrote:

> I'm using a tinc 1.0.19 (from Debian Squeeze) setup with some nodes
> connecting to a "server" node which has "StrictSubnets = yes".
> Whenever a new node is added to the mesh, a process generates and
> drops its host file in the server's host directory before the node is
> booted and tries to connect.
> [...]
>
> The node publishes that subnet and the server knows it beforehand from
> the existing node host file, but as you can see it still ignores it as
> unauthorized so the node is unreachable. Killing the server daemon
> with HUP makes everything work, but I expected this not to be
> necessary. Surprisingly, replacing the node's public key first in the
> server then in the node and restarting the daemon in the node (without
> touching that of the server) results in the node getting back online.
>
> Any ideas on why the server needs the HUP?
>
> Thank you very much,

Moreover, although it doesn't accept the subnet itself, the server forwards the ADD_SUBNET to other nodes (in the tests they are on the same network link and only know the server to which they ConnectTo), so other nodes can ping the newly added node but the server cannot. The problem is that I need to contact services running in the server from the node. :-/

There's also the question whether forwarding such an untrusted network makes sense (can it be disabled?), but that's another topic...

Thanks!

-- 
Ivan Vilata i Balaguer -- elvil.net
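A small operator-side check suggested by the symptom in both posts above, added here as an example that is not part of the original thread or of tinc itself: it parses "Ignoring unauthorized ADD_SUBNET" lines from the server's log and compares each rejected subnet with the Subnet lines of the on-disk host file for that node, so that a subnet the host file already permits (which, as the thread observes, points at the daemon not having reloaded the file) is told apart from one that is genuinely unauthorized. The log excerpt and host files are constructed sample data modelled on the post; the "stale" label is this example's own interpretation.

```python
import ipaddress
import re

# Constructed sample data: a tinc log excerpt (modelled on the post) and the
# host files as the server has them on disk (hosts/<name>). node_9 is made up
# and its host file deliberately lists a different subnet than it announces.
SAMPLE_LOG = """\
1369133834 tinc.confine[2550]: Got ADD_SUBNET from node_2 (10.241.0.2 port 50858): 10 3fba6e6f node_2 fd65:fc41:c50f:2:0:0:0:0/64#10
1369133834 tinc.confine[2550]: Ignoring unauthorized ADD_SUBNET from node_2 (10.241.0.2 port 50858): fd65:fc41:c50f:2:0:0:0:0/64#10
1369133900 tinc.confine[2550]: Ignoring unauthorized ADD_SUBNET from node_9 (10.241.0.9 port 50901): fd65:fc41:c50f:9::/64#10
"""
HOST_FILES = {
    "node_2": "Subnet = fd65:fc41:c50f:2:0:0:0:0/64\n",
    "node_9": "Subnet = fd65:fc41:c50f:7::/64\n",
}

# Captures the node name and the rejected subnet from the log line.
IGNORED = re.compile(r"Ignoring unauthorized ADD_SUBNET from (\S+) \(.*?\): (\S+)")


def normalize(subnet):
    # Drop tinc's "#weight" suffix and canonicalize, so that the expanded
    # form 'fd65:...:2:0:0:0:0/64' compares equal to 'fd65:...:2::/64'.
    return ipaddress.ip_network(subnet.split("#")[0], strict=False)


def authorized_subnets(host_file_text):
    # Collect every "Subnet = ..." entry of one host file as a set of networks.
    subs = set()
    for line in host_file_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "Subnet":
            subs.add(normalize(value.strip()))
    return subs


def classify(log_text, host_files):
    """Return {node: "stale" | "unauthorized"} for each ignored ADD_SUBNET.

    "stale": the on-disk host file already permits the subnet, so the running
    daemon is working from an older in-memory copy of that host file.
    "unauthorized": the host file really does not list the subnet.
    """
    result = {}
    for line in log_text.splitlines():
        m = IGNORED.search(line)
        if not m:
            continue
        node, subnet = m.group(1), normalize(m.group(2))
        allowed = authorized_subnets(host_files.get(node, ""))
        result[node] = "stale" if subnet in allowed else "unauthorized"
    return result
```

Running `classify(SAMPLE_LOG, HOST_FILES)` on the sample reports node_2 as "stale" and node_9 as "unauthorized"; a node with no host file at all is also reported as "unauthorized".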