tinc - Aug 2014 - State graph of UDP data-connections

Hi,

I'm using Tinc in a scenario where round-trip time matters.
I've multiple nodes behind firewalls (with and without NAT) and a single
public server node.

How do I can get the current state of UDP data-connections between my
firewall'd nodes?

According to the docs: 

- 'dump connections' give me all TCP meta-connections of the current
node

- 'dump edges' give me all connections between all nodes of the VPN.
    The meta-protocol has a command called ADD_EDGE which is used to
inform other nodes about existing UDP data-connections.
    This leads to the conclusion that 'dump edges' is used to show UDP
data-connections.
    But as far as I can tell from my tests, these are only the TCP
meta-connections.

I've tried to trace the actual UDP data-connections by using:

   'tcpdump -i eth0 udp port tinc'

This shows me that the UDP data path is actually fully-meshed.
So Tinc succeeds using STUN and UDP hole punching for my firewalls.

So I'm wondering why these fully meshed UDP connections (created by
STUN) arn't shown by 'dump edges' ?!

Regards,

Steffen

[1] http://tinc-vpn.org/documentation-1.1/The-meta_002dconnection.html
[2] http://tinc-vpn.org/documentation-1.1/The-meta_002dprotocol.html
[3] http://www.tinc-vpn.org/pipermail/tinc/2009-April/001901.html

-- 
Steffen Vogel
Robensstra?e 69
52070 Aachen

Mail: post at steffenvogel.de
Mobil: +49 1575 7180927
Web: http://www.steffenvogel.de
Jabber: steffen.vogel at jabber.rwth-aachen.de
-------------- n?chster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde abgetrennt...
Dateiname   : signature.asc
Dateityp    : application/pgp-signature
Dateigr??e  : 819 bytes
Beschreibung: This is a digitally signed message part
URL         :
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20140806/5da21761/attachment.sig>

On Wed, Aug 06, 2014 at 11:09:05AM +0200, Steffen Vogel wrote:
> How do I can get the current state of UDP data-connections between my
> firewall'd nodes?
> 
> - 'dump edges' give me all connections between all nodes of the
VPN.
>     The meta-protocol has a command called ADD_EDGE which is used to
> inform other nodes about existing UDP data-connections.
>     This leads to the conclusion that 'dump edges' is used to show
UDP
> data-connections.
>     But as far as I can tell from my tests, these are only the TCP
> meta-connections.
The ADD_EDGE messages are only sent for meta-connections, not for direct
UDP connections. The state of UDP connections is not communicated
amongst nodes. You can find out if the local node has a UDP connection
with another node (say, "foo") by using the command:

tinc info foo

This should give some information about node foo. There is one line
starting with "Reachability:" that will tell you about how tinc will
send packets to that node. It can either be:

- unreachable: the node cannot be reached in any way currently.

- unknown: the node is reachable but the local node has not (yet) tried
  to communicate with it directly.

- indirectly via ...: the node cannot be reached directly, packets will
  be forwarded by an intermediate node.

- directly with UDP: packets will be sent directly using UDP.

- directly with TCP: the local node has a meta connection with foo, but
  UDP doesn't work, so it will send the packets via the TCP connection.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20140806/b41ddd34/attachment.sig>