Hi all,

I am new to Tinc VPN and would really like to make full use of this implementation if possible. I would like to know whether I will be able to use Tinc to its full potential.

My current setup is as follows:

IPfire router/firewall (OpenVPN client) ---> ISP (Internet) ---> Amazon VPS (OpenVPN server)

The IPfire router is behind a CARRIER-GRADE NAT. I am able to reach the network behind the IPfire router (which acts as an OpenVPN client and publishes its internal network over OpenVPN) from anywhere, using an OpenVPN client connecting to the Amazon VPS, which is the OpenVPN server. But since the traffic needs to traverse the OpenVPN server (Amazon VPS), there is a lot of delay/overhead and it is consuming VPS network bandwidth.

I have come to know that Tinc VPN supports spoke-to-spoke (full mesh) direct connections bypassing the hub (so clients can reach other clients without going through a server). Can this be possible in my scenario? I am really looking for a solution. Your help is appreciated.

Thank you,
Regards,
Bobby Thomas.
On Sun, Oct 18, 2015 at 02:00:36PM -0500, Bobby Thomas wrote:

> IPfire router/firewall(openvpn client) --->ISP(Internet)--->Amazon
> VPS(openvpn server).
>
> The ipfire router is behind a CARRIER-GRADE NAT [...] I have come to
> know that Tinc VPN supports spoke to spoke(full mesh) direct
> connection bypassing hub (so clients can reach other clients without
> going through a server) , can this be possible in my scenario? I am
> really looking out for a solution.

Tinc needs at least one node that is not behind NAT to assist with the hole punching of other nodes' NATs. As long as either of two nodes that want to connect to each other is behind cone NAT, this will work. It is likely that your carrier-grade NAT is cone NAT.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Thanks for the reply, Guus.

So in my case the Amazon VPS server is behind a FULL CONE NAT (static NAT). Is that enough to hole punch the other nodes? What ports should be opened up on the NAT device? Most of the other nodes are behind CG-NAT, so I won't have any control over their NAT.

Thank you,
Regards,
Bobby Thomas.

On Oct 19, 2015 1:45 AM, "Guus Sliepen" <guus at tinc-vpn.org> wrote:
> On Sun, Oct 18, 2015 at 02:00:36PM -0500, Bobby Thomas wrote:
>
> > IPfire router/firewall(openvpn client) --->ISP(Internet)--->Amazon
> > VPS(openvpn server).
> >
> > The ipfire router is behind a CARRIER-GRADE NAT [...] I have come to
> > know that Tinc VPN supports spoke to spoke(full mesh) direct
> > connection bypassing hub (so clients can reach other clients without
> > going through a server) , can this be possible in my scenario? I am
> > really looking out for a solution.
>
> Tinc needs at least one node that is not behind NAT to assist with the
> hole punching of other nodes' NATs. As long as either of two nodes that
> want to connect to each other is behind cone NAT, this will work. It is
> likely that your carrier-grade NAT is cone NAT.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
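As an added illustration (not from this thread, and not the tinc project's own files), here is a minimal tinc configuration that matches Guus's answer and Bobby's port question: the VPS is the only node with an Address line, so every spoke opens an outbound connection to it and the VPS brokers direct UDP between spokes. The network name "mesh", the node names, the subnets and the hostname vps.example.org are placeholders.

```ini
# hosts/vps  -- identical copy on every node; the only node with a public address
Address = vps.example.org    # placeholder: the VPS's public IP or DNS name
Port = 655                   # tinc's default; open 655/tcp AND 655/udp on the VPS's static NAT
Subnet = 10.10.0.1/32
# the RSA public key generated on the VPS follows here

# vps: /etc/tinc/mesh/tinc.conf  -- hub; no ConnectTo, the spokes connect to it
Name = vps
Interface = tun0

# ipfire: /etc/tinc/mesh/tinc.conf  -- behind CG-NAT; needs outbound traffic only
Name = ipfire
Interface = tun0
ConnectTo = vps

# hosts/ipfire  -- no Address line, because nothing can reach it inbound
Subnet = 10.10.0.2/32
Subnet = 192.168.1.0/24      # placeholder: the LAN behind the IPfire router

# laptop: /etc/tinc/mesh/tinc.conf  -- second spoke, also behind some NAT
Name = laptop
Interface = tun0
ConnectTo = vps

# hosts/laptop
Subnet = 10.10.0.3/32
```

Both spokes keep a TCP meta-connection to vps on 655/tcp; once ipfire and laptop learn each other's NAT-mapped UDP endpoints through vps they try to exchange data packets directly on UDP, and only if that hole punching fails are packets forwarded via vps. Spokes open no inbound ports, which is why the CG-NAT in front of them needs no configuration.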