Good day,

Currently using tinc 1.0.24 on Debian 8.x, OVH datacentre, two servers same vRack (ie. internal ethernet bridge/switched together).

I'm wanting to get a remote server connected to both the two OVH servers for fail-over reasons, but having access via both to the shared vRack segment as a switch mode. Thereby essentially I'm creating an ethernet loop...

    -----------------vRack
    |               |
    Server1     Server2
    |               |
       RemoteServer

tinc creates a tun/tap on Server1 & Server2. This then connects to an OpenVSwitch bridge/switch that has, on both servers, the eth1 interfaces as ports to that bridge/switch.

Questions:

1) Does tinc support some STP to pick up this type of loops and block one interface/link?
   I guess not, especially after looking at Broadcast = no|direct|mst

Yes, I might have a very corner case need which I am doing as a temporary solution while waiting for the right solution, but the question then gets raised:

2) Is there anybody that did any type of HA for tinc when the one daemon fails to connect to the other or vice versa?
   (I guess my next stop will be something like the Linux HA if I really want this, else I'll just have to manually switch between the two servers, or switch one off while the other is on...)

3) Anything else I might've missed this late in the evening?

Hendrik
Guus Sliepen
2016-Aug-17 08:39 UTC
"HA" ie. two linked tincds on the same ethernet segment
On Wed, Aug 17, 2016 at 12:32:35AM +0200, hvjunk wrote:

> Currently using tinc 1.0.24 on Debian 8.x, OVH datacentre, two servers same vRack (ie. internal ethernet bridge/switched together).
>
> I'm wanting to get a remote server connected to both the two OVH servers for fail-over reasons, but having access via both to the shared vRack segment as a switch mode. Thereby essentially I'm creating an ethernet loop...
>
>     -----------------vRack
>     |               |
>     Server1     Server2
>     |               |
>        RemoteServer
>
> tinc creates a tun/tap on Server1 & Server2. This then connects to an OpenVSwitch bridge/switch that has, on both servers, the eth1 interfaces as ports to that bridge/switch.
>
> Questions:
>
> 1) Does tinc support some STP to pick up this type of loops and block one interface/link?
>    I guess not, especially after looking at Broadcast = no|direct|mst

No, tinc only guarantees that within the tinc VPN itself there are no loops. However, if OpenVSwitch supports STP, then you should just enable that, and then everything should be loop-free. However, I suspect that in that case, it will let everything be forwarded via tinc instead of the local network, which is not what you want.

> Yes, I might have a very corner case need which I am doing as a temporary solution while waiting for the right solution, but the question then gets raised:
>
> 2) Is there anybody that did any type of HA for tinc when the one daemon fails to connect to the other or vice versa?
>    (I guess my next stop will be something like the Linux HA if I really want this, else I'll just have to manually switch between the two servers, or switch one off while the other is on...)

Yes, I've used that kind of setup myself. Normally it works fine, but then again I never had your situation where there is a potential loop. What you can try is to set "Forwarding = kernel" in RemoteServer's tinc.conf. This way, it will not internally forward packets from Server1 to Server2, but rather lets everything go via the tap device. Then you can use iptables to deny unwanted traffic.

What you can also do, if there are not more nodes on the network, is to give Server1 and Server2 an identical tinc setup (same Name and public/private keypair). Then on RemoteServer, just have ConnectTo Server, and have both the Addresses from Server1 and Server2 in hosts/Server. That way, RemoteServer only connects to one of them at a time.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
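The two suggestions above, laid out as concrete tinc 1.0 configuration trees. This is an added example, not code from the thread or from the tinc project: Server1 and Server2 run one shared identity "Server" (same Name and key pair, no ConnectTo between them), RemoteServer has ConnectTo = Server with both servers' addresses in hosts/Server, and RemoteServer also sets Forwarding = kernel so tincd hands every frame to the tap instead of relaying it between peers. The netname "vrack", the OVS bridge name "br-vrack", the TEST-NET public addresses and the 10.66.0.0/24 tap address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not tinc's own tooling): writes the tinc 1.0
# configuration trees for the shared-identity fail-over setup described above.
# Assumed values: netname "vrack", OVS bridge "br-vrack", TEST-NET addresses.
set -eu

NETNAME=vrack
BRIDGE=br-vrack
SERVER1_ADDR=203.0.113.10   # assumed public address of Server1
SERVER2_ADDR=203.0.113.20   # assumed public address of Server2
REMOTE_ADDR=198.51.100.5    # assumed public address of RemoteServer

# write_configs ROOT: creates ROOT/Server and ROOT/RemoteServer, each a complete
# /etc/tinc/$NETNAME directory except for the key material (see note at the end).
write_configs() {
    root=$1

    # ---- shared identity, deployed unchanged to both Server1 and Server2 ----
    d="$root/Server"
    mkdir -p "$d/hosts"
    cat > "$d/tinc.conf" <<EOF
Name = Server
Mode = switch
Interface = tinc0
# No ConnectTo here: RemoteServer dials in, and the two servers never peer with each other.
EOF
    cat > "$d/hosts/Server" <<EOF
# Both vRack servers answer as "Server"; tinc tries each Address in turn.
Address = $SERVER1_ADDR
Address = $SERVER2_ADDR
Port = 655
EOF
    cat > "$d/hosts/RemoteServer" <<EOF
Address = $REMOTE_ADDR
Port = 655
EOF
    # tincd runs tinc-up with INTERFACE set; the tap becomes a port of the vRack bridge.
    cat > "$d/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ovs-vsctl --may-exist add-port $BRIDGE "\$INTERFACE"
EOF
    cat > "$d/tinc-down" <<EOF
#!/bin/sh
ovs-vsctl --if-exists del-port $BRIDGE "\$INTERFACE"
EOF
    chmod 755 "$d/tinc-up" "$d/tinc-down"

    # ---- RemoteServer ----
    d="$root/RemoteServer"
    mkdir -p "$d/hosts"
    cat > "$d/tinc.conf" <<EOF
Name = RemoteServer
Mode = switch
Interface = tinc0
ConnectTo = Server
# Hand every frame to the tap instead of relaying it between peers inside tincd.
Forwarding = kernel
EOF
    cp "$root/Server/hosts/Server" "$d/hosts/Server"
    cp "$root/Server/hosts/RemoteServer" "$d/hosts/RemoteServer"
    cat > "$d/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add 10.66.0.5/24 dev "\$INTERFACE"
EOF
    chmod 755 "$d/tinc-up"
}

# Key material is deliberately not generated here. After the trees are in place:
#   on Server1:      tincd -n $NETNAME -K   (appends Server's public key to hosts/Server)
#   on RemoteServer: tincd -n $NETNAME -K   (appends it to hosts/RemoteServer)
# then copy the completed Server directory verbatim to Server2, and exchange the
# two hosts files so that every node carries both public keys.

case "${1:-}" in
    "") ;;                        # no argument: only define the functions
    *)  write_configs "$1" ;;     # e.g. ./tinc-ha-layout.sh /tmp/tinc-layout
esac
```

Because Server1 and Server2 present the same identity, RemoteServer maintains a single meta-connection and fails over to the other Address only when the current one drops, which is what keeps the vRack from seeing both tunnels at once; Forwarding = kernel is what stops tincd on RemoteServer from bridging the two servers internally should both ever be reachable.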