Bright Zhao
2017-Apr-29 23:53 UTC
Concept clarification between multiple ConnectTo and multiple netname
Hi, Tinc experts,

I've been on-boarding with Tinc for just a few days, and I am trying to set up connections between one client and multiple servers, with multiple VPN tunnels from the client to the different servers. From the documentation, it indicates that tinc.conf can support multiple ConnectTo statements, and also that tinc can support multiple netnames, like /etc/tinc/net1, /etc/tinc/net2.

My question is, for my above use case, I should go with multiple netnames instead of multiple ConnectTo statements, right?

I did some tests, and I found that no matter how many ConnectTos I placed in the tinc.conf (on the client side), only one connection could be made to the server, and only one tun0 was brought up, which is the p2p connection that can only go to one server, even though in the debug messages I saw two connections all established, but only one connection is pingable.

If this is the case, then can I assume that the ConnectTo in the tinc.conf is connection by sequence, which is a failover mechanism, instead of "connect them all"? But multiple netnames can do the "connect them all".

--
Bright Zhao sent from Gmail
Etienne Dechamps
2017-May-01 10:39 UTC
Concept clarification between multiple ConnectTo and multiple netname
If you have multiple ConnectTo statements in your tinc.conf, then tinc will attempt to establish connections with *all* of them. It is not a fallback, though it is a good idea for every node to have at least two direct connections for improved resiliency and fault tolerance.

As to whether you should have just one tinc network or multiple networks, well, that depends on what you're trying to accomplish and whether you want isolation between these networks. If all your nodes are meant to be part of the same VPN (i.e. same address space) and are part of the same trust domain (i.e. they all trust each other equally), then it's simpler to have them be in the same tinc network - that will simplify configuration and it will result in smarter routing decisions.

If you are setting up individual tinc networks that only have two nodes in them, then tinc is overkill - you might as well use something simpler like IP/IP, GRE, OpenVPN or other "point-to-point" VPN solutions. tinc's purpose is to build a reliable, self-routing VPN out of a large mesh network of nodes; it makes little sense to use it for simple point-to-point connections.
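Added example (not from this thread or from the tinc project): a small audit script that reads one tinc network directory, lists every ConnectTo target in tinc.conf, and checks that each target has a hosts file with an Address (tinc cannot initiate an outgoing connection without one) and a public key. It also flags a node with fewer than two ConnectTo entries, which is the resiliency point made above. Parsing follows tinc's `Key = Value` line format with `#` comments; the network directory, host names and key blocks are all constructed sample data created in a temporary directory.

```python
import tempfile
from pathlib import Path


def parse_tinc_config(text):
    """Parse tinc's 'Key = Value' format into {key_lower: [values]}.

    Keys such as ConnectTo and Subnet may repeat, so every value is kept.
    Key names are matched case-insensitively, as tinc does.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:                                 # tolerate 'Key Value' lines
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key:
            config.setdefault(key, []).append(value)
    return config


def audit_connectto(net_dir):
    """Return (connectto_targets, problems) for one tinc network directory.

    Every ConnectTo is an outgoing connection tinc will try to open, so each
    target needs hosts/<target> with an Address and a public key.
    """
    net_dir = Path(net_dir)
    conf = parse_tinc_config((net_dir / "tinc.conf").read_text())
    own_name = conf.get("name", [""])[0]
    targets = conf.get("connectto", [])
    problems = []

    if len(targets) < 2:
        problems.append("fewer than two ConnectTo entries: no redundant path into the mesh")

    for target in targets:
        if target == own_name:
            problems.append(f"ConnectTo = {target} points at this node itself")
            continue
        host_file = net_dir / "hosts" / target
        if not host_file.is_file():
            problems.append(f"ConnectTo = {target} but hosts/{target} is missing")
            continue
        host_text = host_file.read_text()
        host = parse_tinc_config(host_text)
        if "address" not in host:
            problems.append(f"hosts/{target} has no Address, so tinc cannot initiate this connection")
        if "-----BEGIN" not in host_text and "ed25519publickey" not in host:
            problems.append(f"hosts/{target} carries no public key")
    return targets, problems


# Constructed placeholder, not a real key: stands in for the key block tinc
# writes into a hosts file.
FAKE_KEY_BLOCK = "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n"


def build_sample_network():
    """Create a constructed client network dir with three ConnectTo targets:
    server1 is complete, server2 lacks an Address, server3 has no hosts file."""
    root = Path(tempfile.mkdtemp(prefix="tinc-sample-"))
    (root / "hosts").mkdir()
    (root / "tinc.conf").write_text(
        "Name = client\n"
        "Mode = router\n"
        "ConnectTo = server1   # first direct connection\n"
        "ConnectTo = server2   # second direct connection, attempted too\n"
        "ConnectTo = server3\n"
    )
    (root / "hosts" / "server1").write_text(
        "Address = 203.0.113.10\nSubnet = 10.0.1.0/24\n" + FAKE_KEY_BLOCK)
    (root / "hosts" / "server2").write_text(
        "Subnet = 10.0.2.0/24\n" + FAKE_KEY_BLOCK)
    return root


if __name__ == "__main__":
    targets, problems = audit_connectto(build_sample_network())
    print("ConnectTo targets:", targets)
    for p in problems:
        print("PROBLEM:", p)
```

Run against a real network directory (for example `/etc/tinc/net1`) the script reports every outgoing connection tinc will attempt; a target listed here but never reaching "connection established" in the debug output is worth checking for a missing Address or a key that does not match the peer's.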
Bright Zhao
2017-May-01 12:16 UTC
Concept clarification between multiple ConnectTo and multiple netname
Hi, Etienne,

Thanks for your clarification; this helped a lot.

In order to get a better understanding of the mechanism of Tinc and the purpose of the ConnectTo statement, can I think of ConnectTo as the way to get the node into the Tinc VPN domain, instead of establishing a VPN connection between nodes? Once any node ConnectTo's the Tinc VPN domain, it learns all other nodes, subnets, and their corresponding public or private (but UDP reachable) addresses, and establishes a full mesh VPN among them on demand. So technically speaking, only one ConnectTo would be enough for the node to join the full mesh VPN, but in order to provide resilience, adding a second ConnectTo will be beneficial.