Hi, Lars

Thanks for your suggestion, I will give it a try later to see how it performs. But yesterday I did the test below:

A ConnectTo B and C, B ConnectTo D, C ConnectTo D.

All nodes have "IndirectData" turned on in their host configuration, so the tunnel only follows the meta-connections instead of connecting directly.

D announced the default route by having the Subnet = 0.0.0.0/0 statement in its host config.

The tunnel next hop for A is set to C (on Mac, to configure the tunnel interface, you have to specify the next hop), and I pointed A's default route next hop to C as well.

In this case, A's traffic to the Internet goes through C to D to the Internet, but if I add Subnet = 0.0.0.0/0 on B, the traffic seems to go directly from A to B to the Internet.

Since A has ConnectTo to both B and C (to D through C), and the default gateway is set to C, why did A choose B instead of D's default route?

At this moment, if I shut down B's tinc daemon, the traffic path for A to the Internet returns to: to C and then to D.

During the whole process, A's default gateway pointed to C.

Sent from iPhone

> On 2 May 2017, at 04:37, Lars Kruse <lists at sumpfralle.de> wrote:
> 
> Hello,
> 
> On Mon, 1 May 2017 23:35:53 +0800, Bright Zhao <startryst at gmail.com> wrote:
> 
>> If there are multiple tinc nodes announcing the default route in their host
>> configuration with Subnet = 0.0.0.0/0, how do the remaining nodes select
>> which is the best route to get out?
> 
> It is important to understand that tinc only takes care of exchanging metadata
> (e.g. "subnet" definitions of available hosts).
> Thus it is up to you (and probably your "subnet-up" script) to turn this
> information into a routing setup.
> Probably the following subnet-up script is suitable for many use cases:
> 
> #!/bin/sh
> # tinc sets SUBNET, INTERFACE and WEIGHT in the environment of subnet-up
> ip route add "$SUBNET" dev "$INTERFACE" metric "$WEIGHT" 2>/dev/null || true
> 
> Please note the "$WEIGHT" variable (see "man tinc.conf") - it will take care of
> the "priority" of the default gateways.
> 
> Cheers,
> Lars
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Tue, May 02, 2017 at 09:16:53AM +0800, Bright Zhao wrote:

> In this case, A's traffic to the Internet goes through C to D to the Internet, but if I add Subnet = 0.0.0.0/0 on B, the traffic seems to go directly from A to B to the Internet.
[...]
> During the whole process, A's default gateway pointed to C.

It might look that way, but it doesn't. I assume you did something like this on A:

    ip route add default via <C's VPN IP address> dev $INTERFACE

However, the "via <some address>" part is only something that has any effect on Ethernet networks. If tinc is in router mode, your VPN is a pure layer 3 network. There are no Ethernet headers, only IP headers. IP headers only have a source and destination IP address, they don't contain any information about a gateway. So when tinc gets a packet, it can only route based on the final destination.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
Hi, Guus

I don't quite understand what you describe below. To me, no matter whether it is tinc or any other router/PC that gets an IP packet, it will check its route table, matching the packet's destination IP against the route table to find the next hop. If I put "ip route add default via <C's VPN IP address> dev $INTERFACE", I thought tinc would match the packet's destination IP to the "default" route, and then send the traffic through $INTERFACE to the next hop <C's VPN IP address>. And when it found that the next hop is on a virtual interface (instead of Ethernet, where ARP can handle layer 2), it would then map that to the physical tinc connection over which A's tunnel to C was built, and put the packet inside that connection to forward it.

This understanding comes from my knowledge of traditional IPsec VPNs, so let me know if there is anything wrong for tinc. BTW, do we have any training / technical intro for tinc besides the documentation on tinc-vpn.org?

> On 2 May 2017, at 1:43 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> 
> On Tue, May 02, 2017 at 09:16:53AM +0800, Bright Zhao wrote:
> 
>> In this case, A's traffic to the Internet goes through C to D to the Internet, but if I add Subnet = 0.0.0.0/0 on B, the traffic seems to go directly from A to B to the Internet.
> [...]
>> During the whole process, A's default gateway pointed to C.
> 
> It might look that way, but it doesn't. I assume you did something like
> this on A:
> 
>     ip route add default via <C's VPN IP address> dev $INTERFACE
> 
> However, the "via <some address>" part is only something that has any
> effect on Ethernet networks. If tinc is in router mode, your VPN is a
> pure layer 3 network. There are no Ethernet headers, only IP headers. IP
> headers only have a source and destination IP address, they don't
> contain any information about a gateway. So when tinc gets a packet, it
> can only route based on the final destination.
Hello,

On Tue, 2 May 2017 09:16:53 +0800, Bright Zhao <startryst at gmail.com> wrote:

> [..]
> Since A has ConnectTo to both B and C (to D through C), and the default
> gateway is set to C, why did A choose B instead of D's default route?

This is starting to become a little bit confusing. Let us clear this up with facts :)

Could you please share your routing table with us?
Additionally, the subnet definitions of each relevant tinc node would be helpful.

You surely sync all node files on all hosts, right?
(thus all hosts share the same perspective regarding the other nodes' subnets)

Cheers,
Lars

PS: I think you are making your life harder by mixing two problems:
1) "does the traffic reach the intended node?"
2) "does the traffic to a node pass through the right order of other nodes?"
I think you should solve (1) first and only afterwards approach (2).
Sure, let me reply to all here with my findings. @Lars @Guus

A's tinc.conf:

    Name = bright
    AddressFamily = ipv4
    ConnectTo = aly_hk

A's tinc-up:

    #!/bin/sh
    ifconfig $INTERFACE 10.0.0.110 netmask 255.255.255.0

A's host config:

    Subnet = 10.0.0.110/32     (VPN address)
    Subnet = 192.168.31.0/24   (LAN address)
    IndirectData = yes         (enabled for every tinc node)

The node aly_hk (VPN address 10.0.0.3) connects with the other tinc nodes B, C and D; and Subnet = 8.8.8.8 has been added to the host configs of aly_hk, B, C and D.

When the tinc daemon comes up on A (together with some manual scripts for the destination 8.8.8.8), the route table looks like below:

    10.0.0.0/24 dev tun0
    10.0.0.3 dev tun0
    8.8.8.8 via 10.0.0.3 dev tun0

The key point to understand here is how routing happens for traffic headed for 8.8.8.8. Earlier I thought it could ONLY be sent to 10.0.0.3, where aly_hk (10.0.0.3) delivers to 8.8.8.8 locally (because aly_hk has the route for 8.8.8.8, so there is no need to forward to other tinc nodes). But now I found that A will learn multiple 8.8.8.8 subnets from aly_hk; for example, if I set B's Subnet = 8.8.8.8#9, then A's ping to 8.8.8.8 will be sent to aly_hk, and aly_hk will forward it to B for final delivery.

In summary, with "ip route add default via <X> dev $INTERFACE", the X here may or may not be the final exit of the VPN; it depends on whether the Subnet on X is preferred (even though the routing table has the entry for the exit). It just indicates the next hop (if only ConnectTo = X and IndirectData = yes). But if I remove IndirectData (default no), then I guess for the above use case A will maybe send traffic directly to B, and B does the final delivery; in this case the tinc packet forwarding does not follow the route table at all, where the traffic looks like it will be sent to 10.0.0.3 as the next hop, but it isn't.

Is the above right?

> On 2 May 2017, at 6:33 PM, Lars Kruse <lists at sumpfralle.de> wrote:
> 
> Hello,
> 
> On Tue, 2 May 2017 09:16:53 +0800, Bright Zhao <startryst at gmail.com> wrote:
> 
>> [..]
>> Since A has ConnectTo to both B and C (to D through C), and the default
>> gateway is set to C, why did A choose B instead of D's default route?
> 
> This is starting to become a little bit confusing. Let us clear this up with
> facts :)
> 
> Could you please share your routing table with us?
> Additionally, the subnet definitions of each relevant tinc node would be helpful.
> 
> You surely sync all node files on all hosts, right?
> (thus all hosts share the same perspective regarding the other nodes' subnets)
> 
> Cheers,
> Lars
> 
> 
> PS: I think you are making your life harder by mixing two problems:
> 1) "does the traffic reach the intended node?"
> 2) "does the traffic to a node pass through the right order of other nodes?"
> I think you should solve (1) first and only afterwards approach (2).
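The forwarding rule Guus describes (tinc in router mode looks only at the packet's destination and ignores any "via" gateway the kernel route carries) and the #weight behaviour Bright observed with Subnet = 8.8.8.8#9 can be modelled in a few lines. The following is an added Python example written for this thread; it is not tinc's own code. It parses the "Subnet = address[/prefix][#weight]" syntax from the host configs above, picks the longest matching prefix, then the lowest weight (tinc's default weight is 10, lower is preferred), and skips nodes that are unreachable, which is what Bright saw when shutting down B's daemon made A's traffic fall back to the other announcer. The final tie-break on node name and the node names B, C, D themselves are assumptions made for the example.

```python
"""Model of how a tinc node in router mode picks the node that owns a destination.

Added example for this mailing-list thread, not tinc's code. The lookup takes
only the destination address: there is no gateway field in an IP header, so
the "via" of a kernel route pointing into the tun interface cannot influence
which tinc node receives the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_WEIGHT = 10  # tinc's default when a Subnet has no #weight suffix


@dataclass(frozen=True)
class Announcement:
    owner: str
    network: ipaddress.IPv4Network
    weight: int


def parse_subnet(owner: str, statement: str) -> Announcement:
    """Parse the value of a host-config line 'Subnet = address[/prefix][#weight]'."""
    weight = DEFAULT_WEIGHT
    if "#" in statement:
        statement, raw_weight = statement.rsplit("#", 1)
        weight = int(raw_weight)
        if not 0 <= weight <= 999:
            raise ValueError(f"weight {weight} out of range for {owner}")
    # A bare address such as 'Subnet = 8.8.8.8' is a single-host (/32) entry.
    network = ipaddress.IPv4Network(statement.strip(), strict=False)
    return Announcement(owner, network, weight)


class SubnetTable:
    """All Subnet announcements a node has learned, plus node reachability."""

    def __init__(self) -> None:
        self.entries: List[Announcement] = []
        self.reachable: Dict[str, bool] = {}

    def add(self, owner: str, statement: str) -> None:
        self.entries.append(parse_subnet(owner, statement))
        self.reachable.setdefault(owner, True)

    def set_reachable(self, owner: str, up: bool) -> None:
        self.reachable[owner] = up

    def lookup(self, dst: str) -> Optional[Announcement]:
        """Destination-only lookup: longest prefix, then lowest weight."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [
            e for e in self.entries
            if addr in e.network and self.reachable.get(e.owner, False)
        ]
        if not candidates:
            return None
        # Longest prefix first, then lowest weight; the tie-break on the owner
        # name is an assumption of this example, chosen to keep it deterministic.
        candidates.sort(key=lambda e: (-e.network.prefixlen, e.weight, e.owner))
        return candidates[0]

    def next_hop(self, dst: str) -> Optional[str]:
        best = self.lookup(dst)
        return best.owner if best else None


def thread_scenario() -> Dict[str, Optional[str]]:
    """Replay the situations from the thread (node names B, C, D are constructed)."""
    table = SubnetTable()
    table.add("aly_hk", "10.0.0.3/32")
    table.add("aly_hk", "8.8.8.8")        # weight 10 (default)
    table.add("B", "8.8.8.8#9")           # same /32, lower weight: preferred
    table.add("D", "0.0.0.0/0")           # default route announced by D
    results: Dict[str, Optional[str]] = {}
    results["ping_8888"] = table.next_hop("8.8.8.8")
    table.set_reachable("B", False)       # B's daemon shut down
    results["ping_8888_B_down"] = table.next_hop("8.8.8.8")
    results["other_dst"] = table.next_hop("1.1.1.1")
    # A more specific Subnet beats a default route whatever the weights say.
    table.add("C", "0.0.0.0/0#1")
    results["host_route_beats_default"] = table.next_hop("8.8.8.8")
    return results


if __name__ == "__main__":
    for case, owner in thread_scenario().items():
        print(f"{case}: {owner}")
```

Note that the kernel route on A ("8.8.8.8 via 10.0.0.3 dev tun0") only decides that the packet enters tun0 at all; once tinc has it, the table above decides which node gets it. Lars's subnet-up script keeps the two views consistent by using $WEIGHT as the kernel metric, since both tinc weights and Linux route metrics prefer lower values.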