Mike Bentzen
2018-May-19 23:15 UTC
Issue using tinc-vpn on Windows Server 1709 with Docker Overlay Network
I've not had success with using tinc and docker together. I came up against similar problems. Docker iptables in Linux seem quite complicated as well, messing with the network stack.

I've seen a few tinc docker images that run tinc as a container - I haven't tried this.

Please let us know if you do actually get it working - I'm very interested to know.

Mike

On 20 May 2018 12:55 am, Marc Hoersken <info at marc-hoersken.de> wrote:

Hello everyone,

I am running into the following error messages every time I try to use a docker overlay network on top of tinc-vpn:

    Error getting read result from Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (995) The I/O operation has been aborted because of either a thread exit or an application request.
    Received packet of 106 bytes from ... (... port 655)
    Writing packet of 106 bytes to Windows tap device
    Error while writing to Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (995) The I/O operation has been aborted because of either a thread exit or an application request.
    Received packet of 74 bytes from ... (... port 655)
    Clamping MSS of packet from ... to ... to 1335
    Writing packet of 74 bytes to Windows tap device
    Error while checking previous write to Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (996) Overlapped I/O event is not in a signaled state.
    Received packet of 106 bytes from ... (... port 655)
    Writing packet of 106 bytes to Windows tap device
    Error while checking previous write to Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (996) Overlapped I/O event is not in a signaled state.
    Received packet of 106 bytes from ... (... port 655)
    Writing packet of 106 bytes to Windows tap device
    Error while checking previous write to Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (996) Overlapped I/O event is not in a signaled state.
    Received packet of 106 bytes from ... (... port 655)
    Writing packet of 106 bytes to Windows tap device
    Error while checking previous write to Windows tap device {F30C422F-4524-435F-A15B-71A7E08C260D}: (996) Overlapped I/O event is not in a signaled state.

It seems like these errors appear as soon as a VMSwitch is assigned or removed from the TAP device.

Does anyone have any experience with running a docker overlay network (using a Windows VMSwitch) on top of a tinc-vpn device?

I am using the following versions on top of tap-windows-9.21.2.exe:

    tinc.exe --version
    tinc version 1.1pre15 (built Sep 2 2017 21:59:06, protocol 17.7)
    Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
    See the AUTHORS file for a complete list.

    docker version
    Client:
     Version: 17.10.0-ee-preview-3
     API version: 1.33
     Go version: go1.8.4
     Git commit: 1649af8
     Built: Fri Oct 6 17:52:28 2017
     OS/Arch: windows/amd64
    Server:
     Version: 17.10.0-ee-preview-3
     API version: 1.34 (minimum version 1.24)
     Go version: go1.8.4
     Git commit: b8571fd
     Built: Fri Oct 6 18:01:48 2017
     OS/Arch: windows/amd64
     Experimental: true

Best regards,
Marc
Marc Hoersken
2018-May-20 08:44 UTC
Issue using tinc-vpn on Windows Server 1709 with Docker Overlay Network
On 20.05.2018 at 01:15, Mike Bentzen wrote:

> I've not had success with using tinc and docker together. I came up
> against similar problems. Docker iptables in Linux seem quite
> complicated as well, messing with the network stack.

Just to be clear, I am talking about running tinc on the host system and using docker containers attached to the tinc interface on the host.

> I've seen a few tinc docker images that run tinc as a container - I
> haven't tried this.

Yes, at the moment it is not possible to install/run tinc with a TAP device inside a Windows container, see:
https://github.com/docker/for-win/issues/1909

I guess that is because a container with process isolation cannot create/manage devices like the TAP device.

> Please let us know if you do actually get it working - I'm very
> interested to know.

But it is possible to run tinc in a Linux container on a Linux host using the network mode "host", see for example:
https://github.com/mback2k/docker-tinc

You just need to put the tinc configuration into a mounted volume under /etc/tinc and make sure the container uses network mode "host".