tinc - May 2019 - very high traffic without any load

<html><head></head><body><div
style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hi everyone,</div>

<div> </div>

<div> </div>

<div>>> I did some digging, and thus far I could not find any other
culprit other<br/>
>> than tinc itself. The packages that are being sent are addressed
directly to<br/>
>> the other tinc hosts on their vpn addresses. During my latest tests,
within<br/>
>> about 12 seconds 100MB of data were transmitted this way.<br/>
><br/>
> Just in order to avoid any misunderstandings:<br/>
> * you took a look at the traffic *through* the tinc network
interface<br/>
> (this should be the payload that you expect to see floating through your
VPN)<br/>
> * this traffic uses the internal VPN addresses of your VPN<br/>
> (we expect this)<br/>
> * you are surprised by the amount of traffic<br/>
><br/>
> This sounds like a routing issue.<br/>
> (traffic passing through the VPN that should take a different
path)</div>
<div> </div>

<div>1. Yes, I ran wireshark on the interface vpn0, which is the set up by
tinc.</div>

<div> </div>

<div>2. and 3. Yes.</div>

<div> </div>

<div> </div>

<div>>> At the very beginning, normal connections are being set up
and a few ICMP<br/>
>> neighbor advertisements/solicitations are being exchanged. Next a short
TCP<br/>
>> session was created between the public IP addresses of two of my
hosts,<br/>
>> through the VPN.<br/>
><br/>
> What do you mean with "session"? Some http-requests that you are
sending<br/>
> through the VPN? Or something special?</div>
<div>
<div> </div>

<div>Just like before, there should not have been any payload traffic
involved. I was referring to the TCP connection you attribute to tinc
itself.</div>

<div> </div>

<div> </div>

<div>>> Thus you may want to verify, that the routes on the tinc
peers (while the<br/>
>> VPN is established) meet your expectations. Maybe you want to share
these<br/>
>> (obfuscated) routes with us?</div>
<div> </div>

<div>I think I understand the problem now. My node-up files look like
this:</div>

<div> </div>

<div># node01-up</div>

<div>
<div>ip -6 route del 1111:1:1::/64 via 1111:1::1<br/>
ip -6 route del <node01's public ipv6>/64 via 1111:1::1</div>

<div> </div>

<div>I just tested whether the second rule causes the issue and it does.
When I remove this line from all node-ups on all but one of my hosts, everything
is fine as long as that "faulty" host is not up. As soon as I run tinc
on the host with the additional configuration line, things start going haywire.
<div>My intention was to make my nodes route traffic to their respective
public interfaces through the VPN as well. The goal was that all connections
between my nodes, regardless of whether they are destined for internal or
external ipv6 addresses, end up using the VPN.</div>

<div> </div>
</div>

<div>Kind regards and thank you very much for your help</div>

<div>Christopher</div>
</div>
</div>
</div></div></body></html>

Hello Christoph,

I am glad, that you discovered the source of the problem!


Am Sat, 4 May 2019 08:30:28 +0200
schrieb "Christopher Klinge" <Christ.Klinge at web.de>:
  
> The goal was that all connections between my nodes, regardless of whether
> they are destined for internal or external ipv6 addresses, end up using the
> VPN.
This is indeed a bit tricky.
I use a setup with a similar goal based on IPv4. I solved it there by using DNAT
rules for the traffic to be routed through the VPN (based on destination ports).
But DNAT is probably not appropriate in a modern IPv6 world :)

In an IPv6 world you may want to use policy routing.
Simply add specific rules based on the incoming interface ("iif"), the
source
address ("from") or ports ("sport" / "dport"). The
routes in the target
routing table can be filled by your "node-up" scripts.

Cheers,
Lars

Lars, interesting - do you have an example of what that might look like in
the config file?

Thanks!


On Sun, May 5, 2019 at 6:00 PM Lars Kruse <lists at sumpfralle.de> wrote:
> Hello Christoph,
>
> I am glad, that you discovered the source of the problem!
>
>
> Am Sat, 4 May 2019 08:30:28 +0200
> schrieb "Christopher Klinge" <Christ.Klinge at web.de>:
>
> > The goal was that all connections between my nodes, regardless of
whether
> > they are destined for internal or external ipv6 addresses, end up
using
> the
> > VPN.
>
> This is indeed a bit tricky.
> I use a setup with a similar goal based on IPv4. I solved it there by
> using DNAT
> rules for the traffic to be routed through the VPN (based on destination
> ports).
> But DNAT is probably not appropriate in a modern IPv6 world :)
>
> In an IPv6 world you may want to use policy routing.
> Simply add specific rules based on the incoming interface
("iif"), the
> source
> address ("from") or ports ("sport" /
"dport"). The routes in the target
> routing table can be filled by your "node-up" scripts.
>
> Cheers,
> Lars
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>

--
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20190506/32b25810/attachment.html>