keeping UDP "session" alive when using NAT
Nathan Stratton Treadway
nathanst at ontko.com
Tue Oct 23 21:55:15 CEST 2012
I'm running Tinc on a Linux machine inside my home network, connecting
through a NATing router to a Tinc server out on the Internet.
I've noticed that fairly frequently the SSH sessions I leave open (but
unused) get aborted with a "Connection reset by peer" message. When I
investigated closely, I found that after a period of inactivity my
router times out the UDP "session" between the remote and local Tinc
nodes, and thus any VPN traffic that then attempts to come in from the
remote side toward my SSH client gets dropped by the router (because it
no longer has a record of where to forward the incoming Tinc packets).
When this condition lasts long enough, the remote SSH server times out
and closes the login session. (During this period, of course, other
inbound traffic is also lost, e.g. syslog messages sent toward my local
machine, etc.)
As soon as something on the local side needs to send traffic to the
office side, the local Tinc node sends new outbound UDP packets, the
router re-establishes the virtual session between the two nodes, and all
traffic resumes passing normally (at least until the next period of
inactivity).
I see that the PingInterval setting allows me to set a minimum inactivity
period on the metadata connection, and that seems to be enough to
prevent the TCP session from timing out in the router... but I haven't
found any way to cause Tinc to ensure the data/UDP "session" also stays
active.
(I'm currently using v1.0.x, but I checked the v1.1 documentation on the
web site as well and didn't see any new features that appeared to apply
to this situation.)
So, I'm wondering if I've missed some aspect of the Tinc configuration
that would address this issue, and (assuming I haven't) what other
people have done when facing this situation?
For now I can use a "ping" command or something running locally to make
sure that I have some traffic sent out over the VPN toward the office
side once a minute or so -- but it seems cleaner to have Tinc itself
monitor for "long" stretches of inactivity on the data link. Would it
make sense to add functionality to Tinc to accomplish that (i.e. an
option named something like "DataPingInterval" or
"DataKeepaliveInterval")?
Thanks.
Nathan
----------------------------------------------------------------------------
Nathan Stratton Treadway - nathanst at ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
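The workaround described in the post (watch the data link for a "long" stretch of outbound inactivity and send a single ping through the VPN before the router's UDP mapping expires) can be done outside tinc with a small shell loop. The script below is an added example, not code from the original message or from the tinc project. It assumes Linux (it reads the sysfs transmit counter), that tinc's interface is called tun0, and that 10.0.0.1 is an address on the remote side that is only reachable through the tunnel; all three are constructed placeholders to be replaced with the local values.

```shell
#!/bin/sh
# Added example, not from the original post or from tinc.
# Watches the tinc data interface for outbound inactivity and sends one
# ping through the VPN when the link has been quiet long enough that the
# router's UDP mapping could time out. Assumptions: Linux sysfs counters,
# tinc interface named tun0, 10.0.0.1 reachable only via the VPN.
IFACE="${IFACE:-tun0}"
PEER="${PEER:-10.0.0.1}"
MAX_IDLE="${MAX_IDLE:-45}"   # seconds; keep this below the router's UDP timeout
POLL="${POLL:-5}"            # seconds between counter checks

# Outbound byte counter of the interface (Linux sysfs).
tx_bytes() { cat "/sys/class/net/$1/statistics/tx_bytes"; }

# needs_keepalive PREV CUR LAST_CHANGE NOW MAX
# True (exit 0) when nothing has been sent since the previous check and the
# last change is at least MAX seconds old, i.e. the NAT mapping is at risk.
needs_keepalive() {
    [ "$1" -eq "$2" ] && [ $(( $4 - $3 )) -ge "$5" ]
}

# One ICMP echo through the tunnel is enough to make tinc emit a UDP
# packet toward the peer and refresh the router's mapping.
send_keepalive() { ping -c 1 -W 2 "$PEER" >/dev/null 2>&1 || true; }

# Poll loop: only send the keepalive when the link has really been quiet,
# so normal traffic is never duplicated by artificial pings.
watch_link() {
    prev=$(tx_bytes "$IFACE")
    last_change=$(date +%s)
    while sleep "$POLL"; do
        now=$(date +%s)
        cur=$(tx_bytes "$IFACE")
        if [ "$cur" -ne "$prev" ]; then
            last_change=$now
        elif needs_keepalive "$prev" "$cur" "$last_change" "$now" "$MAX_IDLE"; then
            send_keepalive
            last_change=$now
            # Re-read so the ping's own bytes do not count as user activity.
            cur=$(tx_bytes "$IFACE")
        fi
        prev=$cur
    done
}

# Start the loop only when invoked with "run", so the functions can be
# sourced and checked without starting it.
if [ "${1:-}" = "run" ]; then watch_link; fi
```

Run it as `sh keepalive.sh run` on the NATed machine. MAX_IDLE must be shorter than the inactivity period after which the router forgets the UDP mapping (the post observed that the mapping disappears after some idle time; the exact timeout depends on the router), and PEER must be an address that is routed through the VPN, otherwise the ping refreshes nothing.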