Intermittent TCP connect issues when using tinc 1.0.23 and IPv6

tomp at tomp.co.uk tomp at tomp.co.uk
Fri Dec 27 13:07:48 CET 2013


Thanks Guus.

I forgot to say I also tried disabling the ReplayWindow setting in case 
our ISP was delivering packets out of order, but that did not resolve it 
either.

I have been chatting with Tobias Volk, the author of PeerVPN, and I did 
ask about the fragmentation support in PeerVPN.

He replied:

"this is not necessary since PeerVPN fragments/reassembles packets
itself."

Perhaps this is a more recent development, or I have misunderstood.

We are using CentOS 6.4/6.5 x86_64.

If Tinc is not doing key regeneration every hour, what else is the TCP 
connection used for, if not to exchange keys? Does it send data over 
regularly to keep firewall state active?

Thanks
Tom

On 2013-12-27 11:55, Guus Sliepen wrote:
> On Mon, Dec 23, 2013 at 12:21:28AM +0000, Tom Parrott wrote:
> 
>> Unfortunately the TCPOnly option did not work out as reliable after all.
> [...]
>> I am surprised no-one else has experienced these issues, which leads
>> me to think perhaps tunneling IPv6 inside IPv4 is unusual and I may
>> have stumbled on a rare bug.
> 
> Tunneling IPv6 inside IPv4 is not unusual, I am using this daily. However, it
> might indeed be a bug that is only triggered in rare circumstances.
> 
>> Suffice to say I am now confident that it is not the ISP dropping or
>> de-prioritising UDP packets.
>> 
>> Hopefully this info will prove useful to improving Tinc, if you need
>> more info I would be happy to supply it if I can.
> 
> It is not much but it is a datapoint. You say you do have success with PeerVPN.
> One difference is that PeerVPN uses UDP exclusively, while tinc uses both TCP
> and UDP. Problems with its TCP connections could also cause interruptions of
> the tunneled traffic. Another difference is that PeerVPN does not deal with MTU
> issues at all, but instead sends UDP packets that are larger than the MTU,
> relying on the kernel or routers on the Internet to properly fragment those
> packets. That might be more reliable in your case.

