Fwd: Configure HA VPN using tinc at AWS

Guus Sliepen guus at tinc-vpn.org
Fri Sep 16 15:15:24 CEST 2016


On Fri, Sep 16, 2016 at 02:35:01PM +0300, Stanislav Krasnoyarov wrote:

> Tinc 1 ip: 172.22.0.101, 21.0.0.1
> Tinc 2 ip: 172.22.0.102, 21.0.0.2
> 
> I've set up a VPC route table to route all requests to 21.0.0/24 to tinc 1
> and have configured tinc nodes to use masquerading. It works perfectly when
> traffic flows like this:
> 
> source -> tinc1 -> tinc3 -> tinc1 -> source
> 
> But if tinc3 replies to a different node there is a problem since there's
> no masquerading record for that request
> 
> source -> tinc1 -> tinc3 -> tinc2 -> xx

How would this happen? If tinc1 masquerades the source address to
21.0.0.1, then the return packet from tinc3 should end up back at tinc1,
not tinc2.

In your scenario, you might not need masquerading: just add Subnet =
172.31.0.0/16 to hosts/tinc1 and hosts/tinc2, and the following line to
the tinc-up file of the tinc daemon on the LAN:

ip route add 172.31.0.0/16 dev $INTERFACE

This should allow traffic between your EC2 instances and 21.0.0.11
without any masquerading. It then also doesn't matter what route the
(return) packets use.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
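The configuration Guus sketches above, written out as a complete staging script. This is an added example, not code from the tinc project or from either poster: it renders the two EC2-side hosts files (with the Subnet line for the VPC range) and the LAN-side tinc-up/tinc-down pair into a scratch directory, then checks that the pieces are consistent before anything is copied to /etc/tinc/<netname>/. The network name "ha", the hostnames ending in .example.invalid, the /32 tunnel-address Subnet lines and the 21.0.0.11 LAN-side address are assumptions for illustration; the 172.31.0.0/16 and 21.0.0.x values are the ones from the thread.

```shell
#!/bin/sh
# Added example (not tinc's own code): stage the no-NAT tinc configuration
# described in the thread so it can be reviewed before deployment.
set -eu

NETNAME="${NETNAME:-ha}"            # assumed tinc network name
STAGE="${STAGE:-$(mktemp -d)}"      # scratch directory, not /etc/tinc
EC2_CIDR="172.31.0.0/16"            # VPC range from the thread
TUN_PREFIX="24"                     # tunnel range 21.0.0.0/24 from the thread

# hosts/<node> for an EC2-side node. The "Subnet = 172.31.0.0/16" line is what
# lets the LAN node route the whole VPC range through tinc without masquerading.
write_host() {
    node="$1"; tun_ip="$2"; addr="$3"
    mkdir -p "$STAGE/$NETNAME/hosts"
    cat > "$STAGE/$NETNAME/hosts/$node" <<EOF
Address = $addr
Subnet = $tun_ip/32
Subnet = $EC2_CIDR
EOF
}

# tinc-up / tinc-down for the LAN-side daemon: bring up the tunnel address and
# route the VPC range over the tun interface. tincd sets \$INTERFACE at run time.
write_lan_scripts() {
    tun_ip="$1"
    mkdir -p "$STAGE/$NETNAME"
    cat > "$STAGE/$NETNAME/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $tun_ip/$TUN_PREFIX dev "\$INTERFACE"
ip route add $EC2_CIDR dev "\$INTERFACE"
EOF
    cat > "$STAGE/$NETNAME/tinc-down" <<EOF
#!/bin/sh
ip route del $EC2_CIDR dev "\$INTERFACE" 2>/dev/null || true
ip addr del $tun_ip/$TUN_PREFIX dev "\$INTERFACE"
ip link set "\$INTERFACE" down
EOF
    chmod +x "$STAGE/$NETNAME/tinc-up" "$STAGE/$NETNAME/tinc-down"
}

# Consistency check: both EC2 nodes announce the VPC range, and the LAN node
# actually installs a route for it. Returns 0 on success, 1 otherwise.
check_stage() {
    grep -q "^Subnet = $EC2_CIDR\$" "$STAGE/$NETNAME/hosts/tinc1" || return 1
    grep -q "^Subnet = $EC2_CIDR\$" "$STAGE/$NETNAME/hosts/tinc2" || return 1
    grep -q "^ip route add $EC2_CIDR dev" "$STAGE/$NETNAME/tinc-up" || return 1
    return 0
}

render_all() {
    write_host tinc1 21.0.0.1 "ec2-tinc1.example.invalid"   # assumed names
    write_host tinc2 21.0.0.2 "ec2-tinc2.example.invalid"
    write_lan_scripts 21.0.0.11
    check_stage
}

render_all && echo "staged under $STAGE/$NETNAME"
```

Copy hosts/tinc1 and hosts/tinc2 to every node (tinc exchanges Subnet information from these files), and tinc-up/tinc-down only to the LAN-side daemon. Because both EC2 nodes advertise the same 172.31.0.0/16, tinc will choose one of them for outbound VPC traffic and fall back to the other if it disappears, which is the HA behaviour being asked for; on the AWS side the two instances must have the EC2 source/destination check disabled or they will drop the forwarded packets.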