Node to Node UDP Tunnels HOWTO?
Keith Whyte
keith at rhizomatica.org
Mon May 14 13:44:54 CEST 2018
Hi all!
I still have never managed to fully wrap my head around how UDP data
tunnels can be established between nodes.
Every time I think I understand it, I see something that confuses me again.
Just now I am seeing the following:
I have nodes A, B + C
A has everybody's keys and host configuration files.
B and C only have A's key, and host config with A's public IP address.
B and C DO NOT have each other's keys. Likewise, B and C both have a
ConnectTo = A configuration directive.
Only A is directly reachable with TCP and UDP on port 655, so there's no
point to adding other ConnectTo Lines as neither B nor C are going to be
directly reachable.
I send some ICMP ping packets from B to C and initially I see, as
expected, the encapsulated tinc packets flow from B -> A and A -> C and
back along that path.
But then, suddenly, I am seeing flow of UDP from B to C on port 655.
Now, I'm not asking about the NAT hole punching here, but rather;
How is this possible if B and C do not have each other's keys? I thought
I understood this before in that somehow the key data is shared over the
meta connection, but then I read that no, each host must have the key of
the other to establish the direct connection. But I am looking at
tcpdump right now in the terminal and seeing the UDP tunnel packets
flowing from B to C.
I am really trying to understand how I can make this situation more
persistent, but it seems so very random.
Even in a case where I would make node B publicly reachable and add the
keys everywhere, without an explicit ConnectTo = B directive on node C,
I still see packets routed via A.
I would really like to know if there's some way to more reliably ensure
that the UDP tunnel would be established from B to C and avoid a
(transcontinental) route via A!
Thank you if you can shed any light on this!
k/
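A small helper for the tcpdump observation described above, added here as an example and not part of the original post or of tinc itself: it counts, on a `tcpdump -n` capture of port 655 traffic, how many packets between B and C travel directly and how many touch A. The node addresses and the capture lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed addresses for the three nodes in the question (not the poster's real IPs).
NODES = {"198.51.100.10": "A", "203.0.113.20": "B", "192.0.2.30": "C"}
TINC_PORT = 655

# Matches tcpdump -n lines such as:
#   13:44:54.100 IP 203.0.113.20.655 > 198.51.100.10.655: UDP, length 112
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)

def parse_line(line):
    """Return (src_node, dst_node) for a UDP packet involving the tinc port, else None."""
    m = LINE_RE.match(line)
    if not m or TINC_PORT not in (int(m["sport"]), int(m["dport"])):
        return None  # malformed line or unrelated UDP traffic
    src, dst = NODES.get(m["src"]), NODES.get(m["dst"])
    if src is None or dst is None:
        return None  # an endpoint that is not one of our nodes
    return src, dst

def classify_paths(lines):
    """Count packets per node pair and split B<->C traffic into direct vs. via A."""
    counts = Counter(hop for hop in map(parse_line, lines) if hop)
    direct = counts[("B", "C")] + counts[("C", "B")]
    via_a = sum(n for (s, d), n in counts.items() if "A" in (s, d))
    return {"direct": direct, "via_A": via_a, "pairs": dict(counts)}

# Constructed capture: a relayed round trip via A, then a direct B<->C exchange,
# one unrelated DNS packet and one more relayed packet.
SAMPLE = """\
13:44:54.100 IP 203.0.113.20.655 > 198.51.100.10.655: UDP, length 112
13:44:54.101 IP 198.51.100.10.655 > 192.0.2.30.655: UDP, length 112
13:44:54.150 IP 192.0.2.30.655 > 198.51.100.10.655: UDP, length 112
13:44:54.151 IP 198.51.100.10.655 > 203.0.113.20.655: UDP, length 112
13:44:55.200 IP 203.0.113.20.655 > 192.0.2.30.655: UDP, length 112
13:44:55.250 IP 192.0.2.30.655 > 203.0.113.20.655: UDP, length 112
13:44:55.300 IP 203.0.113.20.45000 > 192.0.2.53.53: UDP, length 40
13:44:55.400 IP 203.0.113.20.655 > 198.51.100.10.655: UDP, length 64
""".splitlines()

if __name__ == "__main__":
    print(classify_paths(SAMPLE))
```

Feed it a live capture with `tcpdump -n -l udp port 655` piped into `sys.stdin` to watch the direct count change once the B to C tunnel comes up.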