<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi, Etienne<div class=""><br class=""></div><div class="">In addition, is there any option or switch can turn of the automatic direct connection? For the example below, even A has the route to C and can establish UDP connection directly, but I need the traffic to go through B, how can I achieve that easily? (instead of remove something from A’s routing table, or manually block the connection between A and C)</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 1 May 2017, at 6:28 PM, Bright Zhao <<a href="mailto:startryst@gmail.com" class="">startryst@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi, Etienne<div class=""><br class=""></div><div class="">Exactly, I just did the test, remove the Subnet = X/32 from B, so I understood that the Subnet on host configuration is indicate local attached network, or let’s call it when going outside of the VPN domain.</div><div class=""><br class=""></div><div class="">And yes, A will try to establish UDP connection direct to C (if it has the route), so the first time, I can ping from A to X, and I found the traffic didn’t go through B, but second time, I remove the C route from A’s routing table, then the traffic sent to B, and B sent to C; which exactly the same as you indicate below.</div><div class=""><br class=""></div><div class="">Thank you very much, this makes me much better understanding on Tinc.</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 1 May 2017, at 6:23 PM, Etienne Dechamps <<a href="mailto:etienne@edechamps.fr" class="">etienne@edechamps.fr</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">There is no concept of "client" or "server" in tinc. tinc is purely peer-to-peer. "ConnectTo" statements only indicate which node will attempt to establish the initial connection, but once the connection is established, direction does not matter.<br class=""><br class=""></div>It is unclear from your message which node is responsible for which subnet. If X/32 truly belongs to C, then simply set Subnet = X/32 in C's local host file. If you do that, then C will advertise this subnet to the rest of the network, including B and A. There is no need to change anything in B's configuration. tinc will take care of the routing for you, and A will be informed (through the tinc protocol) that the subnet belongs to C, and that any packets meant for X should therefore be sent to C.<br class=""><br class="">These packets will then be sent directly to C using UDP (tinc is clever and will try various NAT traversal techniques). If that's not possible for any reason, tinc will automatically fall back to relaying packets through B.<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On 1 May 2017 at 11:00, Bright Zhao <span dir="ltr" class=""><<a href="mailto:startryst@gmail.com" target="_blank" class="">startryst@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, Tinc experts<br class="">
<br class="">
Diagram as below, A is trying to access host X behind C:<br class="">
<br class="">
A >> B >> C — “host X"<br class="">
<br class="">
B is the tinc server for A, but also B is the tinc client to connect to C.<br class="">
<br class="">
My question is, if I only use one VPN (/etc/tinc/myvpn), then the host configuration for B will be tricky.<br class="">
<br class="">
As the tinc server to A, B’s host config (/etc/tinc/myvpn/hosts/B) needs have the Subnet = X/32, which indicate the VPN serve for this host.<br class="">
But as the tinc client to C, B’s host config shouldn’t include Subnet = X/32, because X/32 is behind C.<br class="">
<br class="">
If not direct connection available from A to C, the only way I can figure it out is to setup two VPNs, /etc/tinc/vpn1 and /etc/tinc/vpn2:<br class="">
<br class="">
A >> vpn1 >> B >> vpn2 >> C — “host X”<br class="">
<br class="">
If so, the /etc/tinc/vpn1/hosts/B can have Subnet =X/32; but the /etc/tinc/vpn2/hosts/B can exclude Subnet =X/32 since it’s the client side for C.<br class="">
<br class="">
Let me know if there’s any other simple way to achieve this.<br class="">
______________________________<wbr class="">_________________<br class="">
tinc mailing list<br class="">
<a href="mailto:tinc@tinc-vpn.org" class="">tinc@tinc-vpn.org</a><br class="">
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank" class="">https://www.tinc-vpn.org/cgi-<wbr class="">bin/mailman/listinfo/tinc</a><br class="">
</blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>