<div dir="ltr"><div><div><div><div>That's not quite correct, you got some of it backwards. Be aware that in tinc there are "metaconnections", which are the TCP connections you establish using ConnectTo and are mainly used for routing and control messages, and "tunnels", which are established on the fly, do not require explicit configuration, and do not necessarily follow the topology of your metaconnections.<br><br></div>In the default configuration, if tinc needs to send a packet to a node it doesn't have a direct metaconnection to, it will try to send the packet *directly* anyway. It will only fall back to relaying through other nodes if that direct tunnel fails (e.g. because the node is not accessible, it's behind a strict firewall, it's behind a NAT that tinc is unable to bypass, etc.).<br><br></div>If you use IndirectData everywhere, then tinc will always send packets along your metaconnections, and will never directly send packets to nodes that it doesn't have any metaconnection to - it will use its "neighbors" as relays instead.<br><br></div>If you use DirectOnly, then tinc won't even attempt to relay: packets that can't be send directly will be dropped.<br><br></div>So, to summarize:<br><br>A ConnectTo B, B ConnectTo C:<br><div>If DirectOnly = no(default), and IndirectData = no(default): A will send packets directly to C if possible. If it's not possible, it will automatically fall back to relaying through B.</div><div>If
DirectOnly = no(default), and IndirectData = yes: A will always use B as a relay to send packets to C. It will not try to reach C directly.<br></div><div>If DirectOnly = yes, and IndirectData = no(default): A will send packets directly to C if possible. If it's not possible, the packets will be dropped.<br></div><div>If
DirectOnly = yes, and IndirectData = yes: A won't be able to reach C. It will only be able to reach B.<br></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 May 2017 at 13:49, Bright Zhao <span dir="ltr"><<a href="mailto:startryst@gmail.com" target="_blank">startryst@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi, Etienne<div><br></div><div>I took a look for the below host configuration parameter (IndirectData), the default is no. For the below example:</div><div><br></div><div>A ConnectTo B, B ConnectTo C:</div><div><br></div><div>If IndirectData = no (default), then A wouldn’t establish direct connection with C, but will be forwarded by B.</div><div>If IndirectData = yes, then A will try to establish direct connection with C, even though A don’t have the statement of ConnectTo = C</div><div><br></div><div><dt style="font-family:-webkit-standard">IndirectData = <yes|no> (no)</dt><dd style="font-family:-webkit-standard"><p>This option specifies whether other tinc daemons besides the one you specified with ConnectTo can make a direct connection to you. This is especially useful if you are behind a firewall and it is impossible to make a connection from the outside to your tinc daemon. Otherwise, it is best to leave this option out or set it to no.</p></dd><div><br></div></div><div><br></div><div>Also in Main configuration there’s another parameter (DirectOnly), the default is no, to continue the above example:</div><div><br></div><div>A ConnectTo B, B ConnectTo C:</div><div><br></div><div>If DirectOnly = no(default), and IndirectData = no(default): A can only sent data to B, and B will forwarded to C.</div><div>If DirectOnly = no(default), and IndirectData = yes: A will try to send data directly to C, but if A can’t send to C directly, then B will help to forward</div><div>If DirectOnly = yes, and IndirectData = no(default): A can’t connect with C</div><div>If DirectOnly = yes, and IndirectData = yes: A will try to send data directly to C, but if A can’t sent to C directly, B wouldn’t help to forward.</div><div><br></div><div><br></div><div>My understanding right?</div><div><br></div><div><dt style="font-family:-webkit-standard">DirectOnly = <yes|no> (no) [experimental]</dt><dd style="font-family:-webkit-standard"><p>When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to be forwarded by an intermediate node, are dropped instead. When combined with the IndirectData option, packets for nodes for which we do not have a meta connection with are also dropped.</p></dd><div><br></div></div><div><div class="h5"><div><br></div><div><br><div><blockquote type="cite"><div>On 1 May 2017, at 6:33 PM, Etienne Dechamps <<a href="mailto:etienne@edechamps.fr" target="_blank">etienne@edechamps.fr</a>> wrote:</div><br class="m_8527864932820751791Apple-interchange-newline"><div><div dir="ltr">Yes. Look up the "IndirectData" configuration option.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 May 2017 at 11:30, Bright Zhao <span dir="ltr"><<a href="mailto:startryst@gmail.com" target="_blank">startryst@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi, Etienne<div><br></div><div>In addition, is there any option or switch can turn of the automatic direct connection? For the example below, even A has the route to C and can establish UDP connection directly, but I need the traffic to go through B, how can I achieve that easily? (instead of remove something from A’s routing table, or manually block the connection between A and C)</div><div><div class="m_8527864932820751791h5"><div><br><div><blockquote type="cite"><div>On 1 May 2017, at 6:28 PM, Bright Zhao <<a href="mailto:startryst@gmail.com" target="_blank">startryst@gmail.com</a>> wrote:</div><br class="m_8527864932820751791m_-2501518421405339512Apple-interchange-newline"><div><div style="word-wrap:break-word">Hi, Etienne<div><br></div><div>Exactly, I just did the test, remove the Subnet = X/32 from B, so I understood that the Subnet on host configuration is indicate local attached network, or let’s call it when going outside of the VPN domain.</div><div><br></div><div>And yes, A will try to establish UDP connection direct to C (if it has the route), so the first time, I can ping from A to X, and I found the traffic didn’t go through B, but second time, I remove the C route from A’s routing table, then the traffic sent to B, and B sent to C; which exactly the same as you indicate below.</div><div><br></div><div>Thank you very much, this makes me much better understanding on Tinc.</div><div><br><div><blockquote type="cite"><div>On 1 May 2017, at 6:23 PM, Etienne Dechamps <<a href="mailto:etienne@edechamps.fr" target="_blank">etienne@edechamps.fr</a>> wrote:</div><br class="m_8527864932820751791m_-2501518421405339512Apple-interchange-newline"><div><div dir="ltr"><div>There is no concept of "client" or "server" in tinc. tinc is purely peer-to-peer. "ConnectTo" statements only indicate which node will attempt to establish the initial connection, but once the connection is established, direction does not matter.<br><br></div>It is unclear from your message which node is responsible for which subnet. If X/32 truly belongs to C, then simply set Subnet = X/32 in C's local host file. If you do that, then C will advertise this subnet to the rest of the network, including B and A. There is no need to change anything in B's configuration. tinc will take care of the routing for you, and A will be informed (through the tinc protocol) that the subnet belongs to C, and that any packets meant for X should therefore be sent to C.<br><br>These packets will then be sent directly to C using UDP (tinc is clever and will try various NAT traversal techniques). If that's not possible for any reason, tinc will automatically fall back to relaying packets through B.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 May 2017 at 11:00, Bright Zhao <span dir="ltr"><<a href="mailto:startryst@gmail.com" target="_blank">startryst@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, Tinc experts<br>
<br>
Diagram as below, A is trying to access host X behind C:<br>
<br>
A >> B >> C — “host X"<br>
<br>
B is the tinc server for A, but also B is the tinc client to connect to C.<br>
<br>
My question is, if I only use one VPN (/etc/tinc/myvpn), then the host configuration for B will be tricky.<br>
<br>
As the tinc server to A, B’s host config (/etc/tinc/myvpn/hosts/B) needs have the Subnet = X/32, which indicate the VPN serve for this host.<br>
But as the tinc client to C, B’s host config shouldn’t include Subnet = X/32, because X/32 is behind C.<br>
<br>
If not direct connection available from A to C, the only way I can figure it out is to setup two VPNs, /etc/tinc/vpn1 and /etc/tinc/vpn2:<br>
<br>
A >> vpn1 >> B >> vpn2 >> C — “host X”<br>
<br>
If so, the /etc/tinc/vpn1/hosts/B can have Subnet =X/32; but the /etc/tinc/vpn2/hosts/B can exclude Subnet =X/32 since it’s the client side for C.<br>
<br>
Let me know if there’s any other simple way to achieve this.<br>
______________________________<wbr>_________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-b<wbr>in/mailman/listinfo/tinc</a><br>
</blockquote></div><br></div>
</div></blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div></blockquote></div><br></div>
</div></blockquote></div><br></div></div></div></div></blockquote></div><br></div>