Multiple default gateway from tinc node

Narcissus Emi eminarcissus at gmail.com
Tue May 2 09:03:12 CEST 2017


If you do use `ip route add default via gateway dev interface`, you must
run your VPN at the switch layer; there's no default gateway configuration
in a router-layer VPN. You must specify one of your nodes as 0.0.0.0/0 for
routing, and if you do have multiple nodes, it will have a problem.
The only way to handle this is to run your VPN at the switch layer. I've done
something quite similar before and it works great, but only when you keep
your network private; otherwise you will have a problem here.

On Tue, May 2, 2017 at 2:56 PM, Bright Zhao <startryst at gmail.com> wrote:

> Hi, Guus
>
> I don’t quite understand what you describe below. To me, no matter whether tinc or
> any other router/PC gets an IP packet, it will go and check its route
> table, matching the destination IP against the route table for the next
> hop. If I put "ip route add default via <C’s VPN IP address> dev
> $INTERFACE", I thought tinc would match the packet’s destination IP to the
> “default” and then send the traffic through $INTERFACE to the next hop
> <C’s VPN IP address>.
>
> And when it finds the next hop is a virtual interface (instead of
> Ethernet, where ARP can handle layer 2), it will then map it to the
> physical tinc connection, i.e. how A to C’s tunnel has been built, and put the
> packet inside that connection to forward.
>
> This understanding is my knowledge from traditional IPsec VPN; let me
> know if there’s anything wrong for tinc. And BTW, do we have any training /
> technical intro for tinc besides the documentation part on
> tinc-vpn.org?
>
>
> > On 2 May 2017, at 1:43 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> >
> > On Tue, May 02, 2017 at 09:16:53AM +0800, Bright Zhao wrote:
> >
> >> In this case, A's route to the Internet goes through C to D to the
> Internet, but if I add Subnet = 0.0.0.0/0 on B, the traffic seems to go
> directly from A to B to the Internet.
> > [...]
> >> During the whole process, A's default gateway points to C.
> >
> > It might look that way, but it doesn't. I assume you did something like
> > this on A:
> >
> > ip route add default via <C's VPN IP address> dev $INTERFACE
> >
> > However, the "via <some address>" part is only something that has any
> > effect on Ethernet networks. If tinc is in router mode, your VPN is a
> > pure layer 3 network. There are no Ethernet headers, only IP headers. IP
> > headers only have a source and destination IP address, they don't
> > contain any information about a gateway. So when tinc gets a packet, it
> > can only route based on the final destination.
> >
> > --
> > Met vriendelijke groet / with kind regards,
> >     Guus Sliepen <guus at tinc-vpn.org>
> > _______________________________________________
> > tinc mailing list
> > tinc at tinc-vpn.org
> > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
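The two set-ups discussed in this thread, as an added example that is not code from the thread or from the tinc project: a script that writes node A's configuration for either router mode (the Internet exit is chosen by the `Subnet = 0.0.0.0/0` line in C's hosts file, and A's default route carries no `via`) or switch mode (the VPN is an Ethernet segment, so the kernel's `via 10.0.0.3` is honoured because tinc forwards by MAC address). The VPN addresses (10.0.0.1 for A, 10.0.0.3 for C), the public name c.example.org, and the output directory are assumptions; the host keys that `tincd -n vpn -K` would add to the hosts files are left out.

```shell
#!/bin/sh
# Added example (not tinc's own code): write a minimal tinc configuration
# for node A in router or switch mode, to show where the choice of
# "send everything via C" actually lives in each mode.
#
# Assumptions (not from the thread): VPN subnet 10.0.0.0/24, A = 10.0.0.1,
# C = 10.0.0.3, C reachable at c.example.org. Files go under the directory
# given as second argument instead of /etc/tinc/vpn, so no root is needed.

write_tinc_config() {
    mode=$1   # "router" or "switch"
    dir=$2

    case $mode in
    router)
        # No "via": on a layer 3 tun interface the nexthop carries no
        # information; tinc delivers the packet to the node whose Subnet
        # matches the destination, i.e. the one claiming 0.0.0.0/0.
        route='ip route add default dev $INTERFACE'
        ;;
    switch)
        # Layer 2: the kernel ARPs for 10.0.0.3 and tinc forwards the frame
        # to C by MAC address, so "via" really selects the gateway here.
        route='ip route add default via 10.0.0.3 dev $INTERFACE'
        ;;
    *)
        echo "mode must be router or switch" >&2
        return 1
        ;;
    esac

    mkdir -p "$dir/hosts"

    cat > "$dir/tinc.conf" <<EOF
Name = A
Mode = $mode
ConnectTo = C
EOF

    # Router mode routes on destination IP, so A must declare its own
    # address as well (ignored in switch mode, harmless to keep).
    cat > "$dir/hosts/A" <<EOF
Subnet = 10.0.0.1/32
EOF

    cat > "$dir/hosts/C" <<EOF
Address = c.example.org
Subnet = 10.0.0.3/32
EOF
    # Only in router mode does a Subnet line pick the Internet exit node.
    if [ "$mode" = router ]; then
        echo 'Subnet = 0.0.0.0/0' >> "$dir/hosts/C"
    fi

    # tinc runs this with $INTERFACE set to the tun/tap device it created.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set \$INTERFACE up
ip addr add 10.0.0.1/24 dev \$INTERFACE
$route
EOF
    chmod +x "$dir/tinc-up"
}

# Usage: sh this_script.sh router /tmp/tinc-router
if [ "$#" -eq 2 ]; then
    write_tinc_config "$1" "$2"
fi
```

In router mode, if B also announces `Subnet = 0.0.0.0/0`, the kernel route on A cannot break the tie, because tinc never sees it; the knob on the tinc side is the optional weight suffix on a Subnet line (`0.0.0.0/0#weight`, described in tinc.conf(5)), not `via`. In switch mode, the exit node does need IP forwarding and NAT towards the Internet, and every node on the segment sees every broadcast, which is the "keep your network private" caveat above.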