Multiple default gateway from tinc node

Bright Zhao startryst at gmail.com
Tue May 2 15:58:49 CEST 2017


And BTW, the reason I’m asking those questions is that by default Tinc will try to automate all the underlying connections and tunnel as directly as possible, which is fantastic, but in my use case I need to manipulate and control the traffic to go through a certain path (instead of as directly as possible). That’s why I turned on IndirectData = yes, so that only tunnels formed under a ConnectTo statement are used.

Earlier, my understanding was that everything follows the route table, but according to the case below, sometimes it doesn’t.


> On 2 May 2017, at 9:53 PM, Bright Zhao <startryst at gmail.com> wrote:
> 
> Sure, let me reply to all here with my findings. @Lars @Guus
> 
> A’s tinc.conf:
> Name = bright
> AddressFamily = ipv4
> ConnectTo = aly_hk
> 
> A’s tinc-up:
> #!/bin/sh
> ifconfig $INTERFACE 10.0.0.110 netmask 255.255.255.0
> 
> A’s host config:
> Subnet = 10.0.0.110/32 (VPN address)
> Subnet = 192.168.31.0/24 (LAN address)
> IndirectData = yes (enabled for every tinc nodes)
> 
> The node aly_hk (VPN address 10.0.0.3) connects with the other Tinc nodes B, C, D; and Subnet = 8.8.8.8 has been added to the host configs of aly_hk, B, C and D.
> 
> When the tinc daemon comes up on A (together with some manual scripts for the destination 8.8.8.8), the route table looks like this:
> 10.0.0.0/24 dev tun0
> 10.0.0.3 dev tun0
> 8.8.8.8 via 10.0.0.3 dev tun0
> 
> The key point to understand here is how routing happens for traffic headed for 8.8.8.8. Earlier I thought it could ONLY be sent to 10.0.0.3, where aly_hk (10.0.0.3) delivers to 8.8.8.8 locally (because aly_hk has the default route for 8.8.8.8, so there is no need to forward to other tinc nodes). But now I found that A will learn multiple 8.8.8.8 subnets from aly_hk, and, for example, if I set B’s Subnet = 8.8.8.8#9, then A pinging 8.8.8.8 will send to aly_hk, and aly_hk will forward to B for final delivery.
> 
> In summary, with ip route add default via <X> dev $INTERFACE, the X here may or may not be the final exit for the VPN; it depends on whether the Subnet on X is preferred (even though the routing table has the entry for the exit). It just indicates the next hop (if only ConnectTo = X and IndirectData = yes).
> 
> But if I remove IndirectData, so it defaults to no, then I guess for the above use case maybe A will send traffic directly to B, and B does the final delivery. In this case the Tinc packet forwarding does not follow the route table at all: the traffic looks like it will be sent to 10.0.0.3 as the next hop, but it isn’t.
> 
> Is the above right?
> 
> 
>> On 2 May 2017, at 6:33 PM, Lars Kruse <lists at sumpfralle.de> wrote:
>> 
>> Hello,
>> 
>> 
>> On Tue, 2 May 2017 09:16:53 +0800,
>> Bright Zhao <startryst at gmail.com> wrote:
>> 
>>> [..]
>>> Since A has ConnectTo to both B and C (to D through C), and the default
>>> gateway is set to C, why does A choose B instead of D's default route?
>> 
>> This is starting to become a little bit confusing. Let us clear this up with
>> facts :)
>> 
>> Could you please share your routing table with us?
>> Additionally the subnet definitions of each relevant tinc node would be helpful.
>> 
>> You surely sync all node files on all hosts, right?
>> (thus all hosts share the same perspective regarding the other nodes' subnets)
>> 
>> Cheers,
>> Lars
>> 
>> 
>> PS: I think you are making your life harder by mixing two problems:
>> 1) "does the traffic reach the intended node?"
>> 2) "does the traffic to a node pass through the right order of other nodes?"
>> I think you should solve (1) first and only afterwards approach (2).
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> 
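The Subnet selection described in the message, as an added Python model (not tinc's own code): the longest prefix wins, then the lowest #weight (tinc's default is 10), so B's 8.8.8.8#9 beats aly_hk's plain 8.8.8.8. The owner-name tie-break and the hop-by-hop path under IndirectData are simplifying assumptions, and the node and subnet data is constructed from the thread.

```python
import ipaddress
from collections import deque

DEFAULT_WEIGHT = 10  # tinc's default when a Subnet has no "#weight" suffix

def parse_subnet(spec):
    """Parse a tinc 'Subnet =' value such as '8.8.8.8#9' or '192.168.31.0/24'."""
    addr, _, weight = spec.partition("#")
    return ipaddress.ip_network(addr.strip(), strict=False), int(weight or DEFAULT_WEIGHT)

def lookup_owner(hosts, dst):
    """hosts: {node: [subnet specs]}. Return the node the packet for dst is routed to:
    longest prefix first, then lowest weight, then owner name (tie-break assumed)."""
    ip = ipaddress.ip_address(dst)
    rows = [(parse_subnet(s), owner) for owner, specs in hosts.items() for s in specs]
    matches = [(net, w, owner) for (net, w), owner in rows if ip in net]
    if not matches:
        return None
    return min(matches, key=lambda m: (-m[0].prefixlen, m[1], m[2]))[2]

def next_hop(edges, src, owner, indirect):
    """Simplified model: with IndirectData the packet follows the meta-connection
    (ConnectTo) path hop by hop; without it, src tries to reach the owner directly."""
    if not indirect or src == owner:
        return owner
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:                      # BFS over meta connections, then walk back to src
        n = queue.popleft()
        if n == owner:
            while prev[n] != src:
                n = prev[n]
            return n
        for m in adj.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None

# Constructed from the thread: every node announces 8.8.8.8 at the default weight
# except B, which uses 8.8.8.8#9 (a lower weight is preferred).
HOSTS = {
    "bright": ["10.0.0.110/32", "192.168.31.0/24"],
    "aly_hk": ["10.0.0.3/32", "8.8.8.8"],
    "B": ["8.8.8.8#9"], "C": ["8.8.8.8"], "D": ["8.8.8.8"],
}
EDGES = [("bright", "aly_hk"), ("aly_hk", "B"), ("aly_hk", "C"), ("aly_hk", "D")]

if __name__ == "__main__":
    owner = lookup_owner(HOSTS, "8.8.8.8")
    print("owner:", owner, "next hop from bright:", next_hop(EDGES, "bright", owner, True))
```

Running it shows the effect the message describes: the kernel route points at 10.0.0.3, but the subnet owner is B and aly_hk is only the next hop.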