CTWUG Service Tunnels moved to Tinc

I moved all our service tunnels to tinc. This is to make setup of tunnels easier in future and also it adds a lot more redundancy to the tunnels than was achieved via OpenVPN.

Our OpenVPN setup all went through a single host and if connections to that host failed (or the host failed) all our services became unavailable. I.e. we had a central point of failure as well as mission with setting up configs.

With tinc we have a simpler configuration for this but also amazingly with tinc we simply tell each node (be that a CTWUG service or tunnel end point on the wug) about one or two other nodes and it will automatically establish connections to all other nodes creating a mesh network. All these nodes then act as if they are plugged into a switch with all other nodes present. If a node goes down it simply is not available but mesh connections mean all other nodes are available.

Something similar is possible with OpenVPN but we’d need to setup each link in the mesh. It would be far more work to do the same.

tinc also automatically tries to sort out connections through firewalls and NAT and also to find out the IPs of different hosts that may not have static IPs. Again not impossible to navigate with OpenVPN but more work.

On our status page you’d see these new tunnels come up with the name “services”. Older tunnels are still there but marked as down. Will clean them up once we feel this setup is stable.

I then use quagga to route ospf over the services interfaces.

I also plan to setup peering with other wugs in this manner to make it easy for multiple nodes on our end to connect to other wugs (also potentially in multiple places). You may see a few test peers interfaces on the status page.

I’ve also scripted the configuration and this is on gitlab.

Please let me know if you have any issues.

To do:

  • Need to move bastion to this too. It’s still on OpenVPN.
  • @MDE’s tunnel is not set up correctly yet. I still need to organise something with him to get it up.
  • If you operate a tunnel you can improve reliability further by doing the following:
      • Forward port 655 TCP & UDP to your wugpi or equivalent.
      • Let me know if you have a dynamic DNS or similar setup for your IP.
8 Likes
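As an added illustration of the setup described in the post above (this is example code written here, not the author’s gitlab script or CTWUG’s real configuration), the following POSIX shell generates the files one tinc 1.0 node needs for a switch-mode mesh: `tinc.conf` with one or two `ConnectTo` seeds, the node’s own `hosts/` entry, a `tinc-up` script, and a minimal quagga `ospfd.conf` for running OSPF over the tunnel interface. The network name `services`, node names `wugpi1`/`core1`/`core2`, hostnames and the `10.44.0.0/24` range are all assumed placeholders.

```shell
#!/bin/sh
# Constructed example: generate tinc configuration for one node of a switch-mode
# mesh. Names, hostnames and addresses below are assumptions, not CTWUG's values.

# gen_tinc_conf NETNAME NODENAME SEED... -> prints NETNAME/tinc.conf
gen_tinc_conf() {
    net="$1"; node="$2"; shift 2
    printf 'Name = %s\n' "$node"
    printf 'Mode = switch\n'        # every node behaves as if on one shared switch
    printf 'Interface = %s\n' "$net" # tun/tap device name (matches the status page label)
    printf 'Port = 655\n'           # tinc default; forward TCP and UDP 655 on the router
    for peer in "$@"; do
        # Only one or two seeds are needed; tinc learns the other nodes from them.
        printf 'ConnectTo = %s\n' "$peer"
    done
}

# gen_host_file PUBLIC_ADDRESS -> prints hosts/NODENAME (public key is appended later)
gen_host_file() {
    printf 'Address = %s\n' "$1"    # DNS name or IP other nodes use to reach this node
    printf 'Port = 655\n'
}

# gen_tinc_up TUNNEL_IP/PREFIX -> prints the tinc-up script that brings the interface up
gen_tinc_up() {
    printf '#!/bin/sh\n'
    printf 'ip link set "$INTERFACE" up\n'
    printf 'ip addr add %s dev "$INTERFACE"\n' "$1"
}

# gen_ospfd_conf ROUTER_ID NETWORK/PREFIX -> prints a minimal quagga ospfd.conf
gen_ospfd_conf() {
    printf 'router ospf\n'
    printf ' ospf router-id %s\n' "$1"
    printf ' network %s area 0\n' "$2"  # advertise the tunnel subnet into area 0
}

# write_node BASEDIR NETNAME NODENAME PUBLIC_ADDRESS TUNNEL_IP/PREFIX SEED...
# Writes the whole tree under BASEDIR (use /etc/tinc on a real host).
write_node() {
    base="$1"; net="$2"; node="$3"; pub="$4"; tip="$5"; shift 5
    dir="$base/$net"
    mkdir -p "$dir/hosts"
    gen_tinc_conf "$net" "$node" "$@" > "$dir/tinc.conf"
    gen_host_file "$pub" > "$dir/hosts/$node"
    gen_tinc_up "$tip" > "$dir/tinc-up"
    chmod 755 "$dir/tinc-up"
    gen_ospfd_conf "${tip%/*}" "$tip" > "$dir/ospfd.conf.example"
    # Keys are generated on the host itself with: tincd -n "$net" -K
    # which appends the public key to hosts/$node; that file is then copied
    # to every other node's hosts/ directory.
    printf '%s\n' "$dir"
}

# Stand-alone demo on a temporary directory (constructed values).
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    write_node "$tmp" services wugpi1 wugpi1.example.net 10.44.0.11/24 core1 core2
    cat "$tmp/services/tinc.conf"
fi
```

Run it as `sh tinc-gen.sh demo` to see the generated `tinc.conf`; on a real node the only manual steps left are key generation and distributing the `hosts/` files, which is where most of the per-link OpenVPN effort disappears.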

Hey I know @spin is busy but just to let you know that my tunnel has been reactivated. Thanks again.

3 Likes