gsliepen / tinc

a VPN daemon
http://tinc-vpn.org/

TINC inside HTTPS tunnel #416

Open ptorrent opened 1 year ago

ptorrent commented 1 year ago

Hello there,

Some of our nodes are using HTTPS tunnels to connect to other nodes.

This is my case:

[image]

When the link between Node A and Node B is down, Node A will try to join Node B through Node C. But as Node C is using an HTTPS tunnel, its public address is "127.0.0.1". This means that Node A is connecting to itself...

Is there a way to force Node A to connect only to the "Address" set in Node B's host file?

Node C version: 1.0.36

ConnectTo = NODE_B
Name = NODE_C
AddressFamily = ipv4
KeyExpire = 3600
Interface = XXXX
Broadcast = no
AutoConnect = no
LocalDiscovery = no
Compression = 0
StrictSubnets = yes
TCPOnly = no
Port = 655

Node B version: 1.1pre16

ConnectTo = NODE_A
Name = NODE_B
AddressFamily = ipv4
Interface = XXXX
StrictSubnets = no
Port = 655
TCPOnly = yes
Broadcast = no
AutoConnect = no
PingTimeout = 30
ProcessPriority = high

Node A version: 1.1pre16

ConnectTo = NODE_B
Name = NODE_A
AddressFamily = ipv4
Interface = XXXX
StrictSubnets = no
Port = 655
TCPOnly = yes
Broadcast = no
AutoConnect = no
PingTimeout = 30
ProcessPriority = high

Thanks for your help!

st31ny commented 1 year ago

Hi ptorrent,

How are you building the HTTPS tunnels?

When the link between Node A and Node B is down, Node A will try to join Node B through Node C. But as Node C is using an HTTPS tunnel, its public address is "127.0.0.1". This means that Node A is connecting to itself...

I am using HTTPS tunnels, too, but to do so, I rely on the Proxy setting in tinc.conf. So, I can use the real addresses of the nodes in the host files and only handle the HTTPS tunnel part in my proxy script.

Best, Max

ptorrent commented 1 year ago

Hello Max,

You're right, I think it's a better solution to use the tinc proxy. But in our project we build our own HTTP tunnel for historical reasons.

But it's more a general issue: do we have a way to force a node acting "as server" to only try to connect to its ConnectTo node without passing through another node?

Thanks !

ptorrent commented 1 year ago

Hello,

Here is a strange behavior...

2022-10-05 02:52:43 tinc[3142962]: Timeout while connecting to NODE_B([GOOD PUBLIC IP] port 50178)
2022-10-05 02:52:43 tinc[3142962]: Closing connection with NODE_B([GOOD PUBLIC IP] port 50178)
2022-10-05 02:52:43 tinc[3142962]: Trying to connect to NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Connected to NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Peer 127.0.0.3 port 655 is NODE_A instead of NODE_B
2022-10-05 02:52:43 tinc[3142962]: Error while processing ID from NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Closing connection with NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Trying to connect to NODE_B([GOOD PUBLIC IP] port 655)

Looks like NODE_A is trying to connect to NODE_B through a tunnel... How can I prevent that? Is there a way to force a tinc node to use ONLY the host file Address?

NODE_A tinc conf

Name = NODE_A
ConnectTo = NODE_B

NODE_B host file

Address = [GOOD_PUBLIC_ADDRESS]
.....

In my context, NODE_A cannot join NODE_B because of firewall rules... I don't want it to try to connect to NODE_B by another IP address.
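As an added example (not code from this thread or from tinc itself), a small check over a constructed copy of the log above: it flags outgoing attempts to addresses that are not in the peer's hosts file (tinc learned them from another node), notes when such an address is loopback, and records tinc's own identity-mismatch refusals. The address 203.0.113.10 is an assumed placeholder for the redacted public IP.

```python
import re
from ipaddress import ip_address

# Constructed sample with the shape of the tinc log in the post above;
# 203.0.113.10 stands in for the redacted "[GOOD PUBLIC IP]".
SAMPLE_LOG = """\
2022-10-05 02:52:43 tinc[3142962]: Timeout while connecting to NODE_B(203.0.113.10 port 50178)
2022-10-05 02:52:43 tinc[3142962]: Closing connection with NODE_B(203.0.113.10 port 50178)
2022-10-05 02:52:43 tinc[3142962]: Trying to connect to NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Connected to NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Peer 127.0.0.3 port 655 is NODE_A instead of NODE_B
2022-10-05 02:52:43 tinc[3142962]: Error while processing ID from NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Closing connection with NODE_B(127.0.0.3 port 655)
2022-10-05 02:52:43 tinc[3142962]: Trying to connect to NODE_B(203.0.113.10 port 655)
"""

# Address lines from the hosts files: the only endpoints we intend to use.
EXPECTED = {"NODE_B": {"203.0.113.10"}}

CONNECT_RE = re.compile(r"Trying to connect to (\w+)\((\S+) port (\d+)\)")
MISMATCH_RE = re.compile(r"Peer (\S+) port (\d+) is (\w+) instead of (\w+)")

def audit_tinc_log(text, expected):
    """Return (kind, peer, detail) tuples:
    learned-address  - attempt to an address absent from the peer's hosts file
    loopback         - that learned address is 127.0.0.0/8 (tunnel endpoint)
    identity-mismatch - tinc's ID exchange refused an endpoint owned by another node
    """
    findings = []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            peer, addr, _port = m.groups()
            if addr not in expected.get(peer, set()):
                findings.append(("learned-address", peer, addr))
                if ip_address(addr).is_loopback:
                    findings.append(("loopback", peer, addr))
            continue
        m = MISMATCH_RE.search(line)
        if m:
            addr, _port, actual, claimed = m.groups()
            findings.append(("identity-mismatch", claimed, f"{addr} is {actual}"))
    return findings

if __name__ == "__main__":
    for finding in audit_tinc_log(SAMPLE_LOG, EXPECTED):
        print(*finding)
```

The identity-mismatch line is the useful signal here: tinc's key-based ID check refused the wrong peer, so the problem is the learned loopback address, not a failed authentication.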

st31ny commented 1 year ago

2022-10-05 02:52:43 tinc[3142962]: Peer 127.0.0.3 port 655 is NODE_A instead of NODE_B

If I needed to guess, I'd say that tinc tried to connect to NODE_B using 127.0.0.3 but received the public key from NODE_A there. What exactly is running at 127.0.0.3?

ptorrent commented 1 year ago

Nothing, it's the HTTP proxy.