removed (seemingly) unnecessary ip rule for public ip of exit node. removal tested on home node: had no impact on functioning. @Juul @max-b @bennlich please review if you are interested
jhpoelen committed Mar 20, 2018
1 parent e585fe7, commit f23342d
Showing 2 changed files with 0 additions and 2 deletions.
configs/ar71xx/home_nodes/templates/files/etc/sudomesh/home_node: 1 change, 0 additions & 1 deletion
Comment on f23342d:
I don't think that will work. The trouble is that you need to specify that connections to the exit server will go over the "main" table (not tunneled) as opposed to through the tunnel itself. Without it I believe that once the tunnel is established, the home node will then attempt to start sending packets to the exit server through the tunnel interface itself, which shouldn't work. Does that make sense?
Comment on f23342d:
Interesting!
Before making the change, I did a little experiment and found that I was able to ping the public ip of the exit node through the l2tp0 tunnel. Wouldn't the public ip be routed by rules of the exit node itself?
Comment on f23342d:
I mean yeah, I guess you might be able to ping the exit node's public IP address through the tunnel interface, but can you see how the packets which are necessary to establish and maintain the tunnel themselves HAVE to go through the main routing table and therefore out through the home node's WAN interface? It's a bad analogy, but can you sort of see how telling someone that you're going to dig your tunnel through the tunnel that you're digging is like an ontological problem?

Have you actually tried modifying these files in this manner on a home node that you have in your possession and then rebooting the router and seeing if it will establish and maintain a tunnel connection? If it does indeed work, there is something very strange going on, but I strongly suspect that it will not...
Comment on f23342d:
Hmm, yes. This makes sense. But...
Yes, just did this, and the tunnel does maintain. More weirdness:
Lol, route the tunnel through the tunnel plz!
Manually adding the rule does change the route to be the expected:
I wonder if tunneldigger is working w/o this rule because of the explicit option bind_to_interface 'eth1' in /etc/config/tunneldigger.
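The disagreement in the thread above comes down to how the Linux policy-routing walk resolves the exit node's public IP once a tunnel default route exists. The following is an added example, not code from the sudomesh repository or from any commenter: it emulates the `ip rule` / `ip route` lookup in a few dozen lines so the two configurations can be compared side by side. The addresses (TEST-NET ranges), the table name `tunnel`, the rule preferences, and the exact form of the deleted rule (a `to <exit ip> lookup main` rule) are all assumptions; the interface names `l2tp0` and `eth1` are the ones named in the discussion. The `oif` parameter models a socket bound to a device (what `bind_to_interface` would do if it uses SO_BINDTODEVICE, which is also an assumption here): only routes via that device are considered, so the tunnel's own packets leave via the WAN even without the rule.

```python
import ipaddress

# Constructed sample addresses (not the real sudomesh ones).
EXIT_PUBLIC_IP = "198.51.100.10"   # exit node public IP (assumed, TEST-NET-2)
TUNNEL_IF = "l2tp0"                # tunnel interface named in the thread
WAN_IF = "eth1"                    # home node WAN, as in bind_to_interface 'eth1'

# Routing tables: name -> list of (prefix, outgoing device).
# Longest prefix wins within a table, as in the kernel FIB lookup.
TABLES = {
    "main": [
        ("192.0.2.0/24", WAN_IF),   # assumed WAN link net
        ("0.0.0.0/0", WAN_IF),      # default route to the ISP upstream
    ],
    "tunnel": [                     # assumed table holding the mesh default
        ("0.0.0.0/0", TUNNEL_IF),   # everything through the tunnel
    ],
}

# ip rule entries: (preference, destination selector or None, table).
RULES_WITHOUT_EXIT_RULE = [
    (1000, None, "tunnel"),         # consult the tunnel table first
    (32766, None, "main"),          # then the main table
]
# The rule removed by commit f23342d, modelled as an assumed
# "ip rule add to <exit ip> lookup main pref 10".
RULES_WITH_EXIT_RULE = [
    (10, EXIT_PUBLIC_IP + "/32", "main"),
] + RULES_WITHOUT_EXIT_RULE


def lookup_table(table, dst):
    """Longest-prefix match of dst inside one routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, dst, oif=None):
    """Emulate the kernel walk over 'ip rule' entries in preference order.

    Returns the outgoing device, or None if nothing matches.  When oif is
    given, routes via any other device are ignored in that table and the
    walk continues with the next rule, which is how a socket bound to a
    device is treated.
    """
    dst_addr = ipaddress.ip_address(dst)
    for _pref, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and dst_addr not in ipaddress.ip_network(selector):
            continue
        dev = lookup_table(table, dst)
        if dev is None:
            continue
        if oif is not None and dev != oif:
            continue
        return dev
    return None


def tunnel_through_tunnel(rules, oif=None):
    """True when the exit node itself would be reached over the tunnel."""
    return route(rules, EXIT_PUBLIC_IP, oif) == TUNNEL_IF


if __name__ == "__main__":
    print("without rule:", route(RULES_WITHOUT_EXIT_RULE, EXIT_PUBLIC_IP))
    print("with rule:   ", route(RULES_WITH_EXIT_RULE, EXIT_PUBLIC_IP))
    print("without rule, socket bound to eth1:",
          route(RULES_WITHOUT_EXIT_RULE, EXIT_PUBLIC_IP, oif=WAN_IF))
    print("other traffic with rule:", route(RULES_WITH_EXIT_RULE, "203.0.113.7"))
```

Without the rule the exit node's address resolves to `l2tp0`, which is the "tunnel through the tunnel" case; with the rule it resolves to `eth1` while other destinations still go through the tunnel. The bound-socket case resolves to `eth1` in either configuration, which is consistent with the observation in the thread that the tunnel keeps working after the rule is removed, but only for traffic from that bound socket: anything else addressed to the exit node's public IP still follows the tunnel table. On a real node the equivalent check is `ip route get <exit ip>` before and after adding the rule.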