[Spread-users] Spread configuration for vpn-tunnels

John Schultz jschultz at spreadconcepts.com
Tue Sep 7 14:27:23 EDT 2010


Unfortunately, I'm not really following what you are asking and your network diagrams aren't really helping.  However, Spread does support multiple interfaces on a single host and allows you to specify which ones to use for daemon-daemon and client-daemon communications.  For example,

Spread_Segment 127.0.0.1 {

  host1 192.5.36.1 {
    C 192.5.36.1
    C 192.5.36.2
    C 192.5.36.3
    ... repeat for any other client interfaces
    D 192.168.1.1
    D 192.5.36.1
  }
}

configures a multi-homed machine to accept client connections only on the interfaces specified with the "C" in front of them.  Daemon-to-daemon traffic will only be received on the 192.168.1.1 and 192.5.36.1 interfaces.  Daemon-to-daemon traffic will be sent on whichever interface your kernel routing dictates to reach the destination address in question.  Please note that if you specify the interface bracket after the host's IP then you need to specify at least one C and one D interface.  Alternatively, if you omit the C or D then the interface can be used for both kinds of traffic.  The most likely to work configurations will have all the daemons in a configuration being able to reach every other daemon interface specified in the configuration (i.e. - no routing holes, etc.).

This is all fairly well documented in the sample configuration file that comes with Spread, sample.spread.conf, in the docs directory.

To answer your other questions, Spread uses the hostname you list in the configuration file to form private client names that connect to that daemon.  Clients are given private name strings of the form: "#<client_name>#<hostname>".  The "hostname" that you specify, however, can be any arbitrary string.  Spread will do a DNS lookup of the name and complain if it doesn't match the listed IP.  You can override this safety feature by using the -n option.  You can also omit listing the IP, provided that every daemon can do a successful DNS lookup of the hostname that you put there (and return the IP that you want) -- if not your configuration probably won't work right.  Similarly, you can omit the hostname so long as you specify the IP -- the "hostname" will then just be a stringified version of the IP address.  Generally, we recommend specifying both the names and the IPs, preferably with the name actually being a DNS name that will map to the given IP.

Cheers!

-----
John Lane Schultz
Spread Concepts LLC
Phn: 301 830 8100
Cell: 443 838 2200
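The rules set out in the reply above (C and D tags, an untagged interface serving both roles, at least one of each inside a bracket, a listed name that must resolve to the listed IP unless the daemon runs with -n) are easy to get wrong by hand when a gateway has several interfaces. The following is an added example written for this page, not code from Spread or from either poster: it parses configuration fragments of the form shown above and reports violations of those rules. The names Host, parse, lint, SAMPLE_CONF, STUB_DNS and stub_resolver are invented here, and the sample configuration and DNS table are constructed so the check runs offline.

```python
"""Lint spread.conf host entries against the interface rules stated above.
Added example for this page, not Spread's own code; Host, parse, lint and
stub_resolver are invented names.  Rules: an unbracketed "name ip" host uses that
ip for client and daemon traffic alike; a bracketed host needs a client ("C" or
untagged) and a daemon ("D" or untagged) interface; a listed name must resolve to
the listed ip unless no_dns_check (standing in for -n) is set."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# "C ip", "D ip" or a bare "ip"; also used to recognise the ip on a host line
_IFACE = re.compile(r"^(?:(?P<tag>[CD])\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

@dataclass
class Host:
    name: Optional[str]                 # None when only an ip is listed
    ip: Optional[str]                   # None when only a name is listed
    bracketed: bool = False
    client_ifaces: List[str] = field(default_factory=list)
    daemon_ifaces: List[str] = field(default_factory=list)

def parse(text: str) -> List[Host]:
    hosts, in_segment, host = [], False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("..."):  # '#' comments and '...' filler are skipped
            continue
        if not in_segment:
            if not (line.startswith("Spread_Segment ") and line.endswith("{")):
                raise ValueError(f"line {lineno}: expected 'Spread_Segment <addr> {{'")
            in_segment = True
        elif host is not None:                  # inside a host's interface bracket
            if line == "}":
                host = None
            elif (m := _IFACE.match(line)) is None:
                raise ValueError(f"line {lineno}: bad interface line {line!r}")
            else:
                if m.group("tag") != "D":       # "C" or untagged: accepts clients
                    host.client_ifaces.append(m.group("ip"))
                if m.group("tag") != "C":       # "D" or untagged: talks to other daemons
                    host.daemon_ifaces.append(m.group("ip"))
        elif line == "}":                       # end of the segment
            in_segment = False
        else:                                   # "[name] [ip] [{]": the ip, if given, is last
            brace = line.endswith("{")
            toks = (line[:-1] if brace else line).split()
            ip = toks.pop() if toks and _IFACE.match(toks[-1]) else None
            name = toks.pop() if toks else None  # ip-only hosts are named by the ip itself
            if toks or (name, ip) == (None, None):
                raise ValueError(f"line {lineno}: bad host line {line!r}")
            both = [ip] if ip and not brace else []   # no bracket: one address, both roles
            hosts.append(Host(name, ip, brace, list(both), list(both)))
            host = hosts[-1] if brace else None
    return hosts

def lint(hosts: List[Host], resolver: Callable[[str], str] = socket.gethostbyname,
         no_dns_check: bool = False) -> List[str]:
    """Return the problems found; an empty list means the rules above hold."""
    problems = []
    for h in hosts:
        for role, ifaces in (("C", h.client_ifaces), ("D", h.daemon_ifaces)):
            if h.bracketed and not ifaces:
                problems.append(f"{h.name or h.ip}: bracket has no {role} (or untagged) interface")
        if h.name is None or no_dns_check:
            continue                            # nothing to resolve, or -n was given
        try:
            resolved = resolver(h.name)
        except OSError as exc:
            problems.append(f"{h.name}: does not resolve ({exc})")
            continue
        if h.ip is not None and resolved != h.ip:
            problems.append(f"{h.name}: resolves to {resolved} but config lists {h.ip}"
                            " (start spread with -n to skip this check)")
    return problems

# Constructed sample modelled on the fragment above; host3 is deliberately wrong.
SAMPLE_CONF = """\
Spread_Segment 127.0.0.1 {
  host1 192.5.36.1 {
    C 192.5.36.1
    ... repeat for any other client interfaces
    D 192.168.1.1
    D 192.5.36.1
  }
  host2 192.168.1.2
  host3 192.168.1.3 {
    C 192.168.1.3
  }
}
"""
# Constructed stand-in for DNS; host2's record deliberately disagrees with the config.
STUB_DNS = {"host1": "192.5.36.1", "host2": "192.168.1.9", "host3": "192.168.1.3"}

def stub_resolver(name: str) -> str:            # fails the way gethostbyname does
    if name not in STUB_DNS:
        raise socket.gaierror(f"unknown host {name}")
    return STUB_DNS[name]
```

Run against SAMPLE_CONF with the stub resolver, lint() reports host2 (its name resolves to an address other than the one listed) and host3 (a bracket with only C interfaces). With the default resolver it performs the same forward lookup the daemon does, so it can be pointed at a real spread.conf; no_dns_check=True mirrors starting spread with -n. The reachability requirement (every daemon able to reach every listed daemon interface) is not checked here, since that depends on the live routing tables rather than on the file.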

On Sep 7, 2010, at 1:40 PM, Goran Hasse wrote:

Thanks! This works and now if I want to add a spread connection on a local interface

                      GW host                        Internal host
                 +--------------+                    +-----------+
                 |              |                    |           |
                 +--+--------+--+                    +-----+-----+
   192.5.36.X       |        | 192.168.1.1                 | 192.168.1.2
                    |        +-----------------------------+

                  10.8.0.44 ...
     +-+       +-+
     | |       | |                vpn clients (a lot).
     +-+       +-+


The public interface 192.5.36.X connects a lot of vpn-clients and the GW host is connected to a
local internal host. Maybe I need two configurations? One for the vpn-system and one for the
local (internal) connection. Is it possible to have the internal host communicate with the
vpn-clients?

I like spread a lot and we use it a lot. But now we are experimenting with some more complicated
configurations and the manual is somewhat thin...

For example I don't understand why the daemon must have a "-n name"? It seems that it listens
on all addresses anyhow...

$ netstat -an | grep 4803
tcp        0      0 0.0.0.0:4803            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:4803            0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     7262     /tmp/4803

And I also think there is some confusion about hostnames and interface names. In my little
world an interface has one (or many) IP numbers, and one or many domain names for those
IP numbers:

if1.domain.se     192.168.1.1
if2.domain.se     192.168.1.2

This is especially important on multihomed systems. For me what you call "hostname"
is the "system name", what you get if you run the command "hostname". But this has nothing to
do with the interface name (that should have a domain part), OR an entry in /etc/hosts as an alias.

Can one hope for a more elaborate description in the manual?

G Hasse

2010/9/7 John Schultz <jschultz at spreadconcepts.com>
Spread_Segment 127.0.0.1 {
 $hostname1 10.8.0.1
}

Spread_Segment 127.0.0.1 {
 $hostname2 10.8.0.44
}

This is assuming that you only have two Spread daemons and that you want them to only communicate point-to-point.

Please replace the $hostname variables with the actual hostnames of the associated box.

Cheers!

-----
John Lane Schultz
Spread Concepts LLC
Phn: 301 830 8100
Cell: 443 838 2200

On Sep 7, 2010, at 8:36 AM, Goran Hasse wrote:

Hello!

I have a configuration like this;


                      +--------+
                      |        |   Public server with vpn-endpoints (a lot)
                      +--------+
                       10.8.0.1

                      Internet

                     10.8.0.44 ...
     +-+       +-+
     | |       | |                vpn clients (a lot).
     +-+       +-+


How do I set up a configuration file for spread here?  All connections 10.8.0.44 - 10.8.0.1 are point-to-point.

GH


--
gorhas at gmail.com
Mob: 070-5530148
_______________________________________________
Spread-users mailing list
Spread-users at lists.spread.org
http://lists.spread.org/mailman/listinfo/spread-users




-- 
gorhas at gmail.com
Mob: 070-5530148


