Building distributed mesh networks of LXC hosts
5 March, 2021 by Administrator

Tinc is more secure than a GRE tunnel because its connections are encrypted. Tinc also gives you the ability to build a distributed mesh network. We are not covering Tinc’s extensive capabilities here; please visit tinc-vpn.org.

For the networking gurus: Tinc can operate as a router (layer 3) or as a switch (layer 2). For this example we are using Tinc in its default router mode.

To avoid container IP clashes we are going to change the default lxcbr0 subnet, 10.0.3.0/24, on one side. Let’s do it on Host A.

Change the subnet on Host A
Edit the /etc/init.d/lxc-net script to change the LXC subnet of the lxcbr0 NAT network from 10.0.3.0/24 to 10.0.4.0/24. If you are on Ubuntu, edit the /etc/default/lxc-net file instead. Before doing this, stop the containers on Host A and stop the lxc-net service; then make the change and restart the lxc-net service.

service lxc-net stop

Edit the lxc-net script

service lxc-net start

So here is the network map.

Host A has public IP 1.2.3.4
Host B has public IP 2.3.4.5
Containers in Host A are on subnet 10.0.4.0/24 via the default lxcbr0 NAT bridge
Containers in Host B are on subnet 10.0.3.0/24 via the default lxcbr0 NAT bridge

We are going to use 10.0.0.1 and 10.0.0.2 as the interface IPs for Tinc.

Install Tinc on both Host A and B

apt-get install tinc

Tinc operates on a concept of network names for the private VPN. Let’s call our network ‘flockport’.

In /etc/tinc/ on both Host A and Host B create a folder called ‘flockport’ and do the following.

mkdir /etc/tinc/flockport

This will hold our configuration for this network.

Create a ‘hosts’ folder in the flockport folder

mkdir /etc/tinc/flockport/hosts

Create the following files in the flockport folder: tinc.conf, tinc-up and tinc-down

cd /etc/tinc/flockport
touch tinc.conf tinc-up tinc-down

Configure Tinc on Host A

nano /etc/tinc/flockport/tinc.conf

Name = hosta
AddressFamily = ipv4
Interface = tun0

You can use any name for your hosts, but the Name must match the file name you create for that host in the hosts folder (hosta below).

nano tinc-up

#!/bin/bash
# tincd exports INTERFACE to this script; the script must be executable (chmod +x tinc-up tinc-down)
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
ip route add 10.0.3.0/24 dev $INTERFACE

nano tinc-down

#!/bin/bash
ifconfig $INTERFACE down
ip route del 10.0.3.0/24 dev $INTERFACE

nano /etc/tinc/flockport/hosts/hosta

Address 1.2.3.4
Subnet 10.0.4.0/24

Configure Tinc on Host B

nano /etc/tinc/flockport/tinc.conf

Name = hostb
AddressFamily = ipv4
Interface = tun0
ConnectTo = hosta

nano tinc-up

#!/bin/bash
# tincd exports INTERFACE to this script; the script must be executable (chmod +x tinc-up tinc-down)
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
ip route add 10.0.4.0/24 dev $INTERFACE

nano tinc-down

#!/bin/bash
ifconfig $INTERFACE down
ip route del 10.0.4.0/24 dev $INTERFACE

nano /etc/tinc/flockport/hosts/hostb

Subnet 10.0.3.0/24

Host B’s file needs no Address line because only Host B initiates the connection (ConnectTo = hosta); Host A just has to be reachable at 1.2.3.4.

Generate keys on both Host A and Host B

tincd -n flockport -K

This will generate the private key files in the flockport folder and append the public keys to the host files /etc/tinc/flockport/hosts/xxx.

Exchange host files between the two hosts
Copy the host file with the public key from /etc/tinc/flockport/hosts/xxx on Host A to the hosts folder on Host B and vice versa.

So now the /etc/tinc/flockport/hosts folder on both Host A and Host B should contain both the ‘hosta’ and ‘hostb’ files.

The moment of truth! Run the tincd command on both Host A and Host B

tincd -n flockport

If you followed the guide accurately, containers on Host A and Host B should now be able to ping each other.

To ensure the Tinc private network starts on reboot, edit the /etc/tinc/nets.boot file on Host A and B and add the network name, i.e. flockport in this case. This ensures that the Tinc network starts up on boot and is available.
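Putting the whole procedure together, here is an added example (not code from the original post or from the Tinc project) that writes the four files for one node and vets a host file received from the other side before it is trusted. It assumes a hypothetical TINC_ROOT variable that defaults to /etc/tinc so the script can be dry-run elsewhere, uses the ip command instead of ifconfig inside tinc-up, and relies on the INTERFACE variable that tincd exports to its hooks. The check matters in router mode because the Subnet lines in a peer's host file decide which traffic your node forwards to that peer, and the public key appended by tincd -K is what authenticates the peer, so a file with an unexpected or extra Subnet (for example 0.0.0.0/0) is refused. Note that tincd listens on TCP and UDP port 655 by default, so the firewalls on both hosts need to allow it between 1.2.3.4 and 2.3.4.5.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Tinc project.
# gen_tinc_node writes tinc.conf, tinc-up, tinc-down and hosts/NAME for one
# node of the 'flockport' network; check_host_file vets a peer's host file.
# Hypothetical: TINC_ROOT (defaults to /etc/tinc) lets you dry-run elsewhere.

TINC_ROOT="${TINC_ROOT:-/etc/tinc}"

# gen_tinc_node NET NAME TUN_IP LOCAL_SUBNET REMOTE_SUBNET [PUBLIC_ADDR] [CONNECT_TO]
gen_tinc_node() {
    net="$1" name="$2" tun_ip="$3" local_subnet="$4" remote_subnet="$5"
    public_addr="${6:-}" connect_to="${7:-}"
    dir="$TINC_ROOT/$net"
    mkdir -p "$dir/hosts"

    # tinc.conf: only the side that initiates the connection needs ConnectTo
    {
        echo "Name = $name"
        echo "AddressFamily = ipv4"
        echo "Interface = tun0"
        if [ -n "$connect_to" ]; then echo "ConnectTo = $connect_to"; fi
    } > "$dir/tinc.conf"

    # tinc-up: tincd exports INTERFACE; address the tunnel and route the
    # peer's container subnet through it (ip instead of ifconfig)
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip addr add $tun_ip/24 dev \$INTERFACE
ip link set \$INTERFACE up
ip route add $remote_subnet dev \$INTERFACE
EOF

    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip route del $remote_subnet dev \$INTERFACE
ip link set \$INTERFACE down
EOF
    # the hooks must be executable for tincd to run them
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"

    # hosts/NAME: where peers can reach us (if anywhere) and the one subnet
    # this node is allowed to announce; tincd -K appends the public key later
    {
        if [ -n "$public_addr" ]; then echo "Address = $public_addr"; fi
        echo "Subnet = $local_subnet"
    } > "$dir/hosts/$name"
}

# check_host_file FILE EXPECTED_SUBNET
# Returns 0 only if the exchanged host file declares exactly the subnet we
# expect for that peer and carries a public key. In router mode every Subnet
# line becomes a route your node pushes traffic into, so an extra or wider
# Subnet (say 0.0.0.0/0) is a reason to refuse the file.
check_host_file() {
    file="$1" expected="$2"
    [ -f "$file" ] || return 1
    subnets=$(sed -n 's/^[Ss]ubnet[ =]*//p' "$file" | sed 's/ *$//')
    [ "$subnets" = "$expected" ] || return 1
    grep -q -e 'BEGIN RSA PUBLIC KEY' -e '^Ed25519PublicKey' "$file" || return 1
}

# Usage (dry run, hypothetical paths):
#   TINC_ROOT=/tmp/dryrun sh gen-tinc.sh flockport hosta 10.0.0.1 10.0.4.0/24 10.0.3.0/24 1.2.3.4
#   TINC_ROOT=/tmp/dryrun sh gen-tinc.sh flockport hostb 10.0.0.2 10.0.3.0/24 10.0.4.0/24 "" hosta
if [ $# -ge 5 ]; then
    gen_tinc_node "$@"
fi
```

Run it once per host with that host's own subnet as LOCAL_SUBNET and the peer's as REMOTE_SUBNET, then generate keys with tincd -n flockport -K as above and run check_host_file on each file you copy in from the other side before starting tincd.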

You can easily add more LXC hosts to the network. Tinc has a number of options for optimizing connectivity (compression etc.) and for choosing the security cipher. Please visit the Tinc website and go through the documentation for more options.