<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>On 01/12/2016 06:35 AM, brian mullan wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:CAFX-c4s7rXHuCvW4XuMiE1wNoztHkStGDLJMeDexGkTHefu6pw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div><tt>Peter</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>On AWS unless you are using VPC I don't think
you can use secondary addresses because AWS won't
route any of that traffic. Also with your
addresses routing would be affected by the
split-horizon problem with the same network on 2
sides.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>You probably know this ... but on AWS each
instance has a Public & a Private IP address.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>If ec2-server1 pings ec2-server2's Public IP
address... </tt><tt><br>
</tt><tt><br>
</tt><tt>Inside EC2 AWS redirects your server1 to
server2 pings to the Private IP of server2 not the
Public IP even though that's what you input to the
ping command. EC2 inter-instance traffic is always
to/from the Private IP addresses.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>This can be useful & save $$ because traffic
internal to EC2 doesn't get charged to you like
outbound or inbound traffic from the Internet does.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>I install PeerVPN (</tt><tt><a moz-do-not-send="true"
href="http://www.peervpn.net">www.peervpn.net</a></tt><tt>)
on my AWS servers to support inter-server LXC
communications. Its dead simple to setup, its
auto-learning & full mesh vpn and you can then
interconnect not only LXC on multiple AWS servers but on
different Clouds like AWS & Digital Ocean and/or your
own servers at home/office.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>It also doesn't require firewall changes beyond what you
already use.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>Flockport did a </tt><tt><a moz-do-not-send="true"
href="https://www.flockport.com/build-layer2-and-layer-3-overlay-networks-with-peervpn/">nice
writeup on how to install/use PeerVPN</a></tt><tt> also.
Maybe that will help.</tt><tt><br>
</tt><tt><br>
</tt></div>
</blockquote>
<tt><br>
</tt><tt>Brian, thanks for this pointer. It looks like this is what
we'll need to solve our networking issues. However, I followed
through </tt><tt>F</tt><tt>lockport's L2 example and configured
peervpn on my two EC2 hosts but I still cannot ping containers
across hosts. If I could indulge on your expertise I'd appreciate
some pointers.</tt><tt><br>
</tt><tt><br>
</tt><tt>The peervpn config file for </tt><tt>h</tt><tt>ost 1's
config file looks like this:</tt><tt><br>
</tt><tt><br>
</tt><tt> networkname PEERVPN</tt><tt><br>
</tt><tt> psk mypasswd</tt><tt><br>
</tt><tt> enabletunneling yes</tt><tt><br>
</tt><tt> interface peervpn0</tt><tt><br>
</tt><tt> ifconfig4 10.0.0.11/24</tt><tt><br>
</tt><tt> port 7000</tt><tt><br>
</tt><tt> initpeers 10.0.0.108 7000</tt><tt><br>
</tt><tt><br>
</tt><tt>and </tt><tt>h</tt><tt>ost 2's config looks like this:</tt><tt><br>
</tt><tt><br>
</tt><tt> networkname PEERVPN</tt><tt><br>
</tt><tt> psk mypasswd</tt><tt><br>
</tt><tt> enabletunneling yes</tt><tt><br>
</tt><tt> interface peervpn0</tt><tt><br>
</tt><tt> ifconfig4 10.0.0.12/24</tt><tt><br>
</tt><tt> port 7000</tt><tt><br>
</tt><tt><br>
</tt><tt>The IP address 10.0.0.108 is the private IP that is
assigned to eth0 of host 2. Should I use this address the host's
public IP instead? I did try this but I was still not able to ping
containers across my two hosts.</tt><tt><br>
</tt><tt><br>
</tt><tt>From what I can tell peervpn is working correctly. A
peervnp0 interface has been created on host 1 and assigned address
10.0.0.11, and a peervpn0 interface has been created on host 2 and
assigned address 10.0.0.12. The output from peervpn on host 1
shows that it has successfully connected to host 2:</tt><tt><br>
</tt><tt><br>
</tt><tt> opening sockets...</tt><tt><br>
</tt><tt> IPv4/UDP: ok.</tt><tt><br>
</tt><tt> IPv6/UDP: ok.</tt><tt><br>
</tt><tt> opening TAP device...</tt><tt><br>
</tt><tt> device "peervpn0": ok.</tt><tt><br>
</tt><tt> done.</tt><tt><br>
</tt><tt> preparing P2P engine...</tt><tt><br>
</tt><tt> done.</tt><tt><br>
</tt><tt><br>
</tt><tt> Client ID:
7701546D9169C314678310CC92AE22AFDBD0A66F2A39417644C0FC99DF498CB8</tt><tt><br>
</tt><tt> Network ID:
EDE14D183315365CF171564C2BDEDFE3BA51310352EBDBE1CDF49FAF662CF5BB</tt><tt><br>
</tt><tt><br>
</tt><tt> entering main loop...</tt><tt><br>
</tt><tt><br>
</tt><tt> [0] 0 peers connected.</tt><tt><br>
</tt><tt> [0] resolving 10.0.0.108:7000...</tt><tt><br>
</tt><tt> done.</tt><tt><br>
</tt><tt> [12] 1 peers connected.</tt><tt><br>
</tt><tt><br>
</tt><tt>The output from peervpn on host 2 also shows that one peer
has connected, so it appears that my configuration is correct. Is
there something else that's needed on the containers? The
container IPs are all statically assigned and I don't need DHCP/</tt><tt>dnsmasq
support. </tt><tt><br>
</tt><tt><br>
</tt><tt>Any advice would be appreciated.</tt><tt><br>
</tt><tt><br>
</tt><tt>Peter</tt><tt><br>
<br>
</tt>
</body>
</html>