Displaying 20 results from an estimated 54 matches for "strictsubnet".
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter
ADD_SUBNET messages based on the metaconnection on which they are
received, so that nodes can't impersonate each other's VPN Subnets.
Similar to StrictSubnets in spirit, but way more flexible.
BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK
In terms of metaconnections (I'm not discussing data tunnels here),
one of the most interesting properties of tinc is that users are free
to come up with any topology for the node graph; this makes tinc
extrem...
2014 Jan 16
1
Clarification of man page on StrictSubnets
Guus,
I have a question on how to interpret the following fragment of the man page:
StrictSubnets = yes | no (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
local /etc/tinc/NETNAME/hosts/ directory.
Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps this c...
2016 Sep 03
2
One host for forwarding only without keys
...at melware.de>
> > <mailto:armin at melware.de <mailto:armin at melware.de>>> wrote:
> >
> > Hello all,
> >
> > as written in my other posts, I have a setup of about seven
> > hosts. Two of them (A and B) use StrictSubnets and their own routing via
> > a special host (C), because C has a better connection to A and B than a
> > direct A-B connection.
> >
> > Host C is in a place where I need to create special security settings.
> > The VPN encrypted dat...
2016 Sep 03
0
One host for forwarding only without keys
If you're using StrictSubnets, you will still be fine. StrictSubnets means
that A will only use B's key (which C does not know) to send packets to B's
statically configured subnets. C cannot impersonate B (as in, take its node
name) because it would have to know B's private key to do so, and it cannot
impersonate B...
2015 May 04
3
Isolating a subnet on demand
...what you mean by "gateway",
"authentication process" and "IP address" especially when you say it's
part of the "public key" (it's not).
Can you clarify? I am pretty sure tinc doesn't use IP addresses in any
of its security mechanisms, except when StrictSubnets is enabled.
> Dealing with inside threats seems however a good feature for future versions
According to http://tinc-vpn.org/goals/ it's planned for tinc 2.0,
which AFAIK won't arrive anytime soon.
I have some ideas about implementing some crude form of Subnet access
controls for cent...
2015 May 04
2
Isolating a subnet on demand
...always trust all nodes as
long as they are part of the graph. It is not currently designed to
deal with insider threats. Most importantly, that means anyone can
impersonate any Subnet on a tinc network, just by changing the Subnet
declaration in their node file.
The only way around that is to use StrictSubnets, but that requires
every node to be statically configured with the subnet of every other
node.
On 4 May 2015 at 20:42, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
> And we'll take a look at Pf & IPTables :)
>
> Good evening!
>
>>> There is no centralize...
2019 Mar 15
0
Reload subnet config with HUP signal
Hi,
I need to re-open the thread below. The situation is still the same.
The HUP signal does not trigger reloading of subnet declarations in the own
hosts file (Version 1.0.35).
After a quick look at the source code, file src/net.c at line 658 shows that
subnets would be reloaded only when using StrictSubnets.
But why? With StrictSubnets it doesn't make sense to me.
I did a quick check and removed the
if (strictsubnets)
to let the HUP signal reload subnets, and it works.
So why is the update of local subnet declaration with HUP signal possible in
StrictSubnet mode only?

Armin
Am Sa., 5. Dez....
2015 May 04
1
Isolating a subnet on demand
I'm still confused, but in any case, there's nothing stopping "miou"
from impersonating "apeliote"'s subnets in your case, unless you use
StrictSubnets.
Here's the easiest way to do the spoofing:
In miou's own node file (on the miou machine itself), add apeliote's
subnets with a Weight smaller than 10 (which is the default), so that
it overrides them.
For example, if apeliote has a single 1.2.3.0/24 subnet, then add the
following t...
2015 Nov 24
1
Authenticating VPN addresses: a proposal
On Mon, 23 Nov 2015, Guus Sliepen wrote:
> It also works in a situation where a group of people trust a central
> authority which provides them with the configuration for their tinc
> nodes, if StrictSubnets is used. The drawback is that an external tool
> needs to be used (ChaosVPN is one such example, but there are others)
> and it is not very flexible, but I would disagree that it is
> unmanageable.
In ChaosVPN we use StrictSubnets, and additionally the following patch
on the core-nodes...
2016 Mar 13
2
Fwd: How to avoid friends of friends joining the vpn ?
Tinc 1.0
3 control masters
Many service hosts
Laptop (road warrior)
The control masters have the public keys for the service hosts and the
laptop so that they can join the network.
How can I prevent the laptop user from connecting additional boxes to the
network?
In my view he can simply add new 'foreign' hosts and specify connectTo to
point to the laptop.
As keys are exchanged automatically
2016 Sep 02
2
One host for forwarding only without keys
Hello all,
as written in my other posts, I have a setup of about seven
hosts. Two of them (A and B) use StrictSubnets and their own routing via
a special host (C), because C has a better connection to A and B than
a direct A-B connection.
Host C is in a place where I need to create special security settings.
The VPN encrypted data shall not be available on host C.
There is no need for host C to be in routing of tin...
2017 May 05
2
Subnet authority and trust
Hello,
How does tincd determine the subnet(s) of other remote nodes? Does
tincd read its copies of the hosts file and parse and follow the
subnet information contained in the local files? Or does tincd solely
trust the subnet information dynamically advertised by each remote
node?
In my experimentation, it seems that:
a) tincd reads its own subnet(s) from its copy of its own host file, but
2015 Nov 25
0
tinc exit when there is no internet?
...+0100 (CET)
> Subject: Re: Authenticating VPN addresses: a proposal
> On Mon, 23 Nov 2015, Guus Sliepen wrote:
>
> > It also works in a situation where a group of people trust a central
> > authority which provides them with the configuration for their tinc
> > nodes, if StrictSubnets is used. The drawback is that an external tool
> > needs to be used (ChaosVPN is one such example, but there are others)
> > and it is not very flexible, but I would disagree that it is
> > unmanageable.
>
> In ChaosVPN we use StrictSubnets, and additionally the following p...
2013 Jan 24
3
Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
*You should repeat this for all nodes you ConnectTo, or which ConnectTo
you. However, remember that you do not need to ConnectTo all nodes in the
VPN; it is only necessary to create one or a few meta-connections, after
the connections are made tinc will learn about all the other nodes in the
VPN, and will automatically make other connections as necessary. *
The above is from the docs. Assuming
2017 Jul 10
3
Some tinc clarifications
Hi all,
I'm currently happily using tinc in my networks.
I also use OpenVPN based on the customer requirements.
I do have some questions, though, for which I could not find a clear answer.
What I'd like to know is:
1. How to revoke a "node", simply removing the host file on the servers
is enough? And one created by invitation?
2. Is there a way to let tinc ask for a username/password
2015 Nov 23
0
Authenticating VPN addresses: a proposal
I, like you, have the same network: exactly two master servers which
are trusted, and a number of clients that connect to one of them, or to
both (this depends on which physical network they reside, we have
city-wide LANs).
I use StrictSubnets and I am happy with them. That was the choice from the
beginning. But it also forced me to have all node keys and configuration
data on each node. Up to Sep 2015, I employed a central http server for
that, like chaosvpn does. But that central server lost its key (it was
an embeddish system) and the se...
2012 Mar 10
1
[Announcement] Version 1.0.17 released
...et, UML and
VDE devices without needing to recompile tinc.
* Allow multiple BindToAddress statements.
* Decrement TTL value of IPv4 and IPv6 packets.
* Add LocalDiscovery option allowing tinc to detect peers that are behind the
same NAT.
* Accept Subnets passed with the -o option when StrictSubnets = yes.
* Disabling old RSA keys when generating new ones now also works properly on
Windows.
This version of tinc is compatible with 1.0pre8, 1.0 and later, but not
with earlier versions of tinc.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-...
2012 Nov 28
1
default gate via tinc
Hi,
I have two tinc nodes which announce a default gateway to the internet.
How does tinc select which node is preferred when I route to the tinc
device and not to a specific IP?
tinc 1.0.16
ALBI...