search for: strictsubnet

Displaying 20 results from an estimated 54 matches for "strictsubnet".

2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of the most interesting properties of tinc is that users are free to come up with any topology for the node graph; this makes tinc extrem...
2014 Jan 16
1
Clarification of man page on StrictSubnets
Guus, I have a question on how to interpret the following fragment of the man page: StrictSubnets = yes | no (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/NETNAME/hosts/ directory. Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps this c...
2016 Sep 03
2
One host for forwarding only without keys
...at melware.de> > > <mailto:armin at melware.de <mailto:armin at melware.de>>> wrote: > > > > Hello all, > > > > as written in my other posts, I have a setup of about seven > > hosts. Two of them (A and B) use StrictSubnets and an own routing via > > a special host (C), because C has better connection to the A and B than a > > direct A-B connection. > > > > Host C is in a place where I need to create special security settings. > > The VPN encrypted dat...
2016 Sep 03
0
One host for forwarding only without keys
If you're using StrictSubnets, you will still be fine. StrictSubnets means that A will only use B's key (which C does not know) to send packets to B's statically configured subnets. C cannot impersonate B (as in, take its node name) because it would have to know B's private key to do so, and it cannot impersonate B...
2015 May 04
3
Isolating a subnet on demand
...what you mean by "gateway", "authentication process" and "IP address" especially when you say it's part of the "public key" (it's not). Can you clarify? I am pretty sure tinc doesn't use IP addresses in any of its security mechanisms, except when StrictSubnets is enabled. > Dealing with inside threats seems however a good feature for future versions According to http://tinc-vpn.org/goals/ it's planned for tinc 2.0, which AFAIK won't arrive anytime soon. I have some ideas about implementing some crude form of Subnet access controls for cent...
2015 May 04
2
Isolating a subnet on demand
...always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be statically configured with the subnet of every other node. On 4 May 2015 at 20:42, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote: > And we'll take a look at Pf & IPTables :) > > Good evening! > >>> There is no centralize...
2019 Mar 15
0
Reload subnet config with HUP signal
Hi, I need to re-open the thread below. The situation is still the same. The HUP signal does not trigger reloading of subnet declarations in the node's own hosts file (Version 1.0.35). After a quick look at the source code, file src/net.c, line 658, shows that subnets would be reloaded only when using StrictSubnets. But why? With StrictSubnets it doesn't make sense to me. I did a quick check and removed the if (strictsubnets) to let the HUP signal reload subnets, and it works. So why is the update of local subnet declarations with the HUP signal possible in StrictSubnets mode only?  Armin Am Sa., 5. Dez....
2015 May 04
1
Isolating a subnet on demand
I'm still confused, but in any case, there's nothing stopping "miou" from impersonating "apeliote"'s subnets in your case, unless you use StrictSubnets. Here's the easiest way to do the spoofing: In miou's own node file (on the miou machine itself), add apeliote's subnets with a Weight smaller than 10 (which is the default), so that it overrides them. For example, if apeliote has a single 1.2.3.0/24 subnet, then add the following t...
2015 Nov 24
1
Authenticating VPN addresses: a proposal
On Mon, 23 Nov 2015, Guus Sliepen wrote: > It also works in a situation where a group of people trust a central > authority which provides them with the configuration for their tinc > nodes, if StrictSubnets is used. The drawback is that an external tool > needs to be used (ChaosVPN is one such example, but there are others) > and it is not very flexible, but I would disagree that it is > unmanageable. In ChaosVPN we use StrictSubnets, and additionally the following patch on the core-nodes...
2016 Mar 13
2
Fwd: How to avoid friends of friends joining the vpn ?
Tinc 1.0 3 control masters Many service hosts Laptop (road warrior) The control masters have the public keys for the service hosts and the laptop so that they can join the network. How can I prevent the laptop user from connecting additional boxes to the network? In my view he can simply add new 'foreign' hosts and specify ConnectTo to point to the laptop. As keys are exchanged automatically
2016 Sep 02
2
One host for forwarding only without keys
Hello all, as written in my other posts, I have a setup of about seven hosts. Two of them (A and B) use StrictSubnets and their own routing via a special host (C), because C has a better connection to A and B than a direct A-B connection. Host C is in a place where I need to create special security settings. The VPN encrypted data shall not be available on host C. There is no need for host C to be in the routing of tin...
2017 May 05
2
Subnet authority and trust
Hello, How does tincd determine the subnet(s) of other remote nodes? Does tincd read its copies of the hosts file and parse and follow the subnet information contained in the local files? Or does tincd solely trust the subnet information dynamically advertised by each remote node? In my experimentation, it seems that: a) tincd reads its own subnet(s) from its copy of its own host file, but
2015 Nov 25
0
tinc exit when there is no internet?
...+0100 (CET) > Subject: Re: Authenticating VPN addresses: a proposal > On Mon, 23 Nov 2015, Guus Sliepen wrote: > > > It also works in a situation where a group of people trust a central > > authority which provides them with the configuration for their tinc > > nodes, if StrictSubnets is used. The drawback is that an external tool > > needs to be used (ChaosVPN is one such example, but there are others) > > and it is not very flexible, but I would disagree that it is > > unmanageable. > > In ChaosVPN we use StrictSubnets, and additionally the following p...
2013 Jan 24
3
Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
*You should repeat this for all nodes you ConnectTo, or which ConnectTo you. However, remember that you do not need to ConnectTo all nodes in the VPN; it is only necessary to create one or a few meta-connections, after the connections are made tinc will learn about all the other nodes in the VPN, and will automatically make other connections as necessary. * The above is from the docs. Assuming
2017 Jul 10
3
Some tinc clarifications
Hi all, I'm currently happily using tinc in my networks. I also use OpenVPN based on the customer requirements. I do have some questions, though, to which I could not find a clear answer. What I'd like to know is: 1. How to revoke a "node", is simply removing the host file on the servers enough? And one created by invitation? 2. Is there a way to let tinc ask for a username/password
2015 Nov 23
0
Authenticating VPN addresses: a proposal
I, like you, have the same network: exactly two master servers which are trusted, and a number of clients that connect to one of them, or to both (this depends on which physical network they reside in; we have city-wide LANs). I use StrictSubnets and I am happy with them. That was the choice from the beginning. But it also enforced having all node keys and configuration data on each node. Up to Sep 2015, I employed a central http server for that, like chaosvpn does. But that central server lost its key (it was an embeddish system) and the se...
2012 Mar 10
1
[Announcement] Version 1.0.17 released
...et, UML and VDE devices without needing to recompile tinc. * Allow multiple BindToAddress statements. * Decrement TTL value of IPv4 and IPv6 packets. * Add LocalDiscovery option allowing tinc to detect peers that are behind the same NAT. * Accept Subnets passed with the -o option when StrictSubnets = yes. * Disabling old RSA keys when generating new ones now also works properly on Windows. This version of tinc is compatible with 1.0pre8, 1.0 and later, but not with earlier versions of tinc. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -...
2012 Nov 28
1
default gate via tinc
Hi, I have two tinc nodes which announce a default gate to the internet. How does tinc select which node is preferred when I route to the tinc device and not to a specific IP? tinc 1.0.16 ALBI...