Hi,

Thanks for the link :) I guess we'll just end up having 2 separate VPNs, eventually.

Have a good evening!

> There is no centralized way to remove a subnet or block a user. A user
> is authorized to be on the network by other nodes that have his/her
> public key. If you delete the offending host config files and let tinc
> reload its configuration, you can remove a bad node from the network.
>
> If you have one or a few central nodes where all other nodes ConnectTo,
> then it is easy to do. Another option is to use a tool like ChaosVPN to
> centrally manage your tinc configuration and host config files. See:
>
> https://github.com/ryd/chaosvpn
>
> You can adapt it for your own VPN. Windows support is lacking though.
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
And we'll take a look at Pf & IPTables :)

Good evening!
Whatever you do, keep in mind that tinc will always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be statically configured with the subnet of every other node.

On 4 May 2015 at 20:42, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
> And we'll take a look at Pf & IPTables :)
>
> Good evening!
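The Subnet impersonation point in the message above, as an added example that is not code from the tinc project or from anyone in this thread: a small Python audit that parses a tinc hosts/ directory and checks every Subnet declaration against an allocation table the operator maintains, reporting nodes that announce a prefix they were not assigned and pairs of nodes whose declarations overlap. The node names, addresses, host files and the allocation table are constructed for the example; the parser accepts the `Subnet = prefix#weight` form and skips MAC-address subnets. StrictSubnets enforces the same constraint at runtime on each node; this offline check is for the central-management case (ChaosVPN-style distribution of host files), so that a bad declaration is caught before the files are pushed out.

```python
"""Audit a tinc hosts/ directory for Subnet declarations a node should not announce.
Added example; the sample host files and allocation table below are constructed."""
import ipaddress
import os
import tempfile
from itertools import combinations


def parse_subnets(text):
    """Return the IP subnets declared by 'Subnet = ...' lines in one host config.
    Lines starting with '#' are comments; a trailing '#weight' on a value is dropped.
    MAC-address subnets (switch mode) do not parse as IP networks and are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if key.lower() != 'subnet':
            continue
        value = value.split('#', 1)[0].strip()
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # not an IP prefix (e.g. a MAC address); not audited here
    return nets


def load_hosts(hosts_dir):
    """Map node name -> declared subnets for every file in a tinc hosts/ directory."""
    declared = {}
    for name in sorted(os.listdir(hosts_dir)):
        path = os.path.join(hosts_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                declared[name] = parse_subnets(fh.read())
    return declared


def covered(allowed, net):
    """True if net lies inside one of the prefixes allocated to the node."""
    return any(a.version == net.version and net.subnet_of(a) for a in allowed)


def audit(declared, allocation):
    """Compare declarations with the operator's allocation table.
    allocation: {node: [cidr, ...]} of prefixes each node may announce.
    Returns nodes announcing outside their allocation and overlapping node pairs."""
    unauthorized = []
    for node, nets in declared.items():
        allowed = [ipaddress.ip_network(c) for c in allocation.get(node, [])]
        for net in nets:
            if not covered(allowed, net):
                unauthorized.append((node, str(net)))
    overlaps = []
    for (a, nets_a), (b, nets_b) in combinations(declared.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    overlaps.append((a, b, str(na), str(nb)))
    return {'unauthorized': unauthorized, 'overlaps': overlaps}


# Constructed sample host files (hypothetical nodes; the key block is a placeholder).
# 'bravo' additionally announces alpha's prefix, which is the impersonation case.
SAMPLE_HOSTS = {
    'alpha': ("Address = 192.0.2.10\nSubnet = 10.0.1.0/24\n"
              "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n"),
    'bravo': ("Address = 192.0.2.11\nSubnet = 10.0.2.0/24\nSubnet = 10.0.1.0/24#5\n"
              "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n"),
    'charlie': "# no public Address: this node only ConnectTo's others\nSubnet = 10.0.3.7\n",
}

# Constructed allocation table: what the operator assigned to each node.
ALLOCATION = {'alpha': ['10.0.1.0/24'], 'bravo': ['10.0.2.0/24'], 'charlie': ['10.0.3.0/24']}


def build_sample_hosts_dir():
    """Write the constructed host files into a temporary hosts/ directory."""
    hosts_dir = tempfile.mkdtemp(prefix='tinc-hosts-')
    for name, text in SAMPLE_HOSTS.items():
        with open(os.path.join(hosts_dir, name), 'w') as fh:
            fh.write(text)
    return hosts_dir


def run_sample():
    """Audit the constructed directory against the constructed allocation."""
    return audit(load_hosts(build_sample_hosts_dir()), ALLOCATION)


if __name__ == '__main__':
    report = run_sample()
    for node, net in report['unauthorized']:
        print(f"{node}: announces {net}, which is outside its allocation")
    for a, b, na, nb in report['overlaps']:
        print(f"{a} ({na}) overlaps {b} ({nb})")
```

On a real deployment, point `load_hosts` at the hosts/ directory you distribute and keep the allocation table under version control next to it; the script finds only what the declaration files say, so a node that edits its own local file after distribution is still only stopped by StrictSubnets on the other nodes.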