Jeffrey Stiles
2015-Aug-27 17:36 UTC
"Switch Mode" with "TunnelServer" and No Communication
Let me start with what I'm trying to accomplish. I use tinc mainly to get to subnets behind the daemons and I don't control those subnets and can't guarantee overlap. I was using routing mode and reconfiguring tinc every time i needed to get to a subnet behind a specific daemon. Then I came across switch mode that allowed me to simply add routes based on the IP address of the tinc daemon and not have to reconfigure tinc to get to a different conflicting subnet (just needed to change the route). However, due to security issues, I want to control which daemons can access other deamons. For the most part, I just want the server to be able to access each daemon and the subnets behind them but not have the daemons access each other or the subnets behind them. Everything currently connects through one central server initially, so TunnelServer seemed like the right configuration option. If I understand this setting correctly, it is meant to only allow traffic between nodes that have eachother's (or at least one has the other's) host file on the local system. However, after enabling TunnelServer, my test daemon can no longer ping the tinc ip address of the server. While trying to figure out what was wrong, I stumbled across this mailing list entry; http://www.tinc-vpn.org/pipermail/tinc/2010-April/002290.html The solution seems to be to use static mac addresses. I'm totally fine with doing this as all config files are generated programmatically. After doing this, the config files look something like this: client-daemon host file: # client1 Subnet = 7a:91:33:09:fc:d3 Subnet = 10.173.232.50/32 Subnet = 0.0.0.0/0 -----BEGIN RSA PUBLIC KEY----- ... -----END RSA PUBLIC KEY----- client-daemon tinc-up file: #!/bin/bash # client1 ip link set $INTERFACE address 7a:91:33:09:fc:d3 ip link set $INTERFACE up ip addr add 10.173.232.20/32 dev $INTERFACE ip route add 10.173.232.0/22 dev $INTERFACE I'm mostly looking for guidance on whether it is possible for daemons to only accept traffic from specific daemons in switch mode. If so, what am I doing wrong with my subnet configurations that won't let me even ping from one daemon to the server when TunnelMode is yes? Thanks! -- J -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150827/a72e8365/attachment.html>
Saverio Proto
2015-Sep-07 07:28 UTC
"Switch Mode" with "TunnelServer" and No Communication
> I'm mostly looking for guidance on whether it is possible for daemons to > only accept traffic from specific daemons in switch mode. If so, what am I > doing wrong with my subnet configurations that won't let me even ping from > one daemon to the server when TunnelMode is yes?check if this patch still applies: https://github.com/zioproto/fairvpn/blob/master/tarballs-patches/tinc/tinc-1.0.13-fairvpn.patch it should work. By default tinc will try to have a full mesh of connection between the nodes of the VPN. With this patch and TunnelServer yes you will have the data connections only where you have a explicit ConnectTo statement. regards Saverio
Jeffrey Stiles
2015-Sep-08 16:54 UTC
"Switch Mode" with "TunnelServer" and No Communication
Thank you for the reply. I'll take a look at the patch and see if I can use it. My current solution was to just implement iptables rules on each of the endpoints, which isn't the worst way to go. I'll probably need to use the patch if I want to control the traffic on the service level. Thanks again! J On Mon, Sep 7, 2015 at 12:29 AM Saverio Proto <zioproto at gmail.com> wrote:> > I'm mostly looking for guidance on whether it is possible for daemons to > > only accept traffic from specific daemons in switch mode. If so, what am > I > > doing wrong with my subnet configurations that won't let me even ping > from > > one daemon to the server when TunnelMode is yes? > > check if this patch still applies: > > https://github.com/zioproto/fairvpn/blob/master/tarballs-patches/tinc/tinc-1.0.13-fairvpn.patch > > it should work. > > By default tinc will try to have a full mesh of connection between the > nodes of the VPN. > With this patch and TunnelServer yes you will have the data > connections only where you have a explicit ConnectTo statement. > > regards > > Saverio > _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc >-- J -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150908/ddba9382/attachment.html>