Hello tinc users,
I have been trying to work out how key exchange/hosts file sharing in tinc 1.1
works.
My topology is straightforward: a "super" always-online node A, to which
remote nodes B, C, ... (and so on) ConnectTo = A, to discover each other via
AutoConnect (that's on by default in tinc 1.1pre17).
Only super A has host files with Ed25519 keys for every node on the network.
Remote nodes such as B and C were invited with "tinc invite", meaning
B/C and so on create their own Ed25519 private/public keypair as well as
exchange pubkeys with A. They do not have host files for other remote nodes.
So far so good, but what exactly determines when node B downloads C's host
file?
When testing on localhost: nodes B and C (both connected to A) refuse to connect
to each other as their host files were never transferred by A.
On my live tinc setup (where A with a DHCP server on tinc's interface in
switch mode is configured, and I have both Windows/Linux machines connecting to
it outside NAT) it appears B/C/... nodes eventually acquire host files through
A, maybe when they need to establish a metaconnection with each other?
It also seems once the host file is transferred, it stays that way. That is, if
I was to change on supernode A the Ed25519PublicKey stored in hosts of B (doing
so as well locally on B) then C and other remote nodes would be stuck with the
old host file and public key rather than transfer the updated file, causing
remote connections to B to be refused.
To summarize, it looks like:
1. You need to be on another machine for key exchange to occur (not share the same
machine/interface or hostname)
2. Key exchange happens only when necessary (e.g. B actively tries to connect to
C on some port)
3. It's not possible to change host configuration files (like
Ed25519PublicKey within it or Compression) after creation, unless you can manage
all remote nodes as well because key exchange does not transfer the updated
hosts file.
Inviting a new node with different name for the new key is required.
tinc.conf of A:
AddressFamily = ipv4
DeviceStandby = no
Interface = tap0
Mode = switch
Name = a
ProcessPriority = high
LogLevel = 3
AutoConnect = no
tinc.conf of remote nodes (B/C/...):
AddressFamily = ipv4
LocalDiscovery = yes
Mode = switch
Name = b
ConnectTo = a
LogLevel = 3
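Point 3 above (remote nodes keeping a stale copy of a peer's Ed25519PublicKey after the supernode rotated it) is something an operator can check for from the hosts directories themselves. The following is an added example, not part of the original post or of tinc: it parses tinc's "Key = value" host files and flags every node whose recorded key for a peer is missing or differs from the supernode's copy. The host-file contents and key strings are constructed sample data.

```python
"""Detect stale or missing Ed25519PublicKey entries across tinc 1.1 hosts dirs.

Added example (not tinc's own code). Compares each remote node's hosts/
directory against the supernode's hosts/ directory, which is treated as the
reference. Sample inputs below are constructed, not real keys.
"""
import re
from pathlib import Path

# tinc host files: one "Key = value" per line; '#' starts a comment.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")


def parse_host_file(text: str) -> dict:
    """Return the Key/value pairs of one host file, keys lower-cased (last wins)."""
    entries = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def load_hosts_dir(files: dict) -> dict:
    """files maps host-file name -> file content (e.g. from read_hosts_dir)."""
    return {name: parse_host_file(body) for name, body in files.items()}


def read_hosts_dir(path: str) -> dict:
    """Read a real tinc hosts/ directory into the {name: content} shape above."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


def find_stale_keys(reference: dict, nodes: dict) -> list:
    """Return (node, peer, reason) for every peer entry on a node whose
    Ed25519PublicKey is absent or differs from the reference (supernode) copy."""
    findings = []
    for node, hosts in nodes.items():
        for peer, entries in hosts.items():
            ref = reference.get(peer, {}).get("ed25519publickey")
            key = entries.get("ed25519publickey")
            if key is None:
                findings.append((node, peer, "missing Ed25519PublicKey"))
            elif ref is not None and key != ref:
                findings.append((node, peer, "key differs from supernode copy"))
    return findings


# Constructed sample: A rotated b's key; c still holds the old one, d has none.
SAMPLE_A = {"b": "Address = 203.0.113.10\nEd25519PublicKey = NEWKEYb\n",
            "c": "Ed25519PublicKey = KEYc\n"}
SAMPLE_NODES = {"c": {"b": "# learned via A\nEd25519PublicKey = OLDKEYb\n"},
                "d": {"b": "Address = 203.0.113.10\n"}}

if __name__ == "__main__":
    nodes = {n: load_hosts_dir(h) for n, h in SAMPLE_NODES.items()}
    for node, peer, reason in find_stale_keys(load_hosts_dir(SAMPLE_A), nodes):
        print(f"{node}: hosts/{peer}: {reason}")
```

On a real deployment, replace the constructed dicts with read_hosts_dir() on copies of each node's hosts/ directory; any reported peer is one whose connections will be refused until its host file is redistributed.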