Hi tinc users,

I have two Tinc nodes (A, B) running on trusted computers. Between A and B there's no direct internet connection. So I have to set up the third node X to bridge them:

[ A ] ======= [ X ] ======= [ B ]
trusted     untrusted     trusted

X is on a cloud service like AWS, thus it's on an untrusted third party. Once it is compromised the attacker can access the entire VPN through it.

To prevent such an attack, it's possible to deploy firewall rules to drop all the direct packages from X. However, when the network scales up, it's inefficient to deploy such rules to all the machines.

So my question is: is it possible to set up the tinc node on X as a bridge-only node? "Bridge-only" means X only serves as a bridge between the connected nodes. It forwards the traffic but can't read the traffic or send messages to other nodes in the VPN.

Any input would be appreciated. Thanks!

h4x3rotab
On Sunday, 19 May 2019 18:36:38 CEST cat big wrote:
> [...]

I just set up a local tinc network for testing with the exact setup you have up there. At the moment A and B connect to X, whereas X does not connect to anything by itself.

As far as I can tell tinc does not support your use case, as tinc is designed to be run in a trusted environment, similar to how traditional networking works. You could remove the Subnet declaration from all hosts for node X, but that way there is just no way to contact node X from A or B, but still from X to A and B. Then you could remove all Subnet declarations from the configs of node X, which is not at all secure, as the IP addresses could probably be sniffed with tcpdump on node X.
Your best bet would probably be to create separate tinc networks:

[ A ] ======== [ X ]   (network AX)
[ X ] ======== [ B ]   (network BX)

Network AX: operates in 10.0.1.0/24
Subnets:
  X: 10.0.1.1/32, 10.0.2.0/24
  A: 10.0.1.10/32

Network BX: operates in 10.0.2.0/24
Subnets:
  X: 10.0.2.1, 10.0.1.0/24
  B: 10.0.2.10

Node X will forward all traffic between AX and BX with an iptables rule that basically enables NAT.

This solution is rather much for your purpose. I would consider using alternatives like a SOCKS proxy (which tinc supports) that sits on X and forwards traffic from A to the internet or B to the internet.

I hope my mail helps you with your problem.

Kind regards,
Sefa Eyeoglu
Free Software Developer
scrumplex.net[1]

[1] https://scrumplex.net
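One concrete way to lay out the two networks above, as an added example and not Sefa's own configuration: it assumes interface names ax0 and bx0 on X, a placeholder for X's public address, and that each side already learns the other side's range from the Subnet lines X announces.

```shell
#!/bin/sh
# Constructed example for the two-network layout above; not from the mail.
# X joins both tinc nets and routes between its two tun interfaces.
# Assumptions: interface names ax0/bx0, X's public address is a placeholder.
# Caveat: X still terminates both tunnels and sees plaintext; this splits
# the key material but does not meet the "can't read" requirement.

X_PUBLIC_ADDR="X_PUBLIC_IP_PLACEHOLDER"   # placeholder, not a real address

# hosts/X inside net AX: X owns 10.0.1.1 and announces the whole BX range,
# so A routes 10.0.2.0/24 through X.
host_file_x_in_ax() {
cat <<EOF
Address = $X_PUBLIC_ADDR
Subnet = 10.0.1.1/32
Subnet = 10.0.2.0/24
EOF
}

# hosts/X inside net BX: the mirror image, announcing the AX range to B.
host_file_x_in_bx() {
cat <<EOF
Address = $X_PUBLIC_ADDR
Subnet = 10.0.2.1/32
Subnet = 10.0.1.0/24
EOF
}

# tinc-up for X in one net ($1 = interface, $2 = X's address in that net);
# the /24 gives the kernel the route that the forwarding below relies on.
tinc_up_x() {
    printf 'ip link set %s up\nip addr add %s/24 dev %s\n' "$1" "$2" "$1"
}

# Rules on X. Each side already routes the other range via X, so plain
# forwarding works; the MASQUERADE lines are the mail's NAT variant, which
# additionally hides A's address from B (and vice versa).
forward_rules() {
    ax_if="$1"; bx_if="$2"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -o %s -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT\n' "$ax_if" "$bx_if"
    printf 'iptables -A FORWARD -i %s -o %s -s 10.0.2.0/24 -d 10.0.1.0/24 -j ACCEPT\n' "$bx_if" "$ax_if"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$bx_if"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$ax_if"
}
```

The functions only print the host files and rules so they can be reviewed before being written to /etc/tinc/<net>/hosts/X and applied on X.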
On 20/5/19 2:36 am, cat big wrote:
> [...]

Maybe you can use iptables on X to simply forward traffic arriving from A on to B (and vice versa) at the packet level, rather than running tinc. Effectively X is a proxy with no knowledge of what it's forwarding and hence no possibility of injecting traffic.

I've never tried, but a quick google shows http://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/ for example may be helpful.

Hamish
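Hamish's suggestion carried out as an added example (not from the mail): X relays tinc packets with DNAT and never runs tinc itself, so it holds no keys and only ever sees ciphertext. It assumes tinc on port 655, eth0 as X's public interface, a placeholder for B's address, and that on A the hosts/B file keeps B's real public key but points Address at X's public IP.

```shell
#!/bin/sh
# Constructed example of the packet-level relay Hamish describes; not from
# the mail. X runs no tinc daemon and holds no keys: it only rewrites the
# destination of A's tinc packets to B and hides behind its own address, so
# A and B still authenticate each other and X relays only ciphertext.
# Assumptions: tinc listens on 655 (TCP for the meta connection, UDP for data),
# eth0 is X's public interface, B's address is a placeholder. On A, hosts/B
# keeps B's real public key but says "Address = <X's public IP>".

B_PUBLIC_IP="${B_PUBLIC_IP:-B_PUBLIC_IP_PLACEHOLDER}"   # placeholder
TINC_PORT="${TINC_PORT:-655}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the iptables commands, no root needed

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Install the relay on X. $1 = A's public IP; only A may use the relay, so a
# compromised X cannot be turned into an open reflector.
relay_setup() {
    a_ip="$1"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    for proto in tcp udp; do
        # Rewrite A -> X:655 into A -> B:655 before routing ...
        run iptables -t nat -A PREROUTING -i eth0 -p "$proto" -s "$a_ip" \
            --dport "$TINC_PORT" -j DNAT --to-destination "$B_PUBLIC_IP:$TINC_PORT"
        # ... and let exactly that flow through.
        run iptables -A FORWARD -i eth0 -p "$proto" -s "$a_ip" -d "$B_PUBLIC_IP" \
            --dport "$TINC_PORT" -j ACCEPT
    done
    # Replies belong to the tracked flows; nothing else is forwarded.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT towards B so B's answers come back through X, not straight to A.
    run iptables -t nat -A POSTROUTING -o eth0 -d "$B_PUBLIC_IP" -j MASQUERADE
}
```

Run `DRY_RUN=1 sh relay.sh` style first to read the rule set; B then sees the connection as coming from X, while the tinc handshake and data stay end-to-end between A and B.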