search for: add_subnet

Displaying 20 results from an estimated 25 matches for "add_subnet".

2014 Sep 25
1
Tinc1.1pre10 on Windows 8.1?
...kpad 17.3 Sending ACK to adamthinkpad (199.212.67.46 port 58877): 4 655 56 300000c Sending 17 bytes of metadata to adamthinkpad (199.212.67.46 port 58877) Got ACK from adamthinkpad (199.212.67.46 port 58877): 4 655 67 300000c Connection with adamthinkpad (199.212.67.46 port 58877) activated Sending ADD_SUBNET to adamthinkpad (199.212.67.46 port 58877): 10 d427356 adamthinkpad 0:ff:7b:c2:dd:57#10 Sending 44 bytes of metadata to adamthinkpad (199.212.67.46 port 58877) Sending ADD_SUBNET to adamthinkpad (199.212.67.46 port 58877): 10 58d82b69 adamthinkpad 10.0.6.0/24#10 Sending 40 bytes of metadata to adam...
2013 May 21
1
Unauthorized ADD_SUBNET, but known subnet
...fd65:fc41:c50f:2:0:0:0:0/64 When the node boots I see the following messages in tinc's log: 1369133834 tinc.confine[2550]: Connection from 10.241.0.2 port 50858 ... 1369133834 tinc.confine[2550]: Connection with node_2 (10.241.0.2 port 50858) activated ... 1369133834 tinc.confine[2550]: Got ADD_SUBNET from node_2 (10.241.0.2 port 50858): 10 3fba6e6f node_2 fd65:fc41:c50f:2:0:0:0:0/64#10 1369133834 tinc.confine[2550]: Ignoring unauthorized ADD_SUBNET from node_2 (10.241.0.2 port 50858): fd65:fc41:c50f:2:0:0:0:0/64#10 ... 1369133834 tinc.confine[2550]: Node node_2 (10.241.0.2 port 655) became...
2005 Dec 13
1
strange tinc error with many nodes
...5.6 port 59718) Dec 13 14:38:09 c tinc.nfp_c_vpn[17944]: Error while processing ADD_EDGE from nfp_c_rt (7.8.9.0 port 36760) Dec 13 14:39:06 c tinc.nfp_c_vpn[17944]: Error while processing ADD_EDGE from nfp_hl_event (9.0.1.2 port 52813) Dec 13 14:39:07 c tinc.nfp_c_vpn[17944]: Error while processing ADD_SUBNET from nfp_c_rt (7.8.9.0 port 36761) Dec 13 14:39:49 c tinc.nfp_c_vpn[17944]: Error while processing ADD_EDGE from nfp_c_luxur (3.4.5.6 port 59722) Dec 13 14:39:54 c tinc.nfp_c_vpn[17944]: Error while processing ADD_EDGE from nfp_hl_event (9.0.1.2 port 52829) Dec 13 14:40:09 c tinc.nfp_c_vpn[17944]:...
2017 Aug 29
1
Behavior like -R and -L SSH
...emo TunnelServer = yes Address = 67.219.201.3 Subnet = 192.168.2.2/32 Subnet = 192.168.0.0/24 Mode = router -----BEGIN RSA PUBLIC KEY----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END RSA PUBLIC KEY----- Command: tincd -n demo -d5 -D Server logs of interest: Sending ADD_SUBNET to demo (75.134.104.213 port 54059): 10 1b9f2ab0 devtun 192.168.2.1/32#10 Got ADD_SUBNET from demo (75.134.104.213 port 54059): 10 3d2ef9c2 demo 192.168.2.2/32#10 Ignoring unauthorized ADD_SUBNET from demo (75.134.104.213 port 54059): 192.168.2.2/32#10 Got ADD_SUBNET from demo (75.134.104.213 port...
2012 Sep 14
1
Basic configuration problem
...1) Got CHALLENGE from client1 (2.2.2.2 port 35031) Sending CHAL_REPLY to client1 (2.2.2.2 port 35031) Got CHAL_REPLY from client1 (2.2.2.2 port 35031) Sending ACK to client1 (2.2.2.2 port 35031) Got ACK from client1 (2.2.2.2 port 35031) Connection with client1 (2.2.2.2 port 35031) activated Sending ADD_SUBNET to client1 (2.2.2.2 port 35031) Sending ADD_EDGE to everyone (BROADCAST) Got ADD_SUBNET from client1 (2.2.2.2 port 35031) Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031) Got ADD_SUBNET from client1 (2.2.2.2 port 35031) Forwarding ADD_SUBNET from client1 (2.2.2.2 port 35031) Got ADD_EDGE fro...
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data t...
2017 Jan 13
2
tinc behind CISCO ASA 5506
...me (47.20.123.2 port 655): 3 6B31B74C0CF8033918C28FA2524E9DC6C66AAA8E Sending ACK to home (47.20.123.2 port 655): 4 655 98 c Sending 11 bytes of metadata to home (47.20.123.2 port 655) Got ACK from home (47.20.123.2 port 655): 4 655 78 c Connection with home (47.20.123.2 port 655) activated Sending ADD_SUBNET to home (47.20.123.2 port 655): 10 7cad work 192.168.1.66 Sending 32 bytes of metadata to home (47.20.123.2 port 655) Sending ADD_EDGE to everyone (BROADCAST): 12 4672 work home 47.20.123.2 655 c 88 192.168.1.117 655 Sending 65 bytes of metadata to home (47.20.123.2 port 655) Got ADD_SUBNET from ho...
2014 Jan 16
1
Clarification of man page on StrictSubnets
...n page: StrictSubnets = yes | no (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/NETNAME/hosts/ directory. Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps this could be added here in some form. Nick
2005 Apr 08
1
TrustedNodes option in TINC
...de which will be connected directly to others. A solution could be TLS (signing public keys), but creating a PKI is another issue for us. Instead, we have an idea: would it be possible to have an option in tinc.conf like "TrustedNodes=aaa,bbb,ccc"? With this option: (a) any ADD_EDGE/ADD_SUBNET/ANS_KEY/... will be cancelled if it comes from a non-trusted connection (b) all REQ_KEY will be sent to trusted nodes only. (a) is easy, but we do not know how to manage (b). In net_packet.c and protocol_key.c we see: send_req_key(n->nexthop->connection, myself, n); The questi...
2003 Jan 27
1
Bogus data received from ...
...from (null) (192.168.192.17 port 32852): 0 crux 17 Sending ACK to crux (192.168.192.17 port 32852): 4 655 0 0 Sending 10 bytes of metadata to crux (192.168.192.17 port 32852) Got ACK from crux (192.168.192.17 port 32852): 4 655 1 0 Connection with crux (192.168.192.17 port 32852) activated Sending ADD_SUBNET to crux (192.168.192.17 port 32852): ..... Sending 35 bytes of metadata to crux (192.168.192.17 port 32852) Sending ADD_EDGE to everyone (BROADCAST): 12 2650c921 helix crux ..... Sending 46 bytes of metadata to crux (192.168.192.17 port 32852) Got ADD_SUBNET from crux (192.168.192.17 port 32852): 1...
2016 Nov 10
1
static configuration
...is not needed, right? Currently I have 10 nodes that are targets to ConnectTo for all other nodes, and all they are doing is processing ADD_EDGE requests. So I was thinking: 1. is it possible to start mesh vpn with only hosts file and no ConnectTo directives? 2. is it ok that nodes are sending ADD_SUBNET (it consumes cpu to process) when StrictSubnets=yes? 3. is it possible to switch off sending ADD_EDGE when DirectOnly=yes? 4. is there a way to know why tinc thinks node is unreachable (I see quick changes from reachable to unreachable and back again in debug logs)? My current theory is that...
2004 Nov 22
1
Tinc on OsX, partial success
...3.123.7 port 655) 1101125071 tinc.OFFICES[922]: Sending ACK to BranchA (123.123.123.7 port 655) 1101125071 tinc.OFFICES[922]: Got ACK from BranchA (123.123.123.7 port 655) 1101125071 tinc.OFFICES[922]: Connection with BranchA (123.123.123.7 port 655) activated 1101125071 tinc.OFFICES[922]: Sending ADD_SUBNET to BranchA (123.123.123.7 port 655) 1101125071 tinc.OFFICES[922]: Sending ADD_EDGE to everyone (BROADCAST) 1101125071 tinc.OFFICES[922]: Got ADD_SUBNET from BranchA (123.123.123.7 port 655) 1101125071 tinc.OFFICES[922]: Forwarding ADD_SUBNET from BranchA (123.123.123.7 port 655) 1101125071 tinc....
2004 Sep 26
5
connection established, can't ping
Hello! I have recently installed tinc on a Linux 2.4 machine which has a 192.168.0.0/24 private network connected to eth0 and a registered IP on eth1. I also installed tinc on a Windows 2000 machine at a remote location. For the moment I can establish a connection; on the Linux machine tincd says: Sep 26 21:10:50 hostname tinc.gscvpn[483]: Node home (y.y.y.y port 655) became reachable But i
2005 Apr 13
3
Patch for tunnelserver mode in protocol_subnet.c
Hello, Here is a patch for protocol_subnet.c with two modifications : - in tunnelserver mode, tinc must check subnets in the ".../hosts/owner" config file, not in "c->config_tree" (which is the configuration of the meta-connection from which we receive the ADD_SUBNET message). - this checking can be made before the check of the owner, especially before any "new_node" call. Thanks, -- Thomas NOEL <thomas.noel@auf.org> http://www.auf.org/ Coordinateur des infrastructures techniques Agence universitaire de la Francophonie (AUF) Services centr...
2007 Apr 30
1
Windows to Linux - ping-bug?
...to office (111.111.111.111 port 655): 4 655 1000 0 Sending 13 bytes of metadata to office (111.111.111.111 port 655) Flushing 56 bytes to office (111.111.111.111 port 655) Got ACK from office (111.111.111.111 port 655): 4 655 289 0 Connection with office (111.111.111.111 port 655) activated Sending ADD_SUBNET to office (111.111.111.111 port 655): 10 faa6cf72 support 192.168.12 Sending 36 bytes of metadata to office (111.111.111.111 port 655) Sending ADD_EDGE to everyone (BROADCAST): 12 9d85b6ad support office 111.111.111.111 65 Sending 47 bytes of metadata to office (111.111.111.111 port 655) Got ADD_SU...
2017 May 03
2
Multiple default gateway from tinc node
...e routed through this interface), and the destination IP will be the one I pinged, which is 8.8.8.8 d. After above c, then the tinc need to figure out how to encapsulate the original packet (S/10.0.0.100 > D/8.8.8.8) into the tunnel and send to the other Tinc node. Then I guess Tinc will check “ADD_SUBNET” messages it received from the ConnectTo node(learn the whole network), and try to encapsulate the original packet into UDP packets, send to the node where its subnet of 8.8.8.8 is preferred(weight setting on Subnet) e. If Tinc configured by default, then the local host will try to send UDP packet...
2015 Nov 24
1
Authenticating VPN addresses: a proposal
...and additionally the following patch on the core-nodes where (nearly) everyone connects to: (cut&paste whitespace damaged) diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c index 06dafbc..e2d4bfc 100644 --- a/src/protocol_subnet.c +++ b/src/protocol_subnet.c @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) { if(strictsubnets) { logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s", "ADD_SUBNET", c->name, c->hostname, subnetstr); + /* Disabled...
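Review bot: the added `/* Disabled...` comment opens directly after the `logger(...)` call in the `if(strictsubnets)` branch of `add_subnet_h`, so a patched node keeps logging "Ignoring unauthorized ADD_SUBNET" at LOG_WARNING even if the code behind the comment is what dropped the message; reword or remove that warning in the same change so the log matches what the node does. Commenting the check out in source also makes the behaviour differ silently between patched core nodes and stock nodes running with the same strictsubnets setting; a configuration switch would keep that difference visible. The snippet is cut off after `/* Disabled`, so the rest of the hunk cannot be reviewed here.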
2009 Oct 27
1
using tinc in a mixed ipv4/ipv6 network
...wanted to add a Linux embedded device, which has no ipv6 support at all. Tinc did compile and configuration is fine (tested on other machine), but after connecting the embedded device to other hosts' tinc instances, it suddenly crashes. The last things happening before the crash are: GOT ADD_EDGE GOT ADD_SUBNET Node A (123.123.123.123 port 655) became reachable Node B ((null)) became reachable Error while translating addresses: ai_family not supported Got unexpected signal 8 (Floating point exception) The difference between the ConnectTo A and B is that A is a reverse lookupable dns and B's rever...
2017 May 03
0
Multiple default gateway from tinc node
...ted through this interface), and the destination IP will be the one I pinged, which is 8.8.8.8 > d. After above c, then the tinc need to figure out how to encapsulate the original packet (S/10.0.0.100 > D/8.8.8.8) into the tunnel and send to the other Tinc node. Then I guess Tinc will check “ADD_SUBNET” messages it received from the ConnectTo node(learn the whole network), and try to encapsulate the original packet into UDP packets, send to the node where its subnet of 8.8.8.8 is preferred(weight setting on Subnet) Correct. > e. If Tinc configured by default, then the local host will try to...
2016 Sep 03
2
One host for forwarding only without keys
On 09/03/2016 10:56 AM, Etienne Dechamps wrote: > C will still need keys in order to establish metaconnections with A and B (as > well as a few other things). However there is no need for C to own any > "Subnets" at all. If somebody breaks into C, he could get access to the vpn network, right? Because the keys are there, it will be possible to use them to get access. Even if