Displaying 2 results from an estimated 2 matches for "connectionsubnetacl".
2015 Nov 22
0
Authenticating VPN addresses: a proposal
...Balkanization, by selectively blocking
Subnets from other nodes. Although it is not my preferred direction for
tinc, I do think it might actually be a workable method of limiting
trust in a network where you might not trust all nodes equally. But:
> /etc/tinc/my_network/hosts/client_node:
> ConnectionSubnetACL = +10.42.42.42 # this client's assigned subnet
> ConnectionSubnetACL = -ALL # deny everything else
>
> /etc/tinc/my_network/hosts/other_central_node:
> ConnectionSubnetACL = +ALL # trust everything from that node (could be the default)
>
> /etc/tinc/my_network/hosts/cen...
2015 Nov 22
5
Authenticating VPN addresses: a proposal
...t allow a central node from the "other side" from
impersonating my side's subnets.
In practice, one would want to introduce some kind of subnet ACL
system for full flexibility. Here's how it could look in practice
on my central nodes:
/etc/tinc/my_network/hosts/client_node:
ConnectionSubnetACL = +10.42.42.42 # this client's assigned subnet
ConnectionSubnetACL = -ALL # deny everything else
/etc/tinc/my_network/hosts/other_central_node:
ConnectionSubnetACL = +ALL # trust everything from that node (could be the default)
/etc/tinc/my_network/hosts/central_node_from_other_side:
Connecti...