similar to: tinc 1.1pre10 "failed to decrypt record" on Windows client

Hi, I was previously using tinc-1.1pre8 and it worked just fine, but after upgrading to tinc-1.1pre10 my Windows machine is unable to connect to my tinc network, as it fails to complete the handshake. Steps to reproduce: - Set up a Linux node with tinc-1.1pre10 using "tinc init" - Set up a Windows node with tinc-1.1pre10 using "tinc init", and try to make it connect to the

I've been using SPTPS (a.k.a ExperimentalProtocol) for a while now, but I've only recently started looking into the details of the protocol itself. I have some questions about the design: - I am not sure what the thread model for SPTPS is when compared with the legacy protocol. SPTPS is vastly more complex than the legacy protocol (it adds a whole new handshake mechanism), and

Hi, I'm currently trying to troubleshoot what appears to be a very subtle bug (most likely a race condition) in SPTPS that causes state to become corrupted during SPTPS key regeneration. The tinc version currently deployed to my production nodes is git 7ac5263, which is somewhat old (2014-09-06), but I think this is still relevant because the affected code paths haven't really changed

Is SPTPS protocol enabled in 1.1 by default? Or we need to manually enable it. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20180316/2360e357/attachment.html>

I sent you a pull request that addresses the general issue, at least for the short term: https://github.com/gsliepen/tinc/pull/83 On 16 May 2015 at 19:36, Guus Sliepen <guus at tinc-vpn.org> wrote: > On Sat, May 16, 2015 at 04:53:33PM +0100, Etienne Dechamps wrote: > >> I believe there is a design flaw in the way SPTPS key regeneration >> works, because upon reception of

In the past 24 hours multiple persons have contacted me regarding the use of elliptic curve cryptography in tinc 1.1 in light of the suspicion that the NSA might have weakened algorithms and/or elliptic curves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS)

In the past 24 hours multiple persons have contacted me regarding the use of elliptic curve cryptography in tinc 1.1 in light of the suspicion that the NSA might have weakened algorithms and/or elliptic curves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS)

Hi there, we're using tinc to mesh together hosts in a public datacenter (instead of using a private VLAN, sort of). So all hosts are reasonably modern; connections are low latency with an available bandwith of around 500Mbit/s or 1Gbit/s (depending on how close they are to each other). Iperf between two nodes directly reports around 940Mbit/s. The CPUs are Intel(R) Core(TM) i7-4770 CPU @

Hi all, I'm back again with my speed issues. The past issues where dependant of network I used. Now I run my tests in a lab, with 2 configurations linked by a Gigabit switch : node1: Intel Core i5-2400 with Debian 7.2 node2: Intel Core i5-3570 with Debian 7.2 Both have AES and PCLMULQDQ announced in /proc/cpuinfo. I use Tinc 1.1 from Git. When I run an iperf test from node2 (client) to

Is there any indication of when we might see the protocol stabilize in the 1.1pre branch? It seems to be quite an improvement already. Perhaps some configuration could be added to allow for specifying a protocol version, rather than the 'ExperimentalProtocol=yes' flag? What are the roadblocks to stabilizing it and is there any need or desire for help accomplishing this? While I'm

Hello, Linux has a recvmmsg() system call which allows to achieve several recvfrom() at a time. The patch below makes tinc use it (patch against 1.1-pre11). Basically the patch turns the handle_incoming_vpn_data variables into arrays (of size 1 when recvmmsg is not available, and thus compiled the same as before), and makes the code index into the arrays. You may want to use interdiff -w

Hi all, I have two nodes, connected to a switch, using Tinc 1.1 from git. They connect each other with sptps, and to other nodes in the Internet with old protocol because they have Tinc 1.0. There is no problem with remote nodes, but between my 2 local nodes, they see 1518 PMTU. But local network is 1500 MTU !!! So nodes can ping each other but larger data does not go. test1=sllm1 test2=sllm2

Hi everybody. I'm struggling with setting up an SPTPS connection between two of my machines. I attached the patch that I used to analyze this. Apparently different keys are derived depending on the crypto backend. Is this intentional? Linking to openssl results in char key[] = { 0xb2, 0x9d, 0x8d, 0x24, 0x91, 0x04, 0xaf, 0x25, 0x3f, 0x10, 0x34, 0x9d, 0xc7, 0x73, 0x8c, 0xe1, 0x24, 0x32,

Hello, I'm running a tinc network including dozens of nodes in switch mode. Some are running stable branch 1.0, while a small set of nodes are running 1.1 with ed25519 support. I discovered some routing issue between two nodes: (names are hidden) A (1.1): ConnectTo = B ConnectTo = C IndirectData = yes Mode = Switch B (1.0): Mode = Switch C (1.1 but only with RSA key): Mode = Switch

HI, Is there an init script to start stop tinc tinc-1.1pre10 for debian. I am running tinc -n name --pidfile /dir/name start from /etc/rc.local sometimes it's not creating the pid file but I see the process running. It would be great if we can manage it from /etc/init.d/ Thanks Anil -------------- next part -------------- An HTML attachment was scrubbed... URL:

With pleasure we announce the release of tinc version 1.1pre10. Here is a summary of the changes: * Added a benchmark tool (sptps_speed) for the new protocol. * Fixed a crash when using Name = $HOST while $HOST is not set. * Use AES-256-GCM for the new protocol. * Updated support for Solaris. * Allow running tincd without a private ECDSA key present when ExperimentalProtocol is not

With pleasure we announce the release of tinc version 1.1pre10. Here is a summary of the changes: * Added a benchmark tool (sptps_speed) for the new protocol. * Fixed a crash when using Name = $HOST while $HOST is not set. * Use AES-256-GCM for the new protocol. * Updated support for Solaris. * Allow running tincd without a private ECDSA key present when ExperimentalProtocol is not

While working on SPTPS UDP relaying I realized that there is one issue I didn't account for, which is that the sending node only knows the PMTU to the first relay node. It doesn't know the PMTU of the entire relay path beyond the first hop, because the relay nodes don't provide their own PMTU information over the metaprotocol. Now, in the legacy protocol this is not really an issue,

Hello tincers, I run a small tinc mesh using version 1.1pre10 on mostly linux (debian) hosts. In the past, I was able to successfully join my windows machine to the tinc network, when I was running an earlier version of tinc (throughout the mesh). However, with 1.1pre10, I have had no success. Is this a known error, a misconfiguration on my part, or some other issue? I currently have no tinc-up

Can anyone share any links regarding packages to do Call Detail Record (CDR) analysis from the CDR Master file? Login-distance reconciliation, billback, and data presentation are three primary areas of interest. Thanks in advance for your help! --Nick -- Nick Eggleston Consultant Data Communications Consulting, Inc. 6320 Rucker Road, Suite E Indianapolis, IN 46220 317/726-0295 x18