Displaying 20 results from an estimated 900 matches similar to: "Isolating a subnet on demand"
2015 May 04
2
Isolating a subnet on demand
Hi,
Thanks for the link :)
I guess we'll just end up having 2 separate VPNs, eventually.
Have a good evening!
> There is no centralized way to remove a subnet or block a user. A user
> is authorized to be on the network by other nodes that have his/her
> public key. If you delete the offending host config files and let tinc
> reload its configuration, you can remove a bad node
2015 May 04
2
Isolating a subnet on demand
Whatever you do, keep in mind that tinc will always trust all nodes as
long as they are part of the graph. It is not currently designed to
deal with insider threats. Most importantly, that means anyone can
impersonate any Subnet on a tinc network, just by changing the Subnet
declaration in their node file.
The only way around that is to use StrictSubnets, but that requires
every node to be
2015 May 04
3
Isolating a subnet on demand
On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
> We started to take a look at that, and apparently, it seems that the IP
> in the public key is taken into account when a client connects to a gateway.
> Spoofing at that level doesn't seem easy, because the IP address seems to be
> part of the authentication process.
I'm having trouble
2015 May 04
0
Isolating a subnet on demand
On Mon, May 04, 2015 at 08:50:36PM +0200, Anne-Gwenn Kettunen wrote:
> Hi! I'm setting up a VPN with friends of mine, and we are currently
> considering the possibility of opening the subnet to more people.
> Considering that one day or another we may have to isolate a subnet (because
> of bad behaviour, or because it has been compromised), which solution(s)
> would you
2015 May 04
0
Isolating a subnet on demand
On 05/04/2015 10:01 PM, Etienne Dechamps wrote:
> On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
>> We started to take a look at that, and apparently, it seems that the IP
>> in the public key is taken into account when a client connects to a gateway.
>> Spoofing at that level doesn't seem easy, because the IP address seems to be
2015 May 04
1
Isolating a subnet on demand
I'm still confused, but in any case, there's nothing stopping "miou"
from impersonating "apeliote"'s subnets in your case, unless you use
StrictSubnets.
Here's the easiest way to do the spoofing:
In miou's own node file (on the miou machine itself), add apeliote's
subnets with a Weight smaller than 10 (which is the default), so that
it overrides them.
2014 Dec 11
1
A tun/tap driver for an i386 OS X
On 11/12/2014 03:48, David Nicol wrote:
> I'm pretty sure the tinc that builds from macports is 32-bit
I found that in the downloads(1) page:
September 13, 2009:
Change linker options to produce 64 bit kext bundle for Snow Leopard.
Removing the hardcoded arch from the Makefiles breaks the compilation,
so I eventually picked version 20090905. And it works :)
(1)
2014 Dec 10
2
A tun/tap driver for an i386 OS X
Hello everyone!
I have a PowerMac running 10.6.8 and I'd love to get it connected to my
VPN. However, even by compiling tuntaposx by hand on the said MacPro, I
see that the kernel module is apparently built for x86_64 systems:
macintosh MacOS ?? pwd
/Library/Extensions/tun.kext/Contents/MacOS
macintosh MacOS ?? file tun
tun: Mach-O 64-bit kext bundle x86_64
Because YES! The system is
2015 May 04
0
Isolating a subnet on demand
And we'll take a look at Pf & IPTables :)
Good evening!
>> There is no centralized way to remove a subnet or block a user. A user
>> is authorized to be on the network by other nodes that have his/her
>> public key. If you delete the offending host config files and let tinc
>> reload its configuration, you can remove a bad node from the network.
>>
>>
2018 Jan 05
3
Using keyring on tinc
Hi all!
Is there any way to make tinc use keys from a keyring or similar?
I'm trying to find a way to manage multiple servers, making it easier to
register a new user to the network.
Thanks!
--
Martin Iñaki Malerba
inakimmalerba at gmail.com
inaki at satellogic.com
2014 Dec 11
0
A tun/tap driver for an i386 OS X
I'm pretty sure the tinc that builds from macports is 32-bit
On Wed, Dec 10, 2014 at 10:37 AM, Anne-Gwenn Kettunen <anwen at asphodelium.eu>
wrote:
> Hello everyone!
>
> I have a PowerMac running 10.6.8 and I'd love to get it connected to my
> VPN. However, even by compiling tuntaposx by hand on the said MacPro, I see
> that the kernel module is apparently built for
2015 Jan 12
3
TINC config files layout not human or script friendly
I would say the weakest part of the TINC design is the configuration
file layout.
There is no way to split out the essentially static configuration for
all nodes in the cluster and isolate the node specific settings to one
configuration file.
So that means I have to keep an inventory of configuration files per
node so I can edit and deliver them and keep everything straight.
The private
2015 May 04
0
Isolating a subnet on demand
We started to take a look at that, and apparently, it seems that the
IP in the public key is taken into account when a client connects to a
gateway. Spoofing at that level doesn't seem easy, because the IP
address seems to be part of the authentication process.
Dealing with inside threats seems however a good feature for future
versions ;)
On 04/05/2015 21:50, Etienne Dechamps wrote
2015 Dec 31
2
Are there any cases we can see?
Hi,
We just found tinc; it looks like it is really a better VPN solution than a
traditional VPN. I am wondering, are there some cases we can refer to, like a
big cluster running in a production environment?
Thank you.
2013 Jun 28
3
OHM2013
Hello,
At OHM2013 (https://ohm2013.org/site/), there will be a lightning talk about
tinc, and a workshop setting up tinc VPNs at the Milliways village. An exact
time is not known yet but will follow later.
OHM2013 will take place from July 31 to August 4 at the Geestmerambacht
festival grounds, near Alkmaar, in the Netherlands. If you would like to meet
at OHM2013 with other people using or
2013 Feb 22
1
Large sites
Hi,
I am looking at networking together about 1000-2000 sites across the
country. I've been looking through these mailing lists. Saw the thread
from the person who had 1000+ running on Amazon, and how they
essentially stripped all security out of it. Also know that the
ChaosVPN uses tinc, for at least 130+ sites although I'm a bit fuzzy
on the details for it.
Are there any other cases of
2017 Dec 18
3
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
For some weeks I've been trying to devise a way to connect multiple users in various parts of the city and state, and I found out that most likely Tinc is the only daemon that does the kind of meshing I want.
I was successful in connecting some servers of mine around in switch mode, but now comes the hard part: How can I authenticate clients on my network? I would also need to direct static
2018 Jan 05
0
Using keyring on tinc
On Fri, Jan 05, 2018 at 02:34:00PM -0300, Inaki Malerba wrote:
> Public keys I mean.
>
> I'd like to manage an easier way to distribute public keys when a new
> user is added to the network.
>
> I'm thinking of mounting hosts/ over ssh on the servers and have it
> centralized.
> Also, distributing server config (host file, ConnectTo, etc) to the
> clients via
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter
ADD_SUBNET messages based on the metaconnection on which they are
received, so that nodes can't impersonate each other's VPN Subnets.
Similar to StrictSubnets in spirit, but way more flexible.
BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK
In terms of metaconnections (I'm not discussing data tunnels here),
one of