similar to: tinc exit when there is no internet?

Displaying 20 results from an estimated 2000 matches similar to: "tinc exit when there is no internet?"

2015 Nov 25
0
tinc exit when there is no internet?
Something to add. When this happened, it looks like tinc shut down gracefully (not seg fault ..), because I can tell tinc-down script got implemented. Heng On Wed, Nov 25, 2015 at 6:00 AM, <tinc-request at tinc-vpn.org> wrote: > Send tinc mailing list submissions to > tinc at tinc-vpn.org > > To subscribe or unsubscribe via the World Wide Web, visit >
2015 Nov 24
1
Authenticating VPN addresses: a proposal
On Mon, 23 Nov 2015, Guus Sliepen wrote: > It also works in a situation where a group of people trust a central > authority which provides them with the configuration for their tinc > nodes, if StrictSubnets is used. The drawback is that an external tool > needs to be used (ChaosVPN is one such example, but there are others) > and it is not very flexible, but I would disagree that
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of
2015 May 04
2
Isolating a subnet on demand
Whatever you do, keep in mind that tinc will always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be
2015 Nov 22
0
Authenticating VPN addresses: a proposal
There are many ways to set up and manage a VPN. Tinc's roots are a "friend network", where there is a group of nodes that all trust each other, and there is no central authority. It also works well in situations where all nodes are controlled by the same authority, for example when a sysadmin configures several nodes, like within a company that wants to link together several
2015 Nov 23
0
Authenticating VPN addresses: a proposal
I, like you, have the same network: exactly two master servers which are trusted, and a number of clients that connect to one of them, or to both (this depends on which physical network they reside, we have city-wide LANs). I use StrictSubnets and I am happy with them. That was the choice from the beginning. But it also enforced to have all node keys and configuration data on each node. Up to
2015 May 04
2
Isolating a subnet on demand
Hi, Thanks for the link :) I guess we'll just end up having 2 separate VPNs, eventually. Have a good evening! > There is no centralized way to remove a subnet or block a user. A user > is authorized to be on the network by other nodes that have his/her > public key. If you delete the offending host config files and let tinc > reload its configuration, you can remove a bad node
2016 Jul 25
0
How does tinc server handle the case one client's key file is removed after connection
Thanks Guus for the quick answer, I will give a try now. Рысь, In my case we don't want to restart tinc "server" at all, therefore what might happen is that the client is still connected to server while its public key was already removed from server. I will try the signal approach. Heng On Mon, Jul 25, 2016 at 12:42 PM, <tinc-request at tinc-vpn.org> wrote: > Send tinc
2016 Sep 03
0
One host for forwarding only without keys
If you're using StrictSubnets, you will still be fine. StrictSubnets means that A will only use B's key (which C does not know) to send packets to B's statically configured subnets. C cannot impersonate B (as in, take its node name) because it would have to know B's private key to do so, and it cannot impersonate B's subnets because A is using StrictSubnets. The worst that C
2019 Mar 15
0
Reload subnet config with HUP signal
Hi, I need to re-open the thread below. The situation is still the same. The HUP signal does not trigger reloading of subnet declarations in own hosts file (Version 1.0.35). After a quick view to the source code, file src/net.c shows in line 658 would reload subnets when using StrictSubnets only. But why? With StrictSubnets it doesn't make sense to me. I did a quick check and removed the if
2015 May 16
1
tinc 1.1 "Got ADD_EDGE ... which does not match existing entry"
On Sat, 16 May 2015, Guus Sliepen wrote: > On Sat, May 16, 2015 at 12:09:52AM +0200, Sven-Haegar Koch wrote: > > > This change is not so good: > > > > Connection with aaa_vpnhub1 (1.2.3.4 port 443) activated > > Error while translating addresses: ai_family not supported > > > > (And then the tinc process exists) > > Hm, I couldn't reproduce
2015 May 04
0
Isolating a subnet on demand
On Mon, May 04, 2015 at 08:50:36PM +0200, Anne-Gwenn Kettunen wrote: > Hi! I'm setting up a VPN with friends of mine, and we are currently > considering the possibility of opening the subnet to more people. > Considering that one day or another we may have to isolate a subnet (because > of bad behaviour, or because it has been compromised), which solution(s) > would you
2015 Dec 31
0
Is there any some cases we can see ?
On Thu, Dec 31, 2015 at 10:02:59AM +0800, ?? wrote: > We just found the tinc, looks like it is really a better VPN solution than > traditional VPN, I am wondering, is there some cases we can refer, like is > there some big cluster running in the production environment ? I know of some large deployments of tinc, but usually people want their Virtual Private Network kept private, so I
2018 Jan 05
0
Using keyring on tinc
On Fri, Jan 05, 2018 at 02:34:00PM -0300, Inaki Malerba wrote: > Public keys I mean. > > I'd like to manage an easier way to distribute public keys when a new > user is added to the network. > > I'm thinking of mounting hosts/ over ssh on the servers and have it > centralized. > Also, distributing server config (host file, ConnectTo, etc) to the > clients via
2017 Dec 18
0
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
On Mon, Dec 18, 2017 at 11:37 AM, Glauber Ferreira <glaubermmf at gmcomms.com.br> wrote: > What other kind of attacks should I be aware of? > (Impersonation, Any kinds of malicious broadcasts, etc) Possibly relevant: http://www.tinc-vpn.org/pipermail/tinc/2017-May/004864.html Etienne Dechamps wrote: > In general however, I would advise against trusting other nodes, even with >
2016 Mar 13
1
Fwd: How to avoid friends of friends joining the vpn ?
Thanks, I will look into StrictSubnets. While digging through the mailing list I came across this: https://github.com/siblynx/tinc-1.0.16_hostupd/blob/master/README.hostupd which is pretty close to what I need. That looks to be a fork on its own, with no PR raised for adding that functionality to the main tinc, unless I missed it. Are there any plans to bring that functionality in? -azul
2016 Dec 13
0
Is that possible develop a python version of tinc?
Yes, the current C implementation is not so easy to read, very old style! The good part is that the protocol seems very clear :) On 2016-12-13 09:46, "Sven-Haegar Koch" <haegar at sdinet.de> wrote: On Tue, 13 Dec 2016, Cong Monkey wrote: > As title, is that possible to develop a python version of tinc, that will > be interesting:) Possible? Sure. Will it be bigger and slower? Sure.
2015 May 15
2
tinc 1.1 "Got ADD_EDGE ... which does not match existing entry"
On Fri, 15 May 2015, Guus Sliepen wrote: > On Fri, May 15, 2015 at 10:26:46PM +0200, Sven-Haegar Koch wrote: > > > Another strange and difficult to understand thing - seems like all the > > easy bugs in 1.1 are gone ;) > [...] > > Got ADD_EDGE from aaa_vpnhub1 (1.2.3.4 port 443) for haegar_tokamak > > -> igor which does not match existing entry (Local
2014 Jan 16
1
Clarification of man page on StrictSubnets
Guus, I have a question on how to interpret the following fragment of the man page: StrictSubnets = yes | no (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/NETNAME/hosts/ directory. Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps
2015 Dec 07
0
Tinc & moving VMs accross network
On Mon, Dec 07, 2015 at 07:32:58PM +0000, Etienne Dechamps wrote: > > When I move (hot move) a VM from a host to another, I have to restart > > Tinc on node from where VM is coming to get access to that VM again. > > I don't use tinc in Switch mode, but looking at the code (especially > the learn_mac() function) it looks like tinc is not really able to > migrate MAC