Displaying 20 results from an estimated 20000 matches similar to: "One host for forwarding only without keys"
2016 Sep 03
2
One host for forwarding only without keys
On 09/03/2016 10:56 AM, Etienne Dechamps wrote:
> C will still need keys in order to establish metaconnections with A and B (as
> well as a few other things). However there is no need for C to own any
> "Subnets" at all.
If somebody breaks into C, he could get access to the VPN network, right?
Because the keys are there, it will be possible to use them to get access.
Even if
2016 Sep 03
2
One host for forwarding only without keys
On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> What version of tinc are you using? tinc 1.1 already does what you want out of
> the box: packets sent from node A to node B through node C will use a key that
> A and B will negotiate between themselves. C doesn't have the key, and will
> act as a blind relay. C will not be able to decipher the packets flowing
> between A and B.
2016 Sep 02
0
One host for forwarding only without keys
What version of tinc are you using? tinc 1.1 already does what you want out
of the box: packets sent from node A to node B through node C will use a
key that A and B will negotiate between themselves. C doesn't have the key,
and will act as a blind relay. C will not be able to decipher the packets
flowing between A and B.
This is different from tinc 1.0, where C would have to decipher the
2016 Sep 03
0
One host for forwarding only without keys
If you're using StrictSubnets, you will still be fine. StrictSubnets means
that A will only use B's key (which C does not know) to send packets to B's
statically configured subnets. C cannot impersonate B (as in, take its node
name) because it would have to know B's private key to do so, and it cannot
impersonate B's subnets because A is using StrictSubnets. The worst that C
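As an added illustration of the arrangement described in the reply above (this is example configuration, not taken from the post or from tinc's own documentation): node A's tinc.conf plus the two host files A keeps locally. The net name `vpn`, the node names A, B and C, B's subnet 10.20.0.0/24 and C's address relay.example.org are assumptions; the public key lines are elided.

```ini
# /etc/tinc/vpn/tinc.conf on node A (assumed layout)
Name = A
ConnectTo = C            # C is only a relay; A reaches B through it
StrictSubnets = yes      # only Subnet lines from the local hosts/ files are used

# /etc/tinc/vpn/hosts/B  (copied out of band; this file is A's trust anchor for B)
Subnet = 10.20.0.0/24    # the only destination range A will encrypt to B's key
# ... B's public key lines (elided) ...

# /etc/tinc/vpn/hosts/C  (the relay)
Address = relay.example.org
# deliberately no Subnet line: C owns no VPN addresses, so with StrictSubnets
# A will never select C's key for any destination, whatever C announces
# ... C's public key lines (elided) ...
```

Without `StrictSubnets = yes`, a Subnet that C announces over the metaconnection would be accepted just like a local host file entry, which is exactly the impersonation the reply rules out.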
2016 Sep 03
0
One host for forwarding only without keys
C will still need keys in order to establish metaconnections with A and B
(as well as a few other things). However there is no need for C to own any
"Subnets" at all.
On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote:
> On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> > What version of tinc are you using? tinc 1.1 already does what you want
> out of
2016 Aug 31
4
Define which host to use when direct link not possible?
On 30.08.2016 17:37, Guus Sliepen wrote:
> On Tue, Aug 30, 2016 at 02:38:16PM +0200, Armin Schindler wrote:
>
>> we use a meshed VPN with TINC to connect 7 offices.
>> Some offices are in other countries and use other ISPs. The connections
>> between some ISPs (peering partners) are not that good. This means we
>> have packet loss between those direct connections.
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter
ADD_SUBNET messages based on the metaconnection on which they are
received, so that nodes can't impersonate each other's VPN Subnets.
Similar to StrictSubnets in spirit, but way more flexible.
BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK
In terms of metaconnections (I'm not discussing data tunnels here),
one of
2015 May 04
3
Isolating a subnet on demand
On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
> We started to take a look about that, and apparently, it seems that the IP
> in the public key is taken into account when a client connects to a gateway.
> Spoofing at that level doesn't seem easy, because the IP address seems to be
> part of the authentication process.
I'm having trouble
2005 Aug 15
3
BRI Hunting, using both channels on one msn
Hello All,
Has anyone configured BRI to answer for only one MSN? In essence, when
the primary is busy I want to have channel 2 ring.
I am using an eicon diva server bri
I know I saw it in the windows interface, but don't see it in the linux
setup.
Regards,
Greg
2015 Nov 15
2
Packet loss when using multiple subnet#weight entries
Hello,
I have two servers (A and B) in separate locations. Both are connected
together via two tinc switches to provide two subnets on both servers.
This works pretty well. I can start my VMs on any server connected
to one of those bridges without changing any routes.
The subnets hosted on both servers (each in a bridge) are
172.16.10.0/24 (mainly on A) and 172.16.11.0/24 (mainly on B)
Now I
2016 Mar 13
2
Fwd: How to avoid friends of friends joining the vpn ?
Tinc 1.0
3 control masters
Many service hosts
Laptop (road warrior)
The control masters have the public keys for the service hosts and the
laptop so that they can join the network.
How can I prevent the laptop user to connect additional boxes to the
network?
In my view he can simply add new 'foreign' hosts and specify connectTo to
point to the laptop.
As keys are exchanged automatically
2017 Jul 10
3
Some tinc clarifications
Hi all,
I'm currently happily using tinc in my networks.
I also use OpenVPN based on the customer requirements.
I do have some questions, though, for which I could not find a clear answer.
What I'd like to know is:
1. How do I revoke a "node"? Is simply removing the host file on the servers
enough? And what about one created by invitation?
2. Is there a way to let tinc ask for a username/password
2013 Jan 24
3
Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
*You should repeat this for all nodes you ConnectTo, or which ConnectTo
you. However, remember that you do not need to ConnectTo all nodes in the
VPN; it is only necessary to create one or a few meta-connections, after
the connections are made tinc will learn about all the other nodes in the
VPN, and will automatically make other connections as necessary. *
The above is from the docs. Assuming
2012 Nov 28
1
default gate via tinc
Hi,
I have two tinc nodes which announce a default gateway to the internet.
How does tinc select which node is preferred when I route to the tinc
device and not to a specific IP?
tinc 1.0.16
ALBI...
2015 May 04
2
Isolating a subnet on demand
Whatever you do, keep in mind that tinc will always trust all nodes as
long as they are part of the graph. It is not currently designed to
deal with insider threats. Most importantly, that means anyone can
impersonate any Subnet on a tinc network, just by changing the Subnet
declaration in their node file.
The only way around that is to use StrictSubnets, but that requires
every node to be
2017 Sep 12
2
purge doesn't remove dead nodes
Hi
We have several stale nodes in our tinc network and I'd like to remove
these.
These nodes show up in graph dumps as red nodes, indicating they are
unreachable.
We run: tinc -n <vpn-name> purge
Nothing happens. If we tail the logs at /var/log/syslog, we don't see an ack
or message concerning the purge either. The dead nodes still show up in the
graphs and their certs are still
2017 May 05
2
Subnet authority and trust
Hello,
How does tincd determine the subnet(s) of other remote nodes? Does
tincd read its copies of the hosts file and parse and follow the
subnet information contained in the local files? Or does tincd solely
trust the subnet information dynamically advertised by each remote
node?
In my experimentation, it seems that:
a) tincd reads its own subnet(s) from its copy of its own host file, but
2014 Jan 16
1
Clarification of man page on StrictSubnets
Guus,
I have a question on how to interpret the following fragment of the man page:
StrictSubnets = yes | no (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
local /etc/tinc/NETNAME/hosts/ directory.
Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps
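The question above, the "Isolating a subnet on demand" and "Subnet authority and trust" threads, and Etienne's StrictSubnets reply all turn on one decision: which node's key A uses for a destination address, and whether an ADD_SUBNET announcement can change that. The following toy model is an added example, not tinc's code; it simulates only that trust decision. The node names, the subnet 10.20.0.0/24 and the "ciphertext" label standing in for the real encryption are constructed for the demo. The relay step goes slightly beyond the posts: it shows that C sees only the envelope of a packet encrypted with the key A selected for B.

```python
"""Toy model of tinc-style subnet routing and key selection (added example).

Models the trust decision discussed on the list: the owner recorded for a
destination network decides whose key A encrypts to, and StrictSubnets
decides whether announcements learned over a metaconnection may change
that table. Everything here (names, subnets, the E[...] wrapper) is a
constructed stand-in, not tinc's real data structures or cipher.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    strict_subnets: bool
    # Subnet lines from host files in the local hosts/ directory: owner -> nets
    local_hosts: dict[str, list[str]]
    # Routing table actually consulted: network -> owner (key selected)
    routes: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        for owner, nets in self.local_hosts.items():
            for net in nets:
                self.routes[ipaddress.ip_network(net)] = owner

    def add_subnet(self, announcer: str, net: str) -> bool:
        """Handle an ADD_SUBNET learned over a metaconnection.

        Returns True if the announcement changed the routing table.
        """
        network = ipaddress.ip_network(net)
        if self.strict_subnets:
            # Only Subnet statements from local host files are used;
            # announcements for anything else are ignored.
            return False
        # Without StrictSubnets the announcement is trusted. The real daemon
        # orders duplicate subnets by the #weight suffix, which the announcer
        # chooses; this toy simply lets the announcement win.
        self.routes[network] = announcer
        return True

    def owner_for(self, dst: str) -> str | None:
        """Longest-prefix match: the node whose key is used for dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, owner in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, owner)
        return best[1] if best else None

    def send(self, dst: str, payload: str) -> dict:
        """Build a packet 'encrypted' to the key of whoever owns dst."""
        owner = self.owner_for(dst)
        # E[owner](...) stands in for encryption under the key A negotiated
        # with `owner`; only that owner can open it.
        return {"dst": dst, "key_owner": owner, "ciphertext": f"E[{owner}]({payload})"}


def relay(packet: dict, relay_name: str) -> dict:
    """A relay forwards the envelope untouched; the payload stays opaque to it."""
    return {**packet, "via": relay_name}


def scenario(strict: bool) -> str | None:
    """A trusts B's host file (Subnet 10.20.0.0/24) and C's (no Subnet).

    C, the relay, then announces B's subnet over the metaconnection.
    Returns whose key A ends up using for a host inside B's subnet.
    """
    a = Node("A", strict, {"B": ["10.20.0.0/24"], "C": []})
    a.add_subnet("C", "10.20.0.0/24")  # hostile ADD_SUBNET from the relay
    packet = relay(a.send("10.20.0.7", "hello B"), "C")
    return packet["key_owner"]


if __name__ == "__main__":
    print("StrictSubnets=no :", scenario(strict=False))  # C hijacks the traffic
    print("StrictSubnets=yes:", scenario(strict=True))   # B keeps it
```

Running the two scenarios shows the answer to the man-page question: with StrictSubnets enabled, A's table is built from its local host files only, so C's ADD_SUBNET for 10.20.0.0/24 is discarded and A keeps encrypting to B; with it disabled, C becomes the recorded owner and receives packets it can decrypt.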
2014 Jan 09
1
tinc started from /etc/network/interfaces and not from /etc/tinc/nets.boot
Hello,
are there reasons why all the examples for Debian and Ubuntu explain how
to set up tinc to start from the init job /etc/init.d/tinc and
/etc/tinc/nets.boot and why there are no examples or tutorials on how to
start tinc from /etc/network/interfaces?
Using /etc/network/interfaces I have a perfectly running tinc vpn with
an unprivileged user, locked memory and a chroot jail plus converted
2012 Mar 10
1
[Announcement] Version 1.0.17 released
With pleasure we announce the release of version 1.0.17. Here is a
summary of the changes:
* The DeviceType option can now be used to select dummy, raw socket, UML and
VDE devices without needing to recompile tinc.
* Allow multiple BindToAddress statements.
* Decrement TTL value of IPv4 and IPv6 packets.
* Add LocalDiscovery option allowing tinc to detect peers that are behind the