similar to: One host for forwarding only without keys

On 09/03/2016 10:56 AM, Etienne Dechamps wrote: > C will still need keys in order to establish metaconnections with A and B (as > well as a few other things). However there is no need for C to own any > "Subnets" at all. If somebody breaks into C, he could get access to the vpn network, right? Because the keys are there, it will be possible to use them to get access. Even if

On 09/02/2016 08:51 PM, Etienne Dechamps wrote: > What version of tinc are you using? tinc 1.1 already does what you want out of > the box: packets sent from node A to node B through node C will use a key that > A and B will negotiate between themselves. C doesn't have the key, and will > act as a blind relay. C will not be able to decipher the packets flowing > between A and B.

What version of tinc are you using? tinc 1.1 already does what you want out of the box: packets sent from node A to node B through node C will use a key that A and B will negotiate between themselves. C doesn't have the key, and will act as a blind relay. C will not be able to decipher the packets flowing between A and B. This is different from tinc 1.0, where C would have to decipher the

If you're using StrictSubnets, you will still be fine. StrictSubnets means that A will only use B's key (which C does not know) to send packets to B's statically configured subnets. C cannot impersonate B (as in, take its node name) because it would have to know B's private key to do so, and it cannot impersonate B's subnets because A is using StrictSubnets. The worst that C

C will still need keys in order to establish metaconnections with A and B (as well as a few other things). However there is no need for C to own any "Subnets" at all. On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote: > On 09/02/2016 08:51 PM, Etienne Dechamps wrote: > > What version of tinc are you using? tinc 1.1 already does what you want > out of

On 30.08.2016 17:37, Guus Sliepen wrote: > On Tue, Aug 30, 2016 at 02:38:16PM +0200, Armin Schindler wrote: > >> we use a meshed VPN with TINC to connect 7 offices. >> Some office are in other countries and use other ISPs. The connection >> between some ISPs (peering partners) are not that good. This means we >> have packet loss between those direct connections.

TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of

On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote: > We started to take a look about that, and apparently, it seems that the IP > in the public key is taken into account when a client connects to a gateway. > Spoofing at that level doesn't seem easy, because the IP address seems to be > part of the authentication process. I'm having trouble

Hello All, Has anyone configured bri to answer for only one msn? In essence, when the primary is busy I want to have channel 2 ring. I am using an eicon diva server bri I know I saw it in the windows interface, but don't see it in the linux setup. Regards, Greg

Hello, I have two servers (A and B) in separate locations. Both are connected together via two tinc switches to provide two subnets on both servers. This works pretty good. I can start my VMs on any server connected to one of those bridges without changing any routes. The subnets hosted on both servers (each in a bridge) are 172.16.10.0/24 (mainly on A) and 172.16.11.0/24 (mainly on B) Now I

Tinc 1.0 3 control masters Many service hosts Laptop (road warrior) The control masters have the public keys for the service hosts and the laptop so that they can join the network. How can I prevent the laptop user to connect additional boxes to the network? In my view he can simply add new 'foreign' hosts and specify connectTo to point to the laptop. As keys are exchanged automatically

Hi all, I'm currently happily using tinc in my networks. I also use OpenVPN based on the customer requirements. I though have some questions which I could not find a clear answer. What I'd like to know is: 1. How to revoke a "node", simply removing the host file on the servers is enough? And one created by invitation? 2. Is there a way to let tinc ask for a username/password

*You should repeat this for all nodes you ConnectTo, or which ConnectTo you. However, remember that you do not need to ConnectTo all nodes in the VPN; it is only necessary to create one or a few meta-connections, after the connections are made tinc will learn about all the other nodes in the VPN, and will automatically make other connections as necessary. * The above is from the docs. Assuming

Hi, I have two tinc nodes which announce default gate to internet. How does tinc select which node is prefered when I route to the tinc device and not a special ip? tinc 1.0.16 ALBI...

Whatever you do, keep in mind that tinc will always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be

Hi We have several stale nodes in our tinc network and I'd like to remove these. These nodes show up in graph dumps as red nodes, indicating they are unreachable. We run: tinc -n <vpn-name> purge Nothing happens. If we tail the logs at /var/log/syslog, we dont see an ack or message concerning the purge either. The dead nodes still show up in the graphs and their certs are still

Hello, How does tincd determine the subnet(s) of other remote nodes? Does tincd read its copies of the hosts file and parse and follow the subnet information contained in the local files? Or does tincd solely trust the subnet information dynamically advertised by each remote node? In my experimentation, it seems that: a) tincd reads its own subnet(s) from its copy of its own host file, but

Guus, I have a question on how to interprete the following fragment of the man page: StrictSubnets = yes | no (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/NETNAME/hosts/ directory. Does this mean it will ignore any subnets learnt through ADD_SUBNET? Perhaps

Hello, are there reasons why all the examples for debian and ubuntu explain how to setup tinc to start from the init job /etc/init.d/tinc and /etc/tinc/nets.boot and why there are no examples or tutorials on howto start tinc from /etc/network/interfaces ? Using /etc/network/interfaces I have a perfectly running tinc vpn with an unprivileged user, locked memory and a chroot jail plus converted

With pleasure we announce the release of version 1.0.17. Here is a summary of the changes: * The DeviceType option can now be used to select dummy, raw socket, UML and VDE devices without needing to recompile tinc. * Allow multiple BindToAddress statements. * Decrement TTL value of IPv4 and IPv6 packets. * Add LocalDiscovery option allowing tinc to detect peers that are behind the