similar to: Subnet authority and trust

On 09/03/2016 10:56 AM, Etienne Dechamps wrote: > C will still need keys in order to establish metaconnections with A and B (as > well as a few other things). However there is no need for C to own any > "Subnets" at all. If somebody breaks into C, he could get access to the vpn network, right? Because the keys are there, it will be possible to use them to get access. Even if

For some weeks I've been trying to devise a way to connect multiple users in various parts of the city and state, and I found out that most likely Tinc is the only daemon that does the kind of meshing I want. I was successful in connecting some servers of mine around in switch mode, but now comes the hard part: How can I authenticate clients on my network? I would also need to direct static

On Sun, Feb 1, 2015 at 11:19 AM, Guus Sliepen <guus at tinc-vpn.org> wrote: > On Sun, Feb 01, 2015 at 04:08:47PM +0900, crocket wrote: > >> If tincd is started before name resolution comes up, it keeps failing >> for ever to resolve domain names in Address= host configuration >> variable after name resolution becomes possible. >> >> I think tincd should

Hello, I am not very good at linux networking. I have read tinc documentation multiple times and I still don't understand what the "Subnet = ..." directive does in /etc/tinc/$NET_NAME/hosts/$HOST_NAME Right now I have a simple virtual lan organized with tinc, and I use the following in every device's config file (replacing the last part of the address): # This computer will

If tincd is started before name resolution comes up, it keeps failing for ever to resolve domain names in Address= host configuration variable after name resolution becomes possible. I think tincd should succeed in resolving domain names after name resolution becomes available.

Hi All, I've been playing around with TINC and like what I've seen so far. I wanted a TINC tunnel like this, where I have a server on the Internet with a public IPv4 address as my TINC server. Then I can have clients connect to it and see each other except that the client at a customer site would allow me to route behind it so I could see hosts on site beyond my device on premise. I do

On Wed, Nov 18, 2015 at 08:25:28AM +0100, Armin Schindler wrote: > But I have a question regarding "Subnet=" possibilities. When I have more than > one Server acting as host for VMs and need to have automatic routing to > all VMs on these servers, can I use tinc to create this routing automatically? > > My idea is to have a script which is started when a VM is

Hello, I have two servers (A and B) in separate locations. Both are connected together via two tinc switches to provide two subnets on both servers. This works pretty good. I can start my VMs on any server connected to one of those bridges without changing any routes. The subnets hosted on both servers (each in a bridge) are 172.16.10.0/24 (mainly on A) and 172.16.11.0/24 (mainly on B) Now I

Hi, Etienne I took a look for the below host configuration parameter (IndirectData), the default is no. For the below example: A ConnectTo B, B ConnectTo C: If IndirectData = no (default), then A wouldn’t establish direct connection with C, but will be forwarded by B. If IndirectData = yes, then A will try to establish direct connection with C, even though A don’t have the statement of

TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of

Hello, I have 4 VM's running in Microsoft Azure. They all should have similar configurations except from their tinc ip addresses of course. They run tinc 1.0.24. I have a 5th machine, my development machine. I am able to ping all 4 VM's from my computer when I start tinc from the commandline (tincd -n innomeer -D -d 2). 3 of the computers also work ok when running tinc as a service

On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote: > We started to take a look about that, and apparently, it seems that the IP > in the public key is taken into account when a client connects to a gateway. > Spoofing at that level doesn't seem easy, because the IP address seems to be > part of the authentication process. I'm having trouble

One of my hosts just rebooted for the first time in ages, and now it won't connect to any other nodes. The log just contains continual "error while decrypting metadata" errors. tincd[8324]: Error while decrypting: error:060A7094:digital envelope routines:EVP_EncryptUpdate:invalid operation tincd[8324]: Error while decrypting metadata from fairfield_gw (yy.yy.yy.yy port 655)

I found a tincd crash caused by having two "Port" statements in a host's file. I realize this is a bug in an old version of tinc that may be fixed but I spent the past few hours tracking it down so I'm sharing it in hopes others can make use of this info. I was "cleaning" up my Tinc VPN of a collection of OpenWrt routers and tincd started crashing with "Got fatal

1. Is there any tools/command, we can show the subnet where a certain tinc nodes learnt? So that I can know the weight for certain subnet(in real time), instead of go back to the node’s (who advertise the subnet) configuration file to check. 2. So far in order to change the weight of a subnet, or something else, I have to reset the tinc daemon( tincd -k -n myvpn and then tincd -n myvpn) in

Hi, I have been messing arroudn with tinc for a while and now I got a configuration working like the example (4.7) from the manual I have 3 systems, in my case system a is the only one that can be accessed directly. B and C connect to A I have 3 subnets A 5.1.0.0 gw 5.1.0.1 B 5.2.0.0 gw 5.2.0.1 C 5.3.0.0 gw 5.3.0.1 This work fine and the gateways are ip number son t he interfaces of the 3

Hello, We're suffering from sporadic network blockage(read: unable to ping other nodes) with 1.1-pre17. Before upgrading to the 1.1-pre release, the same network blockage also manifested itself in a pure 1.0.33 network. The log shows that there are a lot of "Got ADD_EDGE from nodeX (192.168.0.1 port 655) which does not match existing entry" and it turns out that the mismatches

Whatever you do, keep in mind that tinc will always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be

Dear all, I am trying to configure a basic TINC vpn between two sites using OpenWRT routers. The link seems to work, the ping between the two routers is ok, but I can't ping hosts between the subnets behind the routers. This is the configuration: ======== SITE 1 (CLIENT) - polimnia (subnet 192.168.4.0/24, gw 192.168.4.1) tinc.conf ------------- Name = polimnia ConnectTo = calliope

William Kennington <william at wkennington.com> writes: > Agreed. > On Feb 1, 2015 4:21 AM, "Etienne Dechamps" <etienne at edechamps.fr> wrote: > >> Considering how cheap that operation seems to be, would it make sense >> to call res_init() every time tinc retries a metaconnection? It's not >> doing that very often anyway... and it would solve