Displaying 20 results from an estimated 6000 matches similar to: "Some tinc clarifications"
2017 Jul 11
2
Some tinc clarifications
On 2017-07-10 18:32, Matthew Nichols wrote:
> 1. That entirely depends on how you have it set up (look at
> StrictSubnets and TunnelServer). It might also be recommended to have
> every node re-key itself (http://tinc-vpn.org/security/).
I've used StrictSubnets and TunnelServer (and probably will keep using
this so road warriors don't see each other, though looking at the logs
2017 Jul 10
0
Some tinc clarifications
1. That entirely depends on how you have it set up (look at StrictSubnets and TunnelServer). It might also be recommended to have every node re-key itself (http://tinc-vpn.org/security/).
2. No, tinc cannot do this itself.
3. That is not a bad approach.
-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Alessandro Briosi
Sent: Monday, July 10, 2017 1:43 AM
2015 May 05
2
Local routes passed to subnet-up
Hi all,
I'm experiencing a strange problem.
I have set up 2 gateways which are behind a NAT router.
They are configured in Route mode and have the IPs 10.0.0.1/32 and
10.0.0.2/32 on the tinc interface.
They also have subnets (192.168.1.0/24 and 192.168.2.0/24 respectively).
Now the odd thing is that when the VPN comes up they both also add the
local subnet to their routes on the tinc
2015 May 05
1
Local routes passed to subnet-up
On 2015-05-05 13:29, Guus Sliepen wrote:
> On Tue, May 05, 2015 at 01:18:15PM +0200, Alessandro Briosi wrote:
>
>> Now the odd thing is that when the VPN comes up they both also add the
>> local subnet to their routes on the tinc interface:
> [...]
>> the subnet-up script runs this command:
>> ip route add $SUBNET dev $INTERFACE metric $WEIGHT
2014 Feb 03
1
Avoid some hosts/networks to see each other
Hi all,
I need a suggestion or just to know if it's even possible to achieve the
following.
There is a "central" vpn server which is my main network.
I have a few other gateways (customers) which should connect to this
central server (there's a firewall on this machine too) which have
behind the customer network.
Then I have a few single servers which still connect to my
2013 Jan 24
3
Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
*You should repeat this for all nodes you ConnectTo, or which ConnectTo
you. However, remember that you do not need to ConnectTo all nodes in the
VPN; it is only necessary to create one or a few meta-connections, after
the connections are made tinc will learn about all the other nodes in the
VPN, and will automatically make other connections as necessary. *
The above is from the docs. Assuming
2014 Dec 29
6
Samba4 and sssd, keytab file expires?
Hi all.
I have the following setup:
1st dc is on CentOS 6 with Sernet samba 4.1.13
2nd dc is on Debian 7 with Sernet samba 4.1.13
The 2 dc work as expected.
on CentOS I was able to configure sssd to work
on Debian I'm using winbind
Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS
repository.
This system serves as a file server and works ok with samba, but I have
a
2016 Mar 13
2
Fwd: How to avoid friends of friends joining the vpn ?
Tinc 1.0
3 control masters
Many service hosts
Laptop (road warrior)
The control masters have the public keys for the service hosts and the
laptop so that they can join the network.
How can I prevent the laptop user from connecting additional boxes to the
network?
In my view he can simply add new 'foreign' hosts and specify connectTo to
point to the laptop.
As keys are exchanged automatically
2017 Sep 12
2
purge doesn't remove dead nodes
Hi
We have several stale nodes in our tinc network and I'd like to remove
these.
These nodes show up in graph dumps as red nodes, indicating they are
unreachable.
We run: tinc -n <vpn-name> purge
Nothing happens. If we tail the logs at /var/log/syslog, we don't see an ack
or message concerning the purge either. The dead nodes still show up in the
graphs and their certs are still
2015 Nov 22
5
Authenticating VPN addresses: a proposal
TL;DR: a proposal for a new tinc feature that allows nodes to filter
ADD_SUBNET messages based on the metaconnection on which they are
received, so that nodes can't impersonate each other's VPN Subnets.
Similar to StrictSubnets in spirit, but way more flexible.
BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK
In terms of metaconnections (I'm not discussing data tunnels here),
one of
2018 Oct 10
1
Tinc invite options
Dear All,
We are trying the Tinc invites to let nodes join the network.
This is working as described but we want to push some configuration for
some nodes but this seemed not to be working.
What is working is the following invite:
Name = test_invite
NetName = test_VPN
ConnectTo = test_hub01
Ifconfig = 172.16.1.4/24
Subnet = 172.16.1.4
2017 Aug 29
1
Behavior like -R and -L SSH
Hi All,
I've been playing around with TINC and like what I've seen so far.
I wanted a TINC tunnel like this, where I have a server on the Internet
with a public IPv4 address as my TINC server. Then I can have clients
connect to it and see each other except that the client at a customer
site would allow me to route behind it so I could see hosts on site beyond
my device on premise. I do
2017 Jul 11
0
Some tinc clarifications
On Tue, Jul 11, 2017 at 09:58:39AM +0200, Alessandro Briosi wrote:
> I understand on a security bug or something, but having to rekey all the
> hosts 'cause someone gets fired to me it sounds insane.
> There must be an easy way to block somebody from connecting to the VPN?
> Isn't removing its reference on the "servers" enough?
The proper way is to remove the
2014 Jan 09
1
tinc started from /etc/network/interfaces and not from /etc/tinc/nets.boot
Hello,
are there reasons why all the examples for debian and ubuntu explain how
to setup tinc to start from the init job /etc/init.d/tinc and
/etc/tinc/nets.boot and why there are no examples or tutorials on how to
start tinc from /etc/network/interfaces ?
Using /etc/network/interfaces I have a perfectly running tinc vpn with
an unprivileged user, locked memory and a chroot jail plus converted
2018 Apr 22
4
Reconstructing files from shards
On Sun, 22 Apr 2018, 10:46 Alessandro Briosi <ab1 at metalit.com> wrote:
> Imho the easiest path would be to turn off sharding on the volume and
> simply do a copy of the files (to a different directory, or rename and
> then copy i.e.)
>
> This should simply store the files without sharding.
>
If you turn off sharding on a sharded volume with data in it, all sharded
2014 Dec 31
4
Fwd: Re: Samba4 and sssd, keytab file expires?
On 2014-12-31 16:29, Dr. Lars Hanke wrote:
>>> OK, you can get winbind to update your keytab, you need to alter your
>>> smb.conf slightly. You need to change
>>> 'kerberos method = secrets only'
>>> to either 'kerberos method = secrets and keytab' or
>>> 'kerberos method = system keytab' and add the line
2017 Oct 24
2
create volume in two different Data Centers
Thanks for answering. But I have to set up and test it myself and record the
result. Can you guide me a little more? The problem is, one valid IP exists
for each data center, and each data center has 3 servers. How should I
configure the network so that the server bricks see each other to create a
glusterfs volume?
On Tue, Oct 24, 2017 at 1:47 PM, <lemonnierk at ulrar.net> wrote:
> Hi,
2017 Oct 24
0
create volume in two different Data Centers
On 24/10/2017 12:45, atris adam wrote:
> Thanks for answering. But I have to set up and test it myself and
> record the result. Can you guide me a little more? The problem is, one
> valid IP exists for each data center, and each data center has 3
> servers. How should I configure the network so that the server bricks
> see each other to create a glusterfs volume?
>
I would
2015 Jan 15
1
Fwd: Re: Samba4 and sssd, keytab file expires?
Hi Rowland,
this posting ended a lot of grief I had with expired keytabs.
While this is presumably an issue of sssd, I have no chance to
attack the issue right at its root*). But rejoining the domain
with the lines
dedicated keytab file = /etc/krb5.memberserver.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
seems to fix it. Phew...
Maybe You or someone
2014 Dec 31
2
Fwd: Re: Samba4 and sssd, keytab file expires?
>> Hi, how have you set up the fileserver?
>> Is it joined to the domain?
>> Can you post your fileserver's smb.conf
>> Rowland
OT: Oops, wasn't subscribed to the mailing list :)
Yes, server is joined to the domain (otherwise I would not be able to
generate the principal)
Server configuration is following (only global part), winbind config is
there because it was