tinc - Dec 2014 - Current state of Tinc 1.1?

So as probably any Tinc user, I noticed there are two versions: 1.0 and
1.1. On the website is explained that 1.1 is the stepping stone for 2.0 and
that it has a lot of neat features *planned*. However, in the repositories,
one usually finds version 1.0, and since I'm someone who prefers having
everything run through repositories instead of manually updated, I want to
know if it's worth it, if it's actually in a usable state, and if any of
the 'planned' features are implemented.

In short, does anyone know what the current state of Tinc 1.1 is? Is it
recommended to use it at all, or stay with 1.0 as provided in most distro
repositories?

I'm also asking this question over here:
http://serverfault.com/questions/654053/current-state-of-tinc-1-1 , someone
suggested there I'd poke the mailing list :) Feel free to answer the
question there if you think it's more appropriate.
Met vriendelijke groet / Kind regards,
Alexander Ypema
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20141222/bb767094/attachment.html>

Is there a specific capability you are looking for or concern you have?

No doubt Gus can give details on the differences but if you're wondering if
1.0 will work for you we may be able to help with some more information.

Regards,
Donald

On Sun, Dec 21, 2014 at 7:42 PM, Alexander Ypema <alexanderypema at
gmail.com>
wrote:
>
> So as probably any Tinc user, I noticed there are two versions: 1.0 and
> 1.1. On the website is explained that 1.1 is the stepping stone for 2.0 and
> that it has a lot of neat features *planned*. However, in the
> repositories, one usually finds version 1.0, and since I'm someone who
> prefers having everything run through repositories instead of manually
> updated, I want to know if it's worth it, if it's actually in a
usable
> state, and if any of the 'planned' features are implemented.
>
> In short, does anyone know what the current state of Tinc 1.1 is? Is it
> recommended to use it at all, or stay with 1.0 as provided in most distro
> repositories?
>
> I'm also asking this question over here:
> http://serverfault.com/questions/654053/current-state-of-tinc-1-1 ,
> someone suggested there I'd poke the mailing list :) Feel free to
answer
> the question there if you think it's more appropriate.
> Met vriendelijke groet / Kind regards,
> Alexander Ypema
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20141222/c82ab390/attachment.html>

On Sun, Dec 21, 2014 at 7:42 PM, Alexander Ypema
<alexanderypema at gmail.com> wrote:
>
> In short, does anyone know what the current state of Tinc 1.1 is? Is it
recommended to use it at all, or stay with 1.0 as provided in most distro
repositories?
Alexander, I don't speak for the Tinc team but I think this is a good
way to decide based on what is your use case.

Tinc 1.0:
I use Tinc across many platforms and devices and I want it to just
work. (Linux/Win/Mac/Android & Router/Server/Desktop/Laptop/Mobile). I
stick with the 1.0 series because that is packaged for me on all those
platforms and I don't want to have to support users as much. I should
be able to mix and match 1.0 and 1.1 but I don't want to have to
support that if there is a probem.

Tinc 1.1:
If I controlled all devices in the Tinc deployment I'd likely go with
the Tinc 1.1 series as I could keep those devices current and help the
Tinc project exercise new code and prove it's way forward ever so
slightly and roll back if necessary.

-- 
Sandy McArthur, Jr.

"No nation could preserve its freedom in the midst of continual
warfare."
- Letters and Other Writings of James Madison (1865), Vol. IV, p. 491

On Mon, Dec 22, 2014 at 01:42:01AM +0100, Alexander Ypema wrote:
> So as probably any Tinc user, I noticed there are two versions: 1.0 and
> 1.1. On the website is explained that 1.1 is the stepping stone for 2.0 and
> that it has a lot of neat features *planned*. However, in the repositories,
> one usually finds version 1.0, and since I'm someone who prefers having
> everything run through repositories instead of manually updated, I want to
> know if it's worth it, if it's actually in a usable state, and if
any of
> the 'planned' features are implemented.
There are four items listed for tinc 1.1 on http://tinc-vpn.org/goals/:

* Replaceable cryptography backend

Although the cryptography is now separated from the rest of the logic in
tinc, it is not really replaceable, since only OpenSSL is supported.
However, there is also a new protocol in tinc 1.1, which uses Ed25519
and ChaCha-Poly1305. The code for those algorithms is included in tinc,
so the new protocol has no dependencies on external libraries.

* Control socket

This is already implemented.

* Automatic connection management

This is mostly implemented (see the AutoConnect option).

* Automate setting up nodes

This is mostly implemented (see the "tinc init" command).

Something not listed in the goals is the new protocol that is already
implemented but not completely fixed yet. The new protocol provides
end-to-end encryption and authentication between nodes.

If you disable the new protocol (using ExperimentalProtocol = no), then
you can use most of the new features in tinc 1.1 without any problems.
It is also backwards compatible with tinc 1.0 nodes. So you can try out
1.1 by upgrading an existing node, and if you don't like it you can
switch back to 1.0 without worries.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20141222/724f08ce/attachment.sig>

Hello Donald, Sandy and Guus himself :)
Thank you for the quick and informative reactions!
I think I'm going to experiment a little with Tinc 1.1 considering it's
mostly backwards compatible. The simplified configuration management seems
really neat to have, much less copy-pasting and rsyncing about ;)
The Serverfault post seems on hold for now, although I've posted a very
short summary in a comment for who'd be interested there.
Keep up the great work Guus :) I really love how flexible Tinc allows me to
setup my VPNs, it serves me really well.

Met vriendelijke groet / Kind regards,
Alexander Ypema

On 22 December 2014 at 22:30, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Mon, Dec 22, 2014 at 01:42:01AM +0100, Alexander Ypema wrote:
>
> > So as probably any Tinc user, I noticed there are two versions: 1.0
and
> > 1.1. On the website is explained that 1.1 is the stepping stone for
2.0
> and
> > that it has a lot of neat features *planned*. However, in the
> repositories,
> > one usually finds version 1.0, and since I'm someone who prefers
having
> > everything run through repositories instead of manually updated, I
want
> to
> > know if it's worth it, if it's actually in a usable state, and
if any of
> > the 'planned' features are implemented.
>
> There are four items listed for tinc 1.1 on http://tinc-vpn.org/goals/:
>
> * Replaceable cryptography backend
>
> Although the cryptography is now separated from the rest of the logic in
> tinc, it is not really replaceable, since only OpenSSL is supported.
> However, there is also a new protocol in tinc 1.1, which uses Ed25519
> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
> so the new protocol has no dependencies on external libraries.
>
> * Control socket
>
> This is already implemented.
>
> * Automatic connection management
>
> This is mostly implemented (see the AutoConnect option).
>
> * Automate setting up nodes
>
> This is mostly implemented (see the "tinc init" command).
>
> Something not listed in the goals is the new protocol that is already
> implemented but not completely fixed yet. The new protocol provides
> end-to-end encryption and authentication between nodes.
>
> If you disable the new protocol (using ExperimentalProtocol = no), then
> you can use most of the new features in tinc 1.1 without any problems.
> It is also backwards compatible with tinc 1.0 nodes. So you can try out
> 1.1 by upgrading an existing node, and if you don't like it you can
> switch back to 1.0 without worries.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20141223/235686ff/attachment.html>

On Mon, Dec 22, 2014 at 9:30 PM, Guus Sliepen <guus at tinc-vpn.org>
wrote:
> Although the cryptography is now separated from the rest of the logic in
> tinc, it is not really replaceable, since only OpenSSL is supported.
> However, there is also a new protocol in tinc 1.1, which uses Ed25519
> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
> so the new protocol has no dependencies on external libraries.
Any reason not to use libsodium for this?

Pedro