I am wondering if tinc breaks if two hosts have the same key? I am guessing it probably does!

I have a hub-and-spoke arrangement, with VPN clients who all know the DNS name and the public key for the hub. I need to transition the hub to another server, with another IP address. I will, after testing, transition the DNS name to point to the new server. It would be convenient if I didn't have to update all the clients with a new key for the new server. And certainly not all at the same time.

So, it would be useful if I could install the same key on both the old and the new server while I test and transition to the new server. And if I then switch the name over, the clients would not need to have any modifications at all. But during the testing and transition period, I want to keep the VPN connected, so I had planned to connect the old hub and the new hub. But this would mean two nodes with the same key (and the same name, but I assume tinc host names are only meaningful locally) on the network (connected directly to each other). This would last until testing of the new hub is complete, the DNS name is switched to the new hub and the old hub is shut down.

If this won't work, I can either break connectivity until I can switch the DNS names, or I run something like rinetd on the old hub to forward tinc traffic to the new hub.

Graham
On Mon, May 11, 2015 at 06:43:22PM +0100, Graham Cobb wrote:

> I am wondering if tinc breaks if two hosts have the same key? I am
> guessing it probably does! [...] (and the same name, but I assume
> tinc host names are only meaningful locally)

It does not break if two nodes have the same key, although it is not recommended and there might be security issues with that scenario. Tinc does break if you have two nodes that have the same Name online at the same time, since those are used to uniquely identify nodes in the VPN. Netnames are only used locally.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
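The two pitfalls named in the reply above (a key shared by more than one host file, and a Name that must be unique across the VPN) can be checked before starting the daemons. The following is an added example, not tinc's own code: it parses a tinc 1.0 style configuration tree (tinc.conf plus hosts/<Name> files made of "Option = value" lines and an RSA public key in PEM form), fingerprints each host's key, and reports hosts that share one, as well as ConnectTo targets with no host file and whether the local Name has a host file. The sample tree mirrors the transition in this thread with the new hub under its own Name "new-hub"; the file contents, hostnames and PEM bodies are constructed for the example and are not real keys.

```python
import hashlib
import re

# tinc 1.0 host files: "Option = value" lines plus an RSA public key in PEM.
# This parser is an added example and handles only that layout.
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")
PEM_RE = re.compile(
    r"-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----", re.S
)


def parse_host_file(text):
    """Return (options, key_fingerprint).

    options maps a lowercased option name to the list of values given for it
    (tinc allows repeated options such as Subnet). key_fingerprint is the hex
    SHA-256 of the PEM body with whitespace removed, or None if there is no key.
    The PEM block is cut out first so base64 padding ("AAAA==") is never
    mistaken for an option line.
    """
    fingerprint = None
    match = PEM_RE.search(text)
    if match:
        body = "".join(match.group(1).split())
        fingerprint = hashlib.sha256(body.encode()).hexdigest()
    options = {}
    for line in PEM_RE.sub("", text).splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            options.setdefault(m.group(1).lower(), []).append(m.group(2))
    return options, fingerprint


def check_tree(files):
    """files maps "tinc.conf" and "hosts/<Name>" (relative to the netname
    directory) to file text. Returns the findings as a dict."""
    conf, _ = parse_host_file(files["tinc.conf"])
    name = conf.get("name", [None])[0]
    hosts = {path.split("/", 1)[1]: parse_host_file(text)
             for path, text in files.items() if path.startswith("hosts/")}

    # Group host files by key fingerprint; more than one host per key is the
    # "same key on two nodes" situation that the reply calls not recommended.
    by_fingerprint = {}
    for host, (_, fingerprint) in hosts.items():
        if fingerprint:
            by_fingerprint.setdefault(fingerprint, []).append(host)
    duplicate_keys = {fp: sorted(h) for fp, h in by_fingerprint.items() if len(h) > 1}

    # Every ConnectTo peer needs a host file, and the local Name should have one
    # too so that the node's own key and Subnets are known.
    connect_to_missing = sorted(
        peer for peer in conf.get("connectto", []) if peer not in hosts)
    return {
        "name": name,
        "name_has_host_file": name in hosts,
        "duplicate_keys": duplicate_keys,
        "connect_to_missing": connect_to_missing,
    }


# Constructed sample tree for the new hub during the transition. The PEM bodies
# are dummy base64, not real key material.
SHARED_KEY = """-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAconstructedDummyKeyMaterialSharedByBothHubsForTheExampleOnly
AAAA==
-----END RSA PUBLIC KEY-----"""
OTHER_KEY = """-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAconstructedDummyKeyMaterialForAClientNodeInTheExampleOnly00
BBBB==
-----END RSA PUBLIC KEY-----"""
SAMPLE_TREE = {
    "tinc.conf": "Name = new-hub\nConnectTo = hub\n",
    "hosts/hub": "Address = hub.example.org\nSubnet = 10.0.0.1/32\n" + SHARED_KEY,
    "hosts/new-hub": "Address = new-hub.example.org\nSubnet = 10.0.0.2/32\n" + SHARED_KEY,
    "hosts/client1": "Subnet = 10.0.0.10/32\n" + OTHER_KEY,
}

if __name__ == "__main__":
    report = check_tree(SAMPLE_TREE)
    print("local Name:", report["name"], "(host file present)" if report["name_has_host_file"] else "(NO host file)")
    for fp, names in report["duplicate_keys"].items():
        print("same public key in host files:", ", ".join(names), "fingerprint", fp[:16])
    for peer in report["connect_to_missing"]:
        print("ConnectTo peer without host file:", peer)
```

Run against a real tree by reading each file under /etc/tinc/<netname>/ into the same dict shape. The fingerprint is over the PEM text, not a parsed key, so two files with the same key but different line wrapping still match, while a key re-encoded in a different format would not; that is acceptable for a pre-flight check whose point is to surface unintended reuse before the old hub is shut down.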
On 11/05/15 18:59, Guus Sliepen wrote:

> Tinc does break if you have two nodes that have the same Name
> online at the same time, since those are used to uniquely identify
> nodes in the VPN.

Ah. I had assumed that some sort of internal UID was used to identify nodes. Does tinc break if the two ends of the connection disagree about the name? For example, if my old hub was called "hub" and I told my new hub it was called "new-hub", would clients that tried to connect to "hub" using a DNS name which now points to the new hub fail to connect?