Tinc 1.0
3 control masters
Many service hosts
Laptop (road warrior)

The control masters have the public keys for the service hosts and the laptop so that they can join the network.

How can I prevent the laptop user from connecting additional boxes to the network?

In my view he can simply add new 'foreign' hosts and specify ConnectTo to point to the laptop. As keys are exchanged automatically, these 'foreign' boxes would then have access to all the service nodes.

What's the best way to prevent that?

Thanks
Azul
On Sun, Mar 13, 2016 at 04:57:12PM +0000, Azul wrote:

> Tinc 1.0
> 3 control masters
> Many service hosts
> Laptop (road warrior)
>
> The control masters have the public keys for the service hosts and the
> laptop so that they can join the network.
>
> How can I prevent the laptop user from connecting additional boxes to the
> network?

There are several ways. One can be to have two VPNs, one for trusted nodes, and one for untrusted nodes like your laptop user. Another option is to use the TunnelServer or the StrictSubnets options to restrict what other nodes can do.

But even if you could prevent the laptop user from introducing foreign hosts using tinc, he can simply use a separate VPN to have foreign nodes connect to his laptop, and then use NAT to give them access to your VPN. So in short, if you don't trust someone to behave, you shouldn't allow him access at all.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
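As an added illustration of the two options named in the reply above (this is not configuration from the thread or from the tinc project): a tinc 1.0 `tinc.conf` for one control master with the default settings shown commented out beside the restricted ones, plus the laptop's host file on that master. The netname `vpn`, the node names and the subnet are assumed values.

```ini
# /etc/tinc/vpn/tinc.conf on a control master (netname "vpn" is assumed)
Name = master1

# Default behaviour (both options off): a master forwards node and key
# information between every daemon it learns about, so a host that the
# laptop introduces with ConnectTo = laptop becomes known to the mesh
# once the laptop relays it.
# TunnelServer = no
# StrictSubnets = no

# Restricted behaviour:
# Only accept connections from nodes whose host file exists in
# /etc/tinc/vpn/hosts/ on this master, and stop forwarding information
# between other daemons, so this master never relays a foreign node.
TunnelServer = yes
# Only honour Subnet lines present in the local host files; subnets a
# node announces at runtime that are not in its local host file are ignored.
StrictSubnets = yes

# /etc/tinc/vpn/hosts/laptop on the same master (assumed node name)
# The only subnet the laptop may claim under StrictSubnets.
Subnet = 10.0.0.50/32
# (the laptop's RSA public key follows here, as in any tinc 1.0 host file)
```

TunnelServer also changes the topology: a master no longer relays node information between the daemons connected to it, so verify that service hosts still reach each other as intended before enabling it on all three masters.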
Thanks, I will look into StrictSubnets. While digging through the mailing list I came across this:

https://github.com/siblynx/tinc-1.0.16_hostupd/blob/master/README.hostupd

which is pretty close to what I need. That looks to be a fork on its own, with no PR raised for adding that functionality to the main tinc, unless I missed it. Are there any plans to bring that functionality in?

-azul

On 13 March 2016 at 17:52, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Sun, Mar 13, 2016 at 04:57:12PM +0000, Azul wrote:
>
> > Tinc 1.0
> > 3 control masters
> > Many service hosts
> > Laptop (road warrior)
> >
> > The control masters have the public keys for the service hosts and the
> > laptop so that they can join the network.
> >
> > How can I prevent the laptop user from connecting additional boxes to the
> > network?
>
> There are several ways. One can be to have two VPNs, one for trusted
> nodes, and one for untrusted nodes like your laptop user. Another option
> is to use the TunnelServer or the StrictSubnets options to restrict what
> other nodes can do.
>
> But even if you could prevent the laptop user from introducing foreign
> hosts using tinc, he can simply use a separate VPN to have foreign nodes
> connect to his laptop, and then use NAT to give them access to your VPN. So
> in short, if you don't trust someone to behave, you shouldn't allow him
> access at all.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>