Hello all,

as written in my other posts, I have a setup of about seven hosts. Two of them (A and B) use StrictSubnets and their own routing via a special host (C), because C has a better connection to A and B than a direct A-B connection.

Host C is in a place where I need to create special security settings. The VPN-encrypted data shall not be available on host C. There is no need for host C to be in the routing of the tinc VPN; it just shall forward the encrypted packets to another host when needed.

Is it possible to set up a host as part of a tinc network without access to the (decrypted) packets? Or do I need to set up some other kind of tunnel for this?

Armin
What version of tinc are you using? tinc 1.1 already does what you want out of the box: packets sent from node A to node B through node C will use a key that A and B will negotiate between themselves. C doesn't have the key, and will act as a blind relay. C will not be able to decipher the packets flowing between A and B.

This is different from tinc 1.0, where C would have to decipher the packet in order to determine what its final destination is. In tinc 1.1 that routing information is sent in cleartext so that C can forward the packet without having to decipher it.

On 2 September 2016 at 09:40, Armin <armin at melware.de> wrote:
> Is it possible to set up a host as part of a tinc network without access to the (decrypted) packets?
> Or do I need to set up some other kind of tunnel for this?
On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> What version of tinc are you using? tinc 1.1 already does what you want out of the box: packets sent from node A to node B through node C will use a key that A and B will negotiate between themselves. C doesn't have the key, and will act as a blind relay.

I am using tinc 1.0. Switching to 1.1 makes sense then.

Can C then be completely without keys, a forwarder only with no access to the network at all?

Armin