On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> What version of tinc are you using? tinc 1.1 already does what you want out of
> the box: packets sent from node A to node B through node C will use a key that
> A and B will negotiate between themselves. C doesn't have the key, and will
> act as a blind relay. C will not be able to decipher the packets flowing
> between A and B.
>
> This is different from tinc 1.0, where C would have to decipher the packet in
> order to determine what its final destination is. In tinc 1.1 that routing
> information is sent in cleartext so that C can forward the packet without
> having to decipher it.

I am using tinc 1.0.
Switching to 1.1 makes sense then.
Can C then be completely without keys, a forwarder only with no access to the
network at all?

Armin

> On 2 September 2016 at 09:40, Armin <armin at melware.de> wrote:
>
>     Hello all,
>
>     as written in my other posts, I have a setup of about seven
>     hosts. Two of them (A and B) use StrictSubnets and their own routing via
>     a special host (C), because C has a better connection to A and B than a
>     direct A-B connection.
>
>     Host C is in a place where I need to create special security settings.
>     The VPN-encrypted data shall not be available on host C.
>     There is no need for host C to be in the routing of the tinc VPN; it shall just
>     forward the encrypted packets to another host when needed.
>
>     Is it possible to set up a host as part of a tinc network without
>     access to the (decrypted) packets?
>     Or do I need to set up some other kind of tunnel for this?
>
>     Armin
>
>     _______________________________________________
>     tinc mailing list
>     tinc at tinc-vpn.org
>     https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
C will still need keys in order to establish metaconnections with A and B (as
well as a few other things). However there is no need for C to own any
"Subnets" at all.

On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote:
> On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> [quoted reply snipped; see the message above]
>
> I am using tinc 1.0.
> Switching to 1.1 makes sense then.
> Can C then be completely without keys, a forwarder only with no access to
> the network at all?
>
> Armin
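As an added illustration of the setup Etienne describes (not configuration from the thread or from the tinc project): tinc 1.1 fragments in which A and B own Subnets and run with StrictSubnets, while relay C has a host file with an Address and its keys but deliberately no Subnet line. The netname `vpn`, the host names and all addresses and subnets are assumed.

```ini
# /etc/tinc/vpn/tinc.conf on A  (B is the mirror image with Name = B)
Name = A
ConnectTo = C          # A and B both connect to C; there is no direct A-B metaconnection
StrictSubnets = yes    # honour only the Subnet lines in A's own hosts/ files

# /etc/tinc/vpn/hosts/A  (distributed to B and C; the public keys are appended by tinc)
Address = a.example.org    # assumed public address of A
Subnet = 10.10.0.1/32      # assumed VPN address of A

# /etc/tinc/vpn/hosts/B
Address = b.example.org    # assumed
Subnet = 10.10.0.2/32      # assumed

# /etc/tinc/vpn/tinc.conf on C
Name = C
# C only accepts the incoming metaconnections from A and B, so no ConnectTo is needed

# /etc/tinc/vpn/hosts/C  (keys present for the metaconnections, no Subnet on purpose)
Address = c.example.org    # assumed public address of C
```

With these files A and B route 10.10.0.1 and 10.10.0.2 to each other via C and negotiate their packet key between themselves; omitting the Subnet line keeps C out of the VPN's routing but does not remove C's own host key, which the metaconnections still require.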
On 09/03/2016 10:56 AM, Etienne Dechamps wrote:
> C will still need keys in order to establish metaconnections with A and B (as
> well as a few other things). However there is no need for C to own any
> "Subnets" at all.

If somebody breaks into C, he could get access to the VPN network, right?
Because the keys are there, it will be possible to use them to get access.
Even if A-B connections via C are not decrypted, connections A-C and B-C are
still possible, right?

Armin

> On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote:
> [earlier messages quoted in full; see above]

-- 
Cytronics & Melware
Weinbergstrasse 39, 55296 Loerzweiler / Germany
Tel: +49 6138 99998-100
Fax: +49 6138 99998-109
VoIP: sip:info at melware.net
mailto:info at melware.de
http://www.melware.de