I'm looking for a way to add some (Linux) participants into my tinc network, but I want to protect them from accidentally binding a port so that it's accessible via tinc.

For example, `nc -l` by default listens to all interfaces.

Similarly, some software (I think mongodb < 2.6 was among those) binds to all interfaces AND allows unauthenticated access that can do remote code execution, which is a security nightmare.

While these are arguably cases of "the user should be careful what interface they let their programs listen to", I want to avoid the possibility of this altogether, and want to configure tinc such that on selected participants, there's no interface that programs could bind to, so that only outgoing connections work.

How can I achieve that?

I imagine the easiest way would be to make it so that tinc creates no tun device. Is the `DeviceType = raw_socket` option what I'm looking for?

Thanks!
Niklas
Why not just firewall incoming traffic on the clients?

On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me> wrote:
> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
>
> For example, `nc -l` by default listens to all interfaces.
>
> Similarly, some software (I think mongodb < 2.6 was among those) bind to
> all interfaces AND allow unauthenticated access that can do remote code
> execution, which is a security nightmare.
>
> While these are arguably cases of "the user should be careful what
> interface they let their programs listen to", I want to avoid the
> possibility of this all together, and want to configure tinc such that
> on selected participants, there's no interface that programs could bind
> to, so that only outgoing connections work.
>
> How can I achieve that?
>
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking for?
>
> Thanks!
> Niklas
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
That would probably work, too; it's harder to configure though and easier to get wrong. If I could avoid having the tun0, that would trivially solve the problem.

On 27/01/17 09:41, Azul wrote:
> Why not just firewall incoming traffic on the clients?
On Fri, Jan 27, 2017 at 01:24:37AM +0100, Niklas Hambüchen wrote:
> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
[...]
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking for?

You can use DeviceType = dummy to make tinc run without a tun device. Note that the node running tinc then cannot access the VPN at all; it then only acts as a forwarder and/or NAT helper for other nodes.

Otherwise, the best option is to add firewall rules that disallow any new incoming connections from the VPN interface, but still allow outgoing connections. Example commands to do this:

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i <VPN interface> -j DROP

Don't forget about IPv6, where you have to add similar rules.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
OK, looks like iptables it is then.

I found that the tinc-up script is a convenient place to put this, and with newer iptables's `--check` feature, we can ensure that the rule isn't added more than once when tinc is restarted. So I'm currently using in there something like:

    iptables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT || ip6tables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable || iptables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable
    ip6tables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable || ip6tables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable

Thanks for your hints!

On 27/01/17 17:33, Guus Sliepen wrote:
> Otherwise, the best option is to add firewall rules that disallow any
> new incoming connections from the VPN interface, but still allow
> outgoing connections. Example commands to do this:
>
>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A INPUT -i <VPN interface> -j DROP
>
> Don't forget about IPv6, where you have to add similar rules.
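The same approach written as a complete tinc-up script, added here as an illustration (not code from the thread or from tinc itself): it takes the interface name from the `$INTERFACE` variable tinc exports to its scripts, keeps the rules idempotent with `--check`, and covers both address families; the fallback interface name and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Example tinc-up script (added illustration, not code from the thread).
# Goal: let the VPN interface carry only replies to connections this host
# started, so nothing that binds 0.0.0.0 or :: becomes reachable over tinc.
# tinc exports $INTERFACE to tinc-up; the fallback is a constructed name.
IFACE="${INTERFACE:-tun0examplevpn}"

# Print the rule specifications for one address family, one per line.
# Order matters: the ACCEPT for reply traffic must precede the REJECT.
# $1 is the --reject-with type for that family.
vpn_rules() {
    printf '%s\n' \
        "INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "INPUT -i $IFACE -j REJECT --reject-with $1"
}

# Append a rule only if an identical one is not already present, so a tinc
# restart does not duplicate it (iptables --check exists since 1.4.11).
# $1 is the firewall binary (iptables or ip6tables); the rest is the rule.
ensure_rule() {
    bin="$1"; shift
    "$bin" --check "$@" 2>/dev/null || "$bin" --append "$@"
}

# Apply both families. On a tap device (tinc switch mode) IPv6 neighbour
# discovery is untracked ICMPv6 and would be rejected as well; add an ACCEPT
# for -p icmpv6 ahead of the REJECT in that case.
apply_vpn_firewall() {
    vpn_rules icmp-port-unreachable | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        ensure_rule iptables $rule
    done
    vpn_rules icmp6-port-unreachable | while read -r rule; do
        ensure_rule ip6tables $rule
    done
}

# Only touch the firewall when tinc really invoked us with an interface;
# sourcing the file otherwise just defines the functions.
if [ -n "$INTERFACE" ]; then
    apply_vpn_firewall
fi
```

Verify the result with `iptables -S INPUT` and `ip6tables -S INPUT` after tinc starts: each rule must appear exactly once, and a second restart must not add more.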