On 2017-07-10 18:32, Matthew Nichols wrote:
> 1. That entirely depends on how you have it set up (look at
> StrictSubnets and TunnelServer). It might also be recommended to have
> every node re-key itself (http://tinc-vpn.org/security/).

I've used StrictSubnets and TunnelServer (and probably will keep using this so roadwarriors don't see each other, though looking at the logs and adding the route manually simply would allow them to connect to the others in some cases), but that's not the point.

I understand on a security bug or something, but having to rekey all the hosts 'cause someone gets fired to me sounds insane.
There must be an easy way to block somebody from connecting to the VPN?
Isn't removing its reference on the "servers" enough?

> 2. No, tinc cannot do this itself.

ok

> 3. That is not a bad approach.

ok

> -----Original Message-----
> From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Alessandro Briosi
> Sent: Monday, July 10, 2017 1:43 AM
> To: tinc at tinc-vpn.org
> Subject: Some tinc clarifications
>
> Hi all,
> I'm currently happily using tinc in my networks.
>
> I also use OpenVPN based on the customer requirements.
>
> I do, though, have some questions to which I could not find a clear answer.
>
> What I'd like to know is:
> 1. How to revoke a "node"; is simply removing the host file on the servers enough? And one created by invitation?
> 2. Is there a way to let tinc ask for a username/password (like it's possible with OpenVPN)?
> (I know this might be complicated as one would have to have a centralized or synced user db, but that's not tinc's business anyway).
> 3. Suppose I have 3 or more tinc "servers", is it suggested that the "hosts" directory be synced between those hosts?
>
> Thank you.
> Alessandro
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Tue, Jul 11, 2017 at 09:58:39AM +0200, Alessandro Briosi wrote:
> I understand on a security bug or something, but having to rekey all the
> hosts 'cause someone gets fired to me sounds insane.
> There must be an easy way to block somebody from connecting to the VPN?
> Isn't removing its reference on the "servers" enough?

The proper way is to remove the host key files of those nodes on all other nodes. If only the "servers" have a copy of those host files, you only need to remove it on the servers.

Note that you need to send the tinc daemons on those servers the HUP signal (or "tincd -kHUP" for tinc 1.0, "tinc reload" for tinc 1.1) to have them reread the host config files and disconnect any nodes for which it doesn't have a host config file anymore.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
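The revocation procedure Guus describes above, as an added shell example that is not part of the original thread and not tinc's own tooling: it deletes hosts/NODE under /etc/tinc/NET and then asks the running daemon to re-read its configuration with "tinc reload" (tinc 1.1) or "tincd -kHUP" (tinc 1.0). The TINC_CONFDIR override, the node-name check (tinc node names consist of letters, digits and underscores only) and the refusal to delete the local node's own host file are this example's own additions; the layout /etc/tinc/NET/{tinc.conf,hosts/NODE} is assumed. Because a node whose host file still exists on another server can keep connecting through that server, the script has to be run on every node that holds a copy of the file, which is the "all other nodes" in Guus's answer.

```shell
#!/bin/sh
# Added example (not tinc's own code): revoke a tinc node on this host by
# removing its host config file and reloading the daemon.
# Assumed layout: $TINC_CONFDIR/<NET>/tinc.conf and $TINC_CONFDIR/<NET>/hosts/<NODE>.
set -eu

TINC_CONFDIR="${TINC_CONFDIR:-/etc/tinc}"

# tinc node names may only contain letters, digits and underscores.  Rejecting
# anything else also stops a name like "../tinc.conf" from escaping hosts/.
valid_node_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the local node's own name from "Name = ..." in tinc.conf (assumed to be
# set there literally; this example does not resolve the "$HOST" form).
local_node_name() {
    sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1/tinc.conf" | head -n 1
}

# Delete hosts/<NODE> for network <NET>.  Refuses to delete the local node's own
# host file, since that would break this daemon rather than revoke a peer.
tinc_revoke_host() {
    net="$1"; node="$2"
    netdir="$TINC_CONFDIR/$net"
    valid_node_name "$node" || { echo "invalid node name: $node" >&2; return 2; }
    [ "$(local_node_name "$netdir")" != "$node" ] || { echo "refusing to remove own host file $node" >&2; return 3; }
    hostfile="$netdir/hosts/$node"
    [ -f "$hostfile" ] || { echo "no host file for $node in $netdir/hosts" >&2; return 4; }
    rm -f "$hostfile"
    echo "removed $hostfile"
}

# Make the running daemon re-read its host files and disconnect any node that
# no longer has one: "tinc reload" on tinc 1.1, "tincd -kHUP" on tinc 1.0.
tinc_reload() {
    net="$1"
    if command -v tinc >/dev/null 2>&1; then
        tinc -n "$net" reload
    elif command -v tincd >/dev/null 2>&1; then
        tincd -n "$net" -kHUP
    else
        echo "neither tinc nor tincd found in PATH; send SIGHUP to tincd for $net manually" >&2
        return 1
    fi
}

tinc_revoke_node() {
    tinc_revoke_host "$1" "$2" && tinc_reload "$1"
}

# Usage: sh revoke.sh NET NODE   (e.g. "sh revoke.sh myvpn alice" on each server)
if [ "$#" -eq 2 ]; then
    tinc_revoke_node "$1" "$2"
fi
```

The reload step is separated from the file removal so the removal can be checked on its own; in practice the two must be done together, since until the daemon re-reads its configuration an already connected node stays connected.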
On 2017-07-11 12:29, Guus Sliepen wrote:
> On Tue, Jul 11, 2017 at 09:58:39AM +0200, Alessandro Briosi wrote:
>
>> I understand on a security bug or something, but having to rekey all
>> the hosts 'cause someone gets fired to me sounds insane.
>> There must be an easy way to block somebody from connecting to the
>> VPN?
>> Isn't removing its reference on the "servers" enough?
>
> The proper way is to remove the host key files of those nodes on all
> other nodes. If only the "servers" have a copy of those host files, you
> only need to remove it on the servers.

This sounds much more reasonable. Thanks.

> Note that you need to send the tinc daemons on those servers the HUP
> signal (or "tincd -kHUP" for tinc 1.0, "tinc reload" for tinc 1.1) to
> have them reread the host config files and disconnect any nodes for
> which it doesn't have a host config file anymore.

Yes, the same when adding a node.

Thank you.
Alessandro