Glauber Ferreira
2017-Dec-18 19:37 UTC
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
For some weeks I've been trying to devise a way to connect multiple users in various parts of the city and state, and I found out that most likely Tinc is the only daemon that does the kind of meshing I want. I was successful in connecting some servers of mine around in switch mode, but now comes the hard part: how can I authenticate clients on my network? I would also need to direct static leases and subnets to them; is this safely possible in switch mode? What other kinds of attacks should I be aware of? (Impersonation, any kind of malicious broadcasts, etc.)

For now, my configuration is that every peer connects to a master node where there's also a dnsmasq daemon which hands out IPs.
Parke
2017-Dec-18 21:26 UTC
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
On Mon, Dec 18, 2017 at 11:37 AM, Glauber Ferreira <glaubermmf at gmcomms.com.br> wrote:
> What other kind of attacks should I be aware of?
> (Impersonation, Any kinds of malicious broadcasts, etc)

Possibly relevant: http://www.tinc-vpn.org/pipermail/tinc/2017-May/004864.html

Etienne Dechamps wrote:
> In general however, I would advise against trusting other nodes, even with
> StrictSubnets=yes. tinc is not currently designed to provide strong
> protection against insider attacks - for the most part it assumes that
> every node inside the metaconnection graph can be trusted. In my opinion
> tinc will do poorly in a scenario where a "compromised node" is part of
> your threat model.

-Parke
Azul
2017-Dec-18 22:03 UTC
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
I use https://github.com/JeevesTakesOver/Railtrack/blob/master/README.rst; however, in my setup I do trust the nodes in the VPN, so this may not exactly work out for what you want.

On Mon, 18 Dec 2017 at 20:07, Glauber Ferreira <glaubermmf at gmcomms.com.br> wrote:
> For some weeks I've been trying to devise a way to connect multiple users
> in various parts of the city and state, and I found out that most likely
> Tinc is the only daemon that does the kind of meshing I want.
> I was successful in connecting some servers of mine around in switch mode,
> but now comes the hard part: How can I authenticate clients on my network?
> I would also need to direct static leases and subnets to them, is this
> safely possible on switch mode? What other kind of attacks should I be
> aware of? (Impersonation, Any kinds of malicious broadcasts, etc)
>
> For now, my configuration is that every peer connects to a master node
> where there's also a dnsmasq daemon which hands out IPs.
Glauber Ferreira
2017-Dec-18 22:41 UTC
Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
Thanks! Will get in touch with the author about the security implications.

---- On Mon, 18 Dec 2017 20:03:21 -0200 Azul <mail at azulinho.com> wrote ----
> I use https://github.com/JeevesTakesOver/Railtrack/blob/master/README.rst however in my setup I do trust the nodes in the VPN, so this may not exactly work out for what you want

I tested ZeroTier for some time but unfortunately I decided not to use it for a number of factors:
- Can only be configured by API
- Depends on central ZeroTier servers
- Little documentation

Furthermore, I'm intrigued by how cjdns works: is cjdns made to only work with Hyperboria? If I install it, will I inevitably peer with them? How will I peer with other nets such as dn42 in the future if I use cjdns? I guess I'll try to find these answers on the internet or in their repo.

---- On Mon, 18 Dec 2017 19:40:41 -0200 Parke <parke.nexus at gmail.com> wrote ----
> Hi Glauber,
>
> [Offlist] Have you considered ZeroTier? https://zerotier.com/
> I have not used it, but it might deal better with untrusted peers, given that each peer's identity is tightly bound to an IPv6 address.
>
> Have you considered Cjdns? I have not used it, either. It came before ZeroTier, I think, and the two may have some similarities.
> https://github.com/cjdelisle/cjdns
>
> Cheers,
> Parke

Well, how does ChaosVPN do it then? Is it a fork?

---- On Mon, 18 Dec 2017 19:26:27 -0200 Parke <parke.nexus at gmail.com> wrote ----
> On Mon, Dec 18, 2017 at 11:37 AM, Glauber Ferreira <glaubermmf at gmcomms.com.br> wrote:
> > What other kind of attacks should I be aware of?
> > (Impersonation, Any kinds of malicious broadcasts, etc)