Hi all!

Is there any way to make tinc use keys from a keyring or similar?

I'm trying to find a way to manage multiple servers, making it easier to register a new user to the network.

Thanks!

--
Martin Iñaki Malerba
inakimmalerba at gmail.com
inaki at satellogic.com

On Fri, Jan 05, 2018 at 01:15:17PM -0300, Inaki Malerba wrote:

> Is there any way to make tinc use keys from a keyring or similar?
>
> I'm trying to find a way to manage multiple servers, making it easier to
> register a new user to the network.

Are you talking about public keys or private keys? Also, which keyring technology do you have in mind?

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>

On Fri, Jan 05, 2018 at 02:34:00PM -0300, Inaki Malerba wrote:

> Public keys I mean.
>
> I'd like to manage an easier way to distribute public keys when a new
> user is added to the network.
>
> I'm thinking of mounting hosts/ over ssh on the servers and have it
> centralized.
> Also, distributing server config (host file, ConnectTo, etc) to the
> clients via Debian package or git maybe.
>
> Has anyone done something different with this?

For tinc 1.0, have a look at the ChaosVPN tools. These take care of distributing configuration files to any number of clients, securely, from a central repository:

https://github.com/ryd/chaosvpn

If you can live with just distributing the hosts/ directory, then pretty much anything will work, including Debian packages or git.

For tinc 1.1, things are a bit different: you can use the invitation system to add new nodes to a VPN and automatically have them exchange information on how to connect. It's not perfect yet, but the idea is that this will automatically keep all hosts in sync. See:

https://tinc-vpn.org/documentation-1.1/Invitations.html

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>

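A check that could be run over a hosts/ directory before it is pushed out by git or a Debian package, as discussed in the message above. This is an added example, not part of the original thread and not code from tinc or ChaosVPN; the names audit_hosts_dir and demo are hypothetical, and the sample host files are constructed, not real keys.

```python
import re
import tempfile
from pathlib import Path

NODE_NAME = re.compile(r"^[A-Za-z0-9_]+$")  # tinc node names: alphanumerics and underscore
PUBLIC_KEY = re.compile(r"-----BEGIN RSA PUBLIC KEY-----|^\s*Ed25519PublicKey\s*=", re.M)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")


def audit_hosts_dir(hosts_dir):
    """Return {filename: [problems]} for host files that should not be distributed as-is."""
    findings = {}
    for path in sorted(Path(hosts_dir).iterdir()):
        if not path.is_file() or path.name.endswith(("-up", "-down")):
            continue  # skip subdirectories and tinc's per-host up/down scripts
        text = path.read_text(errors="replace")
        problems = []
        if not NODE_NAME.match(path.name):
            problems.append("invalid node name")
        if PRIVATE_KEY.search(text):
            problems.append("contains private key material")
        if not PUBLIC_KEY.search(text):
            problems.append("no public key")
        if problems:
            findings[path.name] = problems
    return findings


def demo():
    """Build a constructed hosts/ directory (sample data only) and audit it."""
    samples = {
        "server1": "Address = vpn.example.org\nSubnet = 10.0.0.1/32\n"
                   "-----BEGIN RSA PUBLIC KEY-----\nCONSTRUCTED\n-----END RSA PUBLIC KEY-----\n",
        "laptop_a": "Subnet = 10.0.0.2/32\nEd25519PublicKey = CONSTRUCTEDKEY\n",
        "nokey": "Subnet = 10.0.0.3/32\n",
        "leaky": "Subnet = 10.0.0.4/32\n-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
                 "-----END RSA PRIVATE KEY-----\n",
        "bad-name": "Ed25519PublicKey = CONSTRUCTEDKEY\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return audit_hosts_dir(tmp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {', '.join(problems)}")
```

Running it as a pre-commit or package-build step keeps a stray private key or a key-less host file out of the centrally distributed directory.
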
On Fri, Jan 05, 2018 at 05:30:53PM -0300, Inaki Malerba wrote:

> Also, autodiscovery over lan is working? Keys shared between all hosts
> is enough?

There is the LocalDiscovery option that can be enabled. However, it does not automatically exchange keys with nodes on the LAN. Instead, it is there to assist when two nodes that are on the same LAN, are part of the same VPN, and are connected to an external node in that VPN, but don't know each other's local address. The LocalDiscovery option will then help them connect directly via the LAN.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>