Hello,

Sorry if reposted. Original was auto rejected for not being subscribed to the mailing list.

I am making some systems that are going to be donated to different organizations and I want the kids to be able to share programs they write with each other on the different disks automatically and securely. Can I network these systems without knowing individual IPs and not touching firewalls? I was thinking maybe I could use a DNS service like duckdns to substitute IPs with comp1.duckdns.org, comp2.duckdns.org, etc. Is this even possible/advisable using tinc?

I am guessing I would minimally need to know the internal private IPs to avoid conflicts.
On Mon, Jan 15, 2018 at 01:56:11AM -0500, waltfeasel at gmail.com wrote:

> I am making some systems that are going to be donated to different
> organizations and I want the kids to be able to share programs they
> write with each other on the different disks automatically and securely. Can
> I network these systems without knowing individual IPs and not
> touching firewalls? I was thinking maybe I could use a DNS service like
> duckdns to substitute IPs with comp1.duckdns.org, comp2.duckdns.org,
> etc.
> Is this even possible/advisable using tinc?

Yes.

> I am guessing I would minimally need to know the internal private IPs
> to avoid conflicts.

Indeed, you need to carefully choose an address range for your tinc network so that there are no conflicts with the local network of any of the peers. If possible, try to use IPv6. With RFC 4193, you can generate a unique private address range that is virtually certain to not conflict with anything. Also, you will have a huge address space to work with. You might also be able to acquire a globally unique address range for your project.

As for the external addresses of the systems: there is no need for all nodes in the VPN to know the external address of all other nodes up front. Also, you can use hostnames instead of numeric addresses, so indeed, if you have a DNS zone set up you can make use of that.

As long as you have one or more central nodes with a known IP address or hostname that other nodes can connect to, you do not need to know the external IP addresses of any of the other nodes. As soon as tinc daemons connect to the central nodes, they will learn about each other's addresses, and will use this information to connect to each other directly, if possible.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
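The RFC 4193 step Guus recommends, as an added worked example that is not part of the thread or of tinc itself: it builds a /48 ULA prefix exactly as section 3.2.2 of the RFC describes (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID under fd00::/8), then carves a per-node /128 for each donated box and prints it in the form of a tinc host-file `Subnet` line. The MAC address and time used in the code are constructed placeholders; on a real deployment you would run this once on the admin machine and record the resulting prefix.

```python
import hashlib
import ipaddress
import time
import uuid
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ntp_timestamp(now: Optional[float] = None) -> int:
    """64-bit NTP timestamp: seconds since 1900 in the high 32 bits, fraction in the low 32."""
    if now is None:
        now = time.time()
    seconds = int(now) + NTP_EPOCH_OFFSET
    fraction = int((now - int(now)) * (1 << 32))
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def eui64_from_mac(mac: int) -> int:
    """Expand a 48-bit MAC into a modified EUI-64: insert FF:FE in the middle and flip the U/L bit."""
    high, low = (mac >> 24) & 0xFFFFFF, mac & 0xFFFFFF
    return ((high << 40) | (0xFFFE << 24) | low) ^ (1 << 57)


def ula_prefix(ntp_time: int, eui64: int) -> ipaddress.IPv6Network:
    """RFC 4193 s3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64); prefix = fd00::/8 + Global ID."""
    key = ntp_time.to_bytes(8, "big") + eui64.to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    # Layout: 8-bit fd prefix, 40-bit Global ID, then 16-bit Subnet ID and 64-bit Interface ID left zero.
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def node_address(prefix: ipaddress.IPv6Network, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """Pick one /64 out of the /48 (16-bit Subnet ID) and assign a non-zero 64-bit Interface ID."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 1 << 16 or not 0 < interface_id < 1 << 64:
        raise ValueError("need a /48 ULA prefix, a 16-bit subnet id and a non-zero 64-bit interface id")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | interface_id)


if __name__ == "__main__":
    # Constructed inputs: the admin machine's MAC (via uuid.getnode) and the current time.
    prefix = ula_prefix(ntp_timestamp(), eui64_from_mac(uuid.getnode()))
    print(f"tinc VPN range: {prefix}")
    # Hypothetical node names; each gets its own host number in subnet 1 of the /48.
    for n, name in enumerate(["hub", "comp1", "comp2"], start=1):
        print(f"{name}: Subnet = {node_address(prefix, 1, n)}/128")
```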
Guus,

On Mon, 2018-01-15 at 18:58 +0100, Guus Sliepen wrote:
> On Mon, Jan 15, 2018 at 01:56:11AM -0500, waltfeasel at gmail.com wrote:
>
> > I am making some systems that are going to be donated to different
> > organizations and I want the kids to be able to share programs they
> > write with each other on the different disks automatically and securely.
> > Can I network these systems without knowing individual IPs and not
> > touching firewalls? I was thinking maybe I could use a DNS service
> > like duckdns to substitute IPs with comp1.duckdns.org, comp2.duckdns.org,
> > etc.
> > Is this even possible/advisable using tinc?
>
> Yes.
>
> > I am guessing I would minimally need to know the internal private
> > IPs to avoid conflicts.
>
> Indeed, you need to carefully choose an address range for your tinc
> network so that there are no conflicts with the local network of any of
> the peers. If possible, try to use IPv6. With RFC 4193, you can generate
> a unique private address range that is virtually certain to not conflict
> with anything. Also, you will have a huge address space to work with.
> You might also be able to acquire a globally unique address range for
> your project.
>
> As for the external addresses of the systems: there is no need for all
> nodes in the VPN to know the external address of all other nodes up
> front. Also, you can use hostnames instead of numeric addresses, so
> indeed, if you have a DNS zone set up you can make use of that.
>
> As long as you have one or more central nodes with a known IP address or
> hostname that other nodes can connect to, you do not need to know the
> external IP addresses of any of the other nodes. As soon as tinc daemons
> connect to the central nodes, they will learn about each other's
> addresses, and will use this information to connect to each other
> directly, if possible.

Thank you for the response and the suggestion about using IPv6 addresses!

Now to get reading ;)

Walt