Just search online why in general that is insecure via CLI vs programmatic for first class automation.. there is a reason why snmp, rest, ... exist.

On Thu, Mar 29, 2018 at 3:50 AM, Tomasz Chmielewski <mangoo at wpkg.org> wrote:
> You've mentioned security issues in your previous email, but now you're
> hopping to management issues.
>
> Have you tried Ansible, Chef or Puppet for automation? It works well for
> hundreds of servers, different services and not just one kind of VPN.
>
> Tomasz Chmielewski
> https://lxadm.com
>
> On 2018-03-29 16:10, al so wrote:
>> Programmatic management with first class APIs is preferred for larger
>> deployments..
>>
>> On Mon, Mar 26, 2018 at 12:28 PM, Tomasz Chmielewski <mangoo at wpkg.org> wrote:
>>> Could you elaborate on why CLI (SSH) managing is insecure?
>>>
>>> Tomasz Chmielewski
>>> https://lxadm.com
>>>
>>> On 2018-03-27 04:23, al so wrote:
>>>> So, for remote manageability of Tinc, we don't have any SNMP or REST
>>>> like programmatic ways?
>>>>
>>>> If it is going to be CLI only, it is definitely not secure to manage
>>>> and also not very convenient to manage programmatically.
>>>>
>>>> On Sun, Mar 25, 2018 at 1:44 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>>>>> On Sat, Mar 24, 2018 at 02:16:20PM -0700, al so wrote:
>>>>>> Is there any quickstart guide to set up a site-to-site VPN using
>>>>>> Tinc 1.1 pre-rel?
>>>>>
>>>>> You can find an example of a site-to-site VPN with four sites here:
>>>>>
>>>>> http://tinc-vpn.org/documentation/Example-configuration.html
>>>>>
>>>>>> Assuming I have two routers at two sites running tinc vpn along with
>>>>>> routing feature.
>>>>>
>>>>> If you only have two sites, then just look at the example configuration
>>>>> for "Branch A" and "Branch B" in the page I linked, and ignore the other
>>>>> two sites.
>>>>>
>>>>>> Once I set up manually and validate the connection, I want to automate
>>>>>> using REST APIs.
>>>>>
>>>>> Tinc does not expose any REST APIs. With tinc 1.1, you can use the
>>>>> command line tool to automate things though, see:
>>>>>
>>>>> http://tinc-vpn.org/documentation-1.1/Controlling-tinc.html
automation refers to day to day vpn management from non-IT layman... not a geek running shell/ansible scripts.

On Thu, Mar 29, 2018 at 8:48 AM, al so <volkswak at gmail.com> wrote:
> Just search online why in general that is insecure via CLI vs programmatic
> for first class automation.. there is a reason why snmp, rest, ... exist.
SNMP is mainly used for monitoring, not _server_ automation.

Also, it's inherently insecure for anything else - only SNMPv3 offers any kind of encryption, and it's DES - 56 bit only, and you can easily brute-force it on an average computer.

If you could provide some serious articles about why CLI is insecure, I'd be interested to read.

Tomasz Chmielewski
https://lxadm.com

On 2018-03-30 00:48, al so wrote:
> Just search online why in general that is insecure via CLI vs
> programmatic for first class automation.. there is a reason why snmp,
> rest, ... exist.
Al, like any open-source or free software, you need to put the leg work into what you want it to be. My company is actually creating something using TINC and we believe in it. If successful, we'll be giving back to TINC monetarily in a big way to make TINC even better, so if TINC isn't for you, keep an eye on further developments in the future.

Thanks,
Rafael

On Thu, Mar 29, 2018 at 12:03 PM, Tomasz Chmielewski <mangoo at wpkg.org> wrote:
> SNMP is mainly used for monitoring, not _server_ automation.
>
> Also, it's inherently insecure for anything else - only SNMPv3 offers any
> kind of encryption, and it's DES - 56 bit only, and you can easily
> brute-force it on an average computer.
>
> If you could provide some serious articles about why CLI is insecure, I'd
> be interested to read.
>
> Tomasz Chmielewski
> https://lxadm.com
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

--
Rafael
765-714-7257
There is a reason most NMS systems used SNMP in the past and REST APIs for the past 7+ years. They don't use CLIs except toy Expect type scripts.. Not just security but better error handling and more.

Good luck learning!

On Thu, Mar 29, 2018 at 9:03 AM, Tomasz Chmielewski <mangoo at wpkg.org> wrote:
> SNMP is mainly used for monitoring, not _server_ automation.
>
> Also, it's inherently insecure for anything else - only SNMPv3 offers any
> kind of encryption, and it's DES - 56 bit only, and you can easily
> brute-force it on an average computer.
>
> If you could provide some serious articles about why CLI is insecure, I'd
> be interested to read.
>
> Tomasz Chmielewski
> https://lxadm.com
This part I have to answer on-list:

> On 29 Mar 2018, at 17:50, al so <volkswak at gmail.com> wrote:
>
> automation refers to day to day vpn management from non-IT layman... not a geek running shell/ansible scripts.

Dear Also / Volk Swak,

TINC has its uses and place in the VPN environment. Perhaps you could/should consider https://pritunl.com/ or http://www.softether.org/, which might better fit the environment you want/need.