If I am understanding correctly, you have a central node, 3 sub nodes, and
3 techs that should be able to access only the node assigned to them?
And the current issue is that tinc of course tries to help everyone play
nice, thus letting tech A access the site C subnet, for example.
Simple solution, I think.
Each site connects to admin; each site does NOT have the keys or
information to connect to each other (note this will cause admin to handle
all routing for each site, desired or undesired?).
Also set

    IndirectData = no
    Forwarding = kernel

in each tinc.conf.
You will then need to handle all forwarding rules in the firewall
setup on admin, and thus admin becomes a single point. If you run into a
bad actor you can cut their client off at the firewall, giving you
ample time to rotate out their public key from their site; if for any
reason they hamper this, you can even close their site off via the
firewall or by the admin tinc config, by temporarily blanking the
offending site's public key until said bad actor is dealt with.
This setup will give you more fine-grained control over how tinc
behaves, at the cost of a slight increase to kernel CPU overhead, and
requiring direct firewall configuration to handle packet flow.
Setting the above config options in each tinc.conf also ensures that
if a bad actor attempts to bypass those settings by changing them,
they will give themselves away. They will only be able to change the
ones on their own site; admin being the central point will still have it
set for all sites, and force it to be honored, and the other sites will
have it set, thus ignoring any attempts the bad site makes to talk to
them directly.

    Forwarding = kernel

can also be replaced with

    Forwarding = off

on each site, leaving admin "holding the bag" for literally all VPN
packet movement.
On Tue, Oct 2, 2018 at 2:59 PM Parke <parke.nexus at gmail.com> wrote:
> On Tue, Oct 2, 2018 at 2:41 PM, Michael Munger <mj at hph.io> wrote:
> > It would be nice to just disable the key at some central point and then
> > authentication / encryption / decryption just *break* for that bad actor.
>
> Depending on your specific network topology, 4 separate VPNs might
> very well give you the single break point you want.
>
> If I was going to try to use Tinc to solve your problem, I would start
> by trying the 4 separate VPN approach.
>
> -Parke
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
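As an added illustration of the hub-and-spoke layout described in the reply above (this is example code, not from the thread or the tinc project): a small POSIX sh script that prints the spoke and admin tinc.conf fragments with IndirectData = no and Forwarding = kernel, and the admin-side iptables FORWARD rules that let each tech subnet reach only its own site subnet, plus the one-line emergency cut-off for a misbehaving site. The node names (admin, siteA...), the interface name "vpn", and all subnets are constructed assumptions; the script only prints text so the rules can be reviewed before being applied on admin. It also assumes each spoke's hosts/ directory contains only admin's host file, so spokes hold no key material for one another.

```shell
#!/bin/sh
# Added example, not part of the tinc list thread or the tinc project.
# All node names, subnets and the interface name are constructed assumptions.

TINC_IF="vpn"   # assumed tinc interface name (Interface = vpn in tinc.conf)

# tinc.conf for one spoke: it only knows how to reach admin. Its hosts/
# directory is assumed to contain only hosts/admin, never another site.
spoke_conf() {
    printf 'Name = %s\n' "$1"
    printf 'ConnectTo = admin\n'
    printf 'Interface = %s\n' "$TINC_IF"
    printf 'IndirectData = no\n'    # never relay data for another node
    printf 'Forwarding = kernel\n'  # hand packets to the kernel so the firewall sees them
}

# tinc.conf for admin: spokes connect in; same forwarding policy applies.
admin_conf() {
    printf 'Name = admin\n'
    printf 'Interface = %s\n' "$TINC_IF"
    printf 'IndirectData = no\n'
    printf 'Forwarding = kernel\n'
}

# FORWARD rules for admin. Each argument is a pair "tech_subnet site_subnet";
# traffic from a tech subnet is accepted only towards its own site subnet,
# replies ride on conntrack, and anything else crossing the tinc interface is
# logged and dropped (so a site trying to reach a sibling shows up in the log).
admin_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$TINC_IF"
    for pair in "$@"; do
        tech=${pair%% *}   # text before the first space
        site=${pair##* }   # text after the last space
        printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
            "$TINC_IF" "$TINC_IF" "$tech" "$site"
    done
    printf 'iptables -A FORWARD -i %s -j LOG --log-prefix "tinc-xsite-deny: "\n' "$TINC_IF"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$TINC_IF"
}

# Emergency cut-off for one tech/site subnet, inserted at position 1 so it
# wins before the ACCEPT rules; buys time to rotate that site's key.
cutoff_rule() {
    printf 'iptables -I FORWARD 1 -i %s -s %s -j DROP\n' "$TINC_IF" "$1"
}

# Usage (constructed addresses): review the output, then apply it on admin.
#   spoke_conf siteA > /etc/tinc/vpn/tinc.conf            (on site A)
#   admin_rules "10.9.1.0/24 10.1.0.0/16" "10.9.2.0/24 10.2.0.0/16" | sh
#   cutoff_rule 10.9.2.0/24 | sh                          (site B misbehaving)
```

The per-pair ACCEPT rules, rather than a blanket allow on the tinc interface, are what actually implements "tech A cannot see site C" once Forwarding = kernel makes admin's kernel the only place inter-site packets pass through.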