I want tinc to listen locally on loopback, so that port 655 is not exposed on any system interfaces. Can't tinc make outbound connections when listening on loopback? I can't see any reason why it should. This system will never have other tinc daemons connect to it, it will only ever connect to other tinc daemons in order to establish a VPN connection.

--
Jonny Tyers

On Sat, 17 Nov 2018 at 22:03, Clemens Schrimpe <clemens.schrimpe at gmail.com> wrote:
>
> The only thing „localhost“ can talk to is „localhost“ - by definition & independently of tinc.
>
> What are you trying to accomplish with that choice?
>
> Clemens
>
> Sent from my iPad
>
> > On 17.11.2018 at 21:58, Jonny Tyers <jtyers at gmail.com> wrote:
> >
> > Hi there,
> >
> > Thanks for tinc, firstly. It's awesome. Now, I've found that if I specify:
> >
> > BindAddress = 127.0.0.1 655
> >
> > Then my tincd cannot make outbound connections (on attempting to
> > connect to another tinc daemon it receives 'Invalid argument').
> > Removing BindAddress fixes the issue. Unless I've misunderstood the
> > purpose of this option, is this a bug?
> >
> > I'm running v1.0.35 on Arch Linux
> > _______________________________________________
> > tinc mailing list
> > tinc at tinc-vpn.org
> > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Sat, Nov 17, 2018 at 11:20:47PM +0000, Jonny Tyers wrote:
> I want tinc to listen locally on loopback, so that port 655 is not
> exposed on any system interfaces. Can't tinc make outbound connections
> when listening on loopback? I can't see any reason why it should. This
> system will never have other tinc daemons connect to it, it will only
> ever connect to other tinc daemons in order to establish a VPN
> connection.
>
> --
> Jonny Tyers

Binding to loopback means you can make any outbound or inbound connections you'd like - on loopback. Since loopback doesn't route to the Internet, there's no way to make outbound connections.

Why are you worried about exposing port 655 on any system interfaces? You should be using a firewall to make it not exposed externally. If you're worried about it being exposed internally, loopback has the same issue as any user or application can connect to it.

Jookia.
On Sat, Nov 17, 2018 at 3:20 PM Jonny Tyers <jtyers at gmail.com> wrote:
> I want tinc to listen locally on loopback, so that port 655 is not
> exposed on any system interfaces.

Did you consider or try "ListenAddress"?

https://tinc-vpn.org/documentation-1.1/Main-configuration-variables.html#Main-configuration-variables

-Parke
Thanks all for your messages; ListenAddress is in fact the thing I am looking for, thank you.

To Jookia's point about firewalls, I of course use a firewall to protect ports, but in the name of defending in depth, I'd rather not expose a listening port in the first place if it is never to be used. Many other daemons use 'bind address' terminology in their documentation when talking about listen-only sockets; I think it would be a good idea to add a line to the man page next to 'BindAddress' pointing out 'ListenAddress' so less attentive users (like myself) don't get caught out by it.

--
Jonny Tyers

On Sun, 18 Nov 2018 at 09:40, Jookia <166291 at gmail.com> wrote:
>
> On Sat, Nov 17, 2018 at 11:20:47PM +0000, Jonny Tyers wrote:
> > I want tinc to listen locally on loopback, so that port 655 is not
> > exposed on any system interfaces. Can't tinc make outbound connections
> > when listening on loopback? I can't see any reason why it should. This
> > system will never have other tinc daemons connect to it, it will only
> > ever connect to other tinc daemons in order to establish a VPN
> > connection.
> >
> > --
> > Jonny Tyers
>
> Binding to loopback means you can make any outbound or inbound
> connections you'd like - on loopback. Since loopback doesn't route to the
> Internet, there's no way to make outbound connections.
>
> Why are you worried about exposing port 655 on any system interfaces?
> You should be using a firewall to make it not exposed externally.
> If you're worried about it being exposed internally, loopback has the
> same issue as any user or application can connect to it.
>
> Jookia.
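A small config lint for the distinction the thread settles on, written as an added example and not code from the tinc project: it reads a tinc.conf, flags a bind-address option pinned to a loopback address (tinc's manual spells the option BindToAddress, the thread writes BindAddress; both are accepted here) because that option also binds outgoing sockets and produces the 'Invalid argument' failure above, and accepts ListenAddress, which only restricts the listening socket. The two configs below are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample tinc.conf reproducing the misconfiguration from the thread.
BROKEN_CONF = """\
Name = laptop
ConnectTo = office
# Meant to hide port 655, but BindToAddress also binds outgoing sockets
BindToAddress = 127.0.0.1 655
"""

# Corrected form: ListenAddress only affects the listening socket.
FIXED_CONF = BROKEN_CONF.replace("BindToAddress", "ListenAddress")

# The manual spells it BindToAddress; the thread uses BindAddress.
BIND_KEYS = {"bindtoaddress", "bindaddress"}

def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Parse tinc.conf 'Key = Value' lines; '#' starts a comment."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        pairs.append((key, value))
    return pairs

def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8, ::1 or 'localhost'; False for '*' or other hostnames."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False

def lint(text: str) -> List[str]:
    """Return one warning per option that would break outgoing connections."""
    warnings = []
    for key, value in parse_conf(text):
        if key.lower() not in BIND_KEYS:
            continue
        address = value.split()[0]  # option format: <address> [<port>]
        if is_loopback(address):
            warnings.append(
                f"{key} = {value}: also binds outgoing sockets to loopback, so "
                f"ConnectTo fails with 'Invalid argument'; use "
                f"ListenAddress = {value} to restrict only the listening socket")
    return warnings

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or ["ok"])
```

After restarting tincd with the corrected config, `ss -ltn 'sport = :655'` should list only a loopback address (127.0.0.1 or ::1) as the local address.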