Other feature requests

Julien Muchembled jm at jmuchemb.eu
Fri Sep 10 13:12:48 CEST 2010


Hello,


Great to see that my patch for new '-o' command-line option has been accepted :)
It was the most important missing feature for me.
But there are other ones I'd like to see implemented:

1. push options to clients (see push/pull options of OpenVPN)
2. automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN (see redirect-gateway of OpenVPN)
3. prevent a node from stealing an IP
4. prevent nodes from giving access to new nodes

Yes, the list is quite long and implementation is probably not trivial. You could reply that I should still use OpenVPN, but really, centralized VPNs are so inefficient when clients are all around the world.
I'd like to get rid of OpenVPN completely. For my personal use, current tinc is ok (although feature 1 & 2 would be nice). I am the administrator of the OpenVPN network of my company and I'm afraid tinc does not provide enough security (features 3 & 4).

More details on the requested features:

1. Pushing options to clients makes it possible to centralize configuration, without having to reconfigure every node when one decides to change IP or any other network setting.

2. redirect-gateway is a nice shortcut (especially on Windows, because currently I don't know how to do otherwise). I like securing a wifi connection with a VPN instead of wifi encryption.

3. I don't know the status of Tinc about this. I'd like to be sure that if a node A steals the IP of another node B, intentionally or not, B is not affected (and A just loses all packets).

4. I don't want any client to be allowed to extend the network by giving access to new nodes. I should be the only person allowing a machine to join the VPN, by configuring 2 or 3 "master" nodes.
In fact, what is important is to protect nodes from being accessed by unauthorized nodes. So we could imagine an option that we enable on every node A that should be protected from unauthorized nodes: whenever A sees a new node B, it asks a master node if B is authorized.
A workaround would be to force all traffic to go through the "master" nodes, and the result would still be better than with OpenVPN. Maybe options already exist for that.


What do you think of these features? Is there anything already implemented I would have missed? Maybe only in the 1.1 branch?

I am ready to help on these topics, either for design or coding.


Regards,
Julien