[olug] TINC

Guus Sliepen guus at tinc-vpn.org
Wed Nov 14 23:05:45 CET 2012


On Wed, Nov 14, 2012 at 02:16:16PM -0600, Rob Townley wrote:

> tinc is an educational project sponsored by a university aiming to grow
> awareness of encryption over the public internet.  It does not have a
> marketing department.

The tinc website is hosted by Tilburg University, but apart from that there are
no sponsors (except for donations from individuals). It's not an educational
project, although it would be nice if it indeed increased awareness of internet
crypto.

> Peter Gutmann tore apart many different VPNs in his assessment, but still
> ranked tinc the best of those in his comparison.   The only real criticism
> he had was that it still used Defense Encryption Standard DES keys

Tinc never used DES by default. Except for some very early versions, Blowfish
has always been the default.

> > It was not looked on particularly favorably in a comparison some years
> > ago by well known cryptographer Peter Gutmann:
> > http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
> >
> > Admittedly, that review was from 2003.  However, one of the things
> > that post discusses at length, and does a great job of illustrating,
> > is that security software like VPNs is difficult to get right, and
> > very easy to get wrong.

That is very true. Tinc 1.1 (not officially released yet) implements a new
protocol that, I believe, fixes all the issues found by Peter Gutmann.

> > OpenVPN seems to have emerged as the closest thing to a de facto
> > standard for non-IPsec.  Personally, I would stick with either IPsec
> > or OpenVPN for any VPN needs unless I had a *really* good reason to
> > use something else.
> >
> > Personal experience with IPsec and OpenVPN would leave me leaning
> > towards OpenVPN for everything that didn't require compatibility with
> > non-OpenVPN connections (appliances, routers/firewalls, other
> > third-party situations), in which case I'd use IPsec.

I want to remark that if correctly set up, using TLS authentication with strong
certificates, CRL checking, and --tls-auth, OpenVPN is very secure.  However,
it is also possible to just use a static key, in which case I would say that it
is much less secure than many other VPN solutions. So be careful.

Tinc's strength is the fact that it automatically creates a full mesh network
between an arbitrary number of peers, while only specifying a handful of
(initial) connections between peers. This is very difficult to reproduce with
OpenVPN or IPsec in tunnel mode.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
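
Added example (not part of the original message, and not code from tinc or OpenVPN): a minimal audit of an OpenVPN server config for the distinction drawn above between static-key mode and TLS mode with CRL checking and --tls-auth. The sample configs, file names and finding labels are constructed; the parser is simplified and assumes file-reference directives, not inline <ca> blocks.

```python
import re

# Constructed sample configs (assumptions, not taken from the message).
STATIC_KEY_CONF = """\
dev tun
remote vpn.example.net 1194
secret static.key        # pre-shared static key, no TLS handshake
"""

TLS_CONF = """\
dev tun
tls-server
ca ca.crt
cert server.crt
key server.key
crl-verify crl.pem       ; reject revoked client certificates
tls-auth ta.key 0        # HMAC on control-channel packets
"""

def directives(text):
    """Map each directive name to its arguments; '#' and ';' start comments."""
    found = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            found[name.lstrip("-")] = args   # accept '--tls-auth' spelling too
    return found

def audit(text):
    """Return finding labels (hypothetical names) for one server config."""
    d = directives(text)
    if "secret" in d:
        # Static-key mode: one shared key, no certificates, no revocation.
        return ["static-key"]
    findings = []
    if not all(k in d for k in ("ca", "cert", "key")):
        findings.append("no-certificates")
    if "crl-verify" not in d:
        findings.append("no-crl-verify")
    if "tls-auth" not in d:
        findings.append("no-tls-auth")
    return findings

if __name__ == "__main__":
    for label, conf in (("static", STATIC_KEY_CONF), ("tls", TLS_CONF)):
        print(label, audit(conf) or "ok")
```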