Authenticating VPN addresses: a proposal

Рысь lynx at lynxlynx.tk
Mon Nov 23 09:48:08 CET 2015


I, like you, have the same network: exactly two master servers which
are trusted, and a number of clients that connect to one of them, or to
both (this depends on which physical network they reside in; we have
city-wide LANs).

I use StrictSubnets and I am happy with them. That was the choice from the
beginning. But it also forced me to have all node keys and configuration
data on each node. Up to Sep 2015, I employed a central HTTP server for
that, like chaosvpn does. But that central server lost its key (it was
an embedded-ish system) and the service stopped working.

Since then I was forced to implement a protocol extension to tinc that
adds such a service directly inside the daemon, and it now performs
perfectly. You can find an announcement about it earlier in the tinc
archives of Oct 2015.

I don't think StrictSubnets is flawed. It works nicely, and embedded
tincs running it have no issues. I think that the network must be
consistent. Hence every node must know about the others. There is also
the TunnelServer option if you want to manage the network through gateways.
