Disallow binding via tinc

Guus Sliepen guus at tinc-vpn.org
Fri Jan 27 17:33:25 CET 2017


On Fri, Jan 27, 2017 at 01:24:37AM +0100, Niklas Hambüchen wrote:

> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
[...]
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking for?

You can use DeviceType = dummy to make tinc run without a tun device.
Note that the node running tinc then cannot access the VPN at all; it
only acts as a forwarder and/or NAT helper for other nodes.

Otherwise, the best option is to add firewall rules that disallow any
new incoming connections from the VPN interface, but still allow
outgoing connections. Example commands to do this:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <VPN interface> -j DROP

Don't forget about IPv6, where you have to add similar rules.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
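As an added example (mine, not code from the mail above or from the tinc project): a small POSIX shell script that emits the "allow replies, drop new inbound" filter described in the reply for both IPv4 and IPv6, in iptables-restore syntax, so the rule order is fixed in one place instead of typed twice. The interface name tinc0 is an assumption, and the ICMPv6 accept rule is an added caveat for tap (switch mode) links, not something the mail states.

```shell
#!/bin/sh
# Added example (not from the mail or the tinc project): generate the
# stateful ingress filter for the VPN interface in iptables-restore /
# ip6tables-restore syntax. The interface name tinc0 is an assumption.

# Print the ruleset for one address family.
#   $1 = 4 or 6, $2 = VPN interface name.
vpn_ingress_rules() {
    fam=$1
    iface=$2
    case "$fam" in
        4|6) ;;
        *) echo "vpn_ingress_rules: family must be 4 or 6, got '$fam'" >&2
           return 1 ;;
    esac
    printf '%s\n' '*filter'
    # Packets belonging to connections this host opened itself (and ICMP
    # errors about them) are still accepted, so outgoing use of the VPN works.
    printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    if [ "$fam" = 6 ]; then
        # Caveat not in the mail: on tap (switch mode) links IPv6 relies on
        # ICMPv6 neighbor discovery; dropping it silently breaks the link.
        printf '%s\n' "-A INPUT -i $iface -p ipv6-icmp -j ACCEPT"
    fi
    # Everything else arriving from the VPN is dropped, whatever port a local
    # process happens to have bound. This rule must come after the ACCEPTs.
    printf '%s\n' "-A INPUT -i $iface -j DROP"
    printf '%s\n' 'COMMIT'
}

# Load both rulesets without flushing existing chains (-n). Needs root.
# The --test pass only parses the ruleset and commits nothing.
vpn_ingress_apply() {
    iface=$1
    vpn_ingress_rules 4 "$iface" | iptables-restore --test &&
    vpn_ingress_rules 4 "$iface" | iptables-restore -n &&
    vpn_ingress_rules 6 "$iface" | ip6tables-restore --test &&
    vpn_ingress_rules 6 "$iface" | ip6tables-restore -n
}

# Dry run: show what would be loaded for tinc0 (nothing is applied here).
vpn_ingress_rules 4 tinc0
vpn_ingress_rules 6 tinc0
```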