Public key sharing between nodes

tet teteros at teknik.io
Thu Nov 22 09:19:46 CET 2018


Hello tinc users,

I have been trying to work out how key exchange/hosts file sharing in tinc 1.1 works.
My topology is straightforward: a "super" always-online node A, to which remote nodes B, C, ... (and so on) ConnectTo = A, so that they discover each other via AutoConnect (that's on by default in tinc 1.1pre17).

Only super A has host files with Ed25519 keys for every node on the network. Remote nodes such as B and C were invited with "tinc invite" meaning B/C and so on create their own ed25519 private/public keypair as well as exchange pubkeys with A. They do not have host files for other remote nodes.

So far so good, but what exactly determines when node B downloads C's host file?

When testing on localhost: nodes B and C (both connected to A) refuse to connect to each other as their host files were never transferred by A.

On my live tinc setup (where A with a DHCP server on tinc's interface in switch mode is configured, and I have both Windows/Linux machines connecting to it outside NAT) it appears B/C/... nodes eventually acquire host files through A, maybe when they need to establish a metaconnection with each other?

It also seems once the host file is transferred, it stays that way. That is, if I were to change on supernode A the Ed25519PublicKey stored in hosts of B (doing so as well locally on B) then C and other remote nodes would be stuck with the old host file and public key rather than transfer the updated file, causing remote connections to B to be refused.

To summarize it looks like:
1. You need to be on another machine for key exchange to occur (not share same machine/interface or hostname)
2. Key exchange happens only when necessary (e.g. B actively tries to connect to C on some port)
3. It's not possible to change host configuration files (like Ed25519PublicKey within it or Compression) after creation, unless you can manage all remote nodes as well because key exchange does not transfer the updated hosts file.
Inviting a new node with different name for the new key is required.

tinc.conf of A
AddressFamily = ipv4
DeviceStandby = no
Interface = tap0
Mode = switch
Name = a
ProcessPriority = high
LogLevel = 3
AutoConnect = no

tinc.conf of remote nodes (B/C/...)
AddressFamily = ipv4
LocalDiscovery = yes
Mode = switch
Name = b
ConnectTo = a
LogLevel = 3
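As an added example (not part of the original post and not tinc's own code), a POSIX shell check for the stale-copy situation described in point 3: given copies of several nodes' hosts/ directories, it reports host files whose Ed25519PublicKey differs between nodes. Directory names and key strings in demo() are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from tinc: detect host files whose
# Ed25519PublicKey differs between nodes. Each argument is a copy of one
# node's hosts/ directory (e.g. collected from A, B and C). All names and
# key strings in demo() are constructed placeholders.

# pubkey <hosts_dir> <host>: print the Ed25519PublicKey value in that host file,
# "-" if the node holds no copy of the file, "none" if the line is missing.
pubkey() {
    [ -f "$1/$2" ] || { echo "-"; return; }
    v=$(awk -F'[ =]+' '$1 == "Ed25519PublicKey" { print $2; exit }' "$1/$2")
    echo "${v:-none}"
}

# check_hostkeys <hosts_dir>...: for every host name present in any copy,
# count distinct key values across the copies that have it. Returns 1 if any
# host file disagrees between nodes (the stale-copy case from the post).
check_hostkeys() {
    rc=0
    for n in $(for d in "$@"; do ls "$d"; done | sort -u); do
        keys=""
        for d in "$@"; do
            k=$(pubkey "$d" "$n")
            [ "$k" = "-" ] || keys="$keys $k"
        done
        distinct=$(printf '%s\n' $keys | sort -u | awk 'END { print NR }')
        if [ "$distinct" -gt 1 ]; then
            echo "MISMATCH $n: $distinct different Ed25519PublicKey values across nodes"
            rc=1
        fi
    done
    return $rc
}

# demo: A rotated b's key and B has the new one, but C still holds the old copy;
# c's file is identical everywhere. Expected: only b is reported, exit status 1.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/A" "$t/B" "$t/C"
    printf 'Address = 10.0.0.2\nEd25519PublicKey = NEWKEY_b_placeholder\n' > "$t/A/b"
    printf 'Ed25519PublicKey = NEWKEY_b_placeholder\n' > "$t/B/b"
    printf 'Ed25519PublicKey = OLDKEY_b_placeholder\n' > "$t/C/b"
    printf 'Ed25519PublicKey = KEY_c_placeholder\n' > "$t/A/c"
    printf 'Ed25519PublicKey = KEY_c_placeholder\n' > "$t/C/c"
    check_hostkeys "$t/A" "$t/B" "$t/C"
    rc=$?
    rm -rf "$t"
    return $rc
}
demo || echo "stale host file copies found (exit status $?)"
```

Run it against directories copied from the real nodes instead of demo()'s placeholders; a reported host is the one whose remote copies must be refreshed (or re-invited under a new name, as the post notes).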
